
Alfresco with Active Directory

If you have not read my Basic Alfresco Installation, read it now before going on.

We are going to configure Alfresco to authenticate using Active Directory so that our Windows users can use Alfresco. We will not have any Alfresco accounts.

Alfresco’s configuration file is alfresco-global.properties; you can find it in /opt/alfresco/tomcat/shared/classes. Make sure to back up the original file, in case you mess it up.

Basic configuration is already defined and we will add our configuration at the bottom of the file.

The authentication chain will be passthru with ldap:

authentication.chain=passthru1:passthru,ldap1:ldap

Passthru configuration. I don’t want guest users to log in to my Alfresco and access my files.

passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false

Passthru authentication. We are not going to use CIFS/Samba and FTP, so we are going to disable them.

passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false

We have to define the Active Directory server where Alfresco users will be authenticated, and define the Administrator account that is going to configure our Alfresco.

passthru.authentication.servers=<Your.AD.Server.IP.Address>
passthru.authentication.domain=<Netbios Domain>
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=<Your.Active.Directory.Administrator.Account>
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS

LDAP authentication configuration. I don’t want LDAP authentication; I want passthru authentication instead.

ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<Your.AD.Server.IP.Address>:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

LDAP synchronization. You have to define the user that has an administrative account in your Active Directory. This account will log in to your Active Directory server to pull all your users.

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=<Netbios Domain>\\<administrator.privilege.account>
ldap.synchronization.java.naming.security.credentials=<administrator.privilege.account.password>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)

We are going to synchronize all users and groups from your Domain.

ldap.synchronization.groupSearchBase=cn\=users,dc=<company.domain>,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=<company.domain>,dc=com

Other default ldap synchronization configuration

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

We want to synchronize only the changes that were made in our Active Directory.

synchronization.synchronizeChangesOnly=true

We are not going to use CIFS/Samba

cifs.enabled=false
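
Before starting Alfresco, the edited file can be checked for the mistakes this kind of setup is prone to. The script below is an added example, not part of the original post or of Alfresco: it flags curly quotes pasted in from a web page, `<...>` placeholders left unfilled, guest login left enabled, and a simple bind over plain ldap://, which carries the bind password unencrypted. The rule names and the sample text are assumptions made for illustration.

```python
import re

SMART_QUOTES = "\u2018\u2019\u201c\u201d"  # curly quotes pasted in from a web page

def parse_properties(text):
    """Parse simple key=value lines (no line continuations, no \\uXXXX)."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            # Java .properties: backslash + char yields the char (\= \: \\)
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props

def audit(text):
    """Return sorted (rule, key) findings for an alfresco-global.properties text."""
    props = parse_properties(text)
    findings = set()
    for key, value in props.items():
        if any(q in value for q in SMART_QUOTES):
            findings.add(("smart-quote", key))
        if re.search(r"<[^<>]+>", value):
            findings.add(("placeholder", key))
        if key.endswith(".allowGuestLogin") and value.lower() != "false":
            findings.add(("guest-login", key))
    url_key = "ldap.authentication.java.naming.provider.url"
    mech = props.get("ldap.authentication.java.naming.security.authentication")
    if props.get(url_key, "").lower().startswith("ldap://") and mech == "simple":
        # A simple bind over plain ldap:// carries the bind password unencrypted
        findings.add(("cleartext-bind", url_key))
    return sorted(findings)

# Constructed sample, modelled on the settings above (values are made up)
SAMPLE = """\
passthru.authentication.allowGuestLogin=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://192.0.2.10:389
ldap.synchronization.java.naming.security.principal=<Netbios Domain>\\\\svc
ldap.synchronization.timestampFormat=yyyyMMddHHmmss\u2019.0Z\u2019
ldap.synchronization.groupQuery=(objectclass\\=group)
"""

if __name__ == "__main__":
    for rule, key in audit(SAMPLE):
        print(f"{rule:15} {key}")
```

To check a real file, pass its contents to audit(); an empty list means none of these four rules fired.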

Start your Alfresco and monitor your log.

$ cd /opt/alfresco
$ ./alf_start.sh
$ tail -f alfresco.log

Everything seems to be ok.

From your browser, go to your Alfresco server on port 8080:

http://<Your.Alfresco.Server.IPAddress>:8080/alfresco

Log in using your Active Directory account.

Your Alfresco Share is at:

http://<Your.Alfresco.Server.IPAddress>:8080/share

Next time, I will configure Alfresco with CIFS/Samba.  I read that this is tough to configure.

Wish me luck!

  1. November 4, 2011 at 1:48 pm

    Thanks!!!!! This document is very useful!!!!!!!!!!!!!!!!!!!!!!!!!!
    Thanks, we are using alfresco in Almeria, Spain, if you want contact with us.

  2. January 18, 2012 at 4:02 am

    Thanks a lot for your post. I had to configure LDAP authentication for other systems so I thought doing Alfresco would be a pain. Thanks to your instructions, I did this in 5 minutes – literally. Thanks again for sharing
    Cheers,
    Fred

  3. February 25, 2012 at 1:05 pm

    You should change the sentence “passthru.authentication.sso.enabled” to “ntlm.authentication.sso.enabled” ;)

  4. July 20, 2012 at 6:44 am

    Excellent post thank you very much, with some minor changes got it working on Windows Server 2008R2.

  5. May 13, 2013 at 10:11 pm

    Fantastic post, however, I was wanting to know if you could write a little
    more on this topic? I’d be very grateful if you could elaborate a little bit more. Kudos!

  6. May 18, 2013 at 12:44 am

    What’s up, all is going fine here and of course everyone is sharing information, that’s really fine, keep up writing.

  7. August 29, 2013 at 8:24 am

    Excellent article, still relevant, only thing is that on this line:

    ldap.synchronization.timestampFormat=yyyyMMddHHmmss’.0Z’

    the quotes are not proper single quotes and that confuses alfresco.

  8. Uttam Singh
    October 4, 2013 at 1:37 pm

    Woooow… this worked at the first shot for me!

  9. February 26, 2014 at 2:28 am

    Greetings! Very helpful advice within this article! It’s
    the little changes that will make the most important changes.
    Thanks a lot for sharing!

  10. April 25, 2014 at 9:03 am

    I visit daily a few web pages and sites to read posts,
    except this web site gives feature based writing.

  11. Adonis
    May 23, 2014 at 3:59 am

    Unbelievable, After Extensive searching : brutalizing hours , this WORKED LIKE A CHARM. Thanks for the Glorious : Detailed Information…
    Fa real Andoy Lang, Thanks

  1. July 20, 2010 at 2:30 pm
