Alfresco 5.0 & LDAP Authentication


If you have only one Alfresco server, then you might just use the in-built Alfresco authentication system, but if you have multiple Alfresco servers, and want to maintain only one list of users, then creating an LDAP server is a way to achieve this.  This tutorial describes how to install OpenLDAP on Ubuntu and then configure Alfresco 5.0 to use OpenLDAP as its authentication mechanism.

Install OpenLDAP

  • Install LDAP

sudo apt-get update
sudo apt-get install slapd ldap-utils

  • Configure LDAP

sudo dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name? (choose an appropriate DNS-style name for your user database)
Organization name? MyOrg (will be displayed in the LDAP admin tool)
Administrator password? (this will be used to connect to the LDAP admin tool)
Database backend to use? HDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

  • Install phpLDAPadmin (this will also install Apache2 if it is not already present)

sudo apt-get install phpldapadmin
sudo nano /etc/phpldapadmin/config.php

$config->custom->appearance['hide_template_warning'] = true;

  • Modify TemplateRender.php to avoid an error message when running phpLDAPadmin

sudo nano /usr/share/phpldapadmin/lib/TemplateRender.php

// change ..
 $default = $this->getServer()->getValue('appearance','password_hash');
// .. to ..
 $default = $this->getServer()->getValue('appearance','password_hash_custom');

  • Browse to http://localhost/phpldapadmin
    • log in as cn=admin,dc=domain,dc=xxx,dc=yyy
    • create organizational units using the “Generic: Organizational Unit” template
      • ou=groups
      • ou=users
    • create groups in ‘ou=groups’ with the ‘User Group’ template
    • create users in ‘ou=users’ using the ‘Default’ template
      • create a user of type inetOrgPerson
      • set ‘rdn’ to ‘uid’ – important! – so that each user’s DN starts with ‘uid=’
      • populate cn, givenName, last name (sn), password, mail and uid
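The same directory layout that the phpLDAPadmin steps above build by hand can be written out as LDIF and reviewed before it is loaded. The following shell helper is an added example, not part of the original post: it generates ou=users and ou=groups, one inetOrgPerson whose RDN is uid (so the DN starts with ‘uid=’), and one group that lists that user as a member. The base DN dc=example,dc=com, the user jdoe and the group ‘staff’ are constructed placeholders; the group is emitted as groupOfNames with a member attribute, which is the assumption made here about what the Alfresco synchronisation will read (adjust if your template produced a different group class).

```shell
#!/bin/sh
# Added example (not from the original post): generate the OU/user/group
# structure as LDIF so it can be reviewed and loaded with ldapadd.
# example.com, jdoe and "staff" are constructed placeholder values.

# make_ldif BASE_DN UID GIVEN_NAME SURNAME MAIL GROUP
# Prints LDIF for ou=users, ou=groups, one inetOrgPerson with RDN uid=...,
# and one groupOfNames whose member attribute points at that user.
make_ldif() {
    base="$1"; uid="$2"; given="$3"; sn="$4"; mail="$5"; group="$6"
    cat <<EOF
dn: ou=users,$base
objectClass: organizationalUnit
ou: users

dn: ou=groups,$base
objectClass: organizationalUnit
ou: groups

# RDN is uid, so the DN starts with "uid=" as the Alfresco user name format expects
dn: uid=$uid,ou=users,$base
objectClass: inetOrgPerson
uid: $uid
cn: $given $sn
givenName: $given
sn: $sn
mail: $mail
# Placeholder hash: replace with the output of  slappasswd -s '<password>'  before
# loading; left as-is the account has no usable password, which is the safe default.
userPassword: {SSHA}REPLACE-ME

# Assumption: groupOfNames + member is the group layout Alfresco reads by default
dn: cn=$group,ou=groups,$base
objectClass: groupOfNames
cn: $group
member: uid=$uid,ou=users,$base
EOF
}

# count_entries: reads LDIF on stdin and prints the number of entries (dn: lines),
# a quick sanity check that nothing was dropped by a bad edit.
count_entries() {
    grep -c '^dn: '
}

# Usage (run by hand; the LDAP tools come from the ldap-utils package installed above):
#   make_ldif "dc=example,dc=com" jdoe Jane Doe jdoe@example.com staff > /tmp/alfresco-users.ldif
#   make_ldif "dc=example,dc=com" jdoe Jane Doe jdoe@example.com staff | count_entries   # 4
#   ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f /tmp/alfresco-users.ldif
#   ldapsearch -x -b "ou=users,dc=example,dc=com" "(uid=jdoe)" dn mail
```

Loading from a reviewed LDIF file also leaves you with a record of exactly which objects and attributes were created, which is easier to audit later than a series of clicks in the web UI.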

Configure Alfresco to use LDAP for Authentication

  • Create the following folder

mkdir -p /opt/alfresco-5.0.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1

  • Copy a default ‘’ file into the folder above
  • Edit ‘’ paying attention to the following properties.
    • Many of these will already be correct – adjust the lines that need it.

# User name format ..,ou=users,dc=domain,dc=xxx,dc=yyy

# IP address or name of your LDAP server - (port 389 is the default for LDAP)

# Enable synchronisation ..

# Security ..\=admin,dc\=domain,dc\=xxx,dc\=yyy

# Object class names, OUs ..

# The attribute name on people objects to use as the uid in Alfresco
# The attribute on person objects in LDAP to map to the first name property in Alfresco
# The attribute on person objects in LDAP to map to the last name property in Alfresco
# The attribute on person objects in LDAP to map to the email property in Alfresco
# The attribute on group objects to map to the authority name property in Alfresco
# The attribute on group objects to map to the authority display name property in Alfresco
# The group type
# The person type
# The attribute on group objects that defines the DN for its members

  • Edit ‘/opt/alfresco-5.0.d/tomcat/shared/classes/’

### Use Alfresco authentication for admin accounts and LDAP for users ###
## When TESTING, set synchronizeChangesOnly to false
## - this will give FULL synchronization for scheduled synchs
## Set up regular synchronization with the LDAP server ##
# When TESTING, synchronise every 5 minutes
# secs min hour dom mon dow
synchronization.import.cron=0 */5 * * * ?

  • Restart Alfresco, and then watch the log file as it starts up

sudo service alfresco restart
tail -f /opt/alfresco-5.0.d/tomcat/logs/catalina.out

  • Within Alfresco Share, choose ‘Admin Tools’, then ‘Users’
  • Search for all users by entering an underscore (_) in the search text field
  • You should now see the users that you created in LDAP.
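Before restarting Alfresco it is worth checking, from the Alfresco host, the two things the properties above depend on: that the user name format expands to a DN the server actually accepts a bind for, and that the synchronisation bind DN and password work. The helpers below are an added example, not from the original post. The server URL, DNs and user id are constructed placeholders; the assumption made here is that the Alfresco user name format uses %s as the placeholder for the user id (for example uid=%s,ou=users,dc=example,dc=com). The last helper covers a point the post leaves implicit: the ldap1 properties file stores the admin bind password in clear text, so it should not be world-readable.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the LDAP
# settings, run before "service alfresco restart" so a bad bind DN shows up in
# ldapwhoami rather than in catalina.out. All DNs, URLs and paths are placeholders.

# user_dn FORMAT USERID
# Expands a user name format such as "uid=%s,ou=users,dc=example,dc=com"
# (assumption: %s marks where the user id goes) into the DN Alfresco will bind as.
user_dn() {
    printf '%s\n' "$1" | sed "s|%s|$2|"
}

# check_bind URL BIND_DN PASSWORD_FILE
# Performs the same simple bind Alfresco will perform and prints the identity the
# server reports. The password is read from a file (-y) rather than given on the
# command line, so it does not appear in ps output or shell history.
check_bind() {
    url="$1"; dn="$2"; pwfile="$3"
    ldapwhoami -x -H "$url" -D "$dn" -y "$pwfile"
}

# perm_ok FILE
# Prints "ok" when the file is not readable by "other", else "exposed".
# Columns 8-10 of ls -l are the "other" permission bits.
perm_ok() {
    f="$1"
    if [ "$(ls -l "$f" | cut -c8-10)" = "---" ]; then
        echo ok
    else
        echo exposed
    fi
}

# lock_down_properties FILE
# The ldap1 properties file carries the admin bind password in clear text; keep it
# readable only by root and the group Tomcat runs as.
lock_down_properties() {
    f="$1"
    chmod 640 "$f" && ls -l "$f"
}

# Usage (placeholders; <properties file> is the file copied into the ldap1 folder above):
#   dn=$(user_dn 'uid=%s,ou=users,dc=example,dc=com' jdoe)
#   check_bind ldap://ldap.example.com:389 "$dn" /root/.jdoe-pw            # a user bind
#   check_bind ldap://ldap.example.com:389 'cn=admin,dc=example,dc=com' /root/.admin-pw   # the sync bind
#   lock_down_properties /opt/alfresco-5.0.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/<properties file>
#   perm_ok /opt/alfresco-5.0.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/<properties file>   # ok
```

A plain ldap:// bind on port 389 sends the password unencrypted, so if the LDAP server and Alfresco are on different hosts, use an ldaps:// URL (or StartTLS, which ldapwhoami tests with -ZZ) for both this check and the provider URL in the properties file.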

Other Useful Software

LAM Pro is a very tidy system for allowing users to create their own LDAP accounts, update their details, change their passwords, or get their password reset if they forget it.

Further Reading

The Alfresco manual

Order of the Bee – an independent organisation of the Alfresco community. Web-site includes good technical and non-technical posts and other information, focussed mainly on Alfresco Community Edition (CE).
