June 25, 2017

Alfresco LDAP integration – Two examples Netscape DS and Active Directory

The Alfresco authentication chain supports multiple alternative implementations of the authentication subsystem, each designed to work with one type of back-end authentication system: Active Directory, LDAP, Kerberos, alfrescoNtlm (the default, built-in authentication) or other external servers. The official Alfresco wiki shows the following table with the list of authentication subsystem types supplied with Alfresco.

[image: giuseppe-urso-alfresco-ldap-00, table of authentication subsystem types]

In this post I show how to integrate Alfresco with the two LDAP subsystems, OpenLDAP and Active Directory. More info about the Alfresco authentication subsystems can be found here.


EXAMPLE 1. – Subsystem ldap, integration with Netscape Directory Server (NDS)

In this example I use a rebuild of Netscape Directory Server (NDS) called CentOS Directory Server, an LDAP solution for CentOS Linux server distributions. Other LDAP servers derived from NDS are Red Hat Directory Server, Fedora 389 Directory Server and Sun One Directory Server. To test and manipulate the LDAP users more easily, I use JXplorer, an open source LDAP client written in Java. Here is the application stack.

Alfresco: Community 4.0.e
LDAP Server: CentOS Directory Server 8.2
LDAP Client: JXplorer 3.3

The first step is to test the LDAP connection with an anonymous bind against the CentOS-DS server (LDAPv3).

[image: giuseppe-urso-alfresco-ldap-01]

[image: giuseppe-urso-alfresco-ldap-02]

Next, we can test LDAP authentication with the credentials of a user. Use the full Distinguished Name (DN) in the BIND request; here are two examples:

Pay attention to the cn and uid attributes in the DN. The exact DN expression matters, because it is what you need to set ldap.authentication.userNameFormat correctly: this Alfresco property specifies how the user identifier entered at login is mapped to the DN sent in the LDAP bind.

[image: giuseppe-urso-alfresco-ldap-03]

Here is the LDIF for the LDAP users and groups used in this example.

– LDAP USER


– LDAP GROUP

In this example I also configure the LDAP synchronization mechanism, which is based on the Alfresco "user registry export" service. Here are the four steps to integrate Alfresco with the CentOS-DS LDAP server (authentication and synchronization).

1. Create the properties files that configure the myldap instance


2. Edit the file ldap-authentication.properties to define the myldap setup


3. Add the following properties to the alfresco-global.properties file


4. Optionally enable debugging in the log4j.properties file
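The files the four steps refer to are not reproduced on this page, so here is an added configuration of my own (not the author's files) for the myldap instance of the ldap subsystem type, laid out the way Alfresco expects; the host name, base DNs, the sync service account and its password are assumed placeholders.

```properties
# --- alfresco-global.properties (step 3) ---
# Register the "myldap" instance of subsystem type "ldap". Keeping alfrescoNtlm
# after it means the built-in admin can still log in if the LDAP server is down.
authentication.chain=myldap:ldap,alfrescoNtlm1:alfrescoNtlm
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
# Do not create person nodes for login names that LDAP never exported
synchronization.autoCreatePeopleOnLogin=false
synchronization.import.cron=0 0 0 * * ?

# --- extension/subsystems/Authentication/ldap/myldap/ldap-authentication.properties (steps 1-2) ---
ldap.authentication.active=true
# Never let an unauthenticated guest session through this subsystem
ldap.authentication.allowGuestLogin=false
# %s is replaced by the login name: "jdoe" binds as uid=jdoe,ou=People,dc=example,dc=com.
# The attribute (uid or cn) must match the DN that worked in the JXplorer BIND test.
ldap.authentication.userNameFormat=uid\=%s,ou\=People,dc\=example,dc\=com
# ldaps keeps the user's password off the wire; the CA cert must be in the JVM truststore
ldap.authentication.java.naming.provider.url=ldaps://centos-ds.example.com:636
ldap.authentication.java.naming.security.authentication=simple
# LDAP accounts that are granted the Alfresco administrator role
ldap.authentication.defaultAdministratorUserNames=admin

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# Read-only service account for the "user registry export", not the Directory Manager
ldap.synchronization.java.naming.security.principal=uid\=alfresco-sync,ou\=People,dc\=example,dc\=com
ldap.synchronization.java.naming.security.credentials=CHANGE_ME
ldap.synchronization.userSearchBase=ou\=People,dc\=example,dc\=com
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=example,dc\=com
# Object classes and attributes of a Netscape-style directory
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# --- log4j.properties (step 4) ---
log4j.logger.org.alfresco.repo.security.authentication=debug
log4j.logger.org.alfresco.repo.security.sync=debug
```

The sync password sits in clear text in the instance file, so restrict its file permissions to the Tomcat user and drop the debug loggers again once the bootstrap sync has been verified.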

The user name format I set in Alfresco follows:

If no errors occur, you will see the following log messages at Alfresco bootstrap (synchronization.syncOnStartup=true).

[image: giuseppe-urso-alfresco-ldap-04]

[image: giuseppe-urso-alfresco-ldap-05]

[image: giuseppe-urso-alfresco-ldap-06]

EXAMPLE 2. – Subsystem ldap-ad, integration with Microsoft Active Directory

In this example I integrate Alfresco with Microsoft Active Directory. I use a test environment where an instance of Microsoft Active Directory Server 2003 is running. Here is the application stack.

Alfresco: Community 4.0.e
LDAP Server: Microsoft Active Directory 2003
LDAP Client: JXplorer 3.3

I create the two Organizational Units, Groups and People, for groups and users.

[image: giuseppe-urso-alfresco-ldap-07]

[image: giuseppe-urso-alfresco-ldap-08]

Use JXplorer to test the LDAP connection and authentication. Enter the full Distinguished Name (DN) in the BIND request; in this case I use the cn attribute in the full DN:


[image: giuseppe-urso-alfresco-ldap-09]

[image: giuseppe-urso-alfresco-ldap-10]

The LDIF for the LDAP users and groups used in this example follows.

– LDAP-AD Group

– LDAP-AD User

For the user name format in Alfresco I use the following expression:

Here are the four steps to integrate Alfresco with the Microsoft Active Directory server (authentication and synchronization).

1. Create the properties files that configure the myldap instance

2. Edit the file ldap-authentication.properties to define the myldap setup

3. Add the following properties to the alfresco-global.properties file

4. Optionally enable debugging in the log4j.properties file
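The author's Active Directory files are not on the page either; the following is an added example of mine (not the author's configuration) of the instance file for the ldap-ad subsystem type, showing the Active Directory specific settings that differ from a Netscape-style directory. The file Alfresco ships for this subsystem type is named ldap-ad-authentication.properties; the domain, host name and service account are assumed placeholders.

```properties
# --- extension/subsystems/Authentication/ldap-ad/myldap/ldap-ad-authentication.properties ---
# Registered in alfresco-global.properties with:
#   authentication.chain=myldap:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
# AD accepts the userPrincipalName at bind time, so no OU path is hard-coded in the format.
# A DN form such as cn\=%s,ou\=People,dc\=example,dc\=local only works while cn equals the login name.
ldap.authentication.userNameFormat=%s@example.local
# 636 = LDAP over TLS; AD answers on it only once a server certificate is installed
ldap.authentication.java.naming.provider.url=ldaps://dc01.example.local:636
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=alfresco-admin

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# Plain domain user with read access: the sync never writes to AD
ldap.synchronization.java.naming.security.principal=alfresco-sync@example.local
ldap.synchronization.java.naming.security.credentials=CHANGE_ME
ldap.synchronization.userSearchBase=ou\=People,dc\=example,dc\=local
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=example,dc\=local
# AD object classes and attribute names differ from inetOrgPerson/groupOfNames
ldap.synchronization.personType=user
ldap.synchronization.groupType=group
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule on userAccountControl:
# bit 512 (NORMAL_ACCOUNT) selects user objects rather than computer accounts, and
# the extra clause on bit 2 (ACCOUNTDISABLE) keeps disabled accounts out of the export
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(whenChanged<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
# AD timestamps live in whenChanged and look like 20170625120000.0Z
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
```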

[image: giuseppe-urso-alfresco-ldap-11]

[image: giuseppe-urso-alfresco-ldap-12]

[image: giuseppe-urso-alfresco-ldap-13]


12 Comments

  1. George

    Thank you for your deep understanding document. It worked for me.

    For the past two weeks I have been working on Alfresco 4.2 integration with Liferay 6.2 for document management. I imported AD users successfully in both tools and they are all able to login individually. I would like to set up SSO and auto login in browsers. Please guide me to set up auto login and SSO for Alfresco.

    All your words are valuable for me. Thank you

    1. Giuseppe Urso

      Hi George,

      I'm happy to hear this post was useful!
      The scenario you've described is very common in an enterprise environment. The Alfresco-Liferay integration is a widely used practice. Unfortunately in this context I don't have a lot to say about the web SSO... As you've already figured out, this is my job and an Alfresco specialist is paid to do consulting, you know.
      However I can suggest you take a look at CAS, a widely used single sign-on solution for the web. It works well both with Alfresco and Liferay.

      Here are some links that could be useful:

      https://wiki.jasig.org/display/CAS/Home
      http://www.liferay.com/it/community/wiki/-/wiki/Main/CAS+Liferay+6+Integration
      https://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

      Giuseppe

  2. George Vincent

    Thank you Giuseppe Urso for your quick reply. Here is my situation and how I work. My Active Directory server is available on the intranet. I connected through Cisco Secure Mobility Client (VPN). When I try to access http://xx.xx.xx.xx:8080/alfresco the browser gives a pop up. It requires the intranet user credentials to login. Without this login pop up the user must be able to login (login must be done in the back end).

    Sorry to trouble you Urso, I am a student and I do some part time jobs. I am unable to pay you by now. Please help me.
    Thank you for your golden time.

    1. Giuseppe Urso

      George,

      when you request the URL http://host:8080/alfresco , what is the exact browser response?
      Does it show the default Alfresco login page?
      Reading your description, it seems that all HTTP requests are filtered by a proxy web server. The login popup could come from a web proxy. Alfresco does not have a popup login, but simply a web page form like the image I've posted in the article.

      If this is all wrong, then maybe you want direct access into Alfresco without a login page. In this case, as I already said, you must configure a web SSO like CAS.

      Remember that Alfresco, like Liferay, contains private areas, so you must be logged in to see their pages. Use CAS as the central front-end login system. It will manage the authentication chain to your back-end applications like Alfresco, Liferay and so on.

      PS: You have posted the same reply two times. Next time, please post a single comment.
      Giuseppe

    2. George Vincent

      I am using cas-server-4.0.0-release and apache-tomcat-7.0.55. When I run Tomcat I get this

      Error:You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS

      I googled but I could not fix it.

      I followed this demo document till step 4: https://wiki.jasig.org/display/CASUM/Demo

      In the server.xml file I added

      and uncommented

      I did nothing more than that. I also tried with an old version of CAS but Tomcat remains the same.

  3. Vivek

    Hi,

    I have a similar requirement like the one Mr. George explained. Are you available to do this task for me? We can negotiate on the amount. Please give me your Skype details or email details. I will get in touch with you directly.

  4. George Vincent

    Hi friends,

    I am using cas-server-4.0.0-release and apache-tomcat-7.0.55. When I run Tomcat I get this Error:You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS. I googled but I could not fix it. I followed this demo document till step 4: https://wiki.jasig.org/display/CASUM/Demo. In the server.xml file I added and uncommented. I did nothing more than that. I also tried with an old version of CAS but Tomcat remains the same.

    1. Giuseppe Urso

      Hi,

      as the error message says, you must configure CAS to work with HTTPS (pay attention, not HTTP). The CAS official wiki says:
      “By default, CAS only sends the single sign on cookie (CASTGC) over secure connections; in other words it is not sent over a plain HTTP channel”.

      In order to successfully enable the Tomcat HTTPS connector, you need a keystore. For example you can use “keytool” to create a self-signed certificate. When you uncomment the SSL entries in the server.xml file, you must have a keystore and a truststore to ensure the HTTPS channel.

      Take a look here:
      http://www.maximporges.com/2009/11/18/configuring-tomcat-ssl-clientserver-authentication/

      Giuseppe
