
LDAP + StartTls

Question asked by nancygaillard on Jul 21, 2015
Latest reply on Aug 5, 2015 by nancygaillard
Hello,

I am using Alfresco 4.2.e on Windows Server 2008 R2.

I intend to configure LDAP authentication on Alfresco so that the users of my Windows AD can log on to Alfresco.

My problem is the use of a certificate with the StartTls encryption method. Anybody from my AD can log on to Alfresco, and I haven't found anything in the documentation about my case… How can I force Alfresco to use the StartTls encryption method?

In alfresco.log, I have the following error:
<blockquote>
11:00:00,186 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 06200027 Echec de la connexion à ldap://SERVER.DOMAIN.local:389. Raison javax.naming.AuthenticationNotSupportedException, [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:192)
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:108)
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:688)
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:685)
   at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:969)
   at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:714)
   at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
   at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
   at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
   at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
</blockquote>

Method applied:

1) Tests with Apache Directory Studio

* Failed with the previous error when:
server : SERVER.DOMAIN.local, port:389, encryption method : none, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local

* Succeeded with:
server : SERVER.DOMAIN.local, port:389, encryption method : StartTls, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local

2) Alfresco configuration

In the alfresco-global.properties file I added at the end:
<blockcode>
### Authentication protocols ###
authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

### Active Directory synchronisation ###
synchronization.import.cron=0 0/30 9-18 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
</blockcode>

I added to the directory tree under:
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap
- file : common-ldap-context.xml (copy)
- directory : ldap-ad1
   |
   ——– files : ldap-ad-authentication.properties (copy), ldap-ad-authentication-context.xml (copy)
** copies from C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication…

I updated the copy of ldap-ad-authentication.properties like this:

<blockcode>
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://SERVER.DOMAIN.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=user_alfresco,Administrateur,admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
ldap.synchronization.java.naming.security.credentials=secret

ldap.synchronization.queryBatchSize=1000     
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

ldap.synchronization.groupSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.userSearchBase=dc\=DOMAIN,dc=local

ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
</blockcode>

3) Java configuration
Inspired by https://wiki.alfresco.com/wiki/Ldap_over_SSL

- I exported the certificate from Apache Directory Studio (Window > Preferences > Apache Directory Studio > Certificate validation; exported the certificate CN=SERVER.DOMAIN.local to my PC and renamed it "certificate.der")
- In a Windows command prompt (Administrator mode):

<blockcode>
C:\Alfresco\java\bin\keytool -import -alias 192.168.1.101 -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der

C:\Alfresco\java\bin\keytool -import -alias SERVER.DOMAIN.local -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der
</blockcode>

I entered my keystore password for each of the previous commands.
I opened the properties of the Alfresco Tomcat service with the following command:

C:\Alfresco\tomcat\bin\tomcat7w //ES//alfrescoTomcat

And in Java > Java Options, I added:
-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts"

I restarted Tomcat and… I could not log on to Alfresco.

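The error in the post (LDAP result code 8, AD comment "The server requires binds to turn on integrity checking if SSL\TLS are not already active") means the domain controller enforces LDAP signing, so a simple bind sent over the cleartext port 389 is refused; the Apache Directory Studio test only succeeded because StartTLS was negotiated before the bind. The stack trace shows that Alfresco's LDAPInitialDirContextFactoryImpl.buildInitialDirContext creates the JNDI context with the credentials already in the environment, so the bind goes out in the clear at creation time. The program below is an added stand-alone check, written by the editor and not part of the post or of Alfresco; it reproduces the working Directory Studio sequence with the same com.sun.jndi.ldap.LdapCtxFactory that Alfresco uses: open an anonymous context on ldap://...:389, run the StartTLS extended operation, and only then perform the simple bind. The host, bind DN and attribute names are placeholders taken from the post; the LDAP_BIND_PASSWORD environment variable is an assumption of this example.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.directory.Attributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/**
 * Added example (not Alfresco code): StartTLS first, simple bind second,
 * against an AD domain controller that enforces LDAP signing.
 */
public class StartTlsBindCheck {

    // Placeholders copied from the post; replace with real values.
    static final String URL = "ldap://SERVER.DOMAIN.local:389";
    static final String BIND_DN = "CN=Alfresco,CN=Users,DC=DOMAIN,DC=local";
    // Assumed for this example: the password comes from the environment, never from source.
    static final String PASSWORD = System.getenv("LDAP_BIND_PASSWORD");

    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // Deliberately no credentials here: the context is opened anonymously so
        // nothing sensitive crosses the wire before TLS is up.

        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = null;
        try {
            // 1. Upgrade the cleartext TCP connection with the StartTLS extended operation.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            // negotiate() uses the JVM default SSLSocketFactory, i.e. the trust store
            // selected by -Djavax.net.ssl.trustStore (or the JRE's own cacerts), and
            // checks that the certificate's name matches the host in the URL. That is
            // why the URL must use the DNS name on the certificate, not an IP address.
            SSLSession session = tls.negotiate();
            System.out.println("TLS up: " + session.getProtocol() + " " + session.getCipherSuite()
                    + " peer=" + session.getPeerPrincipal().getName());

            // 2. Only now switch to a simple bind; JNDI re-binds on the next operation.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, BIND_DN);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, PASSWORD);

            // 3. A cheap root DSE read forces the bind and proves it was accepted.
            Attributes rootDse = ctx.getAttributes("", new String[] {"defaultNamingContext"});
            System.out.println("bound; defaultNamingContext="
                    + rootDse.get("defaultNamingContext").get());
        } catch (AuthenticationNotSupportedException e) {
            // The exception from the post: the DC refuses a simple bind on a connection
            // that is neither signed nor TLS-protected (LDAP result code 8).
            System.err.println("simple bind rejected; was StartTLS negotiated before the bind? "
                    + e.getMessage());
            throw e;
        } finally {
            if (tls != null) tls.close();
            ctx.close();
        }
    }
}
```

Run it with the same JVM and the same -Djavax.net.ssl.trustStore value the Tomcat service uses, so that a trust failure shows up here before it shows up in alfresco.log. Two things worth checking against the post: the keytool used is the one bundled with Alfresco (C:\Alfresco\java), while the store written to is the cacerts of a separate system JRE (jre1.8.0_45), so confirm the service's JVM can actually read that path; and confirm the certificate is present with `keytool -list -keystore <trust store> -alias SERVER.DOMAIN.local` (the alias 192.168.1.101 is harmless but unused, because name matching is done on the DNS host in the URL).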