
Alfresco LDAP and SSO

Question asked by cybermakoki on Jun 9, 2010
Hi all,

I'm working with Alfresco Enterprise 3.1 and I have currently configured Alfresco to work with LDAP. This works fine: Windows users can log on to Alfresco.

I've modified these files:

file-servers-custom.xml

<alfresco-config area="file-servers">

   <!-- To override the default Alfresco filesystem use replace="true", to -->
   <!-- add additional filesystems remove the replace="true" attribute     -->
  
   <config evaluator="string-compare" condition="Filesystems" replace="true">
     <filesystems>
       
         <!– Alfresco repository access shared filesystem –>
         <filesystem name="${filesystem.name}">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

         <!– Add a URL file to each folder that links back to the web client –>
            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

         <!– Mark locked files as offline –>
          <offlineFiles/>

         <!– Desktop actions –>
         <!– Uses a client-side application to trigger a server-side action                         –>
         <!–   Echo - displays a message echoed from the server                                     –>
         <!–   URL  - launches a URL via the Windows shell                                          –>
         <!–   CmdLine - launches the Notepad application                                           –>
         <!–   CheckInOut - checks files in/out, drag and drop files onto the application           –>
         <!–   JavaScript - run a server-side script                                                –>
         <!–   JavaScriptURL - server-side script that generates a URL to the folder using a ticket –>
         <!–                   to avoid having to logon                                             –>

            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>
               <action>
                  <class>org.alfresco.filesys.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.EchoDesktopAction</class>
               <name>Echo</name>
                 <filename>__AlfrescoEcho.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.URLDesktopAction</class>
               <name>URL</name>
                 <filename>__AlfrescoURL.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.CmdLineDesktopAction</class>
               <name>CmdLine</name>
                 <filename>__AlfrescoCmd.exe</filename>
            </action>
            <action>
               <class>org.alfresco.filesys.repo.desk.JavaScriptDesktopAction</class>
               <name>JavaScript</name>
               <filename>__AlfrescoScript.exe</filename>
               <script>alfresco/desktop/dumpRequest.js</script>
               <attributes>anyFiles, multiplePaths , allowNoParams</attributes>
               <preprocess>confirm, copyToTarget</preprocess>
            </action>
            </desktopActions>

         <!– Additional access control of the filesystem –>
         <!– Access type of 'none' will stop the filesystem from showing up for that user/address/protocol –>          
            <!–
            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="192.168.1.0" mask="255.255.255.0" access="Write"/>
            </accessControl>
            –>
         </filesystem>
        
         <!– AVM virtualization view of all stores/versions for WCM –>
         <!– virtual view can be any of the following: normal, site, staging, author, preview –>
         <avmfilesystem name="AVM">
            <virtualView stores="site,staging,author"/>
         </avmfilesystem>
        
      </filesystems>
   </config>
   <config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="passthru" >
         <Server>ldap://xxxxx.xxx.com:389</Server>
      </authenticator>
   
   <!–<authenticator type="alfresco" />–>
  </config>
 
   <config evaluator="string-compare" condition="CIFS Server" replace="true">
      <serverEnable enabled="false"/>
     
      <host name="${cifs.localname}A" domain="${cifs.domain}"/>
      <comment>Alfresco CIFS Server</comment>

      <!– Set to the broadcast mask for the subnet –>
      <broadcast>${cifs.broadcast}</broadcast>
     
      <!– Set to the IP for the adapter for Java socket –>
      <bindto>${cifs.bindto}</bindto>

      <!– Use Java socket based NetBIOS over TCP/IP and native SMB on linux –>
      <tcpipSMB ipv6="${cifs.ipv6}" platforms="linux,solaris,macosx"/>
      <netBIOSSMB bindto="${cifs.bindto}" platforms="linux,solaris,macosx"/>
     
      <!– Can be mapped to non-privileged ports, then use firewall rules to forward
            requests from the standard ports –>
    
      <tcpipSMB port="1445" ipv6="${cifs.ipv6}" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
     

      <!– Announce the server to the workgroup/domain –>
      <!– Use enabled="false" attribute to disable announcements –>             
      <hostAnnounce interval="5" enabled="${cifs.hostannounce}"/>

      <!– Use Win32 NetBIOS interface on Windows –>
      <Win32NetBIOS/>

      <!– Announce the server to the workgroup/domain –>
      <!– Use enabled="false" attribute to disable announcements –>             
      <Win32Announce interval="5" enabled="${cifs.hostannounce}"/>

      <!– CIFS authentication –>
      <!– Available types are 'alfresco', 'passthru' and 'enterprise' –>
    <!–  <authenticator type="passthru">
      <LocalDomain/>
     </authenticator>–>
     <authenticator type="alfresco"/>
           
      <!– CIFS Passthru authentication sample –>
      <!– Also see the <DomainMappings> config in the 'Filesystem Security' section below –>
      <!–
      <authenticator type="passthru">
        <Server>ALFRESCO\adsrv1,ADOMAIN\adsrv2,adsrv1</Server>
        <protocolOrder>TCPIP,NetBIOS</protocolOrder>
        <offlineCheckInterval>60</offlineCheckInterval>
      </authenticator>
      –>
     
      <!– CIFS Enterprise authentication sample with Kerberos –>
      <!–
      <authenticator type="enterprise">
         <KDC>ad.alfresco.org</KDC>
         <Realm>ALFRESCO.ORG</Realm>
         <Password>password</Password>
         
         <kerberosDebug/>
         <Debug/>
      </authenticator>     
      –>
           
      <!– Disable the use of asynchronous sockets/NIO code –>
      <!–
      <disableNIO/>
      –>
     
      <!– Disable the use of JNI code –>
      <!– Only currently affects Windows –>
      <!–
      <disableNativeCode/>
      –>
     
      <!– Session timeout, in seconds –>
      <!– Defaults to 15 minutes, to match the default Windows client setting        –>
      <!– If no I/O is received within that time the session is closed by the server –>
      <!–
      <sessionTimeout>300</sessionTimeout>
      –>
     
      <!– Enable WINS if used for NetBIOS name lookups –>
      <!–
      <WINS>
         <primary>1.2.3.4</primary>
         <secondary>5.6.7.8</secondary>
      </WINS>
      –>
     
      <!– CIFS server debug settings –>
      <!– Enable 'log4j.logger.org.alfresco.fileserver=debug' in log4j.properties file –>
     
      <sessionDebug flags="Negotiate,Socket"/>
     
   </config>

   <config evaluator="string-compare" condition="FTP Server" replace="true">
      <!–<serverEnable enabled="${ftp.enabled}"/>–>
     <serverEnable enabled="false"/>
     
      <!– Run on a non-privileged port –>
      <port>1121</port>
     

     <!– IPv6 support –>
     <IPv6 state="${ftp.ipv6}"/>
    
      <!– FTP authentication –>
      <!– Available types are 'alfresco' and 'passthru' –>
      <authenticator type="passthru"/>
           
      <!– FTP server debug settings –>
      <!– Enable 'log4j.logger.org.alfresco.fileserver=debug' in log4j.properties file –>
      <debug flags="File,Search,Error,Directory,Info,DataPort"/>
   </config>
  
   <config evaluator="string-compare" condition="NFS Server">
      <serverEnable enabled="${nfs.enabled}"/>

      <!– Map NFS user/group ids to Alfresco users –>     
      <rpcAuthenticator>
         <userMappings>
            <user name="admin" uid="0" gid="0"/>
         </userMappings>
      </rpcAuthenticator>
   </config>
</alfresco-config>

ldap-authentication.properties:

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    

ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
# NOTE(review): plain ldap:// on port 389, so the connection is not encrypted on the wire;
# with DIGEST-MD5 the password itself is not sent in clear, but everything else is.
# Prefer ldaps:// (or StartTLS) if the directory offers it.
ldap.authentication.java.naming.provider.url=ldap://xxxx.xxx.com:389

# The authentication mechanism to use
# NOTE(review): DIGEST-MD5 only works when the directory can compute the digest for the
# account (it has to hold the password in a form that allows this) - confirm with the
# directory administrator; otherwise binds fail even with correct credentials and the
# alternative is 'simple' with a DN-style userNameFormat (see above).
ldap.authentication.java.naming.security.authentication=DIGEST-MD5

# The default principal to use (only used for LDAP sync)
#ldap.authentication.java.naming.security.principal=xxxx

# The password for the default principal (only used for LDAP sync)
# NOTE(review): if this line is enabled it holds a real secret in clear text; keep the
# file's read permissions tight and out of version control.
#ldap.authentication.java.naming.security.credentials=*********

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

And I have added these lines to authentication-services-context.xml to enable daisy chaining:

<!-- Authentication chain: the internal Alfresco component is listed first, then the
     existing "authenticationComponent" (presumably the LDAP one configured above).
     NOTE(review): list order is presumably the order in which the components are tried. -->
<bean id="authenticationComponentChain"
      class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
   <property name="authenticationComponents">
      <list>
         <ref bean="authenticationComponentAlfresco"/>
         <ref bean="authenticationComponent"/>
      </list>
   </property>
</bean>

   <bean id="authenticationComponentAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl" parent="authenticationComponentBase">
      <property name="authenticationDao">
         <ref bean="authenticationDao"/>
      </property>
         <property name="authenticationManager">
            <ref bean="authenticationManager"/>
         </property>   
      <property name="allowGuestLogin">
         <value>false</value>
      </property>   
      <property name="transactionService">
            <ref bean="transactionService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
      <property name="personService">
            <ref bean="personService" />
        </property>
   </bean>

So this works fine, but I want to enable SSO because Internet Explorer asks for a username and password every time I log in to Alfresco…

How can I enable SSO? I've read a lot of posts and wiki pages and I haven't been able to do this :(

Can anybody help me?
