Monday, January 7, 2008

How to setup LDAP authentication in Alfresco

Synopsis: This article describes the process of setting up LDAP authentication in the Alfresco content management system.


OpenLDAP
Setting it up is pretty trivial; I used yum. It is important to add initial entries into a fresh installation, since it comes totally empty and spits errors otherwise. This is how I did it, starting with an LDIF file that holds the base entry for the domain:
#nano khaz.ldif
dn: dc=khaz-domain,dc=com
objectClass: domain
dc: khaz-domain

Then load it offline with slapadd and restart slapd. slapadd runs as root, so the database file it creates has to be handed back to the ldap user that slapd runs as, otherwise slapd cannot open it after the restart:
#slapadd -l khaz.ldif
#chown ldap:ldap /var/lib/ldap/objectClass.bdb
#/etc/rc.d/init.d/ldap restart
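As an added example (not from the post, and not something Crowd generates), here is a small Python script that produces the LDIF implied by the base entry above plus one user entry under an assumed ou=People branch, with the userPassword stored as a salted {SSHA} hash rather than in cleartext. The base DN is the one from khaz.ldif; the ou=People container, the user alice, her mail address and her password are constructed for the example, and the schema note assumes the stock Fedora slapd.conf.

```python
import base64
import hashlib
import os

# Base DN taken from the post's khaz.ldif; the ou=People branch, the user and
# the password used below are constructed for this example.
BASE_DN = "dc=khaz-domain,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN


def ssha_hash(password, salt=None):
    """Return an OpenLDAP {SSHA} userPassword value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)          # slapd itself uses a 4-byte random salt for {SSHA}
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the hash with the salt that follows the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def base_ldif():
    """The domain object from the post plus an ou=People container for user entries."""
    return (
        f"dn: {BASE_DN}\n"
        "objectClass: domain\n"
        "dc: khaz-domain\n"
        "\n"
        f"dn: {PEOPLE_OU}\n"
        "objectClass: organizationalUnit\n"
        "ou: People\n"
    )


def user_ldif(uid, cn, sn, password, mail=None, salt=None):
    """One inetOrgPerson entry with a salted, hashed password (never cleartext).

    inetOrgPerson needs the core, cosine and inetorgperson schemas, which the
    stock Fedora slapd.conf typically includes. Values are assumed to be plain
    ASCII without leading spaces or colons; anything else needs LDIF base64 form.
    """
    lines = [
        f"dn: uid={uid},{PEOPLE_OU}",
        "objectClass: inetOrgPerson",
        "objectClass: organizationalPerson",
        "objectClass: person",
        "objectClass: top",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"userPassword: {ssha_hash(password, salt)}",
    ]
    if mail:
        lines.append(f"mail: {mail}")
    return "\n".join(lines) + "\n"


def user_dn(uid):
    """The DN a client (Alfresco included) binds with for a user in this layout."""
    return f"uid={uid},{PEOPLE_OU}"


if __name__ == "__main__":
    # Writes an LDIF that 'slapadd -l people.ldif' can load after the base entry.
    with open("people.ldif", "w") as fh:
        fh.write(base_ldif() + "\n")
        fh.write(user_ldif("alice", "Alice Example", "Example", "s3cret",
                           mail="alice@khaz-domain.com"))
    print("wrote people.ldif; bind DN would be", user_dn("alice"))
```

Load the result with the same slapadd -l as above (or ldapadd against the running server). ssha_verify is there to show how slapd checks a stored {SSHA} value and to confirm the hash round-trips before the file is loaded.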

Atlassian Crowd
Crowd is a web-based single sign-on (SSO) tool that simplifies application provisioning and identity management. I used it as a front-end tool for OpenLDAP to manage users.
Install the software and log in to the administration panel at something like http://yoursite.com:8095/crowd/console,
choose the Directories tab and click "Add Directory". Pick the "Connector" directory type (Crowd supports several connectors, such as Active Directory, Sun ONE and Open Directory) and fill in the details of the OpenLDAP installation.

Alfresco
I used the bundled version (Tomcat + Alfresco) with the HSQL database, which can be switched to another one such as MySQL.
First I tried it on my desktop in VMware Server and then on an Amazon EC2 instance running Fedora Core 6.
During the initial stage I turned on debug mode to see exactly what was going on, and it really helped me trace the LDAP communication between my OpenLDAP server and Alfresco.
Use these settings as guidance:
/opt/alfresco/tomcat/shared/classes/alfresco/extension/chaining-authentication-context.xml
/opt/alfresco/tomcat/shared/classes/alfresco/extension/ldap-authentication-context.xml

http://s3.amazonaws.com/khaz_download/chaining-authentication-context.xml

http://s3.amazonaws.com/khaz_download/ldap-authentication-context.xml
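The messages that debug logging shows between Alfresco and OpenLDAP are LDAP bind operations: Alfresco authenticates a user by binding to the directory with a DN built from the login name. The following Python script, added here as an example and not taken from the post or from Alfresco, hand-encodes such an LDAPv3 BindRequest and decodes the BindResponse, so a user's DN and password can be checked directly against slapd and a DN-format mistake (result 32 noSuchObject or 34 invalidDNSyntax) told apart from a wrong password (49 invalidCredentials) before touching the Alfresco XML. The host, port, DN and password are assumptions.

```python
import socket

# Minimal BER/LDAPv3 encoder for one message type: simple BindRequest (RFC 4511).
# The host, port, DN and password used at the bottom are assumptions for the example.


def ber_len(n):
    """BER length octets: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n):
    """INTEGER, non-negative only; the extra bit keeps the top byte's sign bit clear."""
    return ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, simple [0] pw } }."""
    bind = (ber_int(3)                                 # version 3
            + ber(0x04, dn.encode("utf-8"))            # name (LDAPDN)
            + ber(0x80, password.encode("utf-8")))     # context tag [0] = simple auth
    return ber(0x30, ber_int(msg_id) + ber(0x60, bind))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)                        # messageID
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                                    # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)                      # ENUMERATED resultCode
    _, _matched, pos = read_tlv(resp, pos)             # matchedDN
    _, diag, _ = read_tlv(resp, pos)                   # diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))


RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials"}


def ldap_bind_check(host, port, dn, password, timeout=5.0):
    """Perform one simple bind and return the decoded result.

    Plain LDAP without TLS: the password crosses the wire in clear, so run this
    on the directory host itself or over an SSH tunnel; the production
    Alfresco-to-LDAP link should use ldaps:// or StartTLS for the same reason.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)                         # a BindResponse fits in one read
    return parse_bind_response(data)


if __name__ == "__main__":
    # Assumed values: a local slapd and a user entry under ou=People.
    mid, code, diag = ldap_bind_check("localhost", 389,
                                      "uid=alice,ou=People,dc=khaz-domain,dc=com", "s3cret")
    print(f"bind result {code} ({RESULT_NAMES.get(code, 'other')}) {diag}")
```

The bytes bind_request produces are exactly what a packet capture or slapd's own debug output shows for Alfresco's bind, which makes it easy to compare the DN Alfresco sends with the one that actually exists in the directory.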

Adding users to Alfresco
Log in to the Crowd panel.
Choose the Principals tab, then select OpenLDAPForAlfresco (this is how I named it; yours might have a different name) in the Directory dropdown and hit the Search button.
This should bring up a list of users in the directory. To add a new user, locate Add Principal in the Principal Browser tab and click on it. This opens a form where you fill in the user details and select the proper directory for the user to belong to.
Upon successful creation of the user account, you can test it in Alfresco at http://youralfrescoinstallation.com:8080/alfresco. At this point all users are managed outside of Alfresco and can easily be attached to other services such as single sign-on and OpenID.

4 comments:

Shibu said...

Does CiFS also work using this method?

Vicky said...

Absolutely need to use the Crowd SSO for LDAP auth?

Khazret Sapenov said...

Vicky, not really, I just used it as a nice front-end for user administration with other useful add-ons. Of course you can go without it.

oernii.sk said...

Hi, the XML files are unavailable, could you please send them to ?

thank you.

oernii @@ gmail.com
