<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Alfresco-LDAP integration notes</title>
	<atom:link href="http://ecmarchitect.com/archives/2007/05/15/753/feed" rel="self" type="application/rss+xml" />
	<link>http://ecmarchitect.com/archives/2007/05/15/753</link>
	<description>Jeff Potts on ECM, portals, search, collaboration, and a bunch of personal stuff</description>
	<lastBuildDate>Mon, 06 Sep 2010 22:32:25 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
	<item>
		<title>By: Peter</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-40389</link>
		<dc:creator>Peter</dc:creator>
		<pubDate>Mon, 24 Aug 2009 18:02:18 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-40389</guid>
		<description>Hi Shrini,

You have a solution here : http://wiki.alfresco.com/wiki/LDAP-CIFS_on_Alfresco_Enterprise_v3.0.0

Hope the link will help you.</description>
		<content:encoded><![CDATA[<p>Hi Shrini,</p>
<p>You have a solution here : <a href="http://wiki.alfresco.com/wiki/LDAP-CIFS_on_Alfresco_Enterprise_v3.0.0" rel="nofollow">http://wiki.alfresco.com/wiki/LDAP-CIFS_on_Alfresco_Enterprise_v3.0.0</a></p>
<p>Hope the link will help you.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Petar Zrinš?ak</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-32673</link>
		<dc:creator>Petar Zrinš?ak</dc:creator>
		<pubDate>Fri, 27 Mar 2009 17:23:19 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-32673</guid>
		<description>Hi Jeff,

I have a question about authentication through Apache LDAP. I want the users to be able to authenticate with username and not distinguished name (because Alfresco tries to store distinguished name as author in the database and the character limit there is 100 chars which is a problem because our distinguished names exceed that limit - so we need it to be just username). We also want to be able to login with all users from LDAP which are stored in a big hierarchy structure.
So the problem is we cannot authenticate with username, because Alfresco doesn&#039;t know how to do that and on the other hand we cannot use distinguished name to authenticate, which Alfresco knows how to do, but cannot store as author in the database. Version of Alfresco which we are using is Labs 3.0.
So, can you please suggest how this problem can be resolved.
Thank you in advance for all your suggestions.</description>
		<content:encoded><![CDATA[<p>Hi Jeff,</p>
<p>I have a question about authentication through Apache LDAP. I want the users to be able to authenticate with username and not distinguished name (because Alfresco tries to store distinguished name as author in the database and the character limit there is 100 chars which is a problem because our distinguished names exceed that limit &#8211; so we need it to be just username). We also want to be able to login with all users from LDAP which are stored in a big hierarchy structure.<br />
So the problem is we cannot authenticate with username, because Alfresco doesn&#8217;t know how to do that and on the other hand we cannot use distinguished name to authenticate, which Alfresco knows how to do, but cannot store as author in the database. Version of Alfresco which we are using is Labs 3.0.<br />
So, can you please suggest how this problem can be resolved.<br />
Thank you in advance for all your suggestions.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jpotts</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-32520</link>
		<dc:creator>jpotts</dc:creator>
		<pubDate>Mon, 23 Mar 2009 13:53:33 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-32520</guid>
		<description>Robert,

You can extend the auth component and make it behave differently than how it does out-of-the-box. I believe it is just doing a bind by substituting in the user name provided into the pattern specified in the authentication properties. It sounds like that won&#039;t work for you and that what you&#039;ll have to do is do a search first, then bind if you return a hit, otherwise fail. That&#039;s definitely a customization of the auth component but it shouldn&#039;t be a big deal.

Regarding the second part of your question, I think what you are saying is that you want some extra properties from the LDAP directory pulled over and stored on the user object. That&#039;s a change to the sync class as well as an extension to the user object.

Also note that the sync is one-way. If you want to write back to LDAP you&#039;ll have to add that too.

Jeff</description>
		<content:encoded><![CDATA[<p>Robert,</p>
<p>You can extend the auth component and make it behave differently than how it does out-of-the-box. I believe it is just doing a bind by substituting in the user name provided into the pattern specified in the authentication properties. It sounds like that won&#8217;t work for you and that what you&#8217;ll have to do is do a search first, then bind if you return a hit, otherwise fail. That&#8217;s definitely a customization of the auth component but it shouldn&#8217;t be a big deal.</p>
<p>Regarding the second part of your question, I think what you are saying is that you want some extra properties from the LDAP directory pulled over and stored on the user object. That&#8217;s a change to the sync class as well as an extension to the user object.</p>
<p>Also note that the sync is one-way. If you want to write back to LDAP you&#8217;ll have to add that too.</p>
<p>Jeff</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Robert Munsky</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-32111</link>
		<dc:creator>Robert Munsky</dc:creator>
		<pubDate>Wed, 11 Mar 2009 19:57:37 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-32111</guid>
		<description>Hi Jeff,

Do you have a suggestion about restricting the access to Alfresco through LDAP authentication only to a subset of LDAP users? As far as I found out the LDAP authenticator only tries to login the user by %s and the user format. It does not allow me to formulate a query or add filters or parameters to restrict access to certain users only.

So every user stored in a certain path in LDAP can access Alfresco.

Do you recommend reimplementing/extending the auth component? Does anyone have any exp with that?

And, the sync mechanism of Alfresco should be enhanced too to add a special group or object type or attribute, whatever is used for filtering, to the new users created in Alfresco and synced back to LDAP.

Any hint, link or suggestion is highly welcome,

Robert</description>
		<content:encoded><![CDATA[<p>Hi Jeff,</p>
<p>Do you have a suggestion about restricting the access to Alfresco through LDAP authentication only to a subset of LDAP users? As far as I found out the LDAP authenticator only tries to login the user by %s and the user format. It does not allow me to formulate a query or add filters or parameters to restrict access to certain users only.</p>
<p>So every user stored in a certain path in LDAP can access Alfresco.</p>
<p>Do you recommend reimplementing/extending the auth component? Does anyone have any exp with that?</p>
<p>And, the sync mechanism of Alfresco should be enhanced too to add a special group or object type or attribute, whatever is used for filtering, to the new users created in Alfresco and synced back to LDAP.</p>
<p>Any hint, link or suggestion is highly welcome,</p>
<p>Robert</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Shrini</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-31442</link>
		<dc:creator>Shrini</dc:creator>
		<pubDate>Wed, 25 Feb 2009 07:20:27 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-31442</guid>
		<description>Hi Jeff, when we were trying to configure LDAP we are getting the CIFS error you mentioned. Were you able to get this working? Can you please post the workaround?
We tried in both 2.2 and 3.1 labs versions. No luck. 

-Shrini</description>
		<content:encoded><![CDATA[<p>Hi Jeff, when we were trying to configure LDAP we are getting the CIFS error you mentioned. Were you able to get this working? Can you please post the workaround?<br />
We tried in both 2.2 and 3.1 labs versions. No luck. </p>
<p>-Shrini</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: jpotts</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-5400</link>
		<dc:creator>jpotts</dc:creator>
		<pubDate>Tue, 04 Sep 2007 02:25:20 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-5400</guid>
		<description>@Archana, the Alfresco wiki has a section on configuring LDAP that should help you if you have not seen it already: http://wiki.alfresco.com/w/index.php?title=Enterprise_Security_and_Authentication_Configuration

The steps are similar to extending any other piece of Alfresco such as creating an extension directory and using bean configuration files. In this case, the file you are looking for is called ldap-authentication-context.xml. There may be a .sample file in your distribution of Alfresco you can look at for an example.

I&#039;d recommend you get it working on your local machine against something like OpenLDAP and then try it out on your server.</description>
		<content:encoded><![CDATA[<p>@Archana, the Alfresco wiki has a section on configuring LDAP that should help you if you have not seen it already: <a href="http://wiki.alfresco.com/w/index.php?title=Enterprise_Security_and_Authentication_Configuration" rel="nofollow">http://wiki.alfresco.com/w/index.php?title=Enterprise_Security_and_Authentication_Configuration</a></p>
<p>The steps are similar to extending any other piece of Alfresco such as creating an extension directory and using bean configuration files. In this case, the file you are looking for is called ldap-authentication-context.xml. There may be a .sample file in your distribution of Alfresco you can look at for an example.</p>
<p>I&#8217;d recommend you get it working on your local machine against something like OpenLDAP and then try it out on your server.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Archana</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-5337</link>
		<dc:creator>Archana</dc:creator>
		<pubDate>Thu, 23 Aug 2007 05:32:50 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-5337</guid>
		<description>We have configured NTLM, but unable to proceed further. In wiki or forums they said to configure LDAP but steps were not clear, I mean like which files &amp; what are the changes required at different places. Please anybody help us out in this regard. It is very important to us.</description>
		<content:encoded><![CDATA[<p>We have configured NTLM, but unable to proceed further. In wiki or forums they said to configure LDAP but steps were not clear, I mean like which files &amp; what are the changes required at different places. Please anybody help us out in this regard. It is very important to us.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff B.</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-3308</link>
		<dc:creator>Jeff B.</dc:creator>
		<pubDate>Wed, 16 May 2007 23:20:57 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-3308</guid>
		<description>A follow-up question related to the user home folders during import.  If I want to import users from an LDAP, but I don&#039;t want them to have a home folder until/if they actually sign in.  

Can I accomplish this by setting the homeFolderProviderFolder to null in the ldap-authentication-context.xml?  For example:</description>
		<content:encoded><![CDATA[<p>A follow-up question related to the user home folders during import.  If I want to import users from an LDAP, but I don&#8217;t want them to have a home folder until/if they actually sign in.  </p>
<p>Can I accomplish this by setting the homeFolderProviderFolder to null in the ldap-authentication-context.xml?  For example:</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jeff B.</title>
		<link>http://ecmarchitect.com/archives/2007/05/15/753/comment-page-1#comment-3307</link>
		<dc:creator>Jeff B.</dc:creator>
		<pubDate>Wed, 16 May 2007 23:15:20 +0000</pubDate>
		<guid isPermaLink="false">http://ecmarchitect.com/archives/2007/05/15/753#comment-3307</guid>
		<description>Timely blog as I was just connecting Alfresco to a Novell LDAP today.  

One major gotcha I ran into was that once I was using LDAP for an authenticator, CIFS would no longer work.  It throws an authentication related error at startup.

After some research on the forums and wiki, sounds like CIFS requires an MD4 password hash, which is not supported by most LDAP servers.  I verified Novell&#039;s eDirectory certainly does not support it.  Not 100% sure if OpenLDAP could.

Now looking for a workaround to use Samba and pass CIFS authentication through Samba to the LDAP.  Do-able, but not crazy about adding another link in the chain.

Just something to be aware of before making the change to LDAP.</description>
		<content:encoded><![CDATA[<p>Timely blog as I was just connecting Alfresco to a Novell LDAP today.  </p>
<p>One major gotcha I ran into was that once I was using LDAP for an authenticator, CIFS would no longer work.  It throws an authentication related error at startup.</p>
<p>After some research on the forums and wiki, sounds like CIFS requires an MD4 password hash, which is not supported by most LDAP servers.  I verified Novell&#8217;s eDirectory certainly does not support it.  Not 100% sure if OpenLDAP could.</p>
<p>Now looking for a workaround to use Samba and pass CIFS authentication through Samba to the LDAP.  Do-able, but not crazy about adding another link in the chain.</p>
<p>Just something to be aware of before making the change to LDAP.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
