Thursday, 8 December 2016

Alfresco integration with LDAP directory server (For development)


Hi All, 

This is my first blog on Alfresco. I hope that this post will help you in configuring Alfresco with LDAP directory server for development purpose.

Alfresco can be configured to authenticate against alfrescoNtlm, AD, LDAP, Kerberos or other external servers. The authentication chain is what lets Alfresco use several of these systems together. By default, the authentication chain in the repository.properties file is:
authentication.chain=alfrescoNtlm1:alfrescoNtlm
 
This indicates that only alfrescoNtlm is used for authentication. In order to configure AD or LDAP authentication, we need to modify the authentication chain.

For this development setup, I am using Alfresco 5.1 Enterprise Edition and a Linux machine on which the ApacheDS LDAP server is installed.

 

1. Install ApacheDS LDAP server on Linux

Download ApacheDS for Linux by navigating to
http://directory.apache.org/apacheds/download/download-linux-bin.html and copy the link location of the installer.

Run the installer from the command line using the following commands:
    chmod a+x apacheds-2.0.0-M23-64bit.bin
    ./apacheds-2.0.0-M23-64bit.bin start
Provide the input the installer asks for.
Run the server using the following command:
sudo /etc/init.d/apacheds-2.0.0-M12-default start

Check the status of the server:
sudo /etc/init.d/apacheds-2.0.0-M12-default status

Once the server is up and running, connect to the LDAP server using Apache Directory Studio.

2. Connect to LDAP server on linux using Apache Directory Studio

In this case, I am installing Apache Directory Studio on Windows.
After successful installation, run Apache Directory Studio.
Create a new connection to the ApacheDS server we just installed on Linux.

Provide the hostname (10.88.278.165 in my case) and port 10389.
Set Bind DN or user to uid=admin,ou=system and Bind password to secret.
Press Check Authentication to verify the credentials, then press Finish.
The LDAP directory browser shows the current contents of the default, out-of-the-box ApacheDS structure. Add user entries and a group by following the link below.
https://access.redhat.com/documentation/en-US/Fuse_MQ_Enterprise/7.1/html/Security_Guide/files/LDAP-AddUserEntries.html


Here I have created 2 users and a group, and added the 2 users to the 'OrgGroup'.

3. Alfresco configuration

For the integration, our settings go in the ldap-authentication.properties file under
alfresco-one/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/
Add the configuration below:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=User,ou=cignex,ou=system
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Put your LDAP (or AD) server host name or IP here
ldap.authentication.java.naming.provider.url=ldap://10.88.278.165:10389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.authenticateFTP=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=admin,ou=system
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=0
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=Group,ou=cignex,ou=system
ldap.synchronization.userSearchBase=ou=User,ou=cignex,ou=system
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=cn
ldap.synchronization.userLastNameAttributeName=
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=cn
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

Add the authentication chain to alfresco-one/tomcat/shared/classes/alfresco-global.properties as
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
With this chain, Alfresco first tries to authenticate the user against alfrescoNtlm1 and, if the user is not present there, tries ldap1.

Now Alfresco is ready for startup. Details of the synchronization can be found in the log files.
After Alfresco has started, log in to find the groups and users that were created in the LDAP server.

 

4. Errors encountered and their solutions

I kept getting an unparseable date exception during Alfresco start up.


The error comes from this line:
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

The error was caused by the new entries (groups and users) having a modifyTimestamp in a different format. It was solved by removing 'Z':
ldap.synchronization.timestampFormat=yyyyMMddHHmmss
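As an added check for the configuration in section 3 and the timestamp problem above (example code written for this post, not code from Alfresco or the original post), the following Python reads the property values, verifies that userNameFormat and userSearchBase agree, and reproduces why the 'Z' pattern fails by emulating SimpleDateFormat's prefix matching against a constructed modifyTimestamp value in the generalized-time form ApacheDS writes (an assumption; the post does not show the actual value).

```python
import re

# Constructed excerpt of the post's ldap-authentication.properties ('=' in values is escaped as '\=')
PROPERTIES = r"""
ldap.authentication.userNameFormat=uid=%s,ou=User,ou=cignex,ou=system
ldap.synchronization.userSearchBase=ou=User,ou=cignex,ou=system
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
"""
# Constructed sample modifyTimestamp in the generalized-time form ApacheDS writes (assumption)
SAMPLE_MODIFY_TIMESTAMP = "20161208093000.123Z"
# SimpleDateFormat letters that occur in the post's patterns, as fixed-width digit groups
JAVA_FIELDS = {**dict.fromkeys("MdHms", r"\d{2}"), "y": r"\d{4}", "S": r"\d{3}"}

def parse_properties(text):
    """Minimal Java .properties reader: split at the first unescaped '=' and unescape '\\='."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"(?<!\\)=", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0].strip()] = parts[1].strip().replace(r"\=", "=")
    return props

def check_config(props):
    """Consistency checks worth running before Alfresco is started; returns a list of findings."""
    findings = []
    fmt = props["ldap.authentication.userNameFormat"]
    if "%s" not in fmt:
        findings.append("userNameFormat lacks the %s placeholder")
    # The bind DN Alfresco builds from userNameFormat must sit under the base users are synced from
    if not fmt.endswith("," + props["ldap.synchronization.userSearchBase"]):
        findings.append("userNameFormat base differs from userSearchBase")
    return findings

def java_format_matches(pattern, value):
    """Emulate SimpleDateFormat.parse: the pattern must match a prefix of value, not all of it."""
    regex = ""
    for tok in re.finditer(r"'[^']*'|([A-Za-z])\1*|.", pattern):
        text = tok.group(0)
        if text.startswith("'"):
            regex += re.escape(text[1:-1])    # quoted literal such as 'Z'
        elif text[0].isalpha():
            regex += JAVA_FIELDS[text[0]]     # KeyError for pattern letters not covered here
        else:
            regex += re.escape(text)          # unquoted separator such as '.'
    return re.match(regex, value) is not None
```

With the sample value, the 'Z' pattern stops at the '.' after the seconds and fails, while the pattern without 'Z' matches the leading 14 digits and succeeds.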


I hope that this post will help you. Any feedback and comments are always welcome :-)

Thanks,
Swetha Akula
 




1 comment:

  1. I really appreciate the information shared above. It's of great help. If someone wants to learn online (virtual) instructor-led live training in ALFRESCO, kindly contact us http://www.maxmunus.com/contact
    MaxMunus offers world-class virtual instructor-led training on ALFRESCO. We have industry expert trainers. We provide training material and software support. MaxMunus has successfully conducted 100000+ trainings in India, USA, UK, Australia, Switzerland, Qatar, Saudi Arabia, Bangladesh, Bahrain, UAE etc.
    For Demo Contact us.
    Avishek Priyadarshi
    MaxMunus
    E-mail: avishek@maxmunus.com
    Skype id: avishek_2
    Ph:(0) 8553177744 / 080 - 41103383
    http://www.maxmunus.com/
