September 18, 2019

Alfresco LDAP integration – Two examples Netscape DS and Active Directory

The Alfresco Authentication Chain supports multiple alternative implementations of authentication subsystem, each designed to work with one of the different types of back-end authentication systems like AD, LDAP, Kerberos, alfrescoNtlm (default in the built-in auth) or other external servers. The Alfresco official wiki shows the following table with the list of the authentication subsystem types supplied with Alfresco.

giuseppe-urso-alfresco-ldap-00
In this post I show how to integrate Alfresco with the two LDAP subsystems, OpenLDAP and Active Directory. More info about the Alfresco Authentication Susbsystems can be found here.

    

EXAMPLE 1. – Subsystem ldap, integration with Netscape Directory Server (NDS)

In this example I use a rebuild of Netscape Directory Server (NDS) called CentOS Directory Server, a LDAP solution for CentOS Linux server distributions. Other LDAP systems coming from NDS are: Red Hat Directory Server, Fedora 389 Directory Server, Sun One Directory Server. To test and better manipulate ldap users, I use JXplorer, a open source ldap client written in java. Here the application stack.

Alfresco: Community 4.0.e
LDAP Server: CentOS Directory Server 8.2
LDAP Client: JXplorer 3.3

The first operation to do is a test of ldap connection using the anonymous access against the ldap server CentOS-DS (LDAPv3).

 giuseppe-urso-alfresco-ldap-01

giuseppe-urso-alfresco-ldap-02

Furthermore we can test ldap authentication using the credentials of a user. Use the full Distinguished Name (DN) in the BIND request, here two examples:

DN: cn=Lara Croft,ou=People,dc=foocorp,dc=com
DN: uid=lara.croft,ou=People,dc=foocorp,dc=com

Pay attention to the attributes cn and uid in the DN. The exact DN expression is very important in order to correctly set ldap.authentication.userNameFormat, the Alfresco property that specifies how to map the user identifier entered by the user in the login.

giuseppe-urso-alfresco-ldap-03

Here the ldif format for LDAP Users and Groups in this example.

– LDAP USER

DN: uid=lara.croft,ou=People,dc=foocorp,dc=com
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: Lara Croft
givenName: Lara
sn: Croft
uid: lara.croft

 

– LDAP GROUP

DN: cn=R&D,ou=Groups,dc=foocorp,dc=com
objectClass: groupOfUniqueNames
objectClass: top
cn: R&D
description: Research and Development
uniqueMember: uid=lara.croft,ou=People,dc=foocorp,dc=com
uniqueMember: uid=sailor.popeye,ou=People,dc=foocorp,dc=com
uniqueMember: uid=ufo.robot,ou=People,dc=foocorp,dc=com
uniqueMember: uid=lupin.3,ou=People,dc=foocorp,dc=com

In this example I also configure the LDAP syncronization mechanism based on the Alfresco “user registry export” service. Here the four steps to integrate Alfresco with Centos-DS LDAP server (authentication and syncronization).

1. Create the properties files to configure myldap instance

$ mkdir {ALFRESCO_HOME}/shared/classes/alfresco/extension/subsystems/Authentication/myldap
$ cd {ALFRESCO_HOME}/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/
$ cp  ./ldap/*.properties {ALFRESCO_HOME}/shared/classes/alfresco/extension/subsystems/Authentication/ldap/myldap

 

2. Edit the file ldap-authentication.properties to define myldap set up

ldap.authentication.active=true
# Full DN format to login
ldap.authentication.userNameFormat=uid=%s,ou=People,dc=foocorp,dc=com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.101:389

ldap.synchronization.active=true
# Anonymous access for sync
ldap.synchronization.java.naming.security.authentication=none

ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou\=Groups,dc\=foocorp,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=foocorp,dc\=com

ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=groupOfUniqueNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=uniqueMember

 

3. Add the following properties to the alfresco-global.properties file

# LDAP
authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap
synchronization.sinchronyzeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
synchronization.import.cron=0 0 18 * * ?

 

4. Optionally enable debugging in the log4j.properties file

#LDAP 
log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
log4j.logger.org.alfresco.repo.security.sync=debug
#log4j.logger.org.alfresco.repo.security.sync=info

Follows the user name format I set in Alfresco:

ldap.authentication.userNameFormat=uid=%s,ou=People,dc=foocorp,dc=com

If no errors occurs you will get the following log messages on Alfresco bootstrap (synchronization.syncOnStartup=true).

giuseppe-urso-alfresco-ldap-04

giuseppe-urso-alfresco-ldap-05

giuseppe-urso-alfresco-ldap-06

EXAMPLE 2. – Subsystem ldap-ad, integration with  Microsoft Active Directory

In this example I integrate Alfresco and Microsoft Acrive Directroy. I use a test environment where a instance of  Microsoft Active Directory Server 2003 is running. Here the application stack.

Alfresco: Community 4.0.e
LDAP Server: Microsoft Active Directory 2003
LDAP Client: JXplorer 3.3

I create the two Organiztional Units Groups and People for groups and users.

giuseppe-urso-alfresco-ldap-07

giuseppe-urso-alfresco-ldap-08

Use JXplorer to test the ldap connection and authentication. Insert the full Distinguished Name (DN) in the BIND request. In this case I use the cn attribute in the full DN:

DN: CN=ian hill,OU=People,DC=adsrv,DC=foocorp,DC=com

 

giuseppe-urso-alfresco-ldap-09

giuseppe-urso-alfresco-ldap-10

Follows the ldif format for LDAP Users and Groups in this example.

– LDAP-AD Group

DN: CN=R&D,OU=Groups,DC=adsrv,DC=foocorp,DC=com
objectClass: top
objectClass: group
cn: R&D
description: Research and Development Department
distinguishedName: CN=R&D,OU=Groups,DC=adsrv,DC=foocorp,DC=com
groupType: -2147483646
instanceType: 4
member: CN=steve harris,OU=People,DC=adsrv,DC=foocorp,DC=com
member: CN=jimi hendrix,OU=People,DC=adsrv,DC=foocorp,DC=com
name: R&D
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=adsrv,DC=foocorp,DC=com
objectGUID:: RmNuVu+/ve+/vSxJ77+9RUt0Xkfvv70Y
objectSid:: AQUAAAAAAAUVAAAA77+977+9be+/ve+/vTnvv71xS++/ve+/vQZUBAAA
sAMAccountName: R&D
sAMAccountType: 268435456

– LDAP-AD User

DN: CN=brian may,OU=People,DC=adsrv,DC=foocorp,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
accountExpires: 9223372036854775807
cn: brian may
displayName: brian may
distinguishedName: CN=brian may,OU=People,DC=adsrv,DC=foocorp,DC=com
givenName: brian
memberOf: CN=Production,OU=Groups,DC=adsrv,DC=foocorp,DC=com
name: brian may
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=adsrv,DC=foocorp,DC=com
sAMAccountName: brian.may
sAMAccountType: 805306368
sn: may
userAccountControl: 512
userPrincipalName: brian.may@adsrv.foocorp.com

For the user name format in Alfresco I use the following expression:

sAMAccountName@adsrv.foocorp.com

Here the four steps to integrate Alfresco with Microsoft Active Directory server (authentication and syncronization).

1. Create the properties files to configure myldap instance

$ mkdir {ALFRESCO_HOME}/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/myldap
$ cd {ALFRESCO_HOME}/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/
$ cp  ./ldap-ad/*.properties {ALFRESCO_HOME}/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/myldap

2. Edit the file ldap-authentication.properties to define myldap set up

ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@adsrv.foocorp.it
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.56.106:389

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=ian.hill@adsrv.foocorp.it
ldap.synchronization.java.naming.security.credentials=12345

ldap.synchronization.groupQuery=(objectclass\=*)
ldap.synchronization.groupDifferentialQuery=(objectclass\=*)

ldap.synchronization.personQuery=(objectclass\=*)
ldap.synchronization.personDifferentialQuery=(objectclass\=*)

ldap.synchronization.groupSearchBase=ou\=Groups,dc\=adsrv,dc\=foocorp,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=adsrv,dc\=foocorp,dc\=com

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

3. Add the following properties to the alfresco-global.properties file

# LDAP
authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap-ad
synchronization.sinchronyzeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
synchronization.import.cron=0 0 18 * * ?

4. Optionally enable debugging in the log4j.properties file

#LDAP 
log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
log4j.logger.org.alfresco.repo.security.sync=debug
#log4j.logger.org.alfresco.repo.security.sync=info

giuseppe-urso-alfresco-ldap-11

giuseppe-urso-alfresco-ldap-12

giuseppe-urso-alfresco-ldap-13

Related posts

13 Comments

  1. George

    Thank you for your deep understanding document. It worked for me.

    Past two weeks i am working on alfresco 4.2 integration with liferay 6.2 for document management. I imported AD users success in both tools and they are all able to login individually. I would like to set up SSO and auto login in browsers. Please guide me to set up auto login and SSO for alfresco.

    All your words valuable for me.Thank you

    Reply
    1. Giuseppe Urso

      Hi Gerorge,

      I’m happy to hear this post was useful!
      The scenario you’ve described is very common in a enterprise environment. The Alfresco-Liferay integration is a widely used practice. Unfortunately in this context I don’t have a lot to say about the web SSO…As you’ve already figured out, this is my job and an Alfresco specialist is paid to do consulting, you know.
      However I can suggest you to take a look at CAS, a widely used single sign-on solution for the web. It works well both with Alfresco and Liferay.

      Here is some links that could be useful:

      https://wiki.jasig.org/display/CAS/Home
      http://www.liferay.com/it/community/wiki/-/wiki/Main/CAS+Liferay+6+Integration
      https://wiki.alfresco.com/wiki/Central_Authentication_Service_Configuration

      Giuseppe

  2. George Vincent

    Thank you Giuseppe Urso for your quick reply. Here is my situation how do i work. My active directory server is available in intranet. i connected through Cisco Secure mobility client (VPN). When i try to access http://xx.xx.xx.xx:8080/alfresco the browser gives pop up. It requires for intranet user credential to login. With out this login pop up user must be able to login(Login must done in back end).

    Sorry to trouble Urso, i am a student and i do some part time jobs. i am unable to pay you by now. please help me.
    Thank you for your golden time.

    Reply
    1. Giuseppe Urso

      George,

      when you ask for the url http://host:8080/alfresco , what is the exact browser response?
      Does it show the default Alfresco login page ?
      Reading your description, It seems that all http requests are filtered by a proxy web server. The login popup could come from a web proxy. Alfresco has not a popup login, but simply a web page form like the image I’ve posted in the article.

      If this is all wrong, then maybe you want a direct access into Alfresco without a login page. In this case, as I already said, you must configure a web SSO like CAS.

      Remember that Alfresco like Liferay contain private areas so you must be logged in to see their pages. Use CAS as central front-end login system. It will manages the authentication chain to your back-end applications like Alfresco, Liferay and so on.

      PS: You have posted the same reply two time. Please the next time, post a single comment.
      Giuseppe

    2. George Vincent

      I am using cas-server-4.0.0-release and apache-tomcat-7.0.55 When i run tomcat i get this

      Error:You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS

      i googled but i could not fixed it

      i followed this demo document till step:4 https://wiki.jasig.org/display/CASUM/Demo

      in server.xml file i added

      and un commented

      i did nothing more than that also i tried with old version of CAS but tomcat remains the same

  3. Vivek

    Hi,

    I have a similar requirement like the one Mr.George explained. Are you available to do this task for me? We can negotiate on the amount. Please give me your skype details or email details. I will touch you directly.

    Reply
  4. George Vincent

    Hi friends,

    I am using cas-server-4.0.0-release and apache-tomcat-7.0.55 When i run tomcat i get this Error:You are currently accessing CAS over a non-secure connection. Single Sign On WILL NOT WORK. In order to have single sign on work, you MUST log in over HTTPS. I googled but i could not fixed it. I followed this demo document till step:4 https://wiki.jasig.org/display/CASUM/Demo in server.xml file. I added and un commented i did nothing more than that also i tried with old version of CAS but tomcat remains the same

    Reply
    1. Giuseppe Urso

      Hi,

      as the error message says you must configure CAS to work with HTTPS (pay attention, no HTTP). The CAS official wiki writes:
      “By default, CAS only sends the single sign on cookie (CASTGC) over secure connections; in other words it is not sent over a plain HTTP channel”.

      In order to successfully enable the Tomcat HTTPS connector, you need a keystore. For example you can use “keytool” to create a self-signed certificate. When you uncomment the SSL entries in the server.xml file, you must have a keystore and a truststore to ensure the HTTPS channel.

      Take a look here:
      http://www.maximporges.com/2009/11/18/configuring-tomcat-ssl-clientserver-authentication/

      Giuseppe

Leave a Reply

Your email address will not be published.