Active Directory over SSL

Member II

Active Directory over SSL


Good day,

I'm in the middle of my first Alfresco installation and configuration and need some assistance configuring Alfresco to work with Active Directory over SSL.

Here's a summary of what I've done so far:

- Exported the certificate from my AD server

- Imported the cert into the default keystore: C:\alfresco-current\alf_data\keystore\ssl.keystore via the command:

keytool -importcert -alias myad.mydomain -file cert.crt -keystore C:\alfresco-current\alf_data\keystore\ssl.keystore -storetype JCEKS (was I supposed to import this cert into the default keystore?)

alfresco-global.properties

### LDAP Configuration ###

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
# Disable guest logins
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldaps://myserver.mydomain:636
ldap.authentication.defaultAdministratorUserNames=svc-alfresco
ldap.synchronization.java.naming.security.principal=svc-alfresco
ldap.synchronization.java.naming.security.credentials=<redacted>
ldap.synchronization.groupSearchBase=OU=SecurityGroups,OU=Groups,OU=Accounts,DC=mydomain
ldap.synchronization.userSearchBase=OU=Users,OU=Groups,OU=Accounts,DC=mydomain

Here's the error I'm seeing in the alfresco.log:
2018-05-31 13:37:46,122 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] [localhost-startStop-1] Unable to connect to LDAP Server; check LDAP configuration
javax.naming.CommunicationException: simple bind failed: myad.mydomain:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)

I've been trying to piece all the documentation together to try to troubleshoot this issue, but I'm not getting very far and could use some help from some experienced users in where to go from here.

Any help would be appreciated.

Accepted Solution
Master

Re: Active Directory over SSL


The ssl.keystore is only used for communication between Repository and SOLR. It is inconsequential for communication with LDAP / AD over SSL. In order to use LDAPS, the subsystem provides its own properties for configuring a specific keystore as the truststore. Look for the "ldap.authentication.truststore.xx" settings in the documentation. Of course you could re-use the ssl.truststore for this and add the certificate for the Active Directory server (or for the signing CA) in there.


2 Replies

Member II

Re: Active Directory over SSL


Thanks Axel. I've got the Active Directory integration working now over SSL. I did a reinstall of Alfresco to restore the ssl.keystore to its original state and imported the AD cert into an ldap.keystore file. After an issue with needing to use escape characters in the alfresco-global.properties file to point to the new keystore file, everything started up properly with no errors in the log. I was then able to log in using my AD account.

I'll now mark this question as solved.

Thanks again.
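The escape-character problem mentioned in the last reply comes from the Java properties loader, which treats a backslash as an escape and silently mangles an unescaped Windows keystore path. The following added example (not code from the thread or from Alfresco) reproduces that unescaping and emits correctly escaped lines for the separate LDAP truststore the accepted answer describes; the exact property names (ldap.authentication.truststore.path / .type / .passphrase) are assumed from the Alfresco documentation and should be confirmed against your release.

```python
r"""Why a Windows truststore path must be escaped in alfresco-global.properties.

java.util.Properties.load treats '\' as an escape character, so an unescaped
path like C:\alfresco-current\alf_data\keystore\ldap.keystore is read back with
every backslash dropped (\a -> a, \k -> k, ...). These helpers reproduce the
loader's behaviour and emit correctly doubled backslashes.
"""
import string

# Assumed property names from the Alfresco LDAP subsystem docs; verify locally.
TRUSTSTORE_KEYS = (
    "ldap.authentication.truststore.path",
    "ldap.authentication.truststore.type",
    "ldap.authentication.truststore.passphrase",
)

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape_properties_value(raw: str) -> str:
    """Decode a value the way java.util.Properties.load would."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break  # trailing backslash is a line continuation, adds nothing
        nxt = raw[i]
        hexpart = raw[i + 1:i + 5]
        if nxt == "u" and len(hexpart) == 4 and all(c in string.hexdigits for c in hexpart):
            out.append(chr(int(hexpart, 16)))  # \uXXXX unicode escape
            i += 5
        else:
            # \\ -> \ ; \t etc. -> control char ; any other \x -> x
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 1
    return "".join(out)


def escape_properties_value(value: str) -> str:
    """Double every backslash so the loader returns the value unchanged."""
    return value.replace("\\", "\\\\")


def truststore_properties(path: str, passphrase: str, store_type: str = "JCEKS") -> dict:
    """Build the three truststore properties with loader-safe values."""
    values = (path, store_type, passphrase)
    return {k: escape_properties_value(v) for k, v in zip(TRUSTSTORE_KEYS, values)}


def render(props: dict) -> str:
    """Render the properties as lines ready to paste into alfresco-global.properties."""
    return "\n".join(f"{k}={v}" for k, v in props.items())
```

Using forward slashes (C:/alfresco-current/...) is the other common fix, since Java accepts them on Windows and they need no escaping.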