
NTLM SSO with CMIS

Question asked by antonia on May 22, 2014
Latest reply on Oct 27, 2014 by prignony
Hello,
I'm trying to set up a simple Alfresco installation with NTLM SSO authentication. Since this is for testing purposes, I'm free to use passthru or just alfrescoNtlm. I tried both possibilities and everything worked quite well with Alfresco Share, i.e. I wasn't prompted for my password when accessing http://myalfrescoserver:8080/share.
Still, I get errors when trying to connect via CMIS: "Forbidden: Permission Denied" with OpenCmis and "Unauthorized" with DotCmis. Sadly, it doesn't say anything else. The only thing I found was in localhost_access-log: "GET /alfresco/cmisatom HTTP/1.1" 401 995.
Looking at this thread: http://stackoverflow.com/questions/10519347/how-to-access-cmis-without-a-password, it should definitely work somehow?
I'm new to the whole authentication business, so I'm unsure whether or not I made the right changes in alfresco-global.properties, or if there are changes (apart from share-config-custom.xml) that need to be made in other files for CMIS to work correctly. Or could it be that this problem stems from a completely different point in my infrastructure?

This is the corresponding part of my alfresco-global.properties:

ntlm.authentication.sso.enabled=true
authentication.chain=passthru1:passthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

passthru.authentication.sso.enabled=true
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false

passthru.authentication.servers=myldapserver.com
passthru.authentication.domain=
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=Administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS

ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://myldapserver.com:389

ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=myldapusername
ldap.synchronization.java.naming.security.credentials=myldappassword
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.groupSearchBase=OU=Alfresco,DC=mydomain,DC=com
ldap.synchronization.userSearchBase=OU=Alfresco,DC=mydomain,DC=com

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

synchronization.synchronizeChangesOnly=true


This is the code I use for CMIS (using DotCmis 0.6):

using System.Collections.Generic;
using DotCMIS;              // SessionParameter, BindingType
using DotCMIS.Client;       // ISession
using DotCMIS.Client.Impl;  // SessionFactory

// Session parameters: AtomPub binding against the Alfresco CMIS endpoint,
// with DotCMIS's NTLM provider so the current Windows credentials are used
// instead of a username/password pair.
Dictionary<string, string> parameters = new Dictionary<string, string>();
parameters[SessionParameter.AtomPubUrl] = "https://<alfrescoserver>:8443/alfresco/cmisatom";
parameters[SessionParameter.BindingType] = BindingType.AtomPub;
parameters[SessionParameter.AuthenticationProviderClass] = "DotCMIS.Binding.NtlmAuthenticationProvider";

// Discover the repositories and open a session on the first one.
SessionFactory factory = SessionFactory.NewInstance();
ISession session = factory.GetRepositories(parameters)[0].CreateSession();
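One way to narrow down a 401 like the one in localhost_access-log is to look at which authentication schemes the CMIS endpoint actually advertises in its WWW-Authenticate header(s): a 401 that offers NTLM is the expected first leg of the handshake, whereas a 401 that offers only Basic (or nothing at all) means the NTLM client provider has nothing to negotiate with on that URL. The script below is an added example, not code from the original post or from Alfresco or DotCmis. The sample responses in it are constructed, the verdict labels are names chosen here (not anything Alfresco emits), and the challenge parser is only meant for simple Basic/NTLM/Negotiate challenges.

```python
"""Diagnose a 401 from a CMIS endpoint by inspecting its WWW-Authenticate
challenge(s). Added example; sample responses below are constructed."""
import re
import sys
import urllib.error
import urllib.request

# Scheme token at the start of the header value or right after a comma,
# followed by whitespace, a comma or end of string (so 'realm="x"' or
# 'qop="auth"' are never mistaken for schemes).
_SCHEME_RE = re.compile(r'(?:^|,\s*)([A-Za-z][A-Za-z0-9._-]*)(?=\s|,|$)')


def parse_challenges(header_values):
    """Return the auth schemes offered, in order and without duplicates,
    from one or more WWW-Authenticate header values."""
    schemes = []
    for value in header_values:
        for token in _SCHEME_RE.findall(value):
            if token.lower() not in (s.lower() for s in schemes):
                schemes.append(token)
    return schemes


def diagnose(status, headers):
    """Classify the response to an unauthenticated GET on the CMIS URL.

    headers is a list of (name, value) pairs. Verdicts (labels chosen here):
      ok                 - 200 without credentials (guest/anonymous access)
      other              - not 200 and not 401; look at the status itself
      401-no-challenge   - rejected without any scheme: nothing in the
                           authentication chain answered for this URL
      401-ntlm-offered   - NTLM is advertised; the 401 is the normal first
                           step, so look at the client-side provider next
      401-no-ntlm        - only Basic/other offered: NTLM SSO is not active
                           on this endpoint, so an NTLM client cannot proceed
    """
    if status != 401:
        return ("ok" if status == 200 else "other", [])
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    schemes = parse_challenges(values)
    if not schemes:
        return ("401-no-challenge", schemes)
    if any(s.upper() == "NTLM" for s in schemes):
        return ("401-ntlm-offered", schemes)
    return ("401-no-ntlm", schemes)


def probe(url):
    """Live check (network): one unauthenticated GET, then diagnose()."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, list(resp.headers.items()))
    except urllib.error.HTTPError as err:
        # urllib raises on 401; the challenge headers are on the error.
        return diagnose(err.code, list(err.headers.items()))


# Constructed sample responses (not captured from a real server).
SAMPLE_NTLM = (401, [("WWW-Authenticate", "NTLM"),
                     ("WWW-Authenticate", 'Basic realm="Alfresco"'),
                     ("Content-Length", "995")])
SAMPLE_BASIC_ONLY = (401, [("WWW-Authenticate", 'Basic realm="Alfresco"')])
SAMPLE_BARE = (401, [("Content-Type", "text/html")])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python cmis_401.py https://<alfrescoserver>:8443/alfresco/cmisatom
        print(probe(sys.argv[1]))
    else:
        for name, (status, headers) in [("ntlm", SAMPLE_NTLM),
                                        ("basic-only", SAMPLE_BASIC_ONLY),
                                        ("bare", SAMPLE_BARE)]:
            print(name, diagnose(status, headers))
```

Run it with no arguments to see the three constructed cases classified; pass the CMIS URL to send a single unauthenticated GET to a live server and classify the real response. The probe sends no credentials and completes no handshake, so it only tells you what the server offers, which is exactly the piece of information the access-log line "401 995" leaves out.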
