Alfresco 3, AD NTLM, LDAP Sync Issue
04-06-2009 11:25 AM
I have NTLM Authentication working and I can access the CIFS shares as a user without a problem. My issue is with LDAP sync; I cannot seem to get it working. When I configure ldap-authentication.properties I can no longer get into Alfresco.
[#|2009-04-06T14:22:40.227+0000|INFO|sun-appserver2.1|org.springframework.beans.factory.support.DefaultListableBeanFactory|_ThreadID=16;_ThreadName=pool-1-thread-8;|Overriding bean definition for bean 'authenticationComponent': replacing [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ntlm-authentication-context.xml]] with [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ldap-authentication-context.xml]]|#]
[#|2009-04-06T14:22:49.839+0000|WARNING|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;_RequestID=7eaa0fa6-d2cf-457f-afee-7e2c50868f75;|LDAP server supports anonymous bind ldap://<ip address>|#]
[#|2009-04-06T14:22:49.860+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a string uid and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.881+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.913+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://<ip address>|#]
I have tested the account who has delegated rights to the domain via ldapsearch without any problems.
ldap-authentication.properties
## This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s
ldap.authentication.userNameFormat=%s@company-inc.net
# also tried company-inc\%s and %s
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://<ip address>
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=password
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
#
# This properties file is used to configure LDAP synchronisation
#
# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=organizationalPerson)
# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider
# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=group)
# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net
# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn
# The group type in LDAP
ldap.synchronisation.groupType=group
# The person type in LDAP
ldap.synchronisation.personType=organizationalPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member
# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 30 * * * ?
# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?
# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=false
After I enable ldap-auth and ldap sync xmls, I get the above error and CIFS doesn't start nor can I login.
04-06-2009 12:15 PM
Hi,
I think you forgot to specify the IP/DNS of the LDAP-Server:
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://<ip address>
Greetings
Steffen
04-06-2009 12:56 PM
I took that info, out as well as passwords and the Domain of the application server.
04-06-2009 12:57 PM
I also tested against an OpenLDAP server with no problem; of course I need CIFS, so NTLM it needs to be.
04-06-2009 04:22 PM
I have ldap-authentication working and the user accounts synced. CIFS will only work in passthru mode, but NTLM users cannot log into the CIFS share. So if you use ldap-sync you lose NTLM, and so you lose CIFS SSO. Is this correct? If so, how do you manage groups in AD for Alfresco? How do you get all the users in? file-server.xml with Alfresco or enterprise won't work if you are using ldap-auth. So how do you import AD accounts using the ldap-sync?
04-10-2009 03:14 PM
[#|2009-04-06T14:22:49.913+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://<ip address>|#]
This suggests to me it is not even binding correctly.
It probably worked on OpenLDAP because OpenLDAP will anonymously bind until you explicitly forbid it. AD will not anonymously bind till you make it.
What does your NTLM and file-server configuration look like? The file servers are a bit picky with the NTLM syntax.
file-server.xml has nothing to do with LDAP sync. You can set the file servers to use pass-through to the LDAP, but that won't do anything about the sync.
When you have both NTLM and LDAP enabled, NTLM should override LDAP. Though it sounds like something is a bit funky. Did you change any other authentication files?
NTLM will give you SSO. LDAP will not.
If you only want to use NTLM you will have to manually enter user details (email, phone, etc).
With both NTLM and LDAP a user account is created as soon as they log into Alfresco. You do not need to sync; as soon as they correctly authenticate they are allowed in.
I would not use SYNC for groups because Share creates its own groups and SYNC will do one of two things: it will either delete these groups when Alfresco sees they are not in AD, or Alfresco will only be able to add users to groups. Depending on your network size you may only want to sync once and handle user details and group changes by hand.
Try this…
Auth file:
ldap.authentication.userNameFormat=%s
Better safe than sorry with the port:
ldap.authentication.java.naming.provider.url=ldap://<ip address>:389
Don't know if it counts, but mine is caps… I remember caps grief somewhere in here, don't know where though:
ldap.authentication.java.naming.security.authentication=SIMPLE
Again verify capitalization… I think it gave me grief before. This is my capitalization pattern:
ldap.authentication.java.naming.security.principal=CN=Alfresco Ldap,CN=Users,DC=COMPANY,DC=net
Yours should be valid, but this is mine:
ldap.synchronisation.personQuery=(objectclass=user)
And the search file:
Again check caps… I would guess it would be more like this. Your path here and above don't match, even if you did scrub them?
ldap.synchronisation.personSearchBase=OU=Users,OU=pkmm,DC=PKMM-INC,DC=net
This isn't required information in AD; have you filled it in? If not, 'o' does not exist.
ldap.synchronisation.userOrganizationalIdAttributeName=o
Shouldn't matter, but I used user:
ldap.synchronisation.personType=user
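A small config linter for the pitfalls raised in this thread, added here as an example and not Alfresco's or either poster's code: it reads the two properties files and flags a placeholder host, a missing port, sync search bases whose DC components differ from the bind principal's (the scrubbed paths above do not match), a personQuery objectclass that disagrees with personType, and reliance on the optional AD attribute 'o'. SAMPLE is a constructed copy of the original poster's scrubbed settings.

```python
import re

# Constructed sample: the poster's scrubbed auth and sync settings, side by side.
SAMPLE = """
ldap.authentication.java.naming.provider.url=ldap://<ip address>
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
ldap.synchronisation.personQuery=(objectclass=organizationalPerson)
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net
ldap.synchronisation.personType=organizationalPerson
ldap.synchronisation.userOrganizationalIdAttributeName=o
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def domain_components(dn):
    """Lower-cased DC= values of a DN, e.g. ['company-inc', 'net']."""
    parts = [p.strip() for p in dn.split(",")]
    return [p[3:].lower() for p in parts if p.lower().startswith("dc=")]

def check_ldap_config(props):
    """Return findings for the pitfalls raised in the thread; an empty list means clean."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    if re.search(r"<[^>]+>", url):
        findings.append("provider.url still contains a placeholder host")
    if not re.search(r":\d+/?$", url):
        findings.append("provider.url has no explicit port (:389, or :636 for LDAPS)")
    principal_dc = domain_components(props.get("ldap.authentication.java.naming.security.principal", ""))
    for key in ("ldap.synchronisation.personSearchBase", "ldap.synchronisation.groupSearchBase"):
        base = props.get(key, "")
        if base and domain_components(base) != principal_dc:
            findings.append(f"{key} is in a different domain than the bind principal (scrubbing or typo?)")
    query = props.get("ldap.synchronisation.personQuery", "")
    ptype = props.get("ldap.synchronisation.personType", "")
    match = re.search(r"objectclass=([^)&|]+)", query, re.IGNORECASE)
    if match and ptype and match.group(1).strip().lower() != ptype.lower():
        findings.append("personQuery objectclass and personType disagree")
    if props.get("ldap.synchronisation.userOrganizationalIdAttributeName") == "o":
        findings.append("'o' is optional on AD user objects; confirm it is populated or drop the mapping")
    return findings
```

Concatenate your ldap-authentication.properties and ldap-synchronisation.properties into one string and pass it through `check_ldap_config(parse_properties(...))`; the SAMPLE above yields five findings.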
04-21-2009 03:45 PM
I will give that a try. I did use :389 in the server address. I wasn't paying attention to case in the config for the Windows configs. I am also running Glassfish, so Share doesn't work with that. Maybe in the next release.
Thanks
Matt