Alfresco-LDAP integration notes

Getting Alfresco to authenticate against LDAP is a pretty straightforward task that’s documented on the Alfresco wiki. But this week I’ve had to play around with a few specific implementation details beyond just users in a directory with plain-text passwords and simple authentication. Here are some rough notes that might save others some time.

Alfresco-LDAP notes

  • If “admin” is still your administrative user, don’t forget to set up a corresponding entry (with a password) for the admin user in your LDAP directory. Once LDAP is the only authenticator, there is nothing else to check the admin password against, so without that entry you lock yourself out.
  • “Simple” (bind) authentication works when OpenLDAP stores userPassword either in plain text or as an {MD5} hash, where the 16-byte digest is Base64-encoded after the {MD5} prefix. If your MD5 digests happen to be in hex, convert them to Base64 using your favorite programming language. I used perl.
  • “DIGEST-MD5” authentication works when OpenLDAP stores plain text passwords, because the server needs the cleartext to verify the digest response; I could not get it to work when using MD5 passwords.
  • “DIGEST-MD5” authentication only works when OpenLDAP is configured to support DIGEST-MD5 as a SASL mechanism. Read the supportedSASLMechanisms attribute of the server’s root DSE (a base-scope search against the empty DN) to see whether DIGEST-MD5 is listed; if it is absent, slapd was built without SASL support or the mechanism plugin is not installed.
  • If you are compiling OpenLDAP from source, you must configure it with the --with-cyrus-sasl flag, which requires that Cyrus SASL (library and headers) already be installed.
  • There are two ways user home folders can get created: (1) When a user logs in for the first time, but before a user sync has occurred or (2) When a user sync occurs. How the user folder gets created is configured differently in each case. In the first case, the bean referenced by the defaultProvider property of the homeFolderManager bean configured in authentication-services-context.xml is used. For the sync, the cm:homeFolderProvider key value in the ldap authentication context XML file references the HomeFolderProvider bean. If you want the behavior to be consistent, you’ll need to make sure to point to the same HomeFolderProvider bean in both places.
  • There are several HomeFolderProvider beans configured OOTB. For example, the userHomesHomeFolderProvider bean creates the user’s home folder as a folder under User Homes named using the user’s user ID.
  • If you want to store a password in SASL’s database (sasldb), use saslpasswd2 -c <username>; the -c flag creates the entry.
  • If the user does not exist in sasldb, slapd instead looks for the userPassword attribute of the LDAP entry that the SASL identity maps to. For DIGEST-MD5 that attribute must hold the cleartext password.
  • You must add authz-regexp entries to slapd.conf to map the SASL authentication identities (of the form uid=<user>,cn=digest-md5,cn=auth) to actual LDAP entries. Without a mapping the bind succeeds, but the session is identified by that pseudo-DN, which matches none of your ACLs.
  • Once your OpenLDAP server is running with SASL enabled, the command-line tools (ldapsearch, ldapadd, ldapmodify) attempt a SASL bind by default; pass the -x switch if you still want to use simple authentication.
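The password-format notes above are easiest to see in code. The following is an added example, not code from the post or from Alfresco: it converts a hex MD5 digest into the {MD5}Base64 form slapd expects in userPassword, produces the salted {SSHA} form as a stronger alternative (unsalted {MD5} is trivially brute-forced if the directory is ever dumped), and mimics the comparison slapd performs on a simple bind. The sample password and salt are constructed for the example; the scheme names are the standard OpenLDAP ones.

```python
"""Added example (not from the post): the userPassword forms OpenLDAP accepts
for a simple bind, and how the comparison works on the server side.
Assumed: the directory uses the standard {MD5} and {SSHA} schemes."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def md5_hex_to_userpassword(hex_digest: str) -> str:
    """Turn a hex-encoded MD5 digest (how many applications store it) into the
    {MD5}<Base64 of the raw 16 bytes> form slapd expects in userPassword."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 16:
        raise ValueError("an MD5 digest is 16 bytes, got %d" % len(raw))
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1, the scheme slappasswd uses by default:
    {SSHA}Base64(sha1(password || salt) || salt). Preferable to unsalted {MD5}."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(password: str, stored: str) -> bool:
    """Mimic what slapd does on a simple bind: hash the offered password with
    the scheme named in the prefix and compare in constant time. A value with
    no prefix is cleartext. Raises on schemes this example does not cover."""
    offered = password.encode("utf-8")
    if stored.startswith("{MD5}"):
        raw = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(hashlib.md5(offered).digest(), raw)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
        return hmac.compare_digest(hashlib.sha1(offered + salt).digest(), digest)
    if stored.startswith("{"):
        raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")
    return hmac.compare_digest(offered, stored.encode("utf-8"))


if __name__ == "__main__":
    # Constructed input: the hex MD5 of "secret", as an application might store it.
    hex_md5 = hashlib.md5(b"secret").hexdigest()
    converted = md5_hex_to_userpassword(hex_md5)
    print("userPassword:", converted, "->", check_password("secret", converted))
    # Constructed fixed salt so the output is reproducible; use os.urandom in practice.
    print("userPassword:", ssha_userpassword("secret", salt=b"salt"))
```

Note that check_password is the simple-bind path only: DIGEST-MD5 never sends the password, so slapd cannot run this comparison and must read the cleartext instead, which is why the {MD5} form fails for that mechanism.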

If I get some time I may reorganize these rough notes into an easier-to-follow step-by-step setup guide.
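The sasldb, userPassword fallback and authz-regexp notes above fit together in one slapd.conf fragment. This is an added example, not configuration from the post; the base DN ou=people,dc=example,dc=com, the realm example.com and the use of uid as the login attribute are assumptions for illustration.

```conf
# Added example slapd.conf fragment (not from the post). DN, realm and attribute
# names are assumed for illustration.
#
# A DIGEST-MD5 bind presents the authentication identity
#   uid=<user>,cn=digest-md5,cn=auth          (no realm configured)
#   uid=<user>,cn=<realm>,cn=digest-md5,cn=auth  (realm configured)
# Map it onto the real entry by searching one level under ou=people for a
# matching uid. slapd then reads that entry's cleartext userPassword when the
# user has no sasldb entry (saslpasswd2 -c <user> creates one).
#
# Anchor the regexp and restrict the LDAP URL to one container and one-level
# scope, so a crafted username cannot be mapped onto an entry elsewhere in
# the tree (such as the rootdn).
authz-regexp
  "^uid=([^,]+),cn=digest-md5,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

authz-regexp
  "^uid=([^,]+),cn=example\.com,cn=digest-md5,cn=auth$"
  "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"
```

If the search behind the URL matches more than one entry, slapd refuses the mapping, so uid must be unique under the chosen base. Restart slapd after editing, then confirm with a SASL bind from ldapwhoami (without -x) that the reported identity is the mapped DN rather than the uid=...,cn=auth pseudo-DN.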

12 comments

  1. Jeff B. says:

    Timely blog as I was just connecting Alfresco to a Novell LDAP today.

    One major gotcha I ran into was that once I was using LDAP for an authenticator, CIFS would no longer work. It throws an authentication related error at startup.

    After some research on the forums and wiki, sounds like CIFS requires an MD4 password hash, which is not supported by most LDAP servers. I verified Novell’s eDirectory certainly does not support it. Not 100% sure if OpenLDAP could.

    Now looking for a workaround to use Samba and pass CIFS authentication through Samba to the LDAP. Do-able, but not crazy about adding another link in the chain.

    Just something to be aware of before making the change to LDAP.

  2. Jeff B. says:

    A follow-up question related to the user home folders during import. Suppose I want to import users from an LDAP, but I don’t want them to have a home folder until/if they actually sign in.

    Can I accomplish this by setting the homeFolderProviderFolder to null in the ldap-authentication-context.xml? For example:

  3. Archana says:

    We have configured NTLM, but are unable to proceed further. In the wiki or forums they said to configure LDAP, but the steps were not clear; I mean, which files and what changes are required in the different places. Please, anybody, help us out in this regard. It is very important to us.

  4. jpotts says:

    @Archana, the Alfresco wiki has a section on configuring LDAP that should help you if you have not seen it already: http://wiki.alfresco.com/w/index.php?title=Enterprise_Security_and_Authentication_Configuration

    The steps are similar to extending any other piece of Alfresco such as creating an extension directory and using bean configuration files. In this case, the file you are looking for is called ldap-authentication-context.xml. There may be a .sample file in your distribution of Alfresco you can look at for an example.

    I’d recommend you get it working on your local machine against something like OpenLDAP and then try it out on your server.

  5. Shrini says:

    Hi Jeff, when we were trying to configure LDAP we got the CIFS error you mentioned. Were you able to get this working? Can you please post the workaround?
    We tried in both 2.2 and 3.1 labs versions. No luck.

    -Shrini

  6. Robert Munsky says:

    Hi Jeff,

    do you have a suggestion about restricting access to Alfresco through LDAP authentication to only a subset of LDAP users? As far as I found out, the LDAP authenticator only tries to log in the user by %s and the user format. It does not allow me to formulate a query or add filters or parameters to restrict access to certain users only.

    So every user stored in a certain path in LDAP can access Alfresco.

    Do you recommend reimplementing/extending the auth component? Does anyone have any experience with that?

    And, the sync mechanism of alfresco should be enhanced too to add a special group or object type or attribute, whatever is used for filtering, to the new users created in alfresco and synced back to ldap.

    Any hint, link or suggestion is highly welcome,

    Robert

  7. jpotts says:

    Robert,

    You can extend the auth component and make it behave differently than how it does out-of-the-box. I believe it is just doing a bind by substituting in the user name provided into the pattern specified in the authentication properties. It sounds like that won’t work for you and that what you’ll have to do is do a search first, then bind if you return a hit, otherwise fail. That’s definitely a customization of the auth component but it shouldn’t be a big deal.

    Regarding the second part of your question, I think what you are saying is that you want some extra properties from the LDAP directory pulled over and stored on the user object. That’s a change to the sync class as well as an extension to the user object.

    Also note that the sync is one-way. If you want to write back to LDAP you’ll have to add that too.

    Jeff

  8. Petar Zrinščak says:

    Hi Jeff,

    I have a question about authentication through Apache LDAP. I want the users to be able to authenticate with their username and not their distinguished name (because Alfresco tries to store the distinguished name as author in the database, and the character limit there is 100 chars, which is a problem because our distinguished names exceed that limit, so we need it to be just the username). We also want to be able to log in with all users from LDAP, which are stored in a big hierarchical structure.
    So the problem is we cannot authenticate with the username, because Alfresco doesn’t know how to do that, and on the other hand we cannot use the distinguished name to authenticate, which Alfresco knows how to do but cannot store as author in the database. The version of Alfresco we are using is Labs 3.0.
    So, can you please suggest how this problem can be resolved?
    Thank you in advance for all your suggestions.

  9. testUser says:

    hi,

    I want to configure NTLM with Alfresco. I have followed the steps from the Alfresco wiki, but I am not able to log in using my system user, the one I am logged in to my Windows system with.

    When I debug the code, in BaseNTLMAuthenticationFilter.java > authenticateRequest() method I am getting the variable “String authHdr” with value null. Please suggest what I should do to make it work.

  10. Rutaveej Shah says:

    Hi Jeff
    I am using Alfresco Community Edition 4.0d.
    I have authenticated the user by LDAP configuration.
    I have created a user in LDAP.
    I have created a group in LDAP.
    Using LDAP I want to add that user to the group that I have created.
    What should I do for that?

  11. jpotts says:

    Simply add the user to the group in the LDAP directory using an API, a web app, or a custom LDAP client. When you do that, Alfresco will pick up the change.

    Jeff
