Problems getting passthrough to work with LDAP-AD

Question asked by florianjerusalem on Feb 10, 2016
Hi there, been struggling quite a while getting Alfresco to work with LDAP-AD:

Using Alfresco Community 5.0.d.
Did an "easy" installation and appended the global config as follows:


#
# LDAP
#

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.allowGuestLogin=false
ldap.synchronization.userIdAttributeName=userPrincipalName
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.provider.url=ldap://itg-vws-dc01.itg.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=CN=Doc,OU=Robots,DC=ITG,DC=local
ldap.synchronization.java.naming.security.credentials=SUPERSECRETPASSWORD
ldap.synchronization.groupSearchBase=CN=SG_Doc,CN=Users,DC=ITG,DC=local
ldap.synchronization.userSearchBase=CN=Users,DC=ITG,DC=local

ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=SG_Doc,CN\=Users,DC\=itg,DC\=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=SG_Doc,CN\=Users,DC\=itg,DC\=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))


Kindly note I am working with a security group here: SG_Doc
And I changed the default username to the UPN (e-mail). All users who are members of the SG are able to log in to Alfresco.

Everything is working fine when using Alfresco Share.

Now, to allow my users to log in to CIFS, I changed the config to the following:



#
# LDAP
#

authentication.chain=passthru1:passthru,alfinst:alfrescoNtlm,ldap1:ldap-ad
alfresco.authentication.authenticateCIFS=false
ldap.authentication.active=false

ntlm.authentication.sso.enabled=false

ldap.authentication.allowGuestLogin=false
ldap.synchronization.userIdAttributeName=userPrincipalName
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.provider.url=ldap://itg-vws-dc01.itg.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=CN=Doc,OU=Robots,DC=ITG,DC=local
ldap.synchronization.java.naming.security.credentials=SUPERSECRETPASSWORD
ldap.synchronization.groupSearchBase=CN=SG_Doc,CN=Users,DC=ITG,DC=local
ldap.synchronization.userSearchBase=CN=Users,DC=ITG,DC=local

ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=SG_Doc,CN\=Users,DC\=itg,DC\=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=SG_Doc,CN\=Users,DC\=itg,DC\=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ntlm.authentication.sso.enabled=true
passthru.authentication.servers=itg.local\\itg-vws-dc01.itg.local
passthru.authentication.domain=# Leave blank
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=Administrator,alfresco

passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true


But this does not seem to work…
Tried to log in with DOMAIN\firstname.lastname, firstname.lastname@domain, …
But all I get is

ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker19] org.alfresco.jlan.smb.SMBException: Invalid parameter

in the catalina.out file…

What exactly am I missing here? Any help would be highly appreciated.
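
A check one could run over a properties file like the second config above, as an added example that is not part of the original post and is not Alfresco code. It assumes the file is read with java.util.Properties rules (simplified here: no line continuations or \uXXXX escapes), uses a constructed excerpt of that config, and reports keys set twice, values that begin with `#`, and `ldap://` provider URLs; all function names are hypothetical.

```python
import re

# Constructed excerpt: five lines taken from the second config in the post.
SAMPLE = """\
ntlm.authentication.sso.enabled=false
ldap.authentication.java.naming.provider.url=ldap://itg-vws-dc01.itg.local:389
ntlm.authentication.sso.enabled=true
passthru.authentication.domain=# Leave blank
passthru.authentication.guestAccess=false
"""

# Key ends at the first unescaped '=', ':' or whitespace; the rest is the value.
ENTRY = re.compile(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$")

def unescape(s):
    """Drop the backslash from simple escapes such as \\= (simplified)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_properties(text):
    """Yield (line_no, key, value) for each non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        # '#' or '!' starts a comment only as the first non-blank character.
        if not line or line[0] in "#!":
            continue
        m = ENTRY.match(line)
        if m:
            yield no, unescape(m.group(1)), unescape(m.group(2))

def lint(text):
    """Return (findings, effective): findings are (line_no, key, message)."""
    findings, seen = [], {}
    for no, key, value in parse_properties(text):
        if key in seen:
            findings.append((no, key, f"also set on line {seen[key][0]}; "
                             f"the later value {value!r} wins"))
        seen[key] = (no, value)
        if value.startswith("#"):
            findings.append((no, key, f"value is the literal {value!r}, not empty"))
        if key.endswith("java.naming.provider.url") and value.lower().startswith("ldap://"):
            findings.append((no, key, "ldap:// is not TLS-protected; a simple "
                             "bind would send the password in clear"))
    return findings, {k: v for k, (_, v) in seen.items()}

if __name__ == "__main__":
    for no, key, msg in lint(SAMPLE)[0]:
        print(f"line {no}: {key}: {msg}")
```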
