Alfresco Authentication and Integration with Active Directory

Submitted by Snig Bhaumik on January 20, 2011 – 11:15 am

One of the main features of the Alfresco ECM system is its ability to integrate user authentication and synchronization with almost all popular LDAP directory servers, including Microsoft Active Directory.

However, the integration is error prone and requires an understanding of your LDAP environment's settings and configuration. As a warning, the error messages you will face during the integration are, most of the time, misleading and subjective.

In this article we will see how to integrate Alfresco with AD, and how to synchronize Alfresco users and groups with the existing entities in your AD. I have used Alfresco 3.3.4 in this case.

Have the settings of your AD ready so that you can understand and configure your Alfresco accordingly.

Alfresco Subsystems

An Alfresco installation offers a number of subsystems, among them:

  1. Audit
  2. Authentication
  3. File Server
  4. IMAP
  5. Synchronization
  6. EMail

We will use the Authentication and Synchronization subsystems for this purpose.

Authentication Subsystem

For authentication, Alfresco can be configured against AD, LDAP, Kerberos, alfrescoNtlm or other external servers. You can configure Alfresco to authenticate against a number of systems in turn; this is known as the authentication chain.
You define the authentication chain in the alfresco-global.properties file (the default value lives in repository.properties).

By default, the authentication chain is defined (in repository.properties) as

authentication.chain=alfrescoNtlm1:alfrescoNtlm

Thus only alfrescoNtlm authentication is active. Each entry in the chain is an instance name followed by the subsystem type, so ldap-ad1:ldap-ad means one instance of the ldap-ad subsystem called ldap-ad1.
To enable AD authentication, we put it as

authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

Now Alfresco will try to authenticate the user first against the configured AD; if AD does not authenticate the user (for example because the user is not present there), alfrescoNtlm is tried next, so accounts held in Alfresco's own database, such as the built-in admin, keep working. If you put only ldap-ad1:ldap-ad, Alfresco's local authentication is stopped entirely and every login must be validated by AD. In this way you can integrate a number of systems into the Alfresco authentication chain.

Configuring Active Directory Authentication

In webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication, there is a separate folder for each authentication type. For our Active Directory integration, our settings go in the ldap-ad-authentication.properties file in the ldap-ad folder. Keep in mind that this file is inside the deployed web application and is replaced when alfresco.war is redeployed, so edits made there have to be re-applied after an upgrade; the same properties can also be set in alfresco-global.properties.

This file holds the configuration for both authentication and synchronization with AD.

ldap.authentication.active=true
This value must be true for AD authentication to be active.

ldap.authentication.userNameFormat=%s@mydomain.com
%s is replaced by whatever the user types in the Alfresco login dialog, and the result is the name Alfresco binds to AD with, so the pattern must produce a full User Principal Name (UPN), as here, or a DN. The name the user types should also match the synchronized user id (sAMAccountName by default, see below), otherwise Alfresco will not match the login to the imported person.

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
No need to change this line. We use the default Sun Java LDAP libraries.

ldap.authentication.java.naming.provider.url=ldap://<<server-name or ip>>:389
Put your AD server name or IP here. 389 is the default port for LDAP; consult your administrator in case you have a different port. With ldap:// and simple authentication, every user's password (and the synchronization password) crosses the network in the clear, so for anything beyond a lab use ldaps://<<server-name>>:636 and import the AD server certificate (or its issuing CA) into the trust store of the JVM Alfresco runs on.

ldap.authentication.java.naming.security.authentication=simple
This is the JNDI java.naming.security.authentication value: simple (a bind with the name produced by userNameFormat and the entered password) or a SASL mechanism such as DIGEST-MD5. Which mechanisms work depends on your AD setup.


ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
These control whether commas in the entered user name are escaped when binding to AD and when the name is used as the Alfresco user id; they only matter when users log in with a DN. We won't change these values.

ldap.authentication.defaultAdministratorUserNames=administrator
A comma-separated list of AD user names that are given Alfresco administrator rights. Anyone who can authenticate against AD as one of these accounts becomes an Alfresco administrator, so keep the list to the accounts that really need it.

These settings are enough to make Alfresco authenticate against your Active Directory. However, we also need synchronization between your AD and Alfresco, so that users and groups are imported into Alfresco and you can manage the users' permissions and restrictions there.

Configuring Active Directory Synchronization

The same file holds the synchronization settings.

ldap.synchronization.active=true
True means Alfresco will import AD users and groups into its own repository.

ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
The DN of the account Alfresco binds as when it synchronizes. Synchronization only reads users and groups, so a dedicated read-only service account is a better choice than the domain Administrator shown in this example; whichever you use, it must be allowed to read the user and group objects under the search bases below.

ldap.synchronization.java.naming.security.credentials=****
The password of that account, in plain text. Since it sits in clear in this file, restrict read access to the file to the account the Alfresco server runs as.


ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

queryBatchSize is the page size for paged LDAP searches, and attributeBatchSize the range size used to fetch large multi-valued attributes (such as member) in chunks, which gets round the per-query limits AD imposes on large groups. We do not change these values for now.

ldap.synchronization.groupQuery=(objectclass\=group)
The filter used to find groups in AD. Note that the backslashes before = and : in this file are Java properties escapes, not part of the filter; AD receives (objectclass=group).

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
The filter used to find users. Computer accounts in AD also carry objectclass=user, so the second clause uses the bit-AND matching rule (OID 1.2.840.113556.1.4.803) to require the NORMAL_ACCOUNT bit (512) in userAccountControl, which computer accounts do not have. This filter does not check the ACCOUNTDISABLE bit (2), so disabled users are imported as well; if you do not want them, add (!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)) inside the outer (&...).

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
Used for incremental synchronization: the group filter plus a clause that selects only entries modified after the last sync. Alfresco replaces {0} with the time of the last sync, formatted with the timestampFormat given below. Pretty standard; change the objectclass only, if required.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
Again pretty standard. If you restrict personQuery to enabled accounts, apply the same extra clause here, otherwise a disabled account that changes later will be re-imported.
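The user and group filters above, and the differential variants, can be tried out offline. The following Python is an added example, not code from the article or from Alfresco: it reproduces, on constructed directory entries, the semantics AD applies server-side to groupQuery, personQuery and personDifferentialQuery (the bit-AND matching rule and the modifyTimestamp comparison) and shows a tightened person filter that also drops disabled accounts. The sample entries, account names and timestamps are made up.

```python
"""Evaluate the article's AD filters over constructed entries.  Added example,
not code from the article or from Alfresco: AD evaluates these filters
server-side; the functions below reproduce their semantics so the effect of
each clause can be seen offline.  All entries are made up."""
from datetime import datetime, timezone

# userAccountControl flag bits (AD schema constants).
NORMAL_ACCOUNT = 0x0200             # 512: an ordinary user account
ACCOUNTDISABLE = 0x0002             # 2:   the account is disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: a computer account

TIMESTAMP_FORMAT = "%Y%m%d%H%M%S.0Z"  # the article's yyyyMMddHHmmss'.0Z'

# Constructed sample of what a search under DC=domain,DC=com might return.
SAMPLE_ENTRIES = [
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "modifyTimestamp": "20110118093000.0Z"},
    {"objectclass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "bob",                       # disabled: 512 | 2 = 514
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "modifyTimestamp": "20110119120000.0Z"},
    {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "modifyTimestamp": "20110119130000.0Z"},
    {"objectclass": ["top", "group"], "sAMAccountName": "Dev Team",
     "member": ["CN=alice,CN=Users,DC=domain,DC=com"],
     "modifyTimestamp": "20110110080000.0Z"},
]


def bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): true when
    every bit of `mask` is set in `value`."""
    return value & mask == mask


def parse_ad_timestamp(text):
    """Parse a modifyTimestamp value written in TIMESTAMP_FORMAT (UTC)."""
    return datetime.strptime(text, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def matches_group_query(entry):
    """(objectclass=group)"""
    return "group" in entry["objectclass"]


def matches_person_query(entry):
    """(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))
    Computer accounts also have objectclass=user; the bit-AND on 512 is what
    keeps them out.  The disable bit is not examined at all."""
    return "user" in entry["objectclass"] and bit_and(entry["userAccountControl"], NORMAL_ACCOUNT)


def matches_enabled_person_query(entry):
    """Tightened filter: the article's clauses plus
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))."""
    return matches_person_query(entry) and not bit_and(entry["userAccountControl"], ACCOUNTDISABLE)


def changed_since(entry, last_sync):
    """(!(modifyTimestamp<={0})) with {0} = the previous sync time: true only
    for entries modified strictly after last_sync."""
    return not parse_ad_timestamp(entry["modifyTimestamp"]) <= last_sync


def select(entries, predicate):
    """Names of the entries a filter would return."""
    return [e["sAMAccountName"] for e in entries if predicate(e)]


if __name__ == "__main__":
    last_sync = parse_ad_timestamp("20110118120000.0Z")
    print("groups:", select(SAMPLE_ENTRIES, matches_group_query))
    print("people (article filter):", select(SAMPLE_ENTRIES, matches_person_query))
    print("people (enabled only):", select(SAMPLE_ENTRIES, matches_enabled_person_query))
    print("people changed since last sync:",
          select(SAMPLE_ENTRIES, lambda e: matches_person_query(e) and changed_since(e, last_sync)))
```

Run as is: the article's filter returns alice and bob but not the computer WS01$, the tightened filter returns only alice, and with a last sync on 18 January at noon the differential query picks up only bob.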

ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
The search base for the group query. I have used the domain root here, so the whole domain is searched.

ldap.synchronization.userSearchBase=DC\=domain,DC\=com
The search base for the user query, again the domain root. If you only want part of the directory in Alfresco, point these at the relevant OU (for example OU\=Staff,DC\=domain,DC\=com); searching from the domain root is also what triggers the referral issue described under "Important!" below.


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

We won't change these values now. They map AD attributes onto Alfresco user and group properties: the user id comes from sAMAccountName (the pre-Windows 2000 logon name), the group id from cn, modifyTimestamp and its format are what the differential queries compare against, and the home folder provider decides where each imported user's home space is created.


ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

These values also need not be changed for now; groupMemberAttributeName is the attribute whose values (member DNs) Alfresco follows to build group membership.

That's it!
Restart your server; Alfresco should connect to your AD and import all users and groups. For authentication it will go to your AD and validate the credentials.
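Before restarting, it is worth checking the finished ldap-ad-authentication.properties for the points raised above. The following Python is an added example, not part of the article or of Alfresco. It reads the file with java.util.Properties escaping rules (so the \= and \: sequences come out as the filters AD actually receives) and flags the settings a reviewer would question: a cleartext simple bind over ldap://, synchronization as the domain Administrator, the plain-text password, the accounts promoted to Alfresco administrator, and a person filter that still imports disabled users. The properties text embedded in it is constructed from the article's values; the host name dc01.mydomain.com, the password and the svc-alfresco-sync service account DN in the hardened variant are assumptions.

```python
"""Lint an Alfresco ldap-ad-authentication.properties file.  Added example,
not code from the article or from Alfresco.  The checks encode a reviewer's
judgement of the settings the article walks through; the embedded properties
text is constructed from the article's values, and the host name, password and
service-account DN are assumptions."""
import re

# Constructed: the article's settings as they would appear in the file.
ARTICLE_PROPERTIES = r"""
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@mydomain.com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc01.mydomain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
ldap.synchronization.java.naming.security.credentials=Passw0rd
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
ldap.synchronization.userSearchBase=DC\=domain,DC\=com
"""

# Constructed: overrides that address the findings (assumed host and account names).
HARDENED_OVERRIDES = r"""
ldap.authentication.java.naming.provider.url=ldaps://dc01.mydomain.com:636
ldap.synchronization.java.naming.security.principal=CN=svc-alfresco-sync,OU=Service Accounts,DC=domain,DC=com
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"
DISABLED_CLAUSE = "(!(userAccountControl:%s:=2))" % BIT_AND_RULE
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(text):
    """java.util.Properties backslash handling: \\t \\n \\r \\f, otherwise the
    escaped character itself (so \\= becomes = and \\: becomes :)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties reader: the key ends at the first unescaped
    '=', ':' or whitespace; later keys override earlier ones."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=:" and not line[i].isspace():
            i += 2 if line[i] == "\\" else 1
        key, rest = line[:i], line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[_unescape(key)] = _unescape(rest)
    return props


def lint(props):
    """Return (code, message) findings in a fixed order."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "")
    if url.startswith("ldap://") and mech.lower() == "simple":
        findings.append(("CLEARTEXT_BIND", "simple bind over %s: user and sync passwords "
                         "cross the network in the clear; use ldaps://host:636" % url))
    principal = props.get("ldap.synchronization.java.naming.security.principal", "")
    if re.match(r"(?i)cn=administrator,", principal):  # heuristic: built-in domain admin DN
        findings.append(("SYNC_PRINCIPAL_ADMIN", "synchronization binds as the domain "
                         "Administrator; it only reads users and groups, use a read-only service account"))
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append(("PLAINTEXT_CREDENTIALS",
                         "sync password is stored in plain text; restrict read access to this file"))
    admins = props.get("ldap.authentication.defaultAdministratorUserNames", "")
    if admins:
        findings.append(("DEFAULT_ADMINS",
                         "AD account(s) %r become Alfresco administrators once they authenticate" % admins))
    person_query = props.get("ldap.synchronization.personQuery", "")
    if person_query and DISABLED_CLAUSE not in person_query:
        findings.append(("DISABLED_ACCOUNTS_SYNCED",
                         "personQuery does not exclude ACCOUNTDISABLE (bit 2): disabled AD users are imported"))
    return findings


def lint_text(text, overrides=""):
    """Lint a properties text, optionally with override lines appended."""
    return lint(parse_properties(text + "\n" + overrides))


if __name__ == "__main__":
    for label, overrides in (("article settings", ""), ("hardened settings", HARDENED_OVERRIDES)):
        print(label)
        for code, message in lint_text(ARTICLE_PROPERTIES, overrides):
            print("  %-25s %s" % (code, message))
```

The article's settings produce all five findings; with the hardened overrides only the plain-text password and the administrator mapping remain, which is as far as this file can go: both are inherent to the way the ldap-ad subsystem is configured, so they are handled by file permissions and by keeping the administrator list short rather than by a different property value.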

Important!

In the Community edition, you also need to add an entry to the common-ldap-context.xml file in the subsystems\Authentication folder. Under the following tags:

<bean id="ldapInitialDirContextFactory">
<property name="initialDirContextEnvironment">
<map>

add this entry:

<entry key="java.naming.referral">
<value>follow</value>
</entry>

The reason is that a search from the domain root over port 389 makes AD return referrals to the other naming contexts of the forest; unless the JNDI client follows them, the search ends with a PartialResultException and the synchronization fails. Following referrals means Alfresco may open further connections to other domain controllers, so make sure those are reachable (and, with ldaps, trusted) too.

About The Author

Snig Bhaumik

Mr. Snigdhendu Bikas Bhaumik is the Technical Director and Heads the Research and Development for InfoAxon. As an Open Source enthusiast, Snig is an active contributor of several open source communities such as - Alfresco ECM (Author of Alfresco Calendar components now included and distributed in Alfresco version 3.0), Liferay Portal and Pentaho Business Intelligence Suite. Snig has just completed a book on Alfresco published by Packtpub - http://www.packtpub.com/alfresco-3-cookbook/book. Snig specializes in Knowledge Management and Business Intelligence domains, and responsible for designing and architecting InfoAxon’s KM and BI solution offerings. He holds an enriching experience of around 12 years in designing, architecting and developing various solutions on open source technologies. Follow him on twitter - @snigbb.
