Hello,
Alfresco 4.2.f is installed on Windows Server 2008 R2 (64-bit), and I connect from Windows 7.
I have three questions:
I would like to know whether SSO can allow automatic login to WebDAV?
If yes, is it possible with passthru?
If so, how can I configure Alfresco (and my Windows server?) so that login succeeds using SSO with passthru?
Here is what I tried (helped by this French blog http://desaille.fr/alfresco-authentification-sso-ntlm-ldap-ad/ ):
- In Internet Options I added the IP address and the domain name in trusted sites
- I added the self-signed certificate "browser.p12" in the trusted root certificate authorities
- I set the LAN Manager authentication level to "Send LM & NTLM - use NTLMv2 session security if negotiated"
In alfresco-global.properties, I updated the authentication chain and added the passthru and ntlm configuration to use SSO and LDAP authentication.
###############################
## Common Alfresco Properties #
###############################
dir.root=C:/Alfresco/alf_data
dir.contentstore=D:/Alfresco/contentstore/contentstore
dir.contentstore.deleted=D:/Alfresco/contentstore/contentstore.deleted
alfresco.context=alfresco
alfresco.host=IP SERVER IP
alfresco.port=8081
alfresco.protocol=http
share.context=share
share.host=SERVER IP
share.port=8081
share.protocol=http
### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=admin
db.name=alfresco
db.url=jdbc:postgresql://localhost:5433/${db.name}
### FTP Server Configuration ###
ftp.enabled=true
ftp.port=22
### RMI service ports ###
alfresco.rmi.services.port=50501
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0
### External executable locations ###
ooo.exe=C:/Alfresco/libreoffice/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8101
img.root=C:\\Alfresco\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}\\config
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
swf.exe=C:/Alfresco/swftools/pdf2swf.exe
swf.languagedir=C:/Alfresco/swftools/japanese
jodconverter.enabled=false
jodconverter.officeHome=C:/Alfresco/libreoffice/App/libreoffice
jodconverter.portNumbers=8101
### Initial admin password ###
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634
### E-mail site invitation setting ###
notification.email.siteinvite=false
### License location ###
dir.license.external=C:/Alfresco
### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8444
### BPM Engine ###
system.workflow.engine.jbpm.enabled=true
### Authentication protocols ###
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=user1-ldap,user2-ldap,ldap-admin,admin
passthru.authentication.domain=DOMAIN.local
passthru.authentication.servers=DOMAIN\\LDAP SERVER IP
# IMAP Configuration
imap.server.enabled=true
imap.server.port=143
imap.server.host=SERVER IP
imap.config.home.folderPath=cm:Imap Home
#---
imap.config.server.mountPoints.value.AlfrescoIMAP.mountPointName=Alfresco IMAP
imap.config.server.mountPoints.value.AlfrescoIMAP.modeName=MIXED
# SharePoint configuration, port defined in the file Alfresco2\configuration-manuelle-port-alf.txt
vti.server.port=7071
vti.server.external.host=${localname}
vti.server.external.port=${vti.server.port}
# FOR DOCUMENT TRANSFER
#system.preserve.modificationData=true
system.enableTimestampPropagation=false
#system.auditableData.preserve=true
#system.auditableData.FileFolderService=true
#system.auditableData.ACLs=true
# Tuning/Optimisation
alfresco.cluster.enabled=false
# customization transformers - openoffice
# C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Transformers\default\transformers.properties
content.transformer.OpenOffice.extensions.*.docx.supported=true
content.transformer.OpenOffice.extensions.*.xlsx.supported=true
content.transformer.OpenOffice.extensions.*.pptx.supported=true
content.transformer.OpenOffice.extensions.*.txt.supported=true
content.transformer.OpenOffice.extensions.html.pdf.supported=true
content.transformer.OpenOffice.extensions.docx.pdf.maxSourceSizeKBytes=4096
content.transformer.OpenOffice.extensions.doc.pdf.maxSourceSizeKBytes=4096
content.transformer.OpenOffice.2Pdf.available=true
content.transformer.complex.OpenOffice.Pdf2swf.extensions.docx.swf.maxSourceSizeKBytes=4096
content.transformer.Pdf2swf.maxSourceSizeKBytes=20480
# disable notification feed emails
activities.feed.notifier.enabled=false
I extended the ldap subsystem by creating:
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad:
- ldap-ad1
|_ldap-ad-authentication.properties
|_ldap-ad-authentication-context.xml
- common-ldap-context.xml
ldap-ad-authentication.properties:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@domaine.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://IP SERVEUR LDAP:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrateur,alfresco
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=alfresco@domaine.local
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=domaine,dc=local
ldap.synchronization.userSearchBase=dc\=domaine,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
In share-config-custom.xml, I added:
<config evaluator="string-compare" condition="Remote">
<remote>
<keystore>
<path>alfresco/web-extension/alfresco-system.p12</path>
<type>pkcs12</type>
<password>alfresco-system</password>
</keystore>
<connector>
<id>alfrescoCookie</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
</connector>
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SsoUserHeader</userHeader>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoCookie</connector-id>
<endpoint-url>http://localhost:8081/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
</remote>
</config>
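As an added example (not part of the post above, and not Alfresco's own code), the script below audits an authentication chain like the one in the poster's alfresco-global.properties. It parses the Java .properties syntax the file uses (escaped `\=` and `\:`, backslash line continuation, `${...}` placeholders), lists which chain members have their SSO flag switched on, and lists the keys that hold plaintext secrets so they can be protected with file permissions. The SSO flag names per subsystem type are taken from the Alfresco 4.x documentation; the sample input is constructed from trimmed values of the post with IP addresses replaced by placeholders.

```python
"""Audit the authentication chain in an alfresco-global.properties file.

Added example, not from the forum post nor Alfresco's own code. It parses the
Java .properties syntax the post uses (escaped '=' and ':' in keys and values,
backslash line continuation, ${...} placeholders), then reports which chain
members have their SSO flag on and which keys hold plaintext secrets.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
# Property that switches SSO on per subsystem type (Alfresco 4.x docs); ldap/ldap-ad have none.
SSO_FLAG = {"passthru": "ntlm.authentication.sso.enabled",
            "alfrescoNtlm": "ntlm.authentication.sso.enabled",
            "kerberos": "kerberos.authentication.sso.enabled",
            "external": "external.authentication.enabled"}


def unescape(s):
    """Apply .properties backslash escapes: \\= \\: \\\\ give = : \\ and \\t etc. give controls."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def split_key_value(line):
    """Key ends at the first unescaped '=', ':' or blank, as java.util.Properties does."""
    i = 0
    while i < len(line) and line[i] not in "=: \t":
        i += 2 if line[i] == "\\" else 1        # an escaped character never ends the key
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return unescape(line[:i]), unescape(rest)


def parse_properties(text):
    """Parse .properties text into a dict; lines starting with '#' or '!' are comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:   # odd trailing backslashes: continued
            pending = line[:-1]
            continue
        if line and line[0] not in "#!":
            key, value = split_key_value(line)
            props[key] = value
    return props


def resolve_placeholders(props):
    """Expand ${key} references; unknown ones such as ${localname} stay literal."""
    resolved = dict(props)
    for _ in range(10):                                     # bounded: a self-reference cannot spin
        before = dict(resolved)
        for key, value in before.items():
            resolved[key] = PLACEHOLDER.sub(lambda m: before.get(m.group(1), m.group(0)), value)
        if resolved == before:
            break
    return resolved


def audit_chain(props):
    """Chain members, which have SSO on, keys holding plaintext secrets, and warnings."""
    chain = [tuple(e.strip().split(":", 1))
             for e in props.get("authentication.chain", "").split(",") if ":" in e]
    sso_on = [name for name, kind in chain
              if props.get(SSO_FLAG.get(kind, ""), "false").strip().lower() == "true"]
    secrets = sorted(k for k, v in props.items()
                     if v and ("password" in k.lower() or "credentials" in k.lower()))
    warnings = []
    if len(sso_on) > 1:
        warnings.append("SSO flag on for several chain members (%s): a flag in alfresco-global."
                        "properties is read by every instance, so check which one should do SSO"
                        % ", ".join(sso_on))
    if any(kind == "passthru" for _, kind in chain) and not (
            props.get("passthru.authentication.servers") or props.get("passthru.authentication.domain")):
        warnings.append("passthru in chain but neither passthru.authentication.servers "
                        "nor passthru.authentication.domain is set")
    return {"chain": chain, "sso_on": sso_on, "plaintext_secrets": secrets, "warnings": warnings}


# Constructed sample, trimmed from the values in the post (IP addresses replaced by placeholders).
SAMPLE = r"""
### Common Alfresco Properties ###
dir.root=C:/Alfresco/alf_data
dir.keystore=${dir.root}/keystore
db.name=alfresco
db.url=jdbc:postgresql://localhost:5433/${db.name}
db.password=admin
img.root=C:\\Alfresco\\imagemagick
### Authentication protocols ###
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=true
passthru.authentication.domain=DOMAIN.local
passthru.authentication.servers=DOMAIN\\LDAP_SERVER_IP
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.java.naming.security.credentials=secret
"""

if __name__ == "__main__":
    report = audit_chain(resolve_placeholders(parse_properties(SAMPLE)))
    for w in report["warnings"]:
        print("WARN:", w)
    print("SSO on:", report["sso_on"], "| secrets to protect with file ACLs:", report["plaintext_secrets"])
```

Run against a real file with `audit_chain(resolve_placeholders(parse_properties(open(path).read())))`. On the sample it reports that both `passthru1` and `alfrescoNtlm1` pick up the single `ntlm.authentication.sso.enabled=true`, which is the point to check first when an SSO chain behaves unexpectedly: the instance that should own the NTLM handshake is not necessarily the one whose flag is read first.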