Ldap over SSL

resplin

Obsolete page

The official documentation is at: http://docs.alfresco.com





LDAP Authentication with SSL


This is a quick guide to configuring Alfresco to authenticate against an OpenLDAP server
over an SSL channel, so that the communication is encrypted.


Configuration Files


On Alfresco 4.2 and possibly older versions too, add these entries to tomcat/shared/classes/alfresco-global.properties. The alfrescoNtlm authentication has been left in place in the example below as a fall-back authentication option.

ldap.authentication.active=true
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.userNameFormat=cn=%s,o=users,ou=YOURCOMPANY,dc=COM
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.read.timeout=30000
ldap.authentication.java.naming.provider.url=ldaps://YOURLDAPSERVER:636

Pay special attention to the base DN ou=Users,dc=YOURCOMPANY,dc=COM (and the other DNs) in the examples; adapt them to your OpenLDAP schema.

Note the line ldaps://YOURLDAPSERVER:636: the ldaps scheme and port 636 select the SSL-protected connection.

You can also add these properties to synchronise users and groups from LDAP to Alfresco.

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=PRINCIPLEUSER
ldap.synchronization.java.naming.security.credentials=YOURPASSWORD
ldap.synchronization.userSearchBase=o=users,ou=YOURCOMPANY,dc=COM
ldap.synchronization.groupSearchBase=o=GROUPNAME,ou=YOURCOMPANY,dc=COM

The property ldap.synchronization.java.naming.security.principal is the username of the account with permission
to search the LDAP base. In most cases this parameter can be left empty; it is only required to synchronise users from the LDAP database to Alfresco.
Adapt o=users,ou=YOURCOMPANY,dc=COM, PRINCIPLEUSER, YOURPASSWORD and GROUPNAME to match your LDAP settings.

Passwords from LDAP do not seem to synchronise (confirmation required).
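As an added example (not part of the original page and not Alfresco code), the following Python script parses an alfresco-global.properties fragment like the one above and flags settings that weaken the LDAP authentication: a provider URL that is not ldaps:// (SIMPLE bind passwords would then cross the network in cleartext), an anonymous bind, guest login enabled, a userNameFormat without the %s placeholder, and synchronisation credentials configured for a plaintext connection. The property names are the ones shown above; the sample properties embedded in the script are constructed for the demonstration and deliberately contain two weak settings.

```python
"""Audit the ldap.* settings in an Alfresco alfresco-global.properties file.

Added example; not part of the original page and not Alfresco's own code.
It parses the properties and reports settings that weaken authentication.
"""
from urllib.parse import urlsplit

# Constructed sample: the page's configuration with two deliberate weaknesses
# (a plaintext ldap:// URL and guest login enabled) for the audit to find.
SAMPLE_PROPERTIES = """\
ldap.authentication.active=true
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.userNameFormat=cn=%s,o=users,ou=YOURCOMPANY,dc=COM
ldap.authentication.allowGuestLogin=true
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.read.timeout=30000
ldap.authentication.java.naming.provider.url=ldap://YOURLDAPSERVER:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=PRINCIPLEUSER
ldap.synchronization.java.naming.security.credentials=YOURPASSWORD
"""


def parse_properties(text):
    """Simplified Java .properties reader: key=value (or key:value) lines, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_ldap(props):
    """Return (severity, message) findings for the LDAP authentication and sync settings."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    parts = urlsplit(url)
    auth = props.get("ldap.authentication.java.naming.security.authentication", "").lower()

    if parts.scheme != "ldaps":
        findings.append(("HIGH", f"provider URL {url!r} is not ldaps://; "
                                 "SIMPLE bind passwords would cross the network in cleartext"))
    elif parts.port not in (None, 636):
        findings.append(("INFO", f"ldaps on non-standard port {parts.port}"))
    if auth == "none":
        # JNDI value "none" means an anonymous bind: no password is ever checked.
        findings.append(("HIGH", "security.authentication=none configures an anonymous bind"))
    if props.get("ldap.authentication.allowGuestLogin", "false").lower() == "true":
        findings.append(("MEDIUM", "allowGuestLogin=true admits unauthenticated users as guest"))
    fmt = props.get("ldap.authentication.userNameFormat", "")
    if fmt and "%s" not in fmt:
        findings.append(("HIGH", "userNameFormat has no %s placeholder; every login would bind as the same DN"))
    chain = props.get("authentication.chain", "")
    if "ldap" in chain and "alfrescoNtlm" in chain:
        findings.append(("INFO", "alfrescoNtlm is in the chain as fallback; internal Alfresco passwords stay valid"))
    if props.get("ldap.synchronization.active", "false").lower() == "true":
        principal = props.get("ldap.synchronization.java.naming.security.principal", "")
        creds = props.get("ldap.synchronization.java.naming.security.credentials", "")
        if creds and not principal:
            findings.append(("MEDIUM", "sync credentials are set but the principal is empty"))
        if principal and creds and parts.scheme != "ldaps":
            findings.append(("HIGH", "sync account password would be sent over plaintext LDAP"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ldap(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run against the configuration shown on this page (ldaps URL, guest login disabled) the only finding is the informational one about the alfrescoNtlm fallback, which is a reminder that the internal Alfresco passwords remain usable as long as that subsystem stays in the chain.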

In older versions (2008 or earlier) it may have been necessary to follow these configuration instructions instead (based on the previous information on this page; confirmation required).
You will need to edit alfresco/tomcat/shared/classes/alfresco/extension/ldap-authentication-context.xml.
If the file does not exist, a .sample version may be present in the same directory.

The file looks something like this:



<beans>
   <bean name='authenticationDao' class='org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao' >
       <property name='allowDeleteUser'>
           <value>false</value>
       </property>
   </bean>

   <bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl'>
       <property name='LDAPInitialDirContextFactory'>
           <ref bean='ldapInitialDirContextFactory'/>
       </property>
       <property name='userNameFormat'>
           <value>uid=%s,ou=Users,dc=YOURCOMPANY,dc=COM</value>
       </property>
   </bean>
   <bean id='ldapInitialDirContextFactory' class='org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl'>
       <property name='initialDirContextEnvironment'>
           <map>
               <entry key='java.naming.factory.initial'>
                   <value>com.sun.jndi.ldap.LdapCtxFactory</value>
               </entry>
               <entry key='java.naming.provider.url'>
                   <value>ldaps://YOURLDAPSERVER:636</value>
               </entry>
               <entry key='java.naming.security.authentication'>
                   <value>simple</value>
               </entry>

               <entry key='java.naming.security.principal'>
                   <value></value>
               </entry>
               <entry key='java.naming.security.credentials'>
                   <value></value>
               </entry>
           </map>
       </property>
   </bean>

   <bean id='ldapPeopleExportSource' class='org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource'>
       <property name='personQuery'>
           <value>(objectclass=inetOrgPerson)</value>
       </property>
       <property name='searchBase'>
           <value>ou=Users,dc=YOURCOMPANY,dc=COM</value>
       </property>
       <property name='userIdAttributeName'>
           <value>uid</value>
       </property>
       <property name='LDAPInitialDirContextFactory'>
           <ref bean='ldapInitialDirContextFactory'/>
       </property>
       <property name='personService'>
           <ref bean='personService'></ref>
       </property>
       <property name='namespaceService'>
           <ref bean='namespaceService'/>
       </property>
       <property name='attributeMapping'>
           <map>
               <entry key='cm:userName'>
                   <value>uid</value>
               </entry>
               <entry key='cm:firstName'>
                   <value>givenName</value>
               </entry>
               <entry key='cm:lastName'>
                   <value>sn</value>
               </entry>
               <entry key='cm:email'>
                   <value>mail</value>
               </entry>
               <entry key='cm:organizationId'>
                   <value>o</value>
               </entry>
               <entry key='cm:homeFolderProvider'>
                   <null/>
               </entry>
           </map>
       </property>

       <property name='attributeDefaults'>
           <map>
               <entry key='cm:homeFolderProvider'>
                   <value>personalHomeFolderProvider</value>
               </entry>
           </map>
       </property>
   </bean>
   <bean id='ldapGroupExportSource' class='org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource'>
       <property name='groupQuery'>
           <value>(objectclass=groupOfNames)</value>
       </property>
       <property name='searchBase'>
           <value>ou=Groups,dc=YOURCOMPANY,dc=COM</value>
       </property>
       <property name='userIdAttributeName'>
           <value>uid</value>
       </property>
       <property name='groupIdAttributeName'>
           <value>cn</value>
       </property>
       <property name='groupType'>
           <value>groupOfNames</value>
       </property>
       <property name='personType'>
           <value>inetOrgPerson</value>
       </property>
       <property name='LDAPInitialDirContextFactory'>
           <ref bean='ldapInitialDirContextFactory'/>
       </property>
       <property name='namespaceService'>
           <ref bean='namespaceService'/>
       </property>
       <property name='memberAttribute'>
           <value>member</value>
       </property>
       <property name='authorityDAO'>
           <ref bean='authorityDAO'/>
       </property>
   </bean>

   <bean id='ldapPeopleTrigger' class='org.alfresco.util.TriggerBean'>
       <property name='jobDetail'>
           <bean id='ldapPeopleJobDetail' class='org.springframework.scheduling.quartz.JobDetailBean'>
               <property name='jobClass'>
                   <value>org.alfresco.repo.importer.ImporterJob</value>
               </property>
               <property name='jobDataAsMap'>
                   <map>
                       <entry key='bean'>
                           <ref bean='ldapPeopleImport'/>
                       </entry>
                   </map>
               </property>
           </bean>
       </property>
       <property name='startDelay'>
           <value>300000</value>
       </property>
       <property name='repeatInterval'>
           <value>3600000</value>
       </property>
   </bean>
   <bean id='ldapGroupTrigger' class='org.alfresco.util.TriggerBean'>
       <property name='jobDetail'>
           <bean id='ldapGroupJobDetail' class='org.springframework.scheduling.quartz.JobDetailBean'>
               <property name='jobClass'>
                   <value>org.alfresco.repo.importer.ImporterJob</value>
               </property>
               <property name='jobDataAsMap'>
                   <map>
                       <entry key='bean'>
                           <ref bean='ldapGroupImport'/>
                       </entry>
                   </map>
               </property>
           </bean>
       </property>
       <property name='startDelay'>
           <value>300000</value>
       </property>
       <property name='repeatInterval'>
           <value>3600000</value>
       </property>
   </bean>
   <bean id='ldapPeopleImport' class='org.alfresco.repo.importer.ExportSourceImporter'>
       <property name='importerService'>
           <ref bean='importerComponentWithBehaviour'/>
       </property>
       <property name='transactionService'>
           <ref bean='transactionComponent'/>
       </property>
       <property name='authenticationComponent'>
           <ref bean='authenticationComponent'/>
       </property>
       <property name='exportSource'>
           <ref bean='ldapPeopleExportSource'/>
       </property>
       <property name='storeRef'>
           <value>${spaces.store}</value>
       </property>
       <property name='path'>
           <value>/${system.system_container.childname}/${system.people_container.childname}</value>
       </property>
       <property name='clearAllChildren'>
           <value>false</value>
       </property>
       <property name='nodeService'>
           <ref bean='nodeService'/>
       </property>
       <property name='searchService'>
           <ref bean='searchService'/>
       </property>
       <property name='namespacePrefixResolver'>
           <ref bean='namespaceService'/>
       </property>
       <property name='caches'>
           <set>
               <ref bean='permissionsAccessCache'/>
           </set>
       </property>
   </bean>
   <bean id='ldapGroupImport' class='org.alfresco.repo.importer.ExportSourceImporter'>
       <property name='importerService'>
           <ref bean='importerComponentWithBehaviour'/>
       </property>
       <property name='transactionService'>
           <ref bean='transactionComponent'/>
       </property>
       <property name='authenticationComponent'>
           <ref bean='authenticationComponent'/>
       </property>
       <property name='exportSource'>
           <ref bean='ldapGroupExportSource'/>
       </property>
       <property name='storeRef'>
           <value>${alfresco_user_store.store}</value>
       </property>
       <property name='path'>
           <value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
       </property>
       <property name='clearAllChildren'>
           <value>true</value>
       </property>
       <property name='nodeService'>
           <ref bean='nodeService'/>
       </property>
       <property name='searchService'>
           <ref bean='searchService'/>
       </property>
       <property name='namespacePrefixResolver'>
           <ref bean='namespaceService'/>
       </property>
       <property name='caches'>
           <set>
               <ref bean='userToAuthorityCache'/>
               <ref bean='permissionsAccessCache'/>
           </set>
       </property>
   </bean>
</beans>

Certificate


To communicate with another computer using SSL or TLS, Java will need to validate the certificate. I can't make this
work without it. Well, you will need to export the certificate to a file and import it using keytool.

I used the certificate in DER format. (PEM format should work too...)

Tell Java that you trust that certificate:

keytool -import -alias FQDN.OF.YOURSERVER -keystore /etc/java/keystore -file YOURCERTIFICATE.der

I had some trouble without the alias option, so I recommend that you use it.
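The page does not say how to obtain the server certificate file or how to check that it is the right one before trusting it. As an added example (not part of the original page), the Python script below fetches the certificate an ldaps server presents, writes it in DER format for the keytool -import command shown above, and prints a SHA-256 fingerprint to confirm with the directory administrator before the import is run. That confirmation is the important step: ssl.get_server_certificate() performs no validation, so importing what it returns unverified would make the truststore trust whatever answered on port 636. The keystore path /etc/java/keystore and the alias convention are the page's; the hostnames used in the usage line are placeholders.

```python
"""Export the certificate an ldaps server presents, for import with keytool.

Added example; not part of the original page. The fingerprint must be
confirmed out of band before the keytool import is run, because the fetch
itself does not validate the peer.
"""
import hashlib
import ssl
import sys


def fetch_server_cert_der(host, port=636):
    """Return the DER bytes of the certificate presented by host:port (unvalidated)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, the form keytool -printcert shows."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches_expected(der, expected_fingerprint):
    """Compare against a fingerprint obtained out of band, ignoring case and colons."""
    normalise = lambda s: s.replace(":", "").replace(" ", "").lower()
    return normalise(sha256_fingerprint(der)) == normalise(expected_fingerprint)


def keytool_import_command(alias, keystore, der_path):
    """The keytool command from the page, as an argv list; the alias is given as recommended."""
    return ["keytool", "-import", "-alias", alias, "-keystore", keystore, "-file", der_path]


def export_for_keytool(host, port, alias, keystore, der_path):
    """Fetch and save the certificate; return (fingerprint, command) for the operator."""
    der = fetch_server_cert_der(host, port)
    with open(der_path, "wb") as fh:
        fh.write(der)
    return sha256_fingerprint(der), keytool_import_command(alias, keystore, der_path)


if __name__ == "__main__":
    # Usage: python export_ldap_cert.py FQDN.OF.YOURSERVER [636]  (placeholder hostname)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    fingerprint, cmd = export_for_keytool(host, port, host, "/etc/java/keystore", f"{host}.der")
    print("SHA-256:", fingerprint)
    print("Confirm this fingerprint with the LDAP administrator, then run:")
    print(" ".join(cmd))
```

After the import, keytool -list -v -keystore /etc/java/keystore prints the same fingerprint for the new alias, which is a convenient way to confirm that the entry the JVM will trust is the one that was checked.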


JAVA Options


Now the certificate is stored in /etc/java/keystore. You will have to pass this file as a parameter to the VM.

Edit the script that starts your server (in Alfresco this is alfresco.sh; on Linux with Alfresco 4.2.c it is /opt/alfresco-4.2.c/tomcat/scripts/ctl.sh) and add the option
-Djavax.net.ssl.trustStore=/etc/java/keystore to JAVA_OPTS.


Chaining and admin users


When your system authenticates users against LDAP, your internal users will disappear.
You can grant admin rights to an LDAP user by adding the username to the adminUsers set

   <property name='adminUsers'>
       <set>
           <value>admin</value>
           <value>administrator</value>
           <value>YOURUSERNAME</value>
       </set>
   </property>

in the file tomcat/webapps/alfresco/WEB-INF/classes/alfresco/authority-services-context.xml

Otherwise, you can configure the chaining property. There are several tutorials about chaining, so I don't need to talk about it here.