Cool Solution - Alfresco
From Univention Wiki
Note: Cool Solutions are articles documenting additional functionality based on Univention products.
Not all of the steps shown in this article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown here.
This article describes how to configure LDAP authentication to use Alfresco with domain users.
Requirements
This article requires an already working installation of Alfresco.
Installation
Automatic installation
Follow the download instructions on this site: http://wiki.alfresco.com/wiki/Download_and_Install_Alfresco. After downloading, make the installer binary executable and run it:
chmod +x alfresco-community-5.0.d-installer-linux-x64.bin
./alfresco-community-5.0.d-installer-linux-x64.bin
Follow the instructions and Alfresco will be installed with all needed dependencies.
After the installation, configure the Univention Firewall to allow access to port 8080 (see section Configure the firewall for details).
Alfresco can then be accessed at http://<name or IP address of your server>:8080/share. Note that this URL uses plain HTTP, so credentials entered in Share (domain passwords, once LDAP authentication is enabled) travel unencrypted; either place a TLS-terminating reverse proxy in front of Tomcat or restrict port 8080 to trusted networks.
Manual installation
To manually install, follow the instructions in the Alfresco wiki.
In order to install Tomcat 7, the unmaintained repository must be activated first. Keep in mind that packages from this repository receive no security updates from Univention, so Tomcat has to be kept up to date by other means:
ucr set repository/online/unmaintained=yes
univention-install tomcat7
After the installation, configure the Univention Firewall to allow access to port 8080 (see section Configure the firewall for details).
Configuration
Configure the firewall
To access Alfresco, the Tomcat port must be opened in your local firewall, and the firewall must be restarted:
ucr set \
  security/packetfilter/tcp/8080/all="ACCEPT" \
  security/packetfilter/tcp/8080/all/en="Tomcat for Alfresco"
invoke-rc.d univention-firewall restart
LDAP authentication
To enable LDAP authentication for users that were not created in Alfresco, add the following lines to $CATALINA_BASE/shared/classes/alfresco-global.properties:
# Add LDAP support
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
Next, create the following directory path:
mkdir -p $CATALINA_BASE/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
Create a new file called ldap-authentication.properties in the created directory with the following content:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid\=%s,cn\=users,LDAP_BASE
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:7389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=univentionGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=univentionGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn\=groups,LDAP_BASE
ldap.synchronization.userSearchBase=cn\=users,LDAP_BASE
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mailPrimaryAddress
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=univentionGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
Replace LDAP_BASE with your LDAP base (obtainable via ucr get ldap/base) and escape every equality sign in it with a backslash, e.g. dc\=example,dc\=com.
A few points deserve attention before going live. The provider URL ldap://localhost:7389 binds with simple authentication over unencrypted LDAP, so each user's password crosses the connection in the clear; this is acceptable only because the connection stays on the local host. If Alfresco runs on a different system than the UCS LDAP server, use an ldaps:// URL instead (UCS serves LDAPS on port 7636) and import the UCS CA certificate into the Java truststore used by Tomcat. ldap.authentication.defaultAdministratorUserNames=Administrator turns the UCS domain Administrator into an Alfresco administrator. Finally, no synchronization bind credentials are configured, so user and group synchronization runs as an anonymous LDAP client and sees only what the directory permits anonymous readers to see.
With ldap.synchronization.active=true, users and groups are imported into Alfresco's person database by the synchronization subsystem, but their passwords are never stored in Alfresco: every login is verified by a bind against the LDAP server.
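As an added example, not part of the original article, the following script renders ldap-authentication.properties from the output of ucr get ldap/base (so the backslash escaping of the LDAP base is not done by hand) and then runs the two synchronization queries with ldapsearch, so that search bases and object classes can be verified before Alfresco is restarted. The script name, the optional BIND_DN/BIND_PW_FILE variables for an authenticated check, and the ldaps://ldap.example.com:7636 URL used in the usage comment are assumptions of this example, not taken from the original page.

```shell
#!/bin/sh
# Added example (not from the original article or the Alfresco project):
# render the ldap-authentication.properties from the article for a given UCS
# LDAP base and check the synchronization queries against the directory.
# Assumptions: ldapsearch (ldap-utils) is installed on the host; the LDAP URL
# defaults to the local UCS server on port 7389, exactly as in the article.

# Escape '=' for a Java .properties value: "dc=example,dc=com" -> "dc\=example,dc\=com".
# Commas stay unescaped because escapeCommasInBind/escapeCommasInUid are false.
escape_props() {
    printf '%s' "$1" | sed 's/=/\\=/g'
}

# Print the complete properties file for an unescaped LDAP base ($1) and an
# optional LDAP URL ($2). Only the two placeholders of the article change.
render_ldap_props() {
    base="$(escape_props "$1")"
    url="${2:-ldap://localhost:7389}"
    cat <<EOF
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid\=%s,cn\=users,${base}
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=${url}
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=univentionGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=univentionGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn\=groups,${base}
ldap.synchronization.userSearchBase=cn\=users,${base}
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mailPrimaryAddress
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=univentionGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
EOF
}

# Run the article's person and group queries against the directory and print
# how many entries each returns. The article's configuration sets no sync bind
# credentials, so Alfresco synchronizes as an anonymous client; this check does
# the same unless BIND_DN and BIND_PW_FILE (a file holding the password, so it
# never shows up in the process list) are exported. Needs network access.
check_ldap_queries() {
    base="$1"
    url="${2:-ldap://localhost:7389}"
    if [ -n "${BIND_DN:-}" ]; then
        set -- -x -LLL -H "$url" -D "$BIND_DN" -y "$BIND_PW_FILE"
    else
        set -- -x -LLL -H "$url"
    fi
    users=$(ldapsearch "$@" -b "cn=users,$base" '(objectclass=inetOrgPerson)' uid | grep -c '^uid: ')
    groups=$(ldapsearch "$@" -b "cn=groups,$base" '(objectclass=univentionGroup)' cn | grep -c '^cn: ')
    printf 'users matched: %s\ngroups matched: %s\n' "$users" "$groups"
}

# Usage on the UCS host running Alfresco (hypothetical script name):
#   sh alfresco-ldap-props.sh --write
# For a remote Alfresco host, pass an LDAPS URL to render_ldap_props, e.g.
#   render_ldap_props "$base" ldaps://ldap.example.com:7636   (assumed host name)
if [ "${1:-}" = "--write" ]; then
    base="$(ucr get ldap/base)"
    dir="${CATALINA_BASE:?CATALINA_BASE must be set}/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1"
    mkdir -p "$dir"
    render_ldap_props "$base" > "$dir/ldap-authentication.properties"
    check_ldap_queries "$base"
fi
```

If the check reports zero users or groups while the directory clearly contains them, the anonymous read permissions of the UCS LDAP server are the first thing to verify, since Alfresco's synchronization will see exactly the same result.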