Encrypting LDAP setting for 2 LDAP connectors

brian12
Member II

Encrypting LDAP setting for 2 LDAP connectors

We are currently on Alfresco 5.2.3 connected to 2 different LDAP servers and need to encrypt the password at the sub level. Is there a way to do 2 different LDAP servers? We understand that encryption can be set at the Global level for 1 LDAP Server.


1 Reply
afaust
Master

Re: Encrypting LDAP setting for 2 LDAP connectors

As encryption of alfresco-global.properties is a feature of Alfresco Enterprise (5.2.3 is an Enterprise version after all) you should contact Alfresco Support with that inquiry. From my past experiences and the code handling subsystems such as LDAP in Alfresco, I seriously doubt that such a use case is supported at all. It may be possible to create a workaround though using Spring property placeholders so that you can reference the password config setting in the unencrypted LDAP configuration properties while its value is actually stored in the encrypted global properties file.


E.g. in ../webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/additional.properties file you could define the following (empty) default properties:

ldap.synchronization.server1.password=
ldap.synchronization.server2.password=

Then, in the encrypted global properties file you can actually set values for these properties.

Finally, in the LDAP subsystem instances (e.g. ../shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/custom-additional.properties) you can then set

ldap.synchronization.java.naming.security.credentials=${ldap.synchronization.server1.password}


Explanation:

  1. I am not using Enterprise a lot these days and have certainly not tried this myself - so no guarantees
  2. Defining the empty, dummy properties in the first file is required because Alfresco does not automatically propagate every setting from global properties to subsystems - only those that match the keys defined in those subsystem configuration templates
  3. Using ${} effectively means "resolve the value of another configuration property at runtime", so using this to reference the password configuration property from the encrypted global properties avoids having to put the raw password in the unencrypted subsystem config file
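As an added illustration (not code from this thread or from Alfresco), a small Python model of the layered resolution described in the reply above: the propagation rule (only keys declared in the subsystem template are taken from the global properties) and the `${...}` expansion are assumptions taken from the reply, and the sample property files and secret values are constructed.

```python
import re
from typing import Dict

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines; blank and '#' lines are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def effective_config(template: Dict[str, str], global_props: Dict[str, str],
                     instance: Dict[str, str]) -> Dict[str, str]:
    """Assumed propagation rule from the reply: a subsystem starts from its
    template keys, takes global values only for those keys, and the instance
    file (custom-additional.properties) overrides on top."""
    cfg = {k: global_props.get(k, v) for k, v in template.items()}
    cfg.update(instance)
    return cfg

def resolve(cfg: Dict[str, str], key: str, depth: int = 0) -> str:
    """Expand ${other.key} references; unknown keys are left literal."""
    def expand(m: "re.Match[str]") -> str:
        ref = m.group(1)
        if ref in cfg and depth < 10:
            return resolve(cfg, ref, depth + 1)
        return m.group(0)
    return PLACEHOLDER.sub(expand, cfg.get(key, ""))

# Constructed sample files; the secret values are placeholders, not real credentials.
TEMPLATE = "ldap.synchronization.server1.password=\nldap.synchronization.server2.password=\n"
GLOBAL = ("ldap.synchronization.server1.password=CONSTRUCTED-secret-1\n"
          "ldap.synchronization.server2.password=CONSTRUCTED-secret-2\n")
INSTANCE = ("ldap.synchronization.java.naming.security.credentials="
            "${ldap.synchronization.server1.password}\n")
CRED = "ldap.synchronization.java.naming.security.credentials"

def resolve_credentials(with_dummy_keys: bool) -> str:
    """Credential value the server1 subsystem sees, with or without the dummy keys."""
    template = parse_properties(TEMPLATE) if with_dummy_keys else {}
    cfg = effective_config(template, parse_properties(GLOBAL),
                           parse_properties(INSTANCE))
    return resolve(cfg, CRED)
```

Under this model, `resolve_credentials(True)` yields the global value while `resolve_credentials(False)` leaves the placeholder unexpanded, which is why step 2 of the explanation matters.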