or Sign in

Home

Access via SMB/FTP thru LDAP authentication

You are here

Home » Forums » Installation, Upgrades, Configuration, & Integration » Configuration
9 posts / 0 new
Log in or register to post comments
Last post
Wed, 02/17/2010 - 09:03
#1
Access via SMB/FTP thru LDAP authentication

I have Alfresco configured with LDAP authentication.
I want to enable SMB/FTP access via LDAP authentication.
But I cant' access via FTP and via SMB only with the default Admin Alfresco user.

I changed some xml filesserver files but without success.

Which files I may modify for alterate the behavour?

best regards
Matteo

Top
Thu, 02/18/2010 - 16:53
Re: Access via SMB/FTP thru LDAP authentication

Other info are:
- I use OpenLdap as Ldap Server
- The encryption algorith is SSHA

Can this make problems with FTP?
The log report:

DEBUG [org.alfresco.ftp.protocol.auth] Using Write transaction
DEBUG [org.alfresco.ftp.protocol.auth] java.lang.NullPointerException
DEBUG [org.alfresco.ftp.protocol.auth] Authenticated user onlyfortest sts=false via MD4

Is the encryption algoritm MD4 mandatory?

Top
Mon, 03/01/2010 - 12:25
Re: Access via SMB/FTP thru LDAP authentication

file-servers.xml is not used in Alfresco v3.2.

To configure LDAP authentication you need

authentication.chain=ldap1:ldap

in alfresco-global.properties, along with all the other properties for your LDAP server. See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2 for what these should be.

LDAP does not support CIFS/SMB authentication, so this would disable the CIFS server. The FTP server should still work fine, though.

To enable CIFS support, you would need to add the internal alfrescoNtlm authentication system to your chain

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

which would mean only the internal alfresco users such as admin would be able to use CIFS.

or if you have an active directory server, add the passthru subsystem

See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_1:_Advanced_AD_Chain for an example.

Top
Wed, 03/24/2010 - 17:29
Re: Access via SMB/FTP thru LDAP authentication

Hi,
the ldap configuration works fine now but our project specification require a CIFS access to the Alfresco repository.
So we try a different authentication chain that involve ldap for sync repo user and alfresco for real authentication like:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

but when i try to log in alfresco explorer with a ldap user I encurred the following problem:

11:14:19,343 DEBUG [org.alfresco.repo.security.authentication.AuthenticationComponentImpl] Failed to authenticate user "ldapuser"
org.alfresco.repo.security.authentication.AuthenticationException: 02230001 net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
	at net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider.getUserFromBackend(DaoAuthenticationProvider.java:393)

Any Ideas to find a solution?

Top
Thu, 03/25/2010 - 14:06
Re: Access via SMB/FTP thru LDAP authentication

I can add some info:

- I use OpenLdap
- I try to login with different user created with different Cryptographic hash function (md5/ssha/..) with same error

How can i investigate?

Top
Thu, 03/25/2010 - 15:35
Re: Access via SMB/FTP thru LDAP authentication

corbezzoli wrote:
I can add some info:

- I use OpenLdap
- I try to login with different user created with different Cryptographic hash function (md5/ssha/..) with same error

How can i investigate?

Can you post contents of your ldap-authentication.properties file?

** If this post was helpful, please click Yes on the Post Rating --> **

Top
Thu, 03/25/2010 - 15:44
Re: Access via SMB/FTP thru LDAP authentication

Hi,
This is my shared\classes\alfresco\extension\subsystems\Authentication\ldap\ldap1\ldap-authentication.properties

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsytem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=false
 
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple 
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will 
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid\=%s,ou\=People,dc\=dnsee,dc\=com
 
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
 
# The URL to connect to the LDAP server 
ldap.authentication.java.naming.provider.url=ldap://<omissis>:389
 
 
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple
 
 
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is 
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain
 \
ldap.authentication.escapeCommasInUid=false
 
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=
 
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for 
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
 
# The default principal to use (only used for LDAP sync)
#ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=uid\=readonly,ou\=People,dc\=dnsee,dc\=com
 
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=<omissis>
 
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000
 
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
 
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
 
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
 
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
 
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
#ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=dnsee,dc\=com
 
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
#ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=dnsee,dc\=com
 
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
 
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
 
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
 
# The attribute on person objects in LDAP to map to the first name property in Alfresco
#ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userFirstNameAttributeName=displayName
 
 
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
 
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
 
# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
 
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
 
# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronization.groupIdAttributeName=cn
 
# The group type in LDAP
ldap.synchronization.groupType=groupOfNames
 
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
 
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
 
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

Top
Thu, 03/25/2010 - 16:13
Re: Access via SMB/FTP thru LDAP authentication

If you would change ldap.authentication.active=false to ldap.authentication.active=true then you should be able to login using LDAP.
But of course then the CIFS won't work - I had a similar problem and the only way I could get things to work is follow these instructions http://wiki.alfresco.com/wiki/LDAP-CIFS_on_Alfresco_Enterprise_v3.0.0 which demand extra programming and adaption to your alfresco version (in my case version 3.2r). Using this adaption alfresco saves password in MD4 hash in the database when you successfully login in web interface through LDAP authentication. It then uses this MD4 hash in CIFS authentication.

** If this post was helpful, please click Yes on the Post Rating --> **

Top
Thu, 03/25/2010 - 18:10
Re: Access via SMB/FTP thru LDAP authentication

Thanks for the quickly response!

Ok, I will try to develop as wiki says.
I use Alfresco 3.2r Community Edition.

Top
Subscribe to Comments for "Access via SMB/FTP thru LDAP authentication"
Subscribe to All activity.