Authentication with Active Directory and Linux

simon
Member II

Authentication with Active Directory and Linux

Hi all,

We're installing a new Alfresco Enterprise Network v1.1.2 system on a Linux server and our employees are stored in a Windows Active Directory 2003 LDAP. What's the best way to use Active Directory authentication with our Linux Alfresco system?

I tried to activate NTLM following the steps in the Configuring NTLM WIKI documentation.

But I ran into some problems:

1. After changing the application-context.xml file I found this in the log:
Error creating bean with name 'descriptorComponent' defined in class path resource [alfresco/application-context.xml]: Can't resolve reference to bean 'systemBootstrap' while setting property 'systemBootstrap';

2. Changing the db.url parameter (as seen in the other post) in the repository.properties solved this but gave me a new error:
[org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco]] Exception sending context initialized event to listener instance of class org.alfresco.web.app.ContextListener
org.alfresco.error.AlfrescoRuntimeException: Failed to initialise [more here …]
Caused by: org.springframework.jdbc.UncategorizedSQLException: (HibernateTransactionManager): encountered SQLException [Data truncation: Out of range value adjusted for column 'allowed' at row 1]; nested exception is java.sql.BatchUpdateException: Data truncation: Out of range value adjusted for column 'allowed' at row 1 at org.springframework.jdbc.support.SQLStateSQLExceptionTranslator.translate(SQLStateSQLExceptionTranslator.java:99) at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.translate(SQLErrorCodeSQLExceptionTranslator.java:257) at org.springframework.orm.hibernate3.HibernateTransactionManager.convertJdbcAccessException(HibernateTransactionManager.java:600) at org.springframework.orm.hibernate3.HibernateTransactionManager.doCommit(HibernateTransactionManager.java:496) at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:401) at org.springframework.transaction.interceptor.TransactionAspectSupport.doCommitTransactionAfterReturning(TransactionAspectSupport.java:260) at org.alfresco.util.transaction.SpringAwareUserTransaction.commit(SpringAwareUserTransaction.java:376) at org.alfresco.web.app.ContextListener.contextInitialized(ContextListener.java:184)

So… is it possible to use NTLM authentication when Alfresco is installed on Linux and, secondly, where do I find a solution for these errors?

Thanks for the help!
6 Replies
andy
Active Member

Re: Authentication with Active Directory and Linux

Hi

This looks like nothing to do with authentication.

Could you let us know the database and version, app container etc.

It looks like an issue during saving a permission.

It would help to see what the node_perm_entry table looks like.
For example, you could use mysql using ….



mysql> use alfresco;
Database changed
mysql> describe  node_perm_entry;
+------------+--------------+------+-----+---------+-------+
| Field      | Type         | Null | Key | Default | Extra |
+------------+--------------+------+-----+---------+-------+
| id         | bigint(20)   | NO   | PRI |         |       |
| protocol   | varchar(50)  | YES  | MUL | NULL    |       |
| identifier | varchar(100) | YES  |     | NULL    |       |
| guid       | varchar(36)  | YES  |     | NULL    |       |
| typeUri    | varchar(100) | YES  | MUL | NULL    |       |
| typeName   | varchar(100) | YES  |     | NULL    |       |
| name       | varchar(100) | YES  |     | NULL    |       |
| recipient  | varchar(100) | YES  | MUL | NULL    |       |
| allowed    | bit(1)       | NO   |     |         |       |
+------------+--------------+------+-----+---------+-------+
9 rows in set (0.02 sec)

I will have to check if you can do NTLM authentication from a repository installed on linux.

If you only want authentication against LDAP then see the example in the wiki about doing this.

http://www.alfresco.org/mediawiki/index.php/Security_and_Authentication

Regards

Andy
simon
Member II

Re: Authentication with Active Directory and Linux

First NTLM versus LDAP:

If you only want authentication against LDAP then see the example in the wiki about doing this.

We would like to test NTLM first; if this doesn't work with Linux we'll have to drop this idea and switch to LDAP for authentication with MS Active Directory (but then I would like to hear this). If I'm not mistaken, NTLM is somewhat more secure than plain LDAP authentication. I know we use a Linux server, so it's possible that we are complicating things here, but it's interesting enough to check.

Next some system information as requested:
MySQL: mysqladmin  Ver 8.41 Distrib 5.0.18, for unknown-linux-gnu on x86_64
Java: 1.5.0_06-b05
Alfresco: Enterprise Network v1.1.2
OS version: 2.4.21-37.EL
Application server: Tomcat (the one included in the Alfresco 1.1.2 tar)

The MySQL table you are talking about:


mysql> describe  node_perm_entry;
+------------+--------------+------+-----+---------+-------+
| Field      | Type         | Null | Key | Default | Extra |
+------------+--------------+------+-----+---------+-------+
| id         | bigint(20)   | NO   | PRI |         |       |
| protocol   | varchar(50)  | YES  | MUL | NULL    |       |
| identifier | varchar(100) | YES  |     | NULL    |       |
| guid       | varchar(36)  | YES  |     | NULL    |       |
| typeUri    | varchar(100) | YES  | MUL | NULL    |       |
| typeName   | varchar(100) | YES  |     | NULL    |       |
| name       | varchar(100) | YES  |     | NULL    |       |
| recipient  | varchar(100) | YES  | MUL | NULL    |       |
| allowed    | bit(1)       | NO   |     |         |       |
+------------+--------------+------+-----+---------+-------+
9 rows in set (0.00 sec)

I see the allowed value is set to required; is this the cause of the problem? I don't think I need to change this because it looks like your version.

Note:
I don't get this specific error when I drop the modification I made earlier (changing the db.url line in the repository.properties file). But when I try to run Alfresco without this modification I get the same errors as the post I mentioned earlier.
simon
Member II

Re: Authentication with Active Directory and Linux

Andy,

Any update on the NTLM and Linux question?

I will have to check if you can do NTLM authentication from a repository installed on linux.

Still trying to get NTLM authentication up and running but it's not as easy as I hoped. Can you answer the question above so I know I'm not wasting my time?

Thanks!
andy
Active Member

Re: Authentication with Active Directory and Linux

Hi Simon

I have asked Gary to respond to this specific question as he did the NTLM stuff.

I have tried LDAP "simple" authentication to both Active Directory and OpenLDAP. There will be an interim enterprise build previewing this code.

I have not tried SSL connections on top of this.

The only other alternative I am aware of for Active Directory is to use Kerberos authentication. It is a big leap in the amount of external configuration required (Jaas, Kerberos). The Sun Kerberos provider only trusts tickets stored as a result of logging in, in the JVM, so do not expect single sign on support.

Regards

Andy
gary_spencer
Member II

Re: Authentication with Active Directory and Linux

Hi Simon,

I've just tested Alfresco on Linux with NTLM authentication enabled for the web client and passthru authentication to my WinXP desktop system; it worked OK.

I would enable debug output by adding the following lines to the log4j.properties file in the alfresco/WEB-INF/classes folder :-

log4j.logger.org.alfresco.smb.protocol.auth=debug
log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug

You should see log output similar to the following during startup as the passthru authentication validates the Windows server(s) :-

09:30:29,591 DEBUG [org.alfresco.smb.protocol.auth] Added passthru server [starlah:90.1.0.2:Offline:0,0]
09:30:29,607 DEBUG [org.alfresco.smb.protocol.auth] New auth session from linuxsrv_1 to \\90.1.0.2\IPC$\
09:30:29,628 DEBUG [org.alfresco.smb.protocol.auth] Trying address 90.1.0.2
09:30:29,630 DEBUG [org.alfresco.smb.protocol.auth] Connected to address 90.1.0.2
09:30:29,631 DEBUG [org.alfresco.smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS
09:30:29,638 DEBUG [org.alfresco.smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12
09:30:29,651 DEBUG [org.alfresco.smb.protocol.auth] Passthru server online, [starlah:90.1.0.2:Online:0,0]

Could you email me your file-servers.xml and authentication-services-context.xml files.

Cheers

Gary
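A small log check that follows from Gary's advice above, added here as an example and not code from Alfresco or from any poster: it reads the org.alfresco.smb.protocol.auth DEBUG lines, records the final Offline/Online state and negotiated SMB dialect of each passthru server, and lists servers that were added but never validated (a passthru server that stays offline is the first thing to look for when NTLM logons fail). The sample lines are constructed after the ones in the post; the second server "dc2" is invented.

```python
import re

# Constructed sample log, modelled on the DEBUG output quoted in the post.
# "dc2" is an invented second passthru server that never comes online.
SAMPLE_LOG = [
    "09:30:29,591 DEBUG [org.alfresco.smb.protocol.auth] Added passthru server [starlah:90.1.0.2:Offline:0,0]",
    "09:30:29,607 DEBUG [org.alfresco.smb.protocol.auth] New auth session from linuxsrv_1 to \\\\90.1.0.2\\IPC$\\",
    "09:30:29,628 DEBUG [org.alfresco.smb.protocol.auth] Trying address 90.1.0.2",
    "09:30:29,630 DEBUG [org.alfresco.smb.protocol.auth] Connected to address 90.1.0.2",
    "09:30:29,631 DEBUG [org.alfresco.smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS",
    "09:30:29,638 DEBUG [org.alfresco.smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12",
    "09:30:29,651 DEBUG [org.alfresco.smb.protocol.auth] Passthru server online, [starlah:90.1.0.2:Online:0,0]",
    "09:30:30,012 DEBUG [org.alfresco.smb.protocol.auth] Added passthru server [dc2:90.1.0.3:Offline:0,0]",
    "09:30:30,020 DEBUG [org.alfresco.smb.protocol.auth] Trying address 90.1.0.3",
]

# [name:address:state:n,n] as printed by the passthru server list
SERVER_RE = re.compile(
    r"\[(?P<name>[^:\]]+):(?P<addr>\d+\.\d+\.\d+\.\d+):(?P<state>Online|Offline):\d+,\d+\]"
)
TRYING_RE = re.compile(r"Trying address (?P<addr>\d+\.\d+\.\d+\.\d+)")
DIALECT_RE = re.compile(r"Negotiated SMB dialect (?P<dialect>.+?)\s*$")


def passthru_status(lines):
    """Map each passthru server name to its last seen state, address and dialect."""
    servers = {}
    current_addr = None  # address of the session currently being negotiated
    for line in lines:
        if "[org.alfresco.smb.protocol.auth]" not in line:
            continue  # only the passthru auth logger is of interest
        m = SERVER_RE.search(line)
        if m:
            entry = servers.setdefault(m["name"], {"addr": m["addr"], "state": "Offline", "dialect": None})
            entry["state"] = m["state"]
            continue
        t = TRYING_RE.search(line)
        if t:
            current_addr = t["addr"]
            continue
        d = DIALECT_RE.search(line)
        if d and current_addr:
            for entry in servers.values():
                if entry["addr"] == current_addr:
                    entry["dialect"] = d["dialect"]
    return servers


def offline_servers(lines):
    """Names of passthru servers that were added but never reported online."""
    return sorted(name for name, s in passthru_status(lines).items() if s["state"] != "Online")
```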
simon
Member II

Re: Authentication with Active Directory and Linux

Thanks for the feedback!

I think I made some progress but it isn't working yet. I could send you the configuration files and log files but it may be something trivial like creating a home space for the user that's trying to log in or something similar…

When I tried to activate the NTLM login mechanism the first time (see my previous posts in this topic) I used the information found in the "NTLM Passthru Authentication" section of the Configuring NTLM document in the WIKI. I didn’t add the proper configuration lines in the web.xml file as described in the first part of the article. I thought the first part was only needed for single sign on and I didn’t really need that.

I now added these lines to the web.xml file and things look better. I get the popup window from Windows, and the login for the admin user or usernames defined in the Alfresco database are no longer valid (the admin user should always be a valid user in my opinion, no matter which authentication mechanism is used, but that’s another story).

My credentials (username and password) as defined in our Windows Active Directory 2003 are checked, yes! When the username or password is wrong I get redirected to a blank page (strange but I can live with that, I would expect some kind of error message). When my username and password match my credentials in Active Directory I get the following error:

Note: The question marks are not parsed by the phpBB forum but should be replaced by an 'a' with a bar on top.

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

java.lang.NullPointerException
   org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.?(Unknown Source)
   org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(Unknown Source)
   sun.reflect.GeneratedMethodAccessor118.invoke(Unknown Source)
   sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   java.lang.reflect.Method.invoke(Method.java:585)
   org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:287)
   org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:155)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:122)
   org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:57)
   org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:144)
   org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:174)
   $Proxy15.authenticate(Unknown Source)
   org.alfresco.web.app.servlet.NTLMAuthenticationFilter.?(Unknown Source)
   org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(Unknown Source)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5.9 logs.
Apache Tomcat/5.5.9

So authentication seems to work but once logged in I get this Java error, what else should I do?

Note: The error is a Tomcat error, not an Alfresco one (I think)