Tuesday, April 5, 2011

Configuring Alfresco 3.4 for AD SSO

My apologies if this is a bit rough, but I wanted to get this out due to the intense interest related to Alfresco.  Also, I would highly recommend setting up Alfresco like this from the beginning if you can, since it allows you to manage login from one database (fewer passwords for your users to remember, fewer systems for you to manage).

Goal: configure Alfresco 3.4 Community Edition to authenticate users as follows:

Internal users use SSO through Active Directory
External users authenticate against Active Directory (non-SSO)
Account info is synchronized with Active Directory

This information is based on http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

Also, I've done the standard install (everything) with the GUI-based installer available from Alfresco.org on a clean CentOS 5.5 system.

First, we have to update the authentication chain in alfresco-global.properties (see my previous post on this for the location).  I added the following lines:

### Authentication Chain ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
alfresco.authentication.authenticateCIFS=false
passthru.authentication.domain=<domain_name>
ldap-ad.authentication.active=false

Remember, passthru.authentication.useLocalServer, passthru.authentication.domain and passthru.authentication.servers are mutually exclusive, so only set one of them.


Multiple Auth Servers of the same type
---------------------------------------
If you are using two different servers with the same authentication type (i.e. two different LDAP servers; not possible with passthru!), you need to copy the .properties file from:
/opt/alfresco-3.4.c/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/<auth_type>/<auth_type>.properties

to
/opt/alfresco-3.4.c/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/<auth_type>/<auth_type_instance#>/<auth_type>.properties

You will need to create the directory tree below the extension subdirectory, starting with subsystems.  Remember, this is only required if you have two auth servers using the same auth type.  Check the Alfresco wiki if you aren't sure.
---------------------------------------
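The two rules above (only one of the three passthru server-selection keys may be set, and a subsystem type that appears twice in the chain needs its own per-instance properties directory) are easy to get wrong by hand, so here is a small lint script that checks an alfresco-global.properties file for both. This is an added example, not code from the original post or from Alfresco; the extension root path is the one used in the post, the properties parser is a minimal one that only handles plain key=value lines, and the sample file below is constructed for illustration, with useLocalServer and domain deliberately both set so the check fires.

```python
"""Lint the authentication section of an alfresco-global.properties file.

Added example, not part of the original post or of Alfresco. Checks:
  1. passthru.authentication.{useLocalServer,domain,servers} are mutually
     exclusive, and one of them must be set if passthru is in the chain.
  2. A subsystem type used twice in authentication.chain needs a
     per-instance <type>.properties under the extension tree (passthru
     cannot be used twice at all).
"""
import re

# Constructed sample: the post's settings plus a deliberate conflict.
SAMPLE_PROPERTIES = """\
### Authentication Chain ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
alfresco.authentication.authenticateCIFS=false
passthru.authentication.domain=EXAMPLE
passthru.authentication.useLocalServer=true
ldap-ad.authentication.active=false
"""

PASSTHRU_EXCLUSIVE = (
    "passthru.authentication.useLocalServer",
    "passthru.authentication.domain",
    "passthru.authentication.servers",
)

# Assumed install prefix (taken from the paths quoted in the post).
EXTENSION_ROOT = "/opt/alfresco-3.4.c/tomcat/shared/classes/alfresco/extension"


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_chain(chain):
    """'id1:type1,id2:type2' -> [(id1, type1), (id2, type2)]."""
    entries = []
    for item in chain.split(","):
        item = item.strip()
        if not item:
            continue
        inst, _, typ = item.partition(":")
        entries.append((inst, typ or inst))
    return entries


def passthru_keys_set(props):
    """Return which of the mutually exclusive passthru keys carry a value."""
    return [k for k in PASSTHRU_EXCLUSIVE if props.get(k, "") != ""]


def duplicate_type_instances(chain_entries):
    """Map subsystem type -> instance ids, for types that appear more than once."""
    by_type = {}
    for inst, typ in chain_entries:
        by_type.setdefault(typ, []).append(inst)
    return {t: ids for t, ids in by_type.items() if len(ids) > 1}


def instance_properties_path(typ, inst):
    """Per-instance properties location, following the layout described in the post."""
    return f"{EXTENSION_ROOT}/subsystems/Authentication/{typ}/{inst}/{typ}.properties"


def lint(text):
    """Run both checks and return a list of human-readable findings (empty = clean)."""
    props = parse_properties(text)
    chain = parse_chain(props.get("authentication.chain", ""))
    findings = []

    set_keys = passthru_keys_set(props)
    if len(set_keys) > 1:
        findings.append("passthru: only one of %s may be set, found %s"
                        % (", ".join(PASSTHRU_EXCLUSIVE), ", ".join(set_keys)))
    elif any(typ == "passthru" for _, typ in chain) and not set_keys:
        findings.append("passthru: set exactly one of %s" % ", ".join(PASSTHRU_EXCLUSIVE))

    for typ, ids in duplicate_type_instances(chain).items():
        if typ == "passthru":
            findings.append("passthru cannot be used twice in the chain")
        else:
            for inst in ids:
                findings.append(f"{typ} instance '{inst}' needs {instance_properties_path(typ, inst)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROPERTIES) or ["no problems found"]:
        print(finding)
```

Run it against your real file with `lint(open("alfresco-global.properties").read())`; a clean configuration returns an empty list, and each finding for a duplicated type tells you the exact path where the copied properties file has to live.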


In looking at the ntlm-filter.properties files in the passthru and ldap-ad folders, I found that these subsystems were already configured for passthru to have SSO enabled.  Also, I found that if you have passthru and alfrescoNtlm set up, after an unsuccessful SSO login, the "backdoor" URL (http://<hostname_or_IP>:8080/alfresco/faces/jsp/login.jsp) will automatically display (at least in Firefox).  So this is actually as expected, since it fails through to the local login.  I don't know how this would look to the outside world, since I'm mainly using this on a company intranet right now.

So, to recap: after doing everything above, this is where I'm at:

Goal: configure Alfresco 3.4 Community Edition to authenticate users as follows:

Internal users use SSO through Active Directory - this is completed and working fine
External users authenticate against Active Directory (non-SSO) - this is completed as far as I can tell
Account info is synchronized with Active Directory - this isn't working right now, so I've missed some settings for this authentication type.  I suspect I may not have the OU/CN/DC settings correct for what AD wants to see.
