Another Stranger Me


Alfresco 3.3g integration with Active Directory and Google Docs

My last article on Alfresco integration with Active Directory brought up a lot of interest and, most importantly, positive feedback. That article is based on Alfresco Community version 3.2r2, so if you are using that version please continue reading that article.

This article will cover the latest community release, 3.3g. I'm going to leave out most of the explanations that you can find in the original article and concentrate on getting things done. You can also refer to chapter 6 of the book Professional Alfresco: Practical Solutions for Enterprise Content Management (Wrox Programmer to Programmer) or to chapter 4 of Alfresco 3 Enterprise Content Management Implementation.

Still, the plan is to give newcomers a clear guide to what has to be changed, or more precisely what is domain specific, so I'll make sure to insert "(domain specific property)" in code comments. Also, since version 3.3g supports document editing via Google Docs, I'll cover configuration of the Google Docs integration as well. For a detailed explanation of how things work, refer to the original article, as the concept is the same. So let's begin…


Authentication

Edit file \Alfresco\tomcat\shared\classes\alfresco-global.properties and modify:

authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad

Then, create the file \Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\passthru\passthru1\changes.properties and put the following inside:

passthru.authentication.useLocalServer=false
passthru.authentication.domain=
# (domain specific property): NetBIOS name of your domain and
# domain controller’s IP address, add more separated by commas
passthru.authentication.servers=DOMAIN\\192.168.0.1,192.168.0.1
ntlm.authentication.sso.enabled=true
alfresco.authentication.allowGuestLogin=false
ntlm.authentication.mapUnknownUserToGuest=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=false
passthru.authentication.guestAccess=false
# (domain specific property): list of usernames from AD
# that are to be Alfresco administrators
passthru.authentication.defaultAdministratorUserNames=AD_username1,AD_username2

Next, edit \Alfresco\tomcat\webapps\share.war\WEB-INF\web.xml:

<filter>
  <filter-name>Authentication Filter</filter-name>
  <filter-class>org.alfresco.web.site.servlet.NTLMAuthenticationFilter</filter-class>
  <init-param>
    <param-name>endpoint</param-name>
    <param-value>alfresco</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>Authentication Filter</filter-name>
  <url-pattern>/page/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>Authentication Filter</filter-name>
  <url-pattern>/p/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>Authentication Filter</filter-name>
  <url-pattern>/s/*</url-pattern>
</filter-mapping>

Copy and rename the file \Alfresco\tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml.sample to \tomcat\shared\classes\alfresco\web-extension\share-config-custom.xml then edit it and make sure the following section is uncommented:

<!--
NTLM authentication config for Share
NOTE: you will also need to enable the NTLM authentication filter in Share web.xml
change localhost:8080 below to appropriate alfresco server location if required
-->
<config evaluator="string-compare" condition="Remote">
  <remote>
    <connector>
      <id>alfrescoCookie</id>
      <name>Alfresco Connector</name>
      <description>Connects to an Alfresco instance using cookie-based authentication</description>
      <class>org.springframework.extensions.webscripts.connector.AlfrescoConnector</class>
    </connector>

    <endpoint>
      <id>alfresco</id>
      <name>Alfresco - user access</name>
      <description>Access to Alfresco Repository WebScripts that require user authentication</description>
      <connector-id>alfrescoCookie</connector-id>
      <endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
      <identity>user</identity>
      <external-auth>true</external-auth>
    </endpoint>
  </remote>
</config>

If Share is not on the same server as Alfresco then edit the endpoint-url to match your configuration.

Single Sign On via Active Directory should be fully functional now for Alfresco Explorer and Alfresco Share. Next, we turn our focus to LDAP.

Users and groups synchronization

For user synchronization to work we must configure Alfresco to query the Active Directory domain controller with the appropriate LDAP queries. Queries are highly dependent on one's AD structure, so the following configuration covers the scenario where:

  1. All groups that I want in Alfresco are members of a single group called Alfresco Groups,
  2. Users that I want synchronized to Alfresco are members of those member groups.

This structure is convenient if you have users in different OUs but don't want all of them to also be present in Alfresco.

So, edit the \Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap-ad1\changes.properties file and add the following inside:

#
# LDAP Sync
#
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=true
# (domain specific property)
ldap.authentication.java.naming.provider.url=ldap://domain.local:389

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
# (domain specific property)
ldap.synchronization.java.naming.security.principal=user@domain.local

# The password for the default principal (only used for LDAP sync)
# (domain specific property)
ldap.synchronization.java.naming.security.credentials=YourPass

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# The query to select all objects that represent the groups to import.
# (domain specific property)
ldap.synchronization.groupQuery=(&(objectclass\=group)(memberOf\=cn\=Alfresco Groups,ou\=user,dc\=domain,dc\=local))

# The query to select objects that represent the groups to import that have changed since a certain time.
# (domain specific property)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(memberOf\=cn\=Alfresco Groups,ou\=user,dc\=domain,dc\=local)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
# (domain specific property)
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf\=CN\=Developers,OU\=user,DC\=domain,DC\=local)(memberOf\=CN\=Sales,OU\=user,DC\=domain,DC\=local))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
# (domain specific property)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf\=CN\=Developers,OU\=user,DC\=domain,DC\=local)(memberOf\=CN\=Sales,OU\=user,DC\=domain,DC\=local))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
# (domain specific property)
ldap.synchronization.groupSearchBase=dc\=domain,dc\=local

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
# (domain specific property)
ldap.synchronization.userSearchBase=dc\=domain,dc\=local

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=group

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

synchronization.synchronizeChangesOnly=true

By default synchronization happens at midnight; to change the schedule, configure the synchronization.import.cron property.
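Before pointing Alfresco at the domain controller it is worth checking what the escaped filter values above actually select, since a wrong filter silently yields "0 user(s) and 0 group(s)". The following checker is an added example, not part of the article or of Alfresco: it unescapes the Java properties value, fills the {0} placeholder in the configured timestamp format, and evaluates the filter against constructed sample entries. It also shows that the 1.2.840.113556.1.4.803 bitwise rule with 512 still matches disabled accounts (userAccountControl 512|2), and a variant that excludes them; all function names and sample entries are my own.

```python
"""Offline checker for the ldap-ad sync filters above (added example, not part of the
article or of Alfresco). Constructed sample entries stand in for AD; the mini evaluator
supports only what the article's filters use: &, |, !, =, <= and rule 1.2.840.113556.1.4.803."""
import re
from datetime import datetime

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                        # userAccountControl flag bits
NORMAL_ACCOUNT = 512
# Filter values exactly as written in changes.properties (Java '\=' and '\:' escaping).
GROUP_QUERY = r"(&(objectclass\=group)(memberOf\=cn\=Alfresco Groups,ou\=user,dc\=domain,dc\=local))"
PERSON_QUERY = (r"(&(objectclass\=user)(|(memberOf\=CN\=Developers,OU\=user,DC\=domain,DC\=local)"
                r"(memberOf\=CN\=Sales,OU\=user,DC\=domain,DC\=local))"
                r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512))")
PERSON_DIFF_QUERY = PERSON_QUERY[:-1] + r"(!(modifyTimestamp<\={0})))"
# The bitwise rule only checks that bit 512 is set, so a disabled account (512|2 = 514)
# still matches the article's query; this variant excludes such accounts.
PERSON_QUERY_ACTIVE_ONLY = PERSON_QUERY[:-1] + r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))"
SINCE_EXAMPLE = datetime(2010, 6, 1, 10, 12, 55)  # 'changed since' time seen in the comments' log

def _user(group, uac, stamp):  # constructed sample user; attribute names lower-cased
    return {"objectclass": ["top", "person", "user"], "useraccountcontrol": uac,
            "memberof": ["CN=%s,OU=user,DC=domain,DC=local" % group], "modifytimestamp": stamp}

SAMPLE_ENTRIES = {
    "jsmith": _user("Developers", NORMAL_ACCOUNT, "20100705120000.0Z"),
    "jdoe (disabled)": _user("Sales", NORMAL_ACCOUNT | ACCOUNTDISABLE, "20100620090000.0Z"),
    "svc-old": _user("Sales", NORMAL_ACCOUNT, "20100101000000.0Z"),
    "outsider": _user("Staff", NORMAL_ACCOUNT, "20100705120000.0Z"),
    "Developers": {"objectclass": ["top", "group"],
                   "memberof": ["CN=Alfresco Groups,OU=user,DC=domain,DC=local"]},
}

def unescape_properties(value):
    """Undo the backslash escaping Java .properties files need for '=' and ':'."""
    return re.sub(r"\\(.)", r"\1", value)

def alfresco_timestamp(dt):
    """Render a datetime in the configured format yyyyMMddHHmmss'.0Z'."""
    return dt.strftime("%Y%m%d%H%M%S") + ".0Z"

def parse_filter(text, pos=0):
    """Parse one parenthesised RFC 4515 filter at text[pos]; returns (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unbalanced filter near offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)                 # the article's values contain no ')'
    item = text[pos:end]
    cmp = "<=" if "<=" in item else "="
    lhs, value = item.split(cmp, 1)
    attr, _, rule = lhs.partition(":")         # extensible match form attr:OID:=value
    return ("cmp", attr.lower(), rule.rstrip(":"), cmp, value), end + 1

def load_filter(properties_value, since=None):
    """Unescape a properties value, fill the {0} placeholder and parse the filter."""
    text = unescape_properties(properties_value)
    if since is not None:
        text = text.replace("{0}", alfresco_timestamp(since))
    node, end = parse_filter(text)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, cmp, value = node
    vals = entry.get(attr)
    if vals is None:                           # an absent attribute never matches
        return False
    vals = vals if isinstance(vals, list) else [vals]
    if rule == BIT_AND_RULE:                   # true when every bit of value is set
        return any((int(v) & int(value)) == int(value) for v in vals)
    if cmp == "<=":                            # fixed-width timestamps compare as strings
        return any(str(v) <= value for v in vals)
    return any(str(v).lower() == value.lower() for v in vals)  # AD matching is case-insensitive

def select(properties_value, since=None):
    """Names of the sample entries the (escaped) filter would return."""
    node = load_filter(properties_value, since)
    return sorted(name for name, entry in SAMPLE_ENTRIES.items() if matches(node, entry))

if __name__ == "__main__":
    for label, query, since in (("groups", GROUP_QUERY, None), ("people", PERSON_QUERY, None),
                                ("active", PERSON_QUERY_ACTIVE_ONLY, None), ("changed", PERSON_DIFF_QUERY, SINCE_EXAMPLE)):
        print("%-8s %s" % (label, select(query, since)))
```

Paste your own groupQuery and personQuery values in place of the constants (still escaped, as in the properties file) to confirm they parse and that the placeholder and escaping are what you expect before the first sync run.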

CIFS configuration

If using Windows, copy Win32NetBIOS.dll and Win32Utils.dll (or Win32NetBIOSx64.dll and Win32Utilsx64.dll on a 64-bit platform) to the C:\Windows\System32 folder.
Then edit \Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\fileServers\default\default\changes.properties:

cifs.enabled=true
# (domain specific property): change to match alfresco hostname + ‘A’
cifs.serverName=HOSTNAMEA
# (domain specific property): NetBIOS domain name
cifs.domain=DOMAIN
cifs.hostannounce=true
cifs.sessionTimeout=900
# (domain specific property): network broadcast address
cifs.broadcast=192.168.0.255
# (domain specific property): change to match alfresco hostname
cifs.urlfile.prefix=http://hostname:8080/alfresco/

One thing to note: I had trouble mapping the Alfresco CIFS drive on Windows Server from Vista/Windows 7 clients, and resolved it by adding a dummy, non-existent IP address such as 1.2.3.4 for the HOSTNAMEA name. You can add this entry in the Windows hosts file or on the DNS server so that you don't have to configure each client. I haven't investigated why this happens, but it seems related to how Windows does name resolution: the dummy address somehow forces Windows to use NetBIOS, although the documentation says that for UNC paths Windows should try NetBIOS first and fall back to DNS only if it can't find the share via NetBIOS.


Google Docs integration

Edit \Alfresco\tomcat\shared\classes\alfresco-global.properties:

# Google Docs configuration
googledocs.googleeditable.enabled=true
googledocs.username=yourname@youraddress.com
googledocs.password=yourgooglepassword

That should be it. Refer to this post if you want more details.

Sharepoint protocol client setup

Make sure to implement the fix from this knowledge base article.

Other resources

33 Comments

  1. Good article, but is there a reason why you’re making config changes in the subsystem changes.properties, rather than putting them in alfresco-global.properties?

  2. You got me thinking there for a while because I’m not sure if it would all work fine if it is all in alfresco-global.properties. To be honest I’ve never tried that. Now for the reasons why:

    1. Keeping things clean, Alfresco separates various subsystems so why not separate their respective configurations?
    2. There are situations when you can’t put everything in one file, for example if you need to synchronize with 2 LDAP servers you need 2 separate LDAP subsystem instances so you can’t use just alfresco-global.properties.

    To conclude, while it might work I like to keep things clean and more by-the-book.

  3. Hi Ivan, everyone,

    Is anyone having problems getting LDAP sync on 3.3g?

    Been trying to solve synchronisation issue, I was not having with 3.3 (with the same LDAP query).

    Symptoms:
    – user can authenticate no problem
    – no sync in either Alfresco explorer, or Share

    Log:

    13:43:27,699 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting ‘Synchronization’ subsystem, ID: [Synchronization, default]
    13:43:27,714 INFO [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
    13:43:27,746 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry ‘ldap-ad1’
    13:43:27,746 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since 01/06/2010 10:12:55 AM from user registry ‘ldap-ad1’
    13:43:28,574 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0
    13:43:28,574 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Commencing batch of 0 entries
    13:43:28,574 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Completed batch of 0 entries
    13:43:28,574 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry ‘ldap-ad1’
    13:43:28,589 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Commencing batch of 0 entries
    13:43:28,605 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Completed batch of 0 entries
    13:43:28,605 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry ‘ldap-ad1’
    13:43:28,605 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
    13:43:28,621 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of ‘Synchronization’ subsystem, ID: [Synchronization, default] complete

    Which tells me the LDAP query isn’t finding my users.

    Has there been any change in the syntax? As I said, the same query works for 3.3.

    Scratching my head over this one?

    Cheers,

    Tim.

  4. Tim,

    are you sure it's not finding users? "Retrieving groups changed since 01/06/2010 10:12:55 AM from user registry 'ldap-ad1'" could mean it's rather doing a differential query and not finding any changes since the specified time.

    Differential sync by default is triggered whenever a user is successfully authenticated that does not yet exist in Alfresco while full sync occurs every 24h, by default at midnight. You can change this behavior with following properties:
    synchronization.import.cron
    synchronization.synchronizeChangesOnly

    Regards

  5. As some readers already warned in comments you might get LDAP related errors like:

    08:53:31,375 User:System ERROR [security.sync.ChainingUserRegistrySynchronizer]
    Synchronization aborted due to error
    org.alfresco.error.AlfrescoRuntimeException: 01180001 User and group import failed
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:895)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:623)
    …..
    Caused by: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ‘DC=testdomain,DC=foo’
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2793)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2767)
    at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
    at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:885)
    … 50 more

    This can be worked around modifying the bean ldapInitialDirContextFactory

    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">

    defined in the file common-ldap-context.xml, adding the entry:

    <entry key="java.naming.referral">
      <value>follow</value>
    </entry>

  6. Hi Ivan,

    The users may be valid on ldap-ad but if we want to control access to Alfresco server, how do you disable some of the valid ldap-ad users on Alfresco-3.3?

    Br,
    Guan Bee

  7. Hi Guan,

    If I understand you correctly you’d like to deny access to Alfresco to non-synced users. Note that I have not tested this but there might be two ways to do this:
    1) In alfresco-global.properties add:
    server.allowedusers=jsmith,jdoe,etc
    A comma-separated list of users who are allowed to log in. Leave empty if all users are allowed to log in.

    2) In \alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\authentication-services-context.xml there is this defined property:

    <property name="createMissingPeople">
    <value>${server.transaction.allow-writes}</value>
    </property>

    If you put <value>false</value> it might bring up a failure when non-synced user tries to login.

    Please let me know if any of these methods work.
    Ivan

  8. Hi Ivan,

    Thanks for this web page, it was very helpful for my work 😀

    I’ve done all you say but I’ve an error for the synchronisation…
    ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
    org.alfresco.error.AlfrescoRuntimeException: 06130000 User and group import failed
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1039)
    […]
    Caused by: javax.naming.LimitExceededException: Referral limit exceeded [Root exception is com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 – 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
    ref 1: ‘domain’
    ]; remaining name ”]; remaining name ”
    […]
    Caused by: com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 – 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
    ref 1: ‘domain’
    ]; remaining name ”
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2881)
    … 104 more

    Do you know why I have this error. In fact, I’ve had this error in first Caused by: javax.naming.PartialResultException: Unprocessed Continuation Reference(s); and I’ve done what you have said.

    Thanks again for your very very very helpful website 😀

  9. Hi Arnaud,

    thanks for feedback.

    Actually I’ve never seen this. Can you confirm that ldap.synchronization.userSearchBase and ldap.synchronization.groupSearchBase are setup correctly? “ref 1: ‘domain'” in error message might indicate configuration problem wherein you didn’t modify all required properties to match your environment.
    Also, how many users are you trying to import? Perhaps lowering down ldap.synchronization.queryBatchSize to something small like 50-100 might help.

    Hope this helps.

  10. Hi Ivan,

    Thanks for the help, I’ve re-configured the ldap.synchronization.userSearchBase and ldap.synchronization.groupSearchBase and change the ldap.synchronization.queryBatchSize to 50 and now it works, thanks a lot 😀

    I've another problem: I don't understand how it will import my users and groups.
    If my AD is like this :
    fr
    domain
    groups
    Alfresco groups
    [group list]
    Users
    [user list]
    City
    [user list]

    Do I have to configure my file like this to import all the groups in Alfresco groups and all the users in City?

    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(memberOf\=cn\=Alfresco Groups,ou\=Groups,dc\=domain,dc\=fr)(!(modifyTimestamp<\={0})))

    ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\ou\=city,DC\=domain,DC\=fr)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

    I'm asking this question because the synchronization works but doesn't import anything

    08:11:54,421 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap-ad1'
    08:11:54,421 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since 9 juil. 2010 09:52:38 from user registry 'ldap-ad1'
    08:11:54,515 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Commencing batch of 0 entries
    08:11:54,515 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Completed batch of 0 entries
    08:11:54,515 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldap-ad1'
    08:11:54,531 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Commencing batch of 0 entries
    08:11:54,531 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Completed batch of 0 entries
    08:11:54,546 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap-ad1'
    08:11:54,546 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

    Thanks again for your help and website 😀

  11. Hello again Ivan,

    I have still not resolved the issue I mentioned above (June 23). I have followed your advice and set the:
    synchronization.synchronizeChangesOnly=false

    The problem persists – my users can authenticate, but no synchronisation is happening. I've been playing around to try and diagnose. I can change the values of, e.g., "ldap.synchronization.userIdAttributeName" and no corresponding change happens – my uid is always my sAMAccountName, can't set it to be my cn.

    I’ve been working on this for quite a while now. I would greatly appreciate any more advice/recommendations you may have?

    Cheers,

    Tim.

  12. Well, you can turn on debugging (not sure exactly which lines but they should already be there) through log4j.properties. It might give you more info on what’s happening.

  13. Your post is great it seems that all the settings are fine, no logging errors, but i have the exact same problem as Tim. No users are synchronised.

    I started with version 3.3g and changed from standard authorisation to AD. So now I can't log in because there is no synchronisation.

    Any suggestion?

  14. Authorization is separate from authentication so you can use LDAP to authenticate but not synchronize users. In any case, I’d need to see your configs to give you any further advice. Again, enable debugging to get more information what is exactly happening with your sync and authentication.

  15. I’m 99% sure that my (and likely Ivan and others) problems lie in how we’re telling Alfresco to query LDAP to get users and groups. I can see my utility user that I’m specifying as the principal successfully bind to LDAP, but it says it syncs 0 users and 0 groups. If anyone would care to take a look I would be incredibly grateful.

    I have a very simple LDAP tree:

    ou=People,dc=mydomain,dc=com — contains users (uid=…)
    ou=groups,dc=mydomain,dc=com — contains groups

    I have the following set in alfresco:

    # The query to select all objects that represent the groups to import.
    ldap.synchronization.groupQuery=(&(objectclass\=groups)(memberOf\=ou\=groups,dc\=mydomain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

    # The query to select objects that represent the groups to import that have changed since a certain time.
    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groups)(memberOf\=ou\=groups,dc\=mydomain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

    # The query to select all objects that represent the users to import.
    ldap.synchronization.personQuery=(&(objectclass\=People)(memberOf\=ou\=People,dc\=mydomain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

    # The query to select objects that represent the users to import that have changed since a certain time.
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=People)(memberOf\=ou\=People,dc\=mydomain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

  16. Sorry, I mis-referenced Ivan's name. Simple typo. He doesn't have problems. He has answers. His Alfresco walkthroughs are the best I've seen.

  17. I’m trying to synchronize with our AD (authentication is working). However I’m a bit confused regarding the above instructions.

    The “\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap-ad1\changes.properties” does not exist at this location on my 3.3g installation. I have a “\Alfresco\tomcat\webapps\alfresco\web-inf\classes\alfresco\subsystems\Authentication\ldap-ad\” directory (no ldap-ad1). The only thing present in the “extension” directory are “bootstap” and “mt” folders. Clearly I’ve gone astray somewhere.

    Can you provide a nudge in the right direction?

    Thank you.

  18. Ken (and to anyone else who is getting started with Alfresco)-
    You need to create those directories under c:\Alfresco\tomcat\shared\classes\alfresco\extension\.

  19. I think that you should make the:

    defined in the file common-ldap-context.xml, adding the entry:

    follow

    Part of the How-To because I was scratching my head trying to find that one, but thanks for all your help. It works pretty sweet.

  20. If I understand you correctly you’d like to deny access to Alfresco to non-synced users. Note that I have not tested this but there might be two ways to do this:
    1) In alfresco-global.properties add:
    server.allowedusers=jsmith,jdoe,etc
    A comma-separated list of users who are allowed to log in. Leave empty if all users are allowed to log in.

    2) In \alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\authentication-services-context.xml there is this defined property:

    <property name="createMissingPeople">
    <value>${server.transaction.allow-writes}</value>
    </property>

    If you put <value>false</value> it might bring up a failure when non-synced user tries to login.

    Please let me know if any of these methods work.

    Just wanted to let you know that I used the second method and it gave the desired effect of preventing users that were not synched from logging in. If the user tries to log in, they get an error message that their credentials were not recognized.

  21. Thanks for feedback and glad it worked!

  22. Hello,
    Thank you very much for your explanations.
    I have tried to add AlfrescoNTLM in my authentication chain to have users not from my domain. It works very well with Alfresco Explorer (I have SSO so I use http://alfresco:8080/alfresco/faces/jsp/login.jsp)
    but I can’t connect to share with Alfresco Users.
    Have you an idea?
    bye

  23. Hello All,

    I'm new to Alfresco and am trying to get SSO working with AD and Google Apps. I am currently working on the community version 3.4 so maybe a few things are different from 3.3g. Anyway I followed everything until the step:
    Next, edit \Alfresco\tomcat\webapps\share.war\WEB-INF\web.xml:
    There is a \Alfresco\tomcat\webapps\share.war file but not a folder. ( I can’t make a folder called share.war here because a file exist with the same name) Also there is a existing web.xml, but it is in the \Alfresco\tomcat\webapps\alfresco\WEB-INF folder. So I’m not sure what to do here.

    Next, what is in the existing web.xml file looks as if it may have some of the stuff called for in the instructions, so is this the correct file to be looking at? If so, has the required editing been added or changed in 3.4?

    Anyway thanks in advance for any help you can offer me

    Pete

  24. Hello Ivan,

    I hope you could help me 😉
    I’ve installed Alfresco 3.4.b and alf_data resides on NFS mount.

    I'm synchronizing users from our AD.
    The problem is that AD has ~150K users.
    Alfresco apparently can't cope with such a large number of users.
    When I click on “Repository”->”User Homes” ,alfresco will try to display all User Homes and it will hog the server!

    I’ve been thinking of moving from sync. mode to only auth. mode.
    The thing is that we already have several users working with Alfresco and Share and I don’t want them to get any impact from this change.

    So, I've changed those parameters:
    changed – ldap.synchronization.active=false
    added – synchronization.autoCreatePeopleOnLogin=true

    I’m testing it on dev. machine, replicated from live server.
    I've changed the configuration but I still have all those sync-ed users and when clicking on "Repository"->"User Homes", I'm getting approx. ~160 user homes displayed and a message at the end.

    Meaning that all those sync-ed users still there.
    Almost all those users never logged in to the system.

    How would I go about deleting/getting rid of those (never logged) users and their Homes and leave those that logged at least once?

    Cheers,
    Leon

  25. Hi Leon,

    I suggest you sync only the required users by using custom groups for this in AD and then try to do a full sync as described here: http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem

    This should remove the extra users although to be honest I’m not sure it would purge user homes. When you do a full sync if users’ homes remain you could try to write a script that would delete folders that don’t have associated users in the system.

    Regards,
    Ivan

  26. Hello Ivan,

    Thanks for your reply.
    I can’t do such sync since we have many different groups.
    I don’t really know all of them for all our users ;(

    What I can do is write such a script as you described.

    But for that I should know where Alfresco keeps “User Homes” folders and associates users.
    Can you please tell where to look for users and “User Homes” folders?
    I’ve tried to look in the DB but couldn’t find 🙁

    Cheers,
    Leon

  27. Take a look at the JavaScript API on the wiki. I really don't have an out-of-the-box solution but you should definitely try to avoid deleting anything directly in the database or on disk. Use the APIs.

    Two other things come to mind. You could modify the home folder provider. Default bean that creates user’s home folder is called UserHomesHomeFolderProvider. You could create your own that would create user homes in a subfolder structure that has for example two first letters of his username. Example:
    User Homes-> js -> jsmith, jsanchez
    User Homes-> bo -> bobama

    This should divide 150k users into well enough sized, and alphabetically divided user homes.

    Second possible solution is the property in repository properties:
    # Create home folders as people are created (true) or create them lazily (false)
    home.folder.creation.eager=true

    I couldn’t find any details in documentation but I guess you could try to override it in alfresco-global.properties to false and see what happens.

    Hope this helps.

  28. Hello Ivan,

    Thanks for your reply.
    The first idea is great but I don’t have enough skills and knowledge in that area to configure new “home folder provider” ;(

    The second one worth a try.
    I’ll set “home.folder.creation.eager=false” and check on dev. server.
    But those 150K folders already created, so have to find a way to delete them anyway.

    Cheers,
    Leon

  29. Just out of curiosity … share.war is a compressed file, am I supposed to extract the file:

    share.war\WEB-INF\web.xml

    and then repackage it after editing?

  30. Hi,

    Thanks for taking the time to write this guide, it’s really helped me get SSO and AD integration working.
    Well nearly working.

    SSO works perfectly for http://hostname/share
    However for http://hostname.example.com/share the SSO portion fails. Manual authentication works fine however.

    Has anyone come across this? or am I missing something obvious?

    Regards,
    Ed.

  31. Hi Ed,

    is hostname.example.com in Intranet zone? Credentials are not automatically propagated in all IE security zones.

    Regards,
    Ivan

  32. Thanks Ivan,

    That was the problem.

    Ed.
