Monthly Archives: July 2013

Configuring Authentication with Alfresco: OpenLDAP


When it comes to authentication, the Alfresco NTLM authentication that comes out of the box will only get you so far. In almost all serious Enterprise environments you’re going to use a directory service for managing users and groups and for authentication, and you may well use more than one directory service or type of directory service. This article focuses on how to set up Alfresco to work with an OpenLDAP directory service.

You may already have an LDAP system you can work with, but in case you don’t, I’ll provide directions on how to get one up and running so you can see how this works with Alfresco.

My server for this test is a RHEL server. I’ve managed to install the OpenLDAP server by issuing this command:

# yum install openldap-servers openldap openldap-clients

After this finishes, you can open up /etc/openldap/slapd.conf and ensure these settings exist in the file:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
suffix "dc=<domain>,dc=com"
rootdn "cn=Manager,dc=<domain>,dc=com"
rootpw secret
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

After saving, you can then run /etc/init.d/ldap restart.

To populate the OpenLDAP server with a few users you can use a sample LDIF import file I have here:

dn: dc=<domain>,dc=com
objectClass: dcObject
objectClass: organization
dc: <domain>
o: support

dn: ou=people,dc=<domain>,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people

dn: cn=<firstname lastname>,ou=people,dc=<domain>,dc=com
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: <firstname lastname>
sn: <lastname>
mail: <email address>
uid: <username>
# the base64 value on the next line decodes to "secreths"
userPassword:: c2VjcmV0aHM=

dn: cn=<firstname lastname>,ou=people,dc=<domain>,dc=com
objectClass: person
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: <firstname lastname>
sn: <lastname>
mail: <email address>
uid: <username>
# the base64 value on the next line decodes to "secreths"
userPassword:: c2VjcmV0aHM=

dn: ou=groups,dc=<domain>,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: cn=all,ou=groups,dc=<domain>,dc=com
objectClass: groupOfNames
objectClass: top
cn: all
member: cn=<cn name from users above>,ou=people,dc=<domain>,dc=com
member: cn=<cn name from users above>,ou=people,dc=<domain>,dc=com

The <domain> name is a simple domain and not a fully qualified domain name. So, if your FQDN was alfrescodemo.com, your domain in this case would be “alfrescodemo”. Fill in the firstname, lastname, email address and username placeholders. Be aware the passwords I have set translate to “secreths” if you want to authenticate with them. From the command line you do this to import the LDIF file:

# ldapadd -x -D "cn=Manager,dc=<domain>,dc=com" -W -f example.ldif
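Before running ldapadd, the filled-in LDIF can be sanity-checked offline. The following Python is an added example and not part of the original post: it parses the LDIF (decoding the `::` base64 userPassword values so you can see what they hold) and flags unfilled `<placeholder>` tokens, entries whose parent (such as ou=groups) is missing, and groupOfNames members that point at no entry. The sample LDIF inside it is constructed, using the fictional domain alfrescodemo and user Jane Doe.

```python
import base64
# Constructed sample (not the page's): one <placeholder> left unfilled and ou=groups omitted on purpose.
SAMPLE_LDIF = """\
dn: dc=alfrescodemo,dc=com
dc: alfrescodemo

dn: ou=people,dc=alfrescodemo,dc=com
ou: people

dn: cn=Jane Doe,ou=people,dc=alfrescodemo,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
uid: jdoe
userPassword:: c2VjcmV0aHM=

dn: cn=all,ou=groups,dc=alfrescodemo,dc=com
objectClass: groupOfNames
cn: all
member: cn=Jane Doe,ou=people,dc=alfrescodemo,dc=com
member: cn=<firstname lastname>,ou=people,dc=alfrescodemo,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; 'attr::' marks base64 (continuation lines not handled)."""
    records = []
    for block in text.strip().split("\n\n"):      # one blank line separates entries
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")  # a second ':' means the value is base64
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        records.append((dn, attrs))
    return records

def check_ldif(text):
    """Flag what ldapadd, or a later Alfresco sync, would trip over in this LDIF."""
    records, problems = parse_ldif(text), []
    dns = {dn.lower() for dn, _ in records}
    for dn, attrs in records:
        if "<" in dn or any("<" in v for vs in attrs.values() for v in vs):
            problems.append(f"unfilled placeholder in {dn}")
        if dn != records[0][0] and dn.partition(",")[2].lower() not in dns:
            problems.append(f"parent entry missing for {dn}")    # ldapadd: 'no such object'
        for member in attrs.get("member", []):                   # groupOfNames member DNs
            if member.lower() not in dns:
                problems.append(f"member of {dn} does not exist: {member}")
    return problems
```

Run check_ldif on your own file's contents; an empty list means the structure is consistent and you can proceed with ldapadd.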

If you wish, you can use Apache Directory Studio to connect to this LDAP server and check the structure. It’s very simple to use and the best part is it’s free.

Once you’re satisfied with your LDAP server, you can move on to configuring Alfresco to communicate with this LDAP server.

Open alfresco-global.properties and add these settings:

# Tells Alfresco to add LDAP to the authentication chain.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=cn\=%s,ou\=people,dc\=<domain>,dc\=com
ldap.authentication.java.naming.provider.url=ldap://<domain>.com:389
ldap.authentication.allowGuestLogin=false
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUID=false

# Below this we set up the synchronization to run. If you update your OpenLDAP, the changes in Alfresco will be reflected when the synchronization is run.
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=<domain>,dc\=com
ldap.synchronization.java.naming.security.credentials=secret

ldap.synchronization.groupSearchBase=ou\=groups,dc\=<domain>,dc\=com
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupQuery=(objectclass=groupOfNames)
ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.userSearchBase=ou\=people,dc\=<domain>,dc\=com
ldap.synchronization.userIDAttributeName=uid
ldap.synchronization.personQuery=(& (objectclass\=inetOrgPerson) (uid\=*))
ldap.synchronization.personType=inetOrgPerson

Save the global properties file and restart Alfresco. You should now be able to log in with any of the users that you put in your ldif file.
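As an added example (not the author's code), this Python reads the settings above the way Java reads a .properties file and flags three things worth confirming before the restart: text after a `#` on a value line is part of the value, not a comment; the RDN attribute in userNameFormat (cn here) differs from userIDAttributeName (uid), so logins are by cn while synchronized accounts are keyed by uid; and a simple bind over plain ldap:// sends passwords unencrypted. The PROPS string is a constructed excerpt with the domain filled in as alfrescodemo.

```python
import re

# Constructed excerpt of the page's alfresco-global.properties settings, with the domain filled in.
PROPS = r"""
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap # Tells Alfresco to add LDAP to the chain.
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=cn\=%s,ou\=people,dc\=alfrescodemo,dc\=com
ldap.authentication.java.naming.provider.url=ldap://alfrescodemo.com:389
ldap.synchronization.userIDAttributeName=uid
ldap.synchronization.personQuery=(& (objectclass\=inetOrgPerson) (uid\=*))
"""

def parse_properties(text):
    """Java .properties subset: '#'/'!' comment only whole lines, and '\\x' unescapes to 'x'."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_ldap_props(text):
    """Return findings for the LDAP settings a reviewer would want confirmed before restarting Alfresco."""
    p = parse_properties(text)
    findings = []
    if "#" in p.get("authentication.chain", ""):
        findings.append("authentication.chain: text after '#' is part of the value, not a comment")
    rdn = re.match(r"(\w+)=%s,", p.get("ldap.authentication.userNameFormat", ""))
    uid_attr = p.get("ldap.synchronization.userIDAttributeName", "")
    if rdn and rdn.group(1).lower() != uid_attr.lower():
        findings.append(f"userNameFormat binds with {rdn.group(1)} but synced user ids come from {uid_attr}")
    url = p.get("ldap.authentication.java.naming.provider.url", "")
    if p.get("ldap.authentication.java.naming.security.authentication") == "simple" and url.startswith("ldap://"):
        findings.append("simple bind over plain ldap:// sends user passwords unencrypted")
    return findings
```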

Cheers! – H.S.