
Alfresco 3.4b external authentication in share

Question asked by lminoza on Dec 8, 2010
Hello,

I want to use CAS with Alfresco and Share 3.4b as external authentication.

I followed the instructions in http://wiki.alfresco.com/wiki/Alfresco_With_mod_auth_cas and http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems.

I created one user in LDAP to use synchronization and tested authentication with Firefox + the "Modify Headers" extension.

Here is the authentication part of my alfresco-global.properties:
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
external.authentication.enabled=true
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.proxyUserName=
ldap.authentication.atcive=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldap://localhost:389
ldap.synchronization.java.naming.security.principal=cn=admin,dc=atexo,dc=fr
ldap.synchronization.java.naming.security.credentials=secret
ldap.authentication.userNameFormat=cn=%s,ou=Users,dc=atexo,dc=fr
ldap.synchronization.groupSearchBase=ou=Groups,dc=atexo,dc=fr
ldap.synchronization.userSearchBase=ou=Users,dc=atexo,dc=fr
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(objectclass\=inetOrgPerson)
synchronization.syncWhenMissingPeoplLogIn=true
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 */1 * * * ?

The content of share-config-custom.xml:
<!-- Overriding endpoints to reference an Alfresco server with external SSO or NTLM enabled -->
   <!-- NOTE: For NTLM, the NTLM Authentication Filter must also be enabled in share web.xml -->
   <!-- NOTE: if utilising a load balancer between web-tier and repository cluster, the "sticky -->
   <!--       sessions" feature of your load balancer must be used -->
   <config evaluator="string-compare" condition="Remote">
        <remote>
            <!-- SSL client certificate + trusted CAs. Optionally used to authenticate share to an external SSO system such as CAS -->
            <keystore>
                <path>alfresco/web-extension/alfresco-system.p12</path>
                <type>pkcs12</type>
                <password>alfresco-system</password>
            </keystore>
        
            <connector>
                <id>alfrescoCookie</id>
                <name>Alfresco Connector</name>
                <description>Connects to an Alfresco instance using cookie-based authentication</description>
                <class>org.alfresco.connector.AlfrescoConnector</class>
            </connector>

            <endpoint>
                <id>alfresco</id>
                <name>Alfresco - user access</name>
                <description>Access to Alfresco Repository WebScripts that require user authentication</description>
                <connector-id>alfrescoCookie</connector-id>
                <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
                <identity>user</identity>
                <external-auth>true</external-auth>
            </endpoint>
           
        </remote>
    </config>

And the content of the LDAP repository:
# atexo.fr
dn: dc=atexo,dc=fr
objectClass: top
objectClass: dcObject
objectClass: organization
dc: atexo
o: atexo.fr

# Users, atexo.fr
dn: ou=Users,dc=atexo,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: Users

# Groups, atexo.fr
dn: ou=Groups,dc=atexo,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: Groups

# alfresco_users, Groups, atexo.fr
dn: cn=alfresco_users,ou=Groups,dc=atexo,dc=fr
objectClass: groupOfNames
objectClass: top
cn: alfresco_users
member: uid=external1,ou=Users,dc=atexo,dc=fr

# external1, Users, atexo.fr
dn: uid=external1,ou=Users,dc=atexo,dc=fr
o: ATEXO
sn: External
mail: externl1@atexo.fr
telephoneNumber: 1234567890
givenName: 1
objectClass: inetOrgPerson
uid: external1
cn: External 1
userPassword:: cGFzc3dvcmQ=

When I activate "Modify Headers", the header "X-Alfresco-Remote-User: external1" is added to all the HTTP requests. When I open http://localhost:8080/alfresco, I'm logged in as external1 and can use Explorer without problems, but when I open http://localhost:8080/share, I'm redirected to the login page and can't open Share with my user.

Is my configuration bad, or does Share not handle external authentication in 3.4b?

When searching the forums, it seems that it doesn't work in 3.3, but all the relevant entries in JIRA were closed with the 3.4b release.
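
A configuration check for the properties posted in the question, as an added example (not part of the original post and not Alfresco code). It flags property keys that are near-misses of known names, and an empty external.authentication.proxyUserName, with which the repository takes the user name from the proxyHeader on any request that reaches it. The KNOWN_KEYS subset, the function names and the similarity cutoff are assumptions made for this example.

```python
import difflib

# Keys this check knows about (a subset of Alfresco's properties, chosen for this example).
KNOWN_KEYS = {
    "authentication.chain",
    "external.authentication.enabled",
    "external.authentication.proxyHeader",
    "external.authentication.proxyUserName",
    "ldap.authentication.active",
    "ldap.synchronization.active",
    "synchronization.syncWhenMissingPeopleLogIn",
}

# Constructed sample: a subset of the properties posted above, copied as written.
SAMPLE = """\
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
external.authentication.enabled=true
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.proxyUserName=
ldap.authentication.atcive=false
ldap.synchronization.active=true
synchronization.syncWhenMissingPeoplLogIn=true
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a list of (key, finding) tuples for the two checks described above."""
    findings = []
    for key in props:
        if key in KNOWN_KEYS:
            continue
        # A near-miss of a known key is most likely a typo, so the intended setting never applies.
        near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.9)
        if near:
            findings.append((key, "unrecognised key, did you mean %s?" % near[0]))
    if (props.get("external.authentication.enabled", "").lower() == "true"
            and not props.get("external.authentication.proxyUserName")):
        findings.append(("external.authentication.proxyUserName",
                         "empty: the proxyHeader user name is accepted from any client"))
    return findings
```

Calling `audit(parse_properties(SAMPLE))` reports the two misspelled keys and the empty proxy user name; keys outside KNOWN_KEYS that are not close to any known name are ignored rather than flagged.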
