Alfresco 5.0 & LDAP Authentication

Introduction

If you have only one Alfresco server, then you might just use the in-built Alfresco authentication system, but if you have multiple Alfresco servers, and want to maintain only one list of users, then creating an LDAP server is a way to achieve this.  This tutorial describes how to install OpenLDAP on Ubuntu and then configure Alfresco 5.0 to use OpenLDAP as its authentication mechanism.

Install OpenLDAP

  • Install LDAP

sudo apt-get update
sudo apt-get install slapd ldap-utils

  • Configure LDAP

sudo dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No
DNS domain name? domain.xxx.yyy (choose an appropriate DNS-style name for your user database)
Organization name? MyOrg (will be displayed in the LDAP admin tool)
Administrator password? (this will be used to connect to the LDAP admin tool)
Database backend to use? HDB
Remove the database when slapd is purged? No
Move old database? Yes
Allow LDAPv2 protocol? No

  • Install PHPldapadmin – will install Apache2 if not already installed

sudo apt-get install phpldapadmin
sudo nano /etc/phpldapadmin/config.php

$servers->setValue('server','name','MyOrg');
$servers->setValue('server','host','127.0.0.1');
$servers->setValue('server','base',array('dc=domain,dc=xxx,dc=yyy'));
$servers->setValue('login','bind_id','cn=admin,dc=domain,dc=xxx,dc=yyy');
$config->custom->appearance['hide_template_warning'] = true;

  • Modify TemplateRender.php to avoid an error message when running PHP LDAP Admin

sudo nano /usr/share/phpldapadmin/lib/TemplateRender.php

// change ..
 $default = $this->getServer()->getValue('appearance','password_hash');
// .. to ..
 $default = $this->getServer()->getValue('appearance','password_hash_custom');

  • Browse to http://localhost/phpldapadmin
    • login as cn=admin,dc=domain,dc=xxx,dc=yyy
    • create organizational units using the “Generic: Organizational Unit” template
      • ou=groups
      • ou=users
    • create groups in ‘ou=groups’ with the ‘User Group’ template
    • create users in ‘ou=users’ using the ‘Default’ template
      • create a user of type inetOrgPerson
      • set ‘rdn’ to ‘uid’ – important! – this will create user names starting with ‘uid=’
      • populate cn, givenName, last name (sn), password, mail and uid

Configure Alfresco to use LDAP for Authentication

  • Create the following folder

mkdir -p /opt/alfresco-5.0.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1

  • Copy a default ‘ldap-authentication.properties’ file into the folder above
  • Edit ‘ldap-authentication.properties’ paying attention to the following properties.
    • Many of these will already be correct – adjust the lines that need it.

# User name format ..
ldap.authentication.active=true
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=domain,dc=xxx,dc=yyy

# IP address or name of your LDAP server - (port 389 is the default for LDAP)
ldap.authentication.java.naming.provider.url=ldap://172.31.1.216:389

# Enable synchronisation ..
ldap.synchronization.active=true

# Security ..
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=domain,dc\=xxx,dc\=yyy
ldap.synchronization.java.naming.security.credentials=secret_password

# Object class names, OUs ..
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou\=groups,dc\=domain,dc\=xxx,dc\=yyy
ldap.synchronization.userSearchBase=ou\=users,dc\=domain,dc\=xxx,dc\=yyy

# The attribute name on people objects to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=cn
# The group type
ldap.synchronization.groupType=groupOfNames
# The person type
ldap.synchronization.personType=inetOrgPerson
# The attribute on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

  • Edit ‘/opt/alfresco-5.0.d/tomcat/shared/classes/alfresco-global.properties’

### Use Alfresco authentication for admin accounts and LDAP for users ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
## When TESTING, set synchronizeChangesOnly to false
## - this will give FULL synchronization for scheduled synchs
synchronization.synchronizeChangesOnly=false
## Set up regular synchronization with the LDAP server ##
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
# When TESTING, synchronise every 5 minutes
# secs min hour dom mon dow
synchronization.import.cron=0 */5 * * * ?

  • Restart Alfresco, and then watch the log file as it starts up

sudo service alfresco restart
tail -f /opt/alfresco-5.0.d/tomcat/logs/catalina.out

  • Within Alfresco Share, choose ‘Admin Tools’, then ‘Users’
  • Search for all users by entering an underscore (_) in the search text field
  • You should now see the users that you created in LDAP.
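An added consistency check (not from this post or from Alfresco) that ties the directory layout created in phpLDAPadmin above (uid RDNs under ou=users) to the ldap-authentication.properties values: it parses a constructed excerpt in Java .properties syntax, derives the DN Alfresco will bind as for a login, and reports mismatches between userNameFormat, userIdAttributeName and userSearchBase, as well as a simple bind over plain ldap://. The sample values, function names and finding messages are assumptions made for the example.

```python
# Constructed excerpt mirroring the tutorial's values; in Java .properties
# files a '=' inside a value is escaped as '\=' (the first '=' splits key/value).
PROPS = r"""
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=domain,dc=xxx,dc=yyy
ldap.authentication.java.naming.provider.url=ldap://172.31.1.216:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.userSearchBase=ou\=users,dc\=domain,dc\=xxx,dc\=yyy
ldap.synchronization.groupSearchBase=ou\=groups,dc\=domain,dc\=xxx,dc\=yyy
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.groupMemberAttributeName=member
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, '\\=' unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # first '=' separates key and value
        props[key.strip()] = value.strip().replace("\\=", "=")
    return props

def bind_dn(props, username):
    """DN Alfresco binds as when this user logs in (userNameFormat with %s filled in)."""
    return props["ldap.authentication.userNameFormat"].replace("%s", username)

def check_config(props):
    """Return a list of findings; an empty list means the values are self-consistent."""
    findings = []
    fmt = props.get("ldap.authentication.userNameFormat", "")
    if fmt.count("%s") != 1:
        findings.append("userNameFormat must contain exactly one %s")
    # The login DN must use the same RDN attribute and parent as the entries that
    # synchronisation imports, otherwise logins and synced people do not line up.
    rdn_attr, _, parent = fmt.partition("=%s,")
    if rdn_attr != props.get("ldap.synchronization.userIdAttributeName"):
        findings.append("RDN attribute in userNameFormat differs from userIdAttributeName")
    if parent != props.get("ldap.synchronization.userSearchBase"):
        findings.append("parent DN in userNameFormat differs from userSearchBase")
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth = props.get("ldap.authentication.java.naming.security.authentication")
    if url.startswith("ldap://") and auth == "simple":
        findings.append("simple bind over plain ldap:// sends passwords in clear; "
                        "use ldaps:// or keep port 389 reachable only from the Alfresco host")
    return findings
```

Running `check_config(parse_properties(PROPS))` on the tutorial's values reports only the plaintext-bind finding; changing the RDN or OU in userNameFormat without changing the synchronisation keys adds a finding for each mismatch.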

Other Useful Software

LAM Pro https://www.ldap-account-manager.org/lamcms/ is a very tidy system for allowing users to create their own LDAP accounts, update their details, change their passwords, or get their password reset if they forget it.

Further Reading

The Alfresco manual http://docs.alfresco.com/community/concepts/auth-ldap-intro.html

Order of the Bee – an independent organisation of the Alfresco community. Web-site includes good technical and non-technical posts and other information, focussed mainly on Alfresco Community Edition (CE).
