Saturday, January 15, 2011

Alfresco Authentication and Integration with Active Directory

One of the main features of the Alfresco ECM System is the ability to integrate user authentication and synchronization with almost all popular LDAP directory servers, such as Microsoft Active Directory.



However, the integration is error-prone and requires an understanding of your LDAP environment settings and configuration. Moreover, as a warning, I must say that the error messages you will face during the integration are most of the time misleading and subjective.

In this article, we will see how to integrate Alfresco with AD, and also how to synchronize Alfresco users and groups with the existing entities of your AD. I have used Alfresco 3.3.4 in this case.

Have the settings of your AD at hand so that you can understand and configure your Alfresco accordingly.

Alfresco Subsystems

An Alfresco installation offers a few subsystems:
  1. Audit
  2. Authentication
  3. File Server
  4. IMAP
  5. Synchronization
  6. EMail
We will use the Authentication and Synchronization subsystems for this purpose.

Authentication Subsystem

For authentication, Alfresco can be configured against AD, LDAP, Kerberos, alfrescoNtlm or other external servers. You can configure Alfresco to authenticate against a number of systems in turn; this is known as the Authentication Chain.
You define the authentication chain in the alfresco-global.properties file or in the repository.properties file.

By default, the authentication chain is defined as follows (in the repository.properties file):

authentication.chain=alfrescoNtlm1:alfrescoNtlm


Thus, only alfrescoNtlm authentication is active.
To enable AD authentication, we set it to:

authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm


Now Alfresco will first try to authenticate the user against the configured AD, and if the user is not found there, alfrescoNtlm will be tried. If you put only ldap-ad1:ldap-ad, local Alfresco authentication is fully disabled. In this way, you can integrate a number of systems into the Alfresco authentication chain.
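To make the chain semantics concrete, here is an added example (not Alfresco code, and not from the original post) that parses an authentication.chain value into its ordered members and simulates how the members are consulted, first the ldap-ad instance, then alfrescoNtlm. The two user stores, AD_USERS and LOCAL_USERS, are constructed stand-ins for Active Directory and the local Alfresco repository.

```python
"""Parse an Alfresco authentication.chain value and simulate the chain order.
Added example; the authenticator callables stand in for Alfresco's subsystems."""


def parse_chain(value):
    """Return ordered (instance_id, subsystem_type) pairs from a chain string
    such as 'ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm'. Alfresco consults
    the members from left to right."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        instance_id, _, subsystem_type = item.partition(":")
        if not instance_id or not subsystem_type:
            raise ValueError("malformed chain entry: %r" % item)
        entries.append((instance_id, subsystem_type))
    return entries


# Constructed user stores (not real data): one for AD, one for the local repository.
AD_USERS = {"jdoe": "ad-secret"}
LOCAL_USERS = {"admin": "admin", "localonly": "pw"}


def make_authenticators():
    """Map each subsystem type named in the chain to a credential check."""
    return {
        "ldap-ad": lambda user, password: AD_USERS.get(user) == password,
        "alfrescoNtlm": lambda user, password: LOCAL_USERS.get(user) == password,
    }


def authenticate(chain_value, username, password):
    """Try each chain member in order. Return the instance id of the member
    that accepted the credentials, or None if every member rejected them."""
    authenticators = make_authenticators()
    for instance_id, subsystem_type in parse_chain(chain_value):
        check = authenticators.get(subsystem_type)
        if check is None:
            raise ValueError("unknown subsystem type: " + subsystem_type)
        if check(username, password):
            return instance_id
    return None


if __name__ == "__main__":
    both = "ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm"
    print(authenticate(both, "jdoe", "ad-secret"))      # accepted by ldap-ad1
    print(authenticate(both, "localonly", "pw"))        # falls through to alfrescoNtlm1
    print(authenticate("ldap-ad1:ldap-ad", "localonly", "pw"))  # local users no longer work
```

The last call shows the point made above: with only ldap-ad1:ldap-ad in the chain, a user that exists solely in the local repository can no longer log in.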

Configuring Active Directory Authentication

In webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication there is a separate folder for each server type. For our Active Directory integration, the settings go into the ldap-ad-authentication.properties file in the ldap-ad folder.

This file holds the configuration for both authentication and synchronization with AD. Note that the = and : characters inside the values below are escaped with a backslash because this is a Java properties file; the backslashes are stripped when the file is loaded and are not part of the LDAP filters themselves.

ldap.authentication.active=true
This must be true to activate this authentication mode.

ldap.authentication.userNameFormat=%s@mydomain.com
This pattern is applied to the user name typed into the Alfresco login dialog before the bind against AD is attempted: %s is replaced by the user name, and the result must be a full User Principal Name (UPN) or a DN.

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
No need to change this line; we use the default Sun Java (JNDI) LDAP provider.

ldap.authentication.java.naming.provider.url=ldap://<<server-name or ip>>:389
Put your AD server name or IP here. 389 is the default port for LDAP; consult your administrator in case you use a different port.

ldap.authentication.java.naming.security.authentication=simple
This value can be simple, DIGEST-MD5, etc.; again, it depends on your AD setup. With simple authentication the password crosses the network unencrypted unless the connection itself is protected, for instance with an ldaps:// URL.


ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
We won't change these values.

ldap.authentication.defaultAdministratorUserNames=administrator
Put the AD user name(s) that Alfresco should treat as administrators here.

These settings are enough to make Alfresco authenticate against your Active Directory. However, we also need synchronization between your AD and Alfresco, so that users and groups are imported into Alfresco and you can manage the permissions and restrictions of those users.

Configuring Active Directory Synchronization

The same file holds the synchronization settings.

ldap.synchronization.active=true
true means Alfresco will import AD users and groups into the local repository.

ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
Put the DN of your administrator user (the account Alfresco binds with to read the directory) here.

ldap.synchronization.java.naming.security.credentials=****
Put that user's password here, in plain text. Since it is stored unencrypted, restrict the file's permissions to the account that runs Alfresco.


ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

We do not change these values for now.

ldap.synchronization.groupQuery=(objectclass\=group)
The LDAP filter that selects the group entries to import; group is the objectclass of groups in AD.

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
The LDAP filter that selects the user entries to import. Besides the objectclass, it uses the AD bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to require that the NORMAL_ACCOUNT bit (512) of userAccountControl is set, which leaves out computer and trust accounts. Disabled user accounts (bit 2 set, for example 514) still match this filter.

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
Pretty standard: the group filter plus a modifyTimestamp condition. {0} is replaced at run time with the timestamp of the previous synchronization, so only groups changed since then are fetched. Change the objectclass only, if required.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
Again pretty standard: the user filter plus the same modifyTimestamp condition. Change the objectclass of users only, if required.

ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
Put your AD domain here as the search base for the group query. I have used the domain root as the search base, so the whole domain will be searched; an OU-level base narrows the import.

ldap.synchronization.userSearchBase=DC\=domain,DC\=com
Put your AD domain here as the search base for the user query. I have used the domain root as the search base, so the whole domain will be searched; an OU-level base narrows the import.
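The following added example (my own code, not Alfresco's and not from the original post) shows what the person and differential queries above actually select. It strips the properties-file escaping, substitutes {0} with a timestamp in the configured timestampFormat, and evaluates the resulting filters against a few constructed directory entries. The filter matcher only understands the filter shapes used on this page (&, !, equality, the bit-AND matching rule and modifyTimestamp <=); it is not a general LDAP engine. The person_filter_excluding_disabled variant is my suggestion for keeping disabled AD accounts out of the import, not something the page proposes.

```python
"""Evaluate the AD sync filters from ldap-ad-authentication.properties against
constructed entries. Added example, not Alfresco code; the matcher covers only
the filter subset used in those queries."""
from datetime import datetime, timezone

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account disabled
UAC_NORMAL_ACCOUNT = 0x0200   # userAccountControl bit 512: normal user account

# The property values exactly as they appear in the file (Java properties escaping).
PERSON_QUERY_PROPERTY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"
PERSON_DIFF_QUERY_PROPERTY = (r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
                              r"(!(modifyTimestamp<\={0})))")


def unescape_property(value):
    """Strip .properties backslash escapes: '\\=' -> '=', '\\:' -> ':'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def alfresco_timestamp(dt):
    """Render dt in ldap.synchronization.timestampFormat (yyyyMMddHHmmss'.0Z')."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def parse_filter(text):
    """Parse the subset of RFC 4515 filter syntax used in the sync queries."""
    node, rest = _parse(text)
    if rest:
        raise ValueError("trailing text in filter: " + rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s)
    s = s[1:]
    if s[0] in "&|":                       # AND / OR over nested filters
        op, items, s = s[0], [], s[1:]
        while s.startswith("("):
            node, s = _parse(s)
            items.append(node)
        return (op, items), s[1:]          # skip the closing ')'
    if s[0] == "!":                        # NOT over one nested filter
        node, s = _parse(s[1:])
        return ("!", node), s[1:]
    end = s.index(")")
    item, s = s[:end], s[end + 1:]
    if ":=" in item:                       # extensible match: attr:rule:=value
        attr, rule, value = item.split(":", 2)
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError("unsupported matching rule " + rule)
        return ("bitand", attr, value[1:]), s
    if "<=" in item:
        attr, value = item.split("<=", 1)
        return ("<=", attr, value), s
    attr, value = item.split("=", 1)
    return ("=", attr, value), s


def matches(node, entry):
    """True if the entry (attribute -> value or list of values) satisfies node."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    actual = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if actual is None:                     # an absent attribute never matches
        return False
    values = actual if isinstance(actual, list) else [actual]
    if kind == "=":
        return any(str(v).lower() == value.lower() for v in values)
    if kind == "<=":                       # timestamps compare lexicographically
        return any(str(v) <= value for v in values)
    return any(int(v) & int(value) == int(value) for v in values)   # bitand


def select(filter_text, entries):
    node = parse_filter(filter_text)
    return [e["cn"] for e in entries if matches(node, e)]


def person_filter():
    return unescape_property(PERSON_QUERY_PROPERTY)


def person_diff_filter(since):
    """The differential query with {0} replaced by the last-sync timestamp."""
    return unescape_property(PERSON_DIFF_QUERY_PROPERTY).replace("{0}", alfresco_timestamp(since))


def person_filter_excluding_disabled():
    """Hardened variant (my suggestion): also require ACCOUNTDISABLE to be clear."""
    return "(&(objectclass=user)(userAccountControl:%s:=%d)(!(userAccountControl:%s:=%d)))" % (
        LDAP_MATCHING_RULE_BIT_AND, UAC_NORMAL_ACCOUNT, LDAP_MATCHING_RULE_BIT_AND, UAC_ACCOUNTDISABLE)


# Constructed sample entries (not real directory data).
DIRECTORY = [
    {"cn": "jdoe", "objectClass": ["top", "person", "user"], "userAccountControl": 512,
     "modifyTimestamp": "20110110120000.0Z"},
    {"cn": "disabled-user", "objectClass": ["top", "person", "user"], "userAccountControl": 514,
     "modifyTimestamp": "20110114090000.0Z"},
    {"cn": "WS01", "objectClass": ["top", "person", "user", "computer"], "userAccountControl": 4096,
     "modifyTimestamp": "20110114090000.0Z"},
    {"cn": "Domain Users", "objectClass": ["top", "group"], "modifyTimestamp": "20110101000000.0Z"},
]

if __name__ == "__main__":
    print("full sync:", select(person_filter(), DIRECTORY))
    print("since 2011-01-12:", select(person_diff_filter(datetime(2011, 1, 12, tzinfo=timezone.utc)), DIRECTORY))
    print("excluding disabled:", select(person_filter_excluding_disabled(), DIRECTORY))
```

Running it shows that the page's personQuery imports both jdoe and the disabled account but not the computer object WS01, that the differential query returns only entries modified after the substituted timestamp, and that the hardened filter drops the disabled account.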


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

We won't change these values now. They name the AD attributes used to populate the Alfresco user and group properties, the timestamp attribute and its format used by the differential queries, and the home folder provider.


ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

These values can also be left unchanged for now.

That's it!
Restart your server; Alfresco should connect to your AD and import all users and groups. For authentication, it should go to your AD and validate the credentials.

Important!

In the Community edition, you need to add the following XML entry to the common-ldap-context.xml file in the subsystems\Authentication folder.
Under this tag:

<bean id="ldapInitialDirContextFactory">
<property name="initialDirContextEnvironment">
<map>

add this entry:

<entry key="java.naming.referral">
<value>follow</value>
</entry>

7 comments:

  1. Thanks,
    It is working fine on 3.4d.
    But something has changed in 4.0a.
    No groups, no users.
    Any help would be appreciated.
    Regards,
    Peter

    1. Hi Peter

      Nothing much has changed in 4.0a from 3.4d in this context.
      Can you see any errors in your log file?

      Snig.

  2. Thanks for this very useful post.

    I do have one concern that is related to this. Users are now able to login using their Active Directory account. However, if they try to use the Edit Online function, it prompts to enter user credentials. Even if they enter their correct user name and password, it doesn't accept it. But if we try to edit online using the default alfresco admin, it works. Any other configuration that I need to set?

    Thanks in advance,
    Rubie

    1. Hi Rubie

      The Edit Online feature uses MS SharePoint protocol for opening the document in MS Office.

      Though I haven't tried this, I think for that you would need Kerberos auto-login, SSO, etc.

      Do share your investigation results please !!!

  5. Thank you for your deep understanding document. It worked for me.

    For the past two weeks I have been working on Alfresco 4.2 integration with Liferay 6.2 for document management. I imported AD users successfully in both tools and they are all able to log in individually. I would like to set up SSO and auto login in browsers. Please guide me to set up auto login and SSO for Alfresco with Liferay.

    All your words are valuable to me. Thank you
