Saturday, January 15, 2011

Alfresco Authentication and Integration with Active Directory

One of the main features of the Alfresco ECM System is the ability to integrate user authentication and synchronization with almost all popular LDAP directory servers, such as Microsoft Active Directory.



However, the integration is error prone and requires understanding of your LDAP environment settings and configuration. Moreover, as a warning, I must say the error messages you will face during the integration are most of the time mis-leading and subjective.

In this article, we will see how we can integrate alfresco with AD; and also how to synchronize alfresco users and groups with the existing entities of your AD. I have used alfresco 3.3.4 in this case.

Be prepared with the settings of your AD so that you can understand and configure your alfresco as well.

Alfresco Subsystems

There are a few subsystems offered in alfresco installation.
  1. Audit
  2. Authentication
  3. File Server
  4. IMAP
  5. Synchronization
  6. EMail
We will use the Authentication and Synchronization subsystems for this purpose.

Authentication Subsystem

For authentication purpose, alfresco can be configured with AD, LDAP, Kerberos, alfrescoNtlm or other external servers. You can configure alfresco to authenticate from a number of systems - this is known as Authentication Chain.
You define the authentication chain in alfresco-global.properties file or in repository.properties file.

By default, the authentication chain is defined as (in repository.properties file)

authentication.chain=alfrescoNtlm1:alfrescoNtlm


Thus, only alfrescoNtlm authentication is activated.
For enabling AD authentication, we put it as

authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm


Now alfresco will try to authenticate the user first from the configured AD, and if the user is not present there, alfrescoNtlm will be tried. If you put only ldap-ad1:ldap-ad, alfresco local authentication will be fully stopped. In this way, you can integrate a number of systems into alfresco authentication chain.

Configuring Active Directory Authentication

In webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication, we have separate folders for separate servers. For our Active Directory integration, our settings should be populated in the ldap-ad-authentication.properties file in ldap-ad folder.

This file is used to set the configurations on Authentication as well as Synchronization with AD.

ldap.authentication.active=true
This value should be true in order to make the authentication mode activated.

ldap.authentication.userNameFormat=%s@mydomain.com
This value pattern will be used when users will put the user name in the alfresco login dialog and try to be authenticated. This value should be full User Principal Name (UPN) or DN.

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
No need to change this line. We use the default Sun Java LDAP libraries.

ldap.authentication.java.naming.provider.url=ldap://<<server-name or ip>>:389
Put your AD server name or IP here. 389 is the default port for LDAP services, consult your administrator in case you have different port.

ldap.authentication.java.naming.security.authentication=simple
This value can be simple, digest-5 etc. Again, depends on your AD setup.


ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
We won't change these values.

ldap.authentication.defaultAdministratorUserNames=administrator
Put your administrator user name here.

These values and settings are enough to make alfresco authenticate against your Active Directory. However, we also need synchronization between your AD and alfresco, so that users and groups are imported into alfresco and you can manage the permissions and restrictions of the users.

Configuring Active Directory Synchronization

Same file is used to populate the synchronization settings.

ldap.synchronization.active=true
True means alfresco will try to import AD users and groups into local system.

ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
Put your administrator user DN here.

ldap.synchronization.java.naming.security.credentials=****
Put your user password here - in plain text.


ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

We do not change these values for now.

ldap.synchronization.groupQuery=(objectclass\=group)
The objectclass of your Groups in AD.

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
The objectclass of your Users in AD.

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
Pretty standard, change the objectclass only, if required.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
Again pretty standard, change the objectclass of users only, if required.

ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here for Groups query search base. I have used a generic search base here, it would probably search everything.

ldap.synchronization.userSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here for Users query search base. I have used a generic search base here, it would probably search everything.


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

We won't change these values now. These are used to populate the user attributes from AD.


ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

These values also may not be changed for now.

That's it!
Restart your server, alfresco should connect to your AD and import all users and groups. For authentication, it should go to your AD and validate the credentials.

Important!

In community version, you need to add this XMl tag in common-ldap-context.xml file in subsystems\Authentication folder.
Under the following tag -
<bean id="ldapInitialDirContextFactory">
<property name="initialDirContextEnvironment">
<map>


Add this entry -
<entry key="java.naming.referral">
<value>follow</value>
</entry>

8 comments:

  1. Thanks,
    It is working fine on 3.4d.
    But something has changed in 4.0a.
    No groups, no users.
    Any help would be appreciated.
    Regards,
    Peter

    ReplyDelete
    Replies
    1. Hi Peter

      Nothing much has been changed in 4.0a from 3.4d in this context.
      Can you see any errors in your log file?

      Snig.

      Delete
  2. Thanks for this very useful post.

    I do have one concern that is related to this. Users are now able to login using their Active Directory account. However, if they try to use the Edit Online function, it prompts to enter user credentials. Even if they enter their correct user name and password, it doesn't accept it. But if we try to edit online using the default alfresco admin, it works. Any other configuration that I need to set?

    Thanks in advanced,
    Rubie

    ReplyDelete
    Replies
    1. Hi Rubie

      The Edit Online feature uses MS SharePoint protocol for opening the document in MS Office.

      Though I haven't tried this, however, I think for that you would need Kerberos auto-login, SSO etc.

      Do share your investigation results please !!!

      Delete
  3. This comment has been removed by the author.

    ReplyDelete
  4. ldap online training| ldap training| call us+919000444287 ...
    http://www.21cssindia.com/courses/ldap-online-training-103.html
    ఈ పేజీని అనువదించు
    LDAP Online Training, LDAP training, LDAP course contents, LDAP , call us: +919000444287,dharani@21cssindia.com.
    course contents, biztalk admin enquiry, ...Courses at 21st Century Software Solutions
    Talend Online Training -Hyperion Online Training - IBM Unica Online Training -
    Siteminder Online Training - SharePoint Online Training - Informatica Online Training
    SalesForce Online Training - Many more… | Call Us +917386622889
    Visit: http://www.21cssindia.com/courses.html

    ReplyDelete
  5. Thank you for your deep understanding document. It worked for me.

    Past two weeks i am working on alfresco 4.2 integration with liferay 6.2 for document management. I imported AD users success in both tools and they are all able to login individually. I would like to set up SSO and auto login in browsers. Please guide me to set up auto login and SSO for alfresco with liferay.

    All your words valuable for me.Thank you

    ReplyDelete
  6. Hi,

    We are conducting Free Webinar on ALFRESCO in coming 20th July.For more details Kindly contact
    Saurabh +918553576305
    Email-saurabh@maxmunus.com
    Skype-saurabhmaxmunus
    Website- www.maxmunus.com

    ReplyDelete