Good day,
I'm in the middle of my first Alfresco installation and configuration and need some assistance configuring Alfresco to work with Active Directory over SSL.
Here's a summary of what I've done so far:
- Exported the certificate from my AD server
- Imported the cert into the default keystore: C:\alfresco-current\alf_data\keystore\ssl.keystore via the command:
keytool -importcert -alias myad.mydomain -file cert.crt -keystore C:\alfresco-current\alf_data\keystore\ssl.keystore -storetype JCEKS
(Was I supposed to import this cert into the default keystore?)
alfresco-global.properties
### LDAP Configuration ###
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
# Disable guest logins
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldaps://myserver.mydomain:636
ldap.authentication.defaultAdministratorUserNames=svc-alfresco
ldap.synchronization.java.naming.security.principal=svc-alfresco
ldap.synchronization.java.naming.security.credentials=<redacted>
ldap.synchronization.groupSearchBase=OU=SecurityGroups,OU=Groups,OU=Accounts,DC=mydomain
ldap.synchronization.userSearchBase=OU=Users,OU=Groups,OU=Accounts,DC=mydomain
Here's the error I'm seeing in the alfresco.log:
2018-05-31 13:37:46,122 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] [localhost-startStop-1] Unable to connect to LDAP Server; check LDAP configuration
javax.naming.CommunicationException: simple bind failed: myad.mydomain:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
I've been trying to piece all the documentation together to try to troubleshoot this issue, but I'm not getting very far and could use some help from some experienced users in where to go from here.
Any help would be appreciated.
The ssl.keystore is only used for communication between Repository and SOLR. It is inconsequential for communication with LDAP / AD over SSL. In order to use LDAPS, the subsystem provides its own properties for configuring a specific keystore as the truststore. Look for the "ldap.authentication.truststore.xx" settings in the documentation. Of course you could re-use the ssl.truststore for this and add the certificate for the Active Directory server (or for the signing CA) in there.
Thanks Axel. I've got the Active Directory integration working now over SSL. I did a reinstall of Alfresco to restore the ssl.keystore to its original state and imported the AD cert into an ldap.keystore file. After an issue with needing to use escape characters in the alfresco-global.properties file to point to the new keystore file, everything started up properly with no errors in the log. I was then able to log in using my AD account.
I'll now mark this question as solved.
Thanks again.
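Added example (not code from this thread, from Alfresco, or from any of the posters) putting the two points above together: Axel's advice to give the ldap-ad subsystem its own truststore instead of touching ssl.keystore, and the escape-character problem the original poster hit when pointing alfresco-global.properties at a Windows path. It assumes openssl and the JDK keytool are on PATH, that the "ldap.authentication.truststore.xx" settings are the documented ldap.authentication.truststore.path/passphrase/type properties, and that host, alias, store path and passphrase are placeholders to replace.

```shell
#!/usr/bin/env bash
# Build a dedicated JCEKS truststore for Alfresco's ldap-ad subsystem and
# emit the alfresco-global.properties lines that reference it.
# Placeholders (not values from the thread): host, alias, store path, passphrase.
set -e

# Pull the certificate the AD server presents on 636 (leaf cert only, PEM).
# If the DC uses an internal CA, import that CA instead so a renewed DC
# certificate does not break the bind again.
fetch_ad_cert() {                       # fetch_ad_cert HOST PORT OUTFILE
  local host="$1" port="$2" out="$3"
  openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
  # Print subject/issuer/expiry so you know exactly what you are about to trust.
  openssl x509 -in "$out" -noout -subject -issuer -enddate
}

# Import the PEM into a truststore used only for LDAPS; ssl.keystore stays untouched.
import_into_truststore() {              # import_into_truststore CERT STORE PASS ALIAS
  local cert="$1" store="$2" pass="$3" alias="$4"
  keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
    -keystore "$store" -storetype JCEKS -storepass "$pass"
  # Confirm the entry is present under the expected alias.
  keytool -list -keystore "$store" -storetype JCEKS -storepass "$pass" | grep -i "$alias"
}

# Java .properties files treat '\' as an escape character, so a Windows path such as
# C:\alfresco-current\alf_data\keystore\ldap.truststore must be written with doubled
# backslashes (forward slashes also work on a Windows JVM). POSIX paths pass through.
escape_properties_path() {              # escape_properties_path PATH
  printf '%s' "$1" | sed 's/\\/\\\\/g'
}

# Emit the three truststore properties for alfresco-global.properties.
truststore_properties() {               # truststore_properties STORE_PATH PASS
  printf 'ldap.authentication.truststore.path=%s\n' "$(escape_properties_path "$1")"
  printf 'ldap.authentication.truststore.passphrase=%s\n' "$2"
  printf 'ldap.authentication.truststore.type=JCEKS\n'
}

# Example run (placeholders):
#   fetch_ad_cert myad.mydomain 636 ad.pem
#   import_into_truststore ad.pem /opt/alfresco/alf_data/keystore/ldap.truststore changeit myad.mydomain
#   truststore_properties 'C:\alfresco-current\alf_data\keystore\ldap.truststore' changeit
```

Paste the emitted lines into alfresco-global.properties, restart, and the PKIX "unable to find valid certification path" error should no longer appear for the ldaps:// URL.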
Sir, can I see your config in alfresco-global.properties?