It is very powerful to have alfresco JavaScript APIs accessible in node event scripts in jBPM workflows.
Most of the workflow variables are accessible in the jBPM process definition in alfresco: bpm:assignee is available as bpm_assignee, bpm:workflowDueDate as bpm_workflowDueDate, bpm:workflowPriority as bpm_workflowPriority, and so on.
But the task comments entered by the user are unfortunately not available directly. However, you can still access them with the following syntax in the script:

var comment = "";
// token.comments is the jBPM comment list attached to this token; guard against an empty list
if (token.comments.size() > 0) {
    comment = token.comments.get(0).message;
}

The comment variable is now available in your script.
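Because the comment text is typed by the user, a script that copies it into a workflow variable or a log line should treat it as untrusted input. The following added example (not from the post) wraps the access shown above in helpers that tolerate a missing comment list and neutralise line breaks and control characters; it assumes jBPM Comment objects expose actorId as well as message, and exercises the helpers against a constructed stand-in for the token so they can be tried outside Alfresco.

```javascript
// Collect the comments on a jBPM token as plain objects.
// Assumption: jBPM Comment objects expose actorId and message (Rhino maps the Java
// getters to property names, as the post's token.comments.get(0).message already relies on).
function commentMessages(token) {
  var out = [];
  // token.comments is a java.util.List; it may be absent or empty
  if (!token || !token.comments) return out;
  for (var i = 0; i < token.comments.size(); i++) {
    var c = token.comments.get(i);
    out.push({ actor: String(c.actorId || "unknown"), message: String(c.message || "") });
  }
  return out;
}

// Comments are user-typed: collapse control characters (including CR/LF, which would let a
// comment forge extra log lines) into a single space and cap the length.
function sanitize(text, maxLen) {
  var clean = text.replace(/[\u0000-\u001F\u007F]+/g, " ").trim();
  return clean.length > maxLen ? clean.substring(0, maxLen) + "..." : clean;
}

// One line-safe audit string, "actor: message" per comment, suitable for a workflow
// variable or a log entry.
function auditLine(token, maxLen) {
  var comments = commentMessages(token);
  var parts = [];
  for (var i = 0; i < comments.length; i++) {
    parts.push(comments[i].actor + ": " + sanitize(comments[i].message, maxLen));
  }
  return parts.join(" | ");
}

// Constructed stand-in for the Java list on the jBPM token (size()/get(i) only),
// so the helpers can be run outside the workflow engine.
function javaList(items) {
  return { size: function () { return items.length; }, get: function (i) { return items[i]; } };
}

// Constructed sample token: the first comment tries to smuggle a second log line.
var sampleToken = { comments: javaList([
  { actorId: "alice", message: "Approved\r\nadmin: fake entry" },
  { actorId: "bob", message: "Please  re-check the invoice total" }
]) };

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditLine(sampleToken, 40));
}
```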
Tuesday, January 25, 2011
Saturday, January 15, 2011
Alfresco Authentication and Integration with Active Directory
One of the main features of the Alfresco ECM System is the ability to integrate user authentication and synchronization with almost all popular LDAP directory servers, such as Microsoft Active Directory.
However, the integration is error prone and requires an understanding of your LDAP environment settings and configuration. Moreover, as a warning, I must say the error messages you will face during the integration are most of the time misleading and subjective.
In this article, we will see how we can integrate alfresco with AD, and also how to synchronize alfresco users and groups with the existing entities of your AD. I have used alfresco 3.3.4 in this case.
Be prepared with the settings of your AD so that you can understand and configure your alfresco as well.
Alfresco Subsystems
There are a few subsystems offered in an alfresco installation:
- Audit
- Authentication
- File Server
- IMAP
- Synchronization
Authentication Subsystem
For authentication purposes, alfresco can be configured with AD, LDAP, Kerberos, alfrescoNtlm or other external servers. You can configure alfresco to authenticate against a number of systems - this is known as the Authentication Chain. You define the authentication chain in the alfresco-global.properties file or in the repository.properties file.
By default, the authentication chain is defined as (in the repository.properties file)

authentication.chain=alfrescoNtlm1:alfrescoNtlm

Thus, only alfrescoNtlm authentication is activated. For enabling AD authentication, we put it as

authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

Now alfresco will try to authenticate the user first against the configured AD, and if the user is not present there, alfrescoNtlm will be tried. If you put only ldap-ad1:ldap-ad, alfresco local authentication will be fully stopped. In this way, you can integrate a number of systems into the alfresco authentication chain.

Configuring Active Directory Authentication
In webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication, we have separate folders for separate servers. For our Active Directory integration, our settings should be populated in the ldap-ad-authentication.properties file in the ldap-ad folder. This file is used to set the configuration for Authentication as well as Synchronization with AD.
ldap.authentication.active=true
This value should be true in order to activate this authentication mode.
ldap.authentication.userNameFormat=%s@mydomain.com
This pattern is applied to the user name that users type in the alfresco login dialog before it is sent to AD for authentication. The resulting value should be a full User Principal Name (UPN) or DN.
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
No need to change this line. We use the default Sun Java LDAP libraries.
ldap.authentication.java.naming.provider.url=ldap://<<server-name or ip>>:389
Put your AD server name or IP here. 389 is the default port for LDAP services; consult your administrator in case you have a different port.
ldap.authentication.java.naming.security.authentication=simple
This value can be simple, DIGEST-MD5 etc. Again, it depends on your AD setup.
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
We won't change these values.

ldap.authentication.defaultAdministratorUserNames=administrator
Put your administrator user name here.
These values and settings are enough to make alfresco authenticate against your Active Directory. However, we also need synchronization between your AD and alfresco, so that users and groups are imported into alfresco and you can manage the permissions and restrictions of those users.
Configuring Active Directory Synchronization
The same file is used to populate the synchronization settings.

ldap.synchronization.active=true
True means alfresco will try to import AD users and groups into the local system.
ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
Put your administrator user DN here.
ldap.synchronization.java.naming.security.credentials=****
Put your user password here - in plain text.
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
We do not change these values for now.
ldap.synchronization.groupQuery=(objectclass\=group)
The objectclass of your Groups in AD.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
The objectclass of your Users in AD, combined with a userAccountControl bit test that keeps only normal user accounts.
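The personQuery above relies on the AD bit-AND matching rule (1.2.840.113556.1.4.803) applied to userAccountControl, so it selects every entry that has the NORMAL_ACCOUNT bit (512) set. The following added example (not from the post) is a small evaluator for that filter syntax run over constructed sample entries; it shows that the filter as written also imports a disabled user (userAccountControl 514, NORMAL_ACCOUNT plus ACCOUNTDISABLE), which a second bit-AND clause on 2 would exclude, while computer accounts are already kept out by the 512 test.

```python
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND
NORMAL_ACCOUNT, ACCOUNTDISABLE = 512, 2   # userAccountControl flag bits

# personQuery exactly as written in the .properties file (Java properties escaping),
# and a tightened variant that also rejects accounts with the ACCOUNTDISABLE bit set.
PAGE_PERSON_QUERY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"
STRICT_PERSON_QUERY = PAGE_PERSON_QUERY[:-1] + r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))"

def unescape(prop_value):
    """Undo the backslash escaping a .properties file needs for '=' and ':'."""
    return prop_value.replace("\\=", "=").replace("\\:", ":")

def parse(f, i=0):
    """Parse the RFC 4515 subset used here: (&...), (!...), (attr=value) and the AD
    extensible bit-AND match attr:OID:=value. Returns (node, index_after_node)."""
    if f[i + 1] in "&!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1                      # skip the closing ')'
    j = f.index(")", i)
    attr, val = f[i + 1:j].split("=", 1)
    if ":" in attr:                                   # extensible match: attr:rule:
        attr, rule = attr.rstrip(":").split(":", 1)
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        return ("bitand", attr, int(val)), j + 1
    return ("eq", attr, val), j + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    values = values if isinstance(values, list) else [values]
    if node[0] == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    return any((int(v) & node[2]) == node[2] for v in values)   # bitand: all bits set

def selected(prop_value, entries):
    """cn of every entry the given personQuery property value would import."""
    tree, _ = parse(unescape(prop_value))
    return [e["cn"] for e in entries if matches(tree, e)]

# Constructed sample directory: an enabled user, a disabled user and a computer account.
SAMPLE_AD = [
    {"cn": "alice", "objectclass": ["top", "person", "user"], "userAccountControl": NORMAL_ACCOUNT},
    {"cn": "bob", "objectclass": ["top", "person", "user"], "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"cn": "WS01$", "objectclass": ["top", "person", "user", "computer"], "userAccountControl": 4096},
]
```

Running selected(PAGE_PERSON_QUERY, SAMPLE_AD) returns ['alice', 'bob'] while selected(STRICT_PERSON_QUERY, SAMPLE_AD) returns ['alice']; the differential personDifferentialQuery further down adds a modifyTimestamp clause that this small parser does not cover.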
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
Pretty standard, change the objectclass only, if required.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
Again pretty standard, change the objectclass of users only, if required.
ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here as the search base for the Groups query. I have used a generic search base here; it would probably search everything.
ldap.synchronization.userSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here as the search base for the Users query. I have used a generic search base here; it would probably search everything.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
We won't change these values now. These are used to populate the user attributes from AD.
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
These values also need not be changed for now.
That's it!
Restart your server, alfresco should connect to your AD and import all users and groups. For authentication, it should go to your AD and validate the credentials.
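Before restarting, the settings above are worth a review pass. The following added example (not the post's or Alfresco's own code) reads a constructed copy of the properties values walked through above and flags the choices a security reviewer would question: a simple bind over plain ldap://, synchronizing as the domain Administrator, credentials stored in clear text, and a search base at the domain root. The host name is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed copy of the values the post walks through (host name is a placeholder,
# password redacted exactly as the post shows it).
SAMPLE_PROPERTIES = r"""
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@mydomain.com
ldap.authentication.java.naming.provider.url=ldap://dc01.mydomain.example:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
ldap.synchronization.java.naming.security.credentials=****
ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
ldap.synchronization.userSearchBase=DC\=domain,DC\=com
"""

def load_properties(text):
    """Minimal .properties reader: key=value per line, backslash escapes on '=' and ':' undone."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\=", "=").replace("\\:", ":")
    return props

def lint(props):
    """Return the findings a reviewer would raise on these values (empty list: none)."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth = props.get("ldap.authentication.java.naming.security.authentication", "")
    if urlsplit(url).scheme == "ldap" and auth == "simple":
        findings.append("cleartext-bind")            # simple bind over ldap:// sends passwords unencrypted; use ldaps://
    principal = props.get("ldap.synchronization.java.naming.security.principal", "").lower()
    if principal.startswith("cn=administrator,"):
        findings.append("admin-sync-account")        # sync only needs read access; bind as a dedicated low-privilege account
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("plaintext-credentials")     # the file holds the password in clear; restrict who can read it
    for key in ("ldap.synchronization.groupSearchBase", "ldap.synchronization.userSearchBase"):
        rdn_types = {part.split("=", 1)[0].strip().upper() for part in props.get(key, "").split(",") if part}
        if rdn_types == {"DC"}:
            findings.append("domain-root-search:" + key)   # scope to an OU rather than the whole domain
    return findings

if __name__ == "__main__":
    for finding in lint(load_properties(SAMPLE_PROPERTIES)):
        print("WARN", finding)
```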
Important!
In the community version, you need to add this XML tag in the common-ldap-context.xml file in the subsystems\Authentication folder. Under the following tag -

<bean id="ldapInitialDirContextFactory">
    <property name="initialDirContextEnvironment">
        <map>

Add this entry -

            <entry key="java.naming.referral">
                <value>follow</value>
            </entry>