Alfresco 5.0.d + OpenLdap


Can’t believe I once hired an indie IT mercenary to configure this for MS/AD, sad really. Anyway, I was bored today and had some time, so I dug up my DEV server for Alfresco and found it was still using the internal database for authentication. So I took the trouble of configuring it to use the OpenLDAP server we now use for all authentication down here.

So, how to get there. First, our Alfresco sits in /opt/alfresco (that might be different for you); from there, make a folder for the ldap subsystem instance (ldap1) like so:

mkdir -p /opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1

Now, if you want to start from a template, get the 5.0.d source tarball from GitHub and extract just ldap-authentication.properties to work on, like so:

wget https://github.com/Alfresco/community-edition/archive/V5.0.d.tar.gz
tar -zxvf V5.0.d.tar.gz -C ~/tmp --wildcards --no-anchored 'ldap-authentication.properties'
find ~/tmp -type f -exec mv -i {} . \;

You can also just copy and paste the file below and modify it to your liking:

# LDAP Settings for OpenLDAP sync and auth
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=integrative,dc=it
# The LDAP context factory to use
#ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.legal-it.net:389
# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time. Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=admin
# Enable FTP authentication using LDAP
ldap.authentication.authenticateFTP=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=integrative,dc\=it
ldap.synchronization.java.naming.security.credentials=supersecretpassword
ldap.synchronization.queryBatchSize=50
ldap.synchronization.attributeBatchSize=0
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupSearchBase=ou\=groups,dc\=integrative,dc\=it
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.userSearchBase=ou\=users,dc\=integrative,dc\=it
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0

The path for this file should be

/opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties

Now edit your alfresco-global.properties to put the new subsystem instance in the authentication chain and enable sync; just add the following at the top:

### Use Alfresco authentication for admin accounts and LDAP for users ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
## For DEV, set synchronizeChangesOnly to false for FULL SYNC
synchronization.synchronizeChangesOnly=true
## Set up regular synchronization with the LDAP server ##
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
synchronization.import.cron=0 */15 * * * ?

And that's it: you will be synchronizing with LDAP every 15 minutes and on startup, so now is a good time to restart the Alfresco server and check that it works.
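As an added check that is not part of the original post: a small Python lint that reads an ldap-authentication.properties file the way java.util.Properties does (so the backslash-escaped '=' signs above parse correctly) and flags the slips that are easy to make in this file, including a doubled '=' (which silently turns the value into '=groupOfNames') and a simple bind over plain ldap://, which sends the sync account's password in cleartext. The sample file it runs on is constructed with example.org names and is not the author's configuration.

```python
import re

# Constructed sample mirroring the post's ldap1 file (example.org names, not
# the author's), with a doubled "=" in groupDifferentialQuery and groupType.
SAMPLE = """\
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=example,dc=org
ldap.authentication.java.naming.provider.url=ldap://ldap.example.org:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn\\=admin,dc\\=example,dc\\=org
ldap.synchronization.java.naming.security.credentials=supersecretpassword
ldap.synchronization.groupDifferentialQuery=(&(objectclass\\==groupOfNames)(!(modifyTimestamp<\\={0})))
ldap.synchronization.groupType==groupOfNames
"""

def parse_properties(text):
    """Minimal java.util.Properties reader: key ends at the first unescaped
    '=' or ':'; a backslash escapes the next char (no \\uXXXX, no continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, val = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
        props[key] = val
    return props

def lint(props):
    """Return a list of findings for an Alfresco ldap-authentication.properties."""
    findings = []
    for key, val in props.items():
        # "key==value" is legal syntax, but the value silently becomes "=value"
        if val.startswith("=") or "==" in val:
            findings.append(f"doubled '=' in {key}: value is {val!r}")
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "")
    if url.startswith("ldap://") and mech == "simple":
        findings.append("simple bind over ldap:// sends passwords in cleartext; use ldaps://")
    if props.get("ldap.authentication.allowGuestLogin", "false").lower() != "false":
        findings.append("allowGuestLogin is enabled")
    if "%s" not in props.get("ldap.authentication.userNameFormat", "%s"):
        findings.append("userNameFormat has no %s placeholder for the user id")
    if (props.get("ldap.synchronization.active") == "true"
            and not props.get("ldap.synchronization.java.naming.security.credentials")):
        findings.append("synchronization bind has an empty password (anonymous bind)")
    return findings
```

Running lint(parse_properties(open(path).read())) over the ldap1 file before restarting Tomcat catches the doubled '=' slips that Alfresco would otherwise accept silently and then fail to match any group with.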
