Some notes on authentication mechanisms in Alfresco
Be aware of the following helpful pages from the Alfresco wiki.
LDAP w/ SSL
Getting LDAP authentication working should be easy, especially if using Alfresco version > 2.1 (Enterprise). After 2.1, LDAP configuration was changed slightly such that the instructions about editing the ldap-authentication-context.xml are no longer entirely accurate. You most likely should not need to modify either ldap-authentication-context.xml or ldap-synchronisation-context.xml to get LDAP authentication working. Which is good news, because XML files can be a PITA to read.
(Both ldap-authentication-context.xml and ldap-synchronisation-context.xml still need to exist though. So copy the .sample versions of those files into those filenames.)
Note: aside from /opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco, there are also configuration files in /opt/Alfresco/tomcat/shared/classes/alfresco/extension.
Instead, you only need to modify the ldap-authentication.properties and the ldap-synchronisation.properties files. These files are much easier to read than the XML files, and should be fairly self-explanatory. Below is the diff output of the changes I made against the .properties files that Alfresco shipped with.
--- ldap-authentication.properties 2008-05-22 12:05:01.000000000 -0700 +++ ldap-authentication.properties.bak 2008-05-22 10:19:10.000000000 -0700 @@ -9,19 +9,19 @@ # - digest # - usually pass through what is entered # %s -ldap.authentication.userNameFormat=uid=%s,ou=People,dc=ucsd,dc=edu +ldap.authentication.userNameFormat=%s # The LDAP context factory to use ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory # The URL to connect to the LDAP server -ldap.authentication.java.naming.provider.url=ldaps://papa.ucsd.edu +ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389 # The authentication mechanism to use -ldap.authentication.java.naming.security.authentication=SIMPLE +ldap.authentication.java.naming.security.authentication=DIGEST-MD5 # The default principal to use (only used for LDAP sync) -ldap.authentication.java.naming.security.principal=uid=ldapauth,ou=Special Users,dc=ucsd,dc=edu +ldap.authentication.java.naming.security.principal=reader # The password for the default principal (only used for LDAP sync) -ldap.authentication.java.naming.security.credentials=SECRET +ldap.authentication.java.naming.security.credentials=secret \ No newline at end of file --- ldap-synchronisation.properties 2008-05-22 10:55:50.000000000 -0700 +++ ldap-synchronisation.properties.bak 2008-05-22 10:54:19.000000000 -0700 @@ -6,7 +6,7 @@ ldap.synchronisation.personQuery=(objectclass=inetOrgPerson) # The search base of the query to find people to import -ldap.synchronisation.personSearchBase=ou=People,dc=ucsd,dc=edu +ldap.synchronisation.personSearchBase=dc=company,dc=com # The attribute name on people objects found in LDAP to use as the uid in Alfresco ldap.synchronisation.userIdAttributeName=uid 
@@ -30,7 +30,7 @@ ldap.synchronisation.groupQuery=(objectclass=groupOfNames) # The search base to use to find group objects -ldap.synchronisation.groupSearchBase=ou=Groups,dc=ucsd,dc=edu +ldap.synchronisation.groupSearchBase=dc=company,dc=com # The attribute on LDAP group objects to map to the gid property in Alfrecso ldap.synchronisation.groupIdAttributeName=cn
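Review bot: the ldap-authentication.properties hunk reads backwards: it was generated as `diff modified original`, so the `-` lines (`ldaps://papa.ucsd.edu`, `SIMPLE`, the full bind DN) are the values to end up with and the `+` lines are the shipped defaults. Regenerate it with the shipped file as the first argument, otherwise anyone feeding this to `patch` gets the opposite of the intended result. The sync bind password also sits in cleartext in this file, so keep it readable only by the account Tomcat runs as.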
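Review bot: in the ldap-synchronisation.properties hunk for `personSearchBase`, the `-` value `ou=People,dc=ucsd,dc=edu` is the edited one and should stay that narrow. Running `(objectclass=inetOrgPerson)` from the domain root (the `+` default `dc=company,dc=com`) would also import service entries such as the `ldapauth` bind principal under `ou=Special Users`, turning them into Alfresco logins.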
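Review bot: the `groupSearchBase` hunk carries `ldap.synchronisation.groupQuery=(objectclass=groupOfNames)` as unchanged context, yet that object class has to match the directory's group entries or the sync finds no groups at all (the Notes section below records changing it to groupOfUniqueNames). Flag it in the hunk, or in the surrounding text, as a directory-specific value rather than leaving it to look like a default that needs no attention.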
Basically, the ldap-authentication.properties file deals with "how to log on to the LDAP server", while the ldap-synchronisation.properties file deals with how the LDAP directory is laid out and how entity attributes are specified.
Note that I'm using SIMPLE authentication here, and the userNameFormat reflects the user DN in the LDAP server.
If you want to use SSL (and you really should), make sure you use the ldaps:// URL.
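As an added check (not from the Alfresco wiki or the Alfresco project), here is a small Python lint that parses an ldap-authentication.properties file and flags the settings discussed above: a non-ldaps:// URL, a SIMPLE bind over plain LDAP, a userNameFormat without %s, and placeholder bind credentials. The sample file and the host ldap.example.org are constructed.

```python
"""Lint an Alfresco ldap-authentication.properties for weak transport and bind settings.
Added example; not from the Alfresco wiki page or the Alfresco project. The keys are the
ones shown in the diff above; the sample file and host ldap.example.org are constructed."""

def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint_ldap_auth(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "").lower()
    mech = props.get("ldap.authentication.java.naming.security.authentication", "").upper()
    fmt = props.get("ldap.authentication.userNameFormat", "")
    secret = props.get("ldap.authentication.java.naming.security.credentials", "")
    if not url.startswith("ldaps://"):
        findings.append("provider.url is not ldaps://; the directory session is unencrypted")
    if mech == "SIMPLE" and not url.startswith("ldaps://"):
        findings.append("SIMPLE bind over plain ldap:// sends each user's password in cleartext")
    if "%s" not in fmt:
        findings.append("userNameFormat lacks %s, so every login would bind as the same DN")
    if secret.lower() in ("", "secret", "password", "changeme"):
        findings.append("sync bind credentials are empty or a placeholder")
    return findings

# Constructed sample in the layout of the page's diff; values are not real.
SAMPLE = """\
ldap.authentication.userNameFormat=uid=%s,ou=People,dc=example,dc=org
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.example.org:389
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.security.principal=uid=ldapauth,ou=Special Users,dc=example,dc=org
ldap.authentication.java.naming.security.credentials=secret
"""

if __name__ == "__main__":
    for finding in lint_ldap_auth(parse_properties(SAMPLE)):
        print("WARN:", finding)
```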
SSL
To make the SSL connection work, you need to have the right SSL keys/certificates loaded by the JVM.
In this case, I simply copied the ${JAVA_HOME}/keystore file, which contains the SSL key for 'papa', from papa.ucsd.edu to yaku.ucsd.edu. If you're setting up a different server, you need to generate a new key for your server, then somehow import that key into the other machine that will talk to the server. See instructions elsewhere.
Then, append this to ${JAVA_OPTS} in the startup script (alfresco.sh):
-Djavax.net.ssl.trustStore=${JAVA_HOME}/keystore
Chaining
Note: Configuration has changed for the Community/Labs version of Alfresco. See attached files for Labs config.
If you only want LDAP authentication, then the above steps should be enough. However, it's also possible to "chain" authentication mechanisms such that a user can be authenticated against, for example, either the LDAP or the local Alfresco user repository.
Start by creating the chaining-authentication-context.xml file by copying it from the .sample version. By default, this file is set up for chaining the JAAS and local Alfresco user authentication. To chain LDAP and local Alfresco user authentication, simply change the references to "JAAS" to "LDAP", and comment out the definitions for "JAAS" (since we will be defining the "LDAP" beans elsewhere), as shown below:
--- chaining-authentication-context.xml 2008-05-27 10:57:17.000000000 -0700
+++ chaining-authentication-context.xml.sample 2007-11-10 06:39:21.000000000 -0800
@@ -10,7 +10,7 @@
<bean id="authenticationService" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
<property name="authenticationServices">
<list>
- <ref bean="authenticationServiceImplLDAP"/>
+ <ref bean="authenticationServiceImplJAAS"/>
</list>
</property>
<property name="mutableAuthenticationService">
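Review bot: this diff was generated as `diff modified sample`, so it reads backwards: the `-` line `<ref bean="authenticationServiceImplLDAP"/>` is the value to end up with and the `+` line is the shipped default. Regenerate it as `diff -u chaining-authentication-context.xml.sample chaining-authentication-context.xml` before publishing, or a reader applying it with `patch` will undo the change.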
@@ -21,7 +21,7 @@
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
<property name="authenticationComponents">
<list>
- <ref bean="authenticationComponentImplLDAP"/>
+ <ref bean="authenticationComponentImplJAAS"/>
</list>
</property>
<property name="mutableAuthenticationComponent">
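Review bot: the component list must change in step with the service list in the previous hunk; leaving `authenticationComponentImplJAAS` here while the service list points at LDAP would make the chain reference a component that this same diff comments out further down.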
@@ -54,10 +54,7 @@
<ref bean="namespaceService"/>
</property>
<property name="searchService">
-<!--
<ref bean="searchService"/>
--->
- <ref bean="admSearchService"/>
</property>
<property name="userNamesAreCaseSensitive">
<value>${user.name.caseSensitive}</value>
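Review bot: with the direction reversed, the `-` lines are what the edited file now holds: the original `<ref bean="searchService"/>` wrapped in `<!-- -->` plus a new `<ref bean="admSearchService"/>`. Delete the commented-out ref rather than keeping it, since a dead ref inside the `searchService` property invites someone to uncomment it and leave two refs in one property, and note the reason for `admSearchService` in the file itself; the prose below is currently the only record of it.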
@@ -79,21 +76,20 @@
</property>
</bean>
- <!-- LDAP -->
+ <!-- JAAS -->
- <bean id="authenticationServiceImplLDAP" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
+ <bean id="authenticationServiceImplJAAS" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="authenticationDao">
- <ref bean="authenticationDaoLDAP"/>
+ <ref bean="authenticationDaoJAAS"/>
</property>
<property name="ticketComponent">
<ref bean="ticketComponent"/>
</property>
<property name="authenticationComponent">
- <ref bean="authenticationComponentImplLDAP"/>
+ <ref bean="authenticationComponentImplJAAS"/>
</property>
</bean>
-<!--
<bean id="authenticationComponentImplJAAS" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
<property name="realm">
<value>COMPANY.COM</value>
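Review bot: the `-<!--` at the end of this hunk opens a comment around the JAAS beans and the matching `--->` only appears in the next hunk, so the elided lines in between (the rest of the JAAS bean definitions) must contain no `<!-- ... -->` of their own: XML comments do not nest, and an inner `-->` would close the outer comment early and bring the JAAS beans back to life. Check those lines before relying on the comment-out.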
@@ -104,6 +100,5 @@
</bean>
<bean id="authenticationDaoJAAS" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao"/>
--->
-</beans>
+</beans>
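Review bot: `-</beans>` and `+</beans>` are textually identical, so this hunk is whitespace or line-ending noise (the `--->` above it is the only real change). Run the diff with `-b`, or strip trailing whitespace, so the published diff shows only intended edits.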
Note that I also changed the "searchService" property for the local Alfresco, to get it to work with the local repository that Alfresco shipped with.
So now we need to define the authenticationDaoLDAP and authenticationComponentImplLDAP beans, since authenticationServiceImplLDAP in chaining-authentication-context.xml refers to them but these two beans are still undefined. Define them now by modifying ldap-authentication-context.xml:
--- ldap-authentication-context.xml 2008-05-27 10:36:14.000000000 -0700
+++ ldap-authentication-context.xml.sample 2007-11-10 06:39:21.000000000 -0800
@@ -16,7 +16,7 @@
<!-- DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. -->
- <bean name="authenticationDaoLDAP" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
+ <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
<property name="allowDeleteUser">
<value>true</value>
</property>
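Review bot: the rename to `authenticationDaoLDAP` (the `-` line, which is the edited version given the reversed diff direction) must match the `<ref bean="authenticationDaoLDAP"/>` in the chaining context character for character. The bean is declared with `name=` rather than `id=` here; Spring resolves `<ref bean=...>` against either, so that is fine, but use one attribute consistently across the two files to keep the pairing easy to grep for.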
@@ -33,7 +33,7 @@
-->
- <bean id="authenticationComponentImplLDAP" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
+ <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory"/>
</property>
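Review bot: this rename is what avoids a bean-id collision: chaining-authentication-context.xml (second hunk of the previous diff) already declares `id="authenticationComponent"` for the chaining implementation, so the LDAP component needs a different id (`authenticationComponentImplLDAP`) or the two definitions conflict when both context files are loaded. Worth stating in a comment next to the bean, since a future upgrade that restores the sample id would silently reintroduce the clash.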
@@ -97,4 +97,4 @@
</property>
</bean>
-</beans>
+</beans>
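Review bot: as in the chaining diff, `-</beans>` / `+</beans>` differ only in invisible whitespace; drop this hunk from the published diff so readers do not look for a change that is not there.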
After this, you should be able to log in as either an LDAP user or a local Alfresco user (such as "guest" or "admin").
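To catch the "referenced but undefined bean" problem before Tomcat does, here is an added Python check (not from the page or from Alfresco) that loads a set of Spring context files, collects every bean id or name, and reports refs that resolve to nothing as well as ids defined twice. The two XML fragments are constructed to mirror the chaining and LDAP contexts above, with bean bodies trimmed.

```python
"""Resolve <ref bean="..."/> targets across Alfresco Spring context files.
Added example; not from the Alfresco wiki page or the Alfresco project.
The XML fragments below are constructed (classes as in the page, bodies trimmed)."""
import xml.etree.ElementTree as ET

def check_bean_refs(named_xml):
    """named_xml maps filename -> XML text. Returns (defined, unresolved, duplicates)."""
    roots = {fname: ET.fromstring(text) for fname, text in named_xml.items()}
    defined, duplicates, unresolved = {}, [], []
    for fname, root in roots.items():
        for bean in root.iter("bean"):
            ident = bean.get("id") or bean.get("name")   # Spring accepts either
            if ident is None:
                continue                                  # anonymous inner bean
            if ident in defined:
                duplicates.append((ident, defined[ident], fname))
            defined[ident] = fname
    for fname, root in roots.items():
        for ref in root.iter("ref"):
            target = ref.get("bean")
            if target and target not in defined:
                unresolved.append((target, fname))
    return defined, unresolved, duplicates

# Chaining context after the edit: LDAP refs in place of the JAAS ones.
CHAINING = """<beans>
  <bean id="authenticationService" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
    <property name="authenticationServices"><list><ref bean="authenticationServiceImplLDAP"/></list></property>
  </bean>
  <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
    <property name="authenticationComponents"><list><ref bean="authenticationComponentImplLDAP"/></list></property>
  </bean>
  <bean id="authenticationServiceImplLDAP" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
    <property name="authenticationDao"><ref bean="authenticationDaoLDAP"/></property>
    <property name="authenticationComponent"><ref bean="authenticationComponentImplLDAP"/></property>
  </bean>
</beans>"""
# LDAP context as shipped (.sample ids) and after the rename the page describes.
LDAP_SHIPPED = """<beans>
  <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao"/>
  <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"/>
</beans>"""
LDAP_RENAMED = (LDAP_SHIPPED.replace('name="authenticationDao"', 'name="authenticationDaoLDAP"')
                .replace('id="authenticationComponent"', 'id="authenticationComponentImplLDAP"'))

if __name__ == "__main__":
    for ldap_ctx in (LDAP_SHIPPED, LDAP_RENAMED):
        _, bad_refs, dups = check_bean_refs({"chaining-authentication-context.xml": CHAINING,
                                             "ldap-authentication-context.xml": ldap_ctx})
        print("unresolved:", sorted({t for t, _ in bad_refs}), "duplicates:", dups)
```

With the shipped ids the check reports both missing LDAP beans and the duplicate `authenticationComponent`; after the rename it reports nothing.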
Manually specifying admin users
Whether or not chaining is in effect, users with administrator rights are specified in the authority-services-context.xml.
Simply add the username under the "adminUsers" property under the "authorityService" bean.
Changing User Homes
When LDAP authentication is enabled, user homes are stored in the Company Home Folder by default. You can change this by making the following edit:
authentication-services-context.xml
...
<bean name="personalHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
...
- <value>/${spaces.company_home.childname}</value>
+ <value> /${spaces.company_home.childname}/${spaces.user_homes.childname}</value>
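Review bot: the `+` line carries a space inside the value, `<value> /${spaces.company_home.childname}/...`; Spring keeps that whitespace, so the path starts with " /" and is likely not to resolve to the intended folder. Remove the space so the value reads `/${spaces.company_home.childname}/${spaces.user_homes.childname}`.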
The database and Lucene indexes need to be rebuilt afterwards, so this should be done when Alfresco is set up for the first time.
Ref: http://forums.alfresco.com/en/viewtopic.php?t=7133
Notes
- LDAP Groups
  - The ldap.synchronisation.groupQuery in ldap-synchronisation.properties must match the object class of the groups in the LDAP directory, or LDAP groups will not be found and therefore will not show up in Alfresco. This was changed from groupOfNames to groupOfUniqueNames.
  - LDAP queries are case sensitive. Attributes such as InetOrgPerson and UniqueMembers had to be changed to lower case in ldap-synchronisation.properties to conform with our LDAP format. Before these items were changed, groups would import but would contain no members.
- LDAP Import Issues
- A good way to debug LDAP import issues is to enable the LDAP authentication debug logger in the log4j properties file:
vim tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties
...
# uncomment this line
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
- Index tracking
When LDAP syncs are made, a record of the transaction is written to the database in the alf_node_status table (alf_node and alf_transaction in the 3.0 final release). These records are purged according to the following index tracking option set in custom-repository.properties.
index.tracking.minRecordPurgeAgeDays=30
This can be switched on at any time. Reference: https://issues.alfresco.com/jira/browse/ALFCOM-2583
- User Node does not exist:
When this occurs, users will not be able to log in and will receive an error indicating that the NodeRef does not exist. It's recommended to rebuild the indexes: http://forums.alfresco.com/en/viewtopic.php?f=8&t=11964&p=39502&hilit=InvalidNodeRefException+alfrescoUserStore#p39502
- Cannot delete user
InvalidNodeRefException when attempting to delete user: http://forums.alfresco.com/en/viewtopic.php?f=9&t=13384