Setting up an LDAP directory server for Alfresco development

The following video shows how to set up Apache Directory Studio with its embedded ApacheDS server, create users and groups, and synchronize them into Alfresco. This lets you run your own LDAP server for Alfresco testing and development without touching a shared corporate directory.

Here is the alfresco-global.properties configuration I used for the LDAP sync. It relies on the ApacheDS defaults (port 10389, admin DN uid=admin,ou=system, password secret, plain ldap:// transport), which is fine for a throwaway local instance; on anything reachable by others, change the admin password, switch the provider URL to ldaps:// and set allowGuestLogin to false.

###############################################################################
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------

###### AUTHENTICATION CHAIN ####
# Subsystems are tried in order: the built-in alfrescoNtlm instance first
# (keeps the local admin account usable), then the LDAP instance.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

###### SUBSYSTEM AUTHENTICATION ####

### SIMPLE AUTHENTICATION ###
# Simple bind: Alfresco substitutes the login name for %s and binds with the
# user's password. Over plain ldap:// that password crosses the wire in
# clear text, which is acceptable only for a local development directory.
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=uid=%s,ou=users,ou=system

ldap.authentication.active=true
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# ApacheDS listens on 10389 by default
ldap.authentication.java.naming.provider.url=ldap://localhost:10389
# Guest access is handy for testing; disable it on any shared instance
ldap.authentication.allowGuestLogin=true

#####################################
###### SUBSYSTEM SYNCHRONISATION ####
#####################################

ldap.synchronization.active=true

# Account the sync job binds with. These are the ApacheDS defaults;
# change the password on anything but a throwaway local server.
ldap.synchronization.java.naming.security.principal=uid=admin,ou=system
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000

# "\=" is Java properties escaping; the filter sent to the server reads "<=".
# {0} is replaced with the last sync time in timestampFormat (see below).
ldap.synchronization.groupQuery=(objectclass=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass=groupOfNames)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(objectclass=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass=inetOrgPerson)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou=groups,ou=system
ldap.synchronization.userSearchBase=ou=users,ou=system

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

################# ATTRIBUTE MAPPING #############
#### mapping to unique username in username attribute###
ldap.synchronization.userIdAttributeName=uid
#ldap.synchronization.userLastNameAttributeName=cn
#ldap.synchronization.userEmailAttributeName=mail
#ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.groupIdAttributeName=cn
#ldap.synchronization.groupType=
#ldap.synchronization.personType=
ldap.synchronization.groupMemberAttributeName=member
#ldap.synchronization.userOrganizationalIdAttributeName=company

ldap.synchronization.enableProgressEstimation=true
####################################
###### SYNCHRONISATION SETTINGS ####
####################################

synchronization.autoCreatePeopleOnLogin=false
#synchronization.import.group.clearAllChildren=true
# full sync or only changes?
synchronization.synchronizeChangesOnly=false

# to sync on each alfresco startup
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=false

### Use a Quartz cron expression here, not a Unix one: Quartz has a seconds
### field first and requires "?" in the day-of-month or day-of-week position.
### See http://www.quartz-scheduler.org/docs/tutorials/crontrigger.html
### This one runs the synchronisation every 15 minutes.
synchronization.import.cron=0 0/15 * * * ?
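As an added example that is not part of the original post or of Alfresco's own code, the Python below models two things the properties above configure: the changes-only (differential) filters the sync job sends to the directory, filled in with the last sync time in the yyyyMMddHHmmss'Z' format, and the bind DN the authentication subsystem builds from userNameFormat. The `\=` in the properties file is Java properties escaping, so the filter actually sent reads `<=`. The directory entries, timestamps and user names are constructed sample data; the real sync runs these filters on the server, the in-memory evaluation here only reproduces the comparison the server makes.

```python
# Added example, not part of the original post or of Alfresco's own code.
# It models the differential sync filters and the simple-bind DN that the
# properties above configure. Directory entries are constructed sample data
# shaped like the ApacheDS defaults used on this page
# (ou=users,ou=system / ou=groups,ou=system).
from datetime import datetime, timezone

# Values copied from the alfresco-global.properties above ("\=" unescaped).
USER_NAME_FORMAT = "uid=%s,ou=users,ou=system"
PERSON_DIFF_QUERY = "(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))"
GROUP_DIFF_QUERY = "(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))"


def ldap_timestamp(when: datetime) -> str:
    """Render a datetime as ldap.synchronization.timestampFormat expects.

    The pattern yyyyMMddHHmmss'Z' carries a literal Z and no zone offset,
    so the value must be converted to UTC first; a local-time value would
    shift the cut-off by the zone offset and silently skip or repeat changes.
    """
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def differential_filter(template: str, last_sync: datetime) -> str:
    """Fill the {0} placeholder with the last sync time for a changes-only run."""
    return template.format(ldap_timestamp(last_sync))


def changed_since(entries, object_class: str, last_sync: datetime):
    """Evaluate (&(objectclass=X)(!(modifyTimestamp<=T))) over in-memory entries.

    Generalized-time strings in UTC sort lexically, so the string comparison
    below is the same comparison the server makes for the <= assertion.
    """
    cutoff = ldap_timestamp(last_sync)
    return [
        e["dn"]
        for e in entries
        if object_class.lower() in (c.lower() for c in e["objectClass"])
        and not e["modifyTimestamp"] <= cutoff
    ]


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(username: str, escape: bool = True) -> str:
    """Build the simple-bind DN from userNameFormat.

    escape=False shows the raw %s substitution; a user ID containing a comma
    then changes the structure of the DN instead of staying inside the uid value.
    """
    value = escape_dn_value(username) if escape else username
    return USER_NAME_FORMAT.replace("%s", value, 1)


# Constructed sample directory: two users and one group, with modifyTimestamp
# values of the kind the server maintains as an operational attribute (UTC).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=users,ou=system", "objectClass": ["inetOrgPerson", "top"],
     "modifyTimestamp": "20130101120000Z"},
    {"dn": "uid=bob,ou=users,ou=system", "objectClass": ["inetOrgPerson", "top"],
     "modifyTimestamp": "20130301090000Z"},
    {"dn": "cn=developers,ou=groups,ou=system", "objectClass": ["groupOfNames", "top"],
     "modifyTimestamp": "20130301100000Z"},
]

# Constructed last-sync time: only bob and the group were modified after it.
LAST_SYNC = datetime(2013, 2, 1, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(differential_filter(PERSON_DIFF_QUERY, LAST_SYNC))
    print(changed_since(SAMPLE_ENTRIES, "inetOrgPerson", LAST_SYNC))
    print(changed_since(SAMPLE_ENTRIES, "groupOfNames", LAST_SYNC))
    print(bind_dn("smith, j"), "|", bind_dn("smith, j", escape=False))
```

Run it directly to print the filled-in person filter, the entries a changes-only pass would pick up, and the two DN forms. The unescaped form is why a user ID containing a comma has to be escaped before it is spliced into the DN: otherwise the comma is read as an RDN separator and the bind targets a different name, which is the case Alfresco's escapeCommasInBind option exists for.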

5 thoughts on “Setting up an LDAP directory server for Alfresco development”

  1. Excellent video and demo, I found it very helpful. Have you attempted configuring Kerberos with ApacheDS and Alfresco yet?

  2. Hi,

    I used Alfresco Community 4.0.d and I configured the LDAP authentication and synchronization in it. Here is my code:
    ldap.authentication.active=true
    ldap.authentication.allowGuestLogin=false
    # Base DN containing users
    ldap.authentication.userNameFormat=uid\=%s,ou\=people,o\=im
    ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    ldap.authentication.java.naming.provider.url=ldap://localhost:10389
    ldap.authentication.java.naming.security.authentication=simple
    ldap.authentication.escapeCommasInBind=false
    ldap.authentication.escapeCommasInUid=false
    ldap.authentication.defaultAdministratorUserNames=
    ldap.synchronization.active=true
    ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system
    ldap.synchronization.java.naming.security.credentials=*******
    ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))

    ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
    ldap.synchronization.groupSearchBase=ou\=groups,o\=im
    ldap.synchronization.userSearchBase=ou\=people,o\=im
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
    ldap.synchronization.userIdAttributeName=uid
    ldap.synchronization.userFirstNameAttributeName=givenName
    ldap.synchronization.userLastNameAttributeName=sn
    ldap.synchronization.userOrganizationalIdAttributeName=o
    ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
    ldap.synchronization.groupIdAttributeName=cn
    ldap.synchronization.groupType=groupOfUniqueNames
    ldap.synchronization.personType=inetOrgPerson
    # groupOfUniqueNames stores its members in uniqueMember
    ldap.synchronization.groupMemberAttributeName=uniqueMember
    ldap.synchronization.enableProgressEstimation=true

    I couldn't log in with an LDAP user ID on Alfresco Share. Where is it wrong? Please give me advice.
    with regards,
    ksh

  3. Hi guys,

    Now I am trying to authenticate the users with LDAP in Alfresco. For that I made the configuration, but I am unable to log in as that user. I am using Alfresco Community 5.2.
    I will place my configuration file; please check and let me know what I need to change in the configuration.

    ----- properties file -----
    ldap.authentication.active=true
    ldap.authentication.allowGuestLogin=true
    ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=nrda,dc=in
    ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    ldap.authentication.java.naming.provider.url=ldap://192.168.100.188:389
    ldap.authentication.java.naming.security.authentication=simple
    ldap.authentication.escapeCommasInBind=false
    ldap.authentication.escapeCommasInUid=false
    ldap.authentication.defaultAdministratorUserNames=
    ldap.authentication.authenticateFTP=true
    ldap.synchronization.active=true
    ldap.synchronization.java.naming.security.authentication=simple
    ldap.synchronization.java.naming.security.principal=cn=Manager,dc=nrda,dc=in
    ldap.synchronization.java.naming.security.credentials=admin@2017
    ldap.synchronization.queryBatchSize=0
    ldap.synchronization.attributeBatchSize=0
    ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
    ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
    ldap.synchronization.groupSearchBase=dc\=nrda,dc\=in
    ldap.synchronization.userSearchBase=ou\=Users,dc\=nrda,dc\=in
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
    ldap.synchronization.userIdAttributeName=uid
    ldap.synchronization.userFirstNameAttributeName=givenName
    ldap.synchronization.userLastNameAttributeName=sn
    ldap.synchronization.userEmailAttributeName=mail
    ldap.synchronization.userOrganizationalIdAttributeName=o
    ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
    ldap.synchronization.groupIdAttributeName=cn
    ldap.synchronization.groupDisplayNameAttributeName=description
    ldap.synchronization.groupType=groupOfNames
    ldap.synchronization.personType=inetOrgPerson
    ldap.synchronization.groupMemberAttributeName=member
    ldap.synchronization.enableProgressEstimation=true
    ldap.authentication.java.naming.read.timeout=0
    ldap.synchronization.com.sun.jndi.ldap.connect.pool=true

    ldap.pooling.com.sun.jndi.ldap.connect.pool.authentication=none simple
    ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=
    ldap.pooling.com.sun.jndi.ldap.connect.pool.initsize=1
    ldap.pooling.com.sun.jndi.ldap.connect.pool.maxsize=
    ldap.pooling.com.sun.jndi.ldap.connect.pool.prefsize=
    ldap.pooling.com.sun.jndi.ldap.connect.pool.protocol=plain
    ldap.pooling.com.sun.jndi.ldap.connect.pool.timeout=
    ldap.pooling.com.sun.jndi.ldap.connect.timeout=
    ldap.synchronization.userAccountStatusProperty=nsAccountLock
    ldap.synchronization.disabledAccountPropertyValue=true
    ldap.synchronization.disabledAccountPropertyValueCanBeNull=true
    ldap.synchronization.userAccountStatusInterpreter=ldapUserAccountStatusInterpreter

    ----- error in the log file while trying to log in -----

    Failed to authenticate user "kirti"
    org.alfresco.repo.security.authentication.AuthenticationException: 03130018 Failed to authenticate, username or password is wrong. User name:uid=kirti,ou=Users,dc=nrda,dc=in Reason [LDAP: error code 49 - Invalid Credentials].

    Please help me in this.
