Hello,
I am using Alfresco 4.2.e on Windows Server 2008 R2.
I intend to configure LDAP authentication on Alfresco so that the users of my Windows AD could log on to Alfresco.
My problem is the use of a certificate with the StartTls encryption method. Anybody from my AD can log on to Alfresco, and I haven't found anything in the documentation about my case... How can I force Alfresco to choose the StartTls encryption method?
In alfresco.log, I have the following error:
11:00:00,186 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 06200027 Echec de la connexion à ldap://SERVER.DOMAIN.local:389. Raison javax.naming.AuthenticationNotSupportedException, [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:192)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:108)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:688)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:685)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:969)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:714)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
Method applied:
1) Tests with Apache Directory Studio
* Failed with the previous error when:
server: SERVER.DOMAIN.local, port: 389, encryption method: none, provider: JNDI
authentication method: simple, Bind DN/SASL: CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method: simple, Bind DN/SASL:
* Succeeded with:
server: SERVER.DOMAIN.local, port: 389, encryption method: StartTls, provider: JNDI
authentication method: simple, Bind DN/SASL: CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method: simple, Bind DN/SASL:
2) Alfresco configuration
At the end of the alfresco-global.properties file I added:
### Authentication protocols ###
authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### Active Directory synchronization ###
synchronization.import.cron=0 0/30 9-18 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
I added to the directory tree:
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap
- file: common-ldap-context.xml (copy)
- directory: ldap-ad1
  - files: ldap-ad-authentication.properties (copy), ldap-ad-authentication-context.xml (copy)
** copies from C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication...
I updated the copy of ldap-ad-authentication.properties like this:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://SERVER.DOMAIN.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=user_alfresco,Administrateur,admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.userSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
3) Java configuration
Inspired by https://wiki.alfresco.com/wiki/Ldap_over_SSL
- I exported the certificate from Apache Directory Studio (Window > Preferences > Apache Directory Studio > Certificate validation > export the certificate CN=SERVER.DOMAIN.local to my PC, renamed "certificate.der")
- in a Windows command prompt (Administrator mode):
C:\Alfresco\java\bin\keytool -import -alias 192.168.1.101 -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der
C:\Alfresco\java\bin\keytool -import -alias SERVER.DOMAIN.local -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der
I indicated my keystore password for each previous command.
I opened the properties of the Alfresco Tomcat service with the following command:
C:\Alfresco\tomcat\bin\tomcat7w //ES//alfrescoTomcat
And in Java > Java Options, I added:
-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts"
I restarted Tomcat and... I could not log on to Alfresco.
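The error in the log (LDAP error code 8, "the server requires binds to turn on integrity checking if SSL/TLS are not already active") means the domain controller refuses a simple bind sent in clear text on port 389; the Directory Studio test that succeeded did so because it upgraded the same port-389 connection with StartTLS before binding. The following standalone Java program, added here as an example (it is not Alfresco code and not part of the original post), reproduces that sequence with plain JNDI: anonymous connect, StartTLS extended operation, TLS handshake, then the simple bind. The host name and bind DN are taken from the post; the password is read from an environment variable assumed here for illustration.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLSession;

/**
 * Standalone check: open a plain LDAP connection on port 389, upgrade it with
 * StartTLS, then perform a simple bind over the protected channel. This is
 * the order Apache Directory Studio uses when "StartTls" is selected and the
 * one the AD "integrity checking" message asks for.
 */
public class StartTlsBindCheck {

    // Values from the post above (assumed for this example); adjust as needed.
    // Use the host name on the server certificate, not the IP address:
    // StartTlsResponse.negotiate() verifies the host name against it.
    static final String URL = "ldap://SERVER.DOMAIN.local:389";
    static final String BIND_DN = "CN=Alfresco,CN=Users,DC=DOMAIN,DC=local";

    public static LdapContext connectWithStartTls(String url, String bindDn, String password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Deliberately no SECURITY_* entries yet: putting "simple" credentials
        // here would send the bind in clear text before TLS exists, which is
        // exactly the request the domain controller rejects with error code 8.
        LdapContext ctx = new InitialLdapContext(env, null);

        // StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) on the
        // already-open port-389 socket, followed by the TLS handshake.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        SSLSession session;
        try {
            // Uses the JVM trust store (cacerts or -Djavax.net.ssl.trustStore),
            // so an untrusted server certificate fails right here.
            session = tls.negotiate();
        } catch (IOException e) {
            ctx.close();
            throw e;
        }
        System.out.println("TLS established: " + session.getProtocol() + " " + session.getCipherSuite());

        // Only now, over the protected channel, supply the simple bind credentials.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        // Force the bind immediately so a bad password or a server policy
        // rejection surfaces here instead of at the first search.
        ctx.reconnect(null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable name; keeps the service account secret out of the source.
        String password = System.getenv("LDAP_BIND_PASSWORD");
        if (password == null) {
            System.err.println("set LDAP_BIND_PASSWORD first");
            System.exit(2);
        }
        LdapContext ctx = connectWithStartTls(URL, BIND_DN, password);
        try {
            System.out.println("Bound as " + ctx.getEnvironment().get(Context.SECURITY_PRINCIPAL));
        } finally {
            ctx.close();
        }
    }
}
```

Run it with the same `-Djavax.net.ssl.trustStore=...` value that was put into the Tomcat Java Options, so the test exercises the trust store the service will actually use; a handshake failure in `negotiate()` then points at the certificate import, while an error after it points at the bind itself. Because JNDI checks the certificate host name during StartTLS, the connection URL has to use SERVER.DOMAIN.local (the CN of the exported certificate) rather than 192.168.1.101.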