
Alfresco Authentication and Integration with Active Directory

Submitted by Snig Bhaumik on January 20, 2011 – 11:15 am | 57 Comments

One of the main features of the Alfresco ECM System is the ability to integrate user authentication and synchronization with almost all popular LDAP directory servers, such as Microsoft Active Directory.

However, the integration is error-prone and requires an understanding of your LDAP environment and its configuration. Be warned, too, that the error messages you will face during the integration are, most of the time, misleading and ambiguous.

In this article, we will see how to integrate Alfresco with AD, and how to synchronize Alfresco users and groups with the existing entities in your AD. I have used Alfresco 3.3.4 in this case.

Have the settings of your AD at hand, so that you can understand them and configure Alfresco accordingly.

Alfresco Subsystems

An Alfresco installation offers several subsystems:

  1. Audit
  2. Authentication
  3. File Server
  4. IMAP
  5. Synchronization
  6. EMail

We will use the Authentication and Synchronization subsystems for this purpose.

Authentication Subsystem

For authentication, Alfresco can be configured against AD, LDAP, Kerberos, alfrescoNtlm or other external servers. You can configure Alfresco to authenticate against a number of systems in turn; this is known as the Authentication Chain.
You define the authentication chain in the alfresco-global.properties file or in the repository.properties file.

By default, the authentication chain is defined as (in repository.properties file)

authentication.chain=alfrescoNtlm1:alfrescoNtlm

Thus, only alfrescoNtlm authentication is active.
To enable AD authentication, we set it to

authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

Now Alfresco will try to authenticate the user first against the configured AD, and if the user is not present there, alfrescoNtlm will be tried. If you put only ldap-ad1:ldap-ad, local Alfresco authentication is disabled entirely. In this way, you can integrate a number of systems into the Alfresco authentication chain.

Configuring Active Directory Authentication

In webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication, there is a separate folder for each authentication type. For our Active Directory integration, our settings go into the ldap-ad-authentication.properties file in the ldap-ad folder.

This file holds the configuration for both authentication against AD and synchronization with AD.

ldap.authentication.active=true
This value must be true to activate LDAP authentication.

ldap.authentication.userNameFormat=%s@mydomain.com
This pattern is applied to the user name that users type into the Alfresco login dialog before the bind is attempted. The resulting value should be a full User Principal Name (UPN) or a DN.

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
No need to change this line; we use the default Sun Java LDAP libraries.

ldap.authentication.java.naming.provider.url=ldap://<<server-name or ip>>:389
Put your AD server name or IP here. 389 is the default port for LDAP services; consult your administrator in case you have a different port.

ldap.authentication.java.naming.security.authentication=simple
This value can be simple, DIGEST-MD5, etc. Again, it depends on your AD setup.


ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
We won’t change these values.

ldap.authentication.defaultAdministratorUserNames=administrator
Put your administrator user name here.

These settings are enough to make Alfresco authenticate against your Active Directory. However, we also need synchronization between your AD and Alfresco, so that users and groups are imported into Alfresco and you can manage the users' permissions and restrictions.

Configuring Active Directory Synchronization

The same file is used for the synchronization settings.

ldap.synchronization.active=true
true means Alfresco will try to import AD users and groups into the local system.

ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
Put your administrator user DN here.

ldap.synchronization.java.naming.security.credentials=****
Put the password of that user here, in plain text.


ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

We do not change these values for now.

ldap.synchronization.groupQuery=(objectclass\=group)
The objectclass of your Groups in AD.

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
The objectclass of your users in AD; the second clause matches the userAccountControl bit for normal user accounts.

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
Pretty standard; change the objectclass only, if required.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
Again pretty standard; change the objectclass of users only, if required.

ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here as the search base for the groups query. I have used the domain root as the search base here, so it would search everything.

ldap.synchronization.userSearchBase=DC\=domain,DC\=com
Put your AD domain configuration here as the search base for the users query. I have used the domain root as the search base here, so it would search everything.


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

We won’t change these values now. They map AD attributes onto the Alfresco user properties.


ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

These values also need not be changed for now.

That’s it!
Restart your server; Alfresco should connect to your AD and import all users and groups. For authentication, it should contact your AD and validate the credentials there.
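To review a file like the one assembled above before restarting the server, here is an added Python example; it is not Alfresco's code and not part of the original article. It parses the Java .properties syntax the file uses, resolving the backslash escapes the article writes into the LDAP filters, and then reports the settings a security reviewer would question: a simple bind over plain ldap:// (which puts every user's password on the wire in clear text), the clear-text sync password, a missing %s in userNameFormat, unbalanced filters, a search base outside the bind principal's domain, and a person query that imports disabled accounts alongside enabled ones. The sample properties are constructed from the article's values; the host name dc01.example.invalid and the password are placeholders, and the hardened variant (ldaps:// on 636, disabled accounts excluded) is my suggestion rather than something the article prescribes.

```python
"""Sanity checks for an Alfresco ldap-ad-authentication.properties file.

Added example, not Alfresco's own code. SAMPLE_PROPERTIES is constructed
from the values in the article (host name and password are placeholders);
HARDENED_PROPERTIES is the same file with the two settings a reviewer
would change first.
"""
import re

SAMPLE_PROPERTIES = r"""
# constructed from the article's settings
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@mydomain.com
ldap.authentication.java.naming.provider.url=ldap://dc01.example.invalid:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Users,DC=domain,DC=com
ldap.synchronization.java.naming.security.credentials=placeholder-password
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=domain,DC\=com
ldap.synchronization.userSearchBase=DC\=domain,DC\=com
"""

# Same file over LDAPS (636) instead of clear-text LDAP (389), and with
# disabled accounts (userAccountControl bit 2) excluded from the import.
HARDENED_PROPERTIES = SAMPLE_PROPERTIES.replace(
    "ldap://dc01.example.invalid:389", "ldaps://dc01.example.invalid:636"
).replace(
    r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
    r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
    r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))",
)

# key = value, where the key ends at the first unescaped '=', ':' or blank
_KV = re.compile(r"^((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Parse Java .properties text into a dict. Backslash escapes in values
    are resolved, so the article's escaped group filter reads as
    (objectclass=group), which is what the LDAP server actually receives."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KV.match(line)
        if m:
            key, value = m.groups()
            props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


_BIT_AND = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND
_FILTER_KEYS = ("ldap.synchronization.groupQuery", "ldap.synchronization.personQuery")
_BASE_KEYS = ("ldap.synchronization.groupSearchBase", "ldap.synchronization.userSearchBase")


def check_properties(props):
    """Return (severity, message) findings for the settings a reviewer
    would question before enabling the subsystem."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "")
    if url.startswith("ldap://") and mech == "simple":
        findings.append(("HIGH", "simple bind over ldap:// sends every user's "
                         "password in clear text; use ldaps:// (636)"))
    if "%s" not in props.get("ldap.authentication.userNameFormat", ""):
        findings.append(("HIGH", "userNameFormat lacks %s, so every login "
                         "would bind as the same literal name"))
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append(("MEDIUM", "sync bind password is stored in clear text; "
                         "restrict file permissions and use a read-only account"))
    for key in _FILTER_KEYS:
        flt = props.get(key, "")
        if flt.count("(") != flt.count(")"):
            findings.append(("HIGH", f"{key}: unbalanced parentheses in filter"))
    person = props.get("ldap.synchronization.personQuery", "")
    if f"{_BIT_AND}:=512" in person and not re.search(rf"{re.escape(_BIT_AND)}:=2\)", person):
        findings.append(("INFO", "personQuery only requires the NORMAL_ACCOUNT "
                         "bit (512); disabled accounts (bit 2) are imported too"))
    principal = props.get("ldap.synchronization.java.naming.security.principal", "")
    domain = ",".join(p for p in principal.split(",") if p.upper().startswith("DC="))
    for key in _BASE_KEYS:
        base = props.get(key, "")
        if domain and not base.upper().endswith(domain.upper()):
            findings.append(("MEDIUM", f"{key} is not under the bind principal's domain {domain}"))
    return findings


if __name__ == "__main__":
    for name, text in (("article", SAMPLE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(f"== {name} ==")
        for severity, msg in check_properties(parse_properties(text)):
            print(f"{severity:6} {msg}")
```

Run it as a script to print the findings for both variants. Only the ldap:// finding and the disabled-account note disappear in the hardened variant; the clear-text sync password is inherent to this style of configuration, so the remaining control is the file's permissions and a dedicated, read-only sync account.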

Important!

In the Community version, you also need to add the following XML entry to the common-ldap-context.xml file in the subsystems\Authentication folder.
Under the following tags:
<bean id="ldapInitialDirContextFactory">
<property name="initialDirContextEnvironment">
<map>

add this entry:
<entry key="java.naming.referral">
<value>follow</value>
</entry>

About The Author

Snig Bhaumik

Mr. Snigdhendu Bikas Bhaumik is the Technical Director and heads Research and Development at InfoAxon. As an Open Source enthusiast, Snig is an active contributor to several open source communities, such as Alfresco ECM (author of the Alfresco Calendar components, now included and distributed in Alfresco version 3.0), Liferay Portal and the Pentaho Business Intelligence Suite. Snig has just completed a book on Alfresco published by Packtpub: http://www.packtpub.com/alfresco-3-cookbook/book. Snig specializes in the Knowledge Management and Business Intelligence domains, and is responsible for designing and architecting InfoAxon’s KM and BI solution offerings. He has around 12 years of experience in designing, architecting and developing solutions on open source technologies. Follow him on Twitter: @snigbb.

57 Comments »

  • Snig Bhaumik says:

    @Rakesh, apparently these settings seem to be fine.

    However, you can still check security credentials, personQuery, differentialQuery, userSearchBase, personType etc attributes.

  • Rakesh says:

    @Snig,

1. The credentials that I mentioned are correct, and personQuery, groupQuery and differentialQuery are copied from your blog as is. Are there any changes that I have to make to the personQuery, groupQuery, differentialQuery, personType..?

    2. Can we search all the LDAP users using the admin account… I mean to say that, even before my LDAP users log into alfresco, I should be able to search for all the users, rt?

    3. I am able to search (from the admin account) only for those who have logged into alfresco. For example, if I want to share a particular document with an LDAP user who has not logged into alfresco.. Do we have such a feature? So that once he gets the notification through mail, he’ll log in.

    Kindly explain the above points to me briefly..

  • Snig Bhaumik says:

1. The settings provided in the blog are just working examples; however, they will not necessarily be true and the same in your case.

    2. Yes, if the sync works correctly, there is no need for the user to logon into the system to get searched.

    3. Same.

  • Matthieu R. says:

    Thanks a lot for your tutorial ! Works like a charm ! ;)

  • ankur says:

    Hi,

I am new to alfresco and would like to know how to authenticate users who have been migrated to a new domain. Actually we were using domX\username & password for authentication and all users have been migrated to domY. Where do I make these changes? We are using a Windows server for alfresco enterprise. I know this comes as a very basic question and any suggestions would be highly appreciated.

    Also do I need to take any precautionary steps before making the changes?

    Regards,
    Ankur

  • Ramesh says:

    Hi Snig,

Thanks for the nice article. I followed the steps and the AD authentication part is working fine. But synchronization is not happening, as I get the error message “Synchronization aborted due to error”. Below I include the ldap-ad properties file and the alfresco log file.
    ldap-ad file content:
    # This flag enables use of this LDAP subsystem for authentication. It may be
    # that this subsystem should only be used for synchronization, in which case
    # this flag should be set to false.
    ldap.authentication.active=true

    #
    # This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
    #
    ldap.authentication.allowGuestLogin=true

    # How to map the user id entered by the user to that passed through to LDAP
    # In Active Directory, this can either be the user principal name (UPN) or DN.
    # UPNs are in the form @domain and are held in the userPrincipalName attribute of a user
    ldap.authentication.userNameFormat=%s@***.co.in

    # The LDAP context factory to use
    ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

    # The URL to connect to the LDAP server
    ldap.authentication.java.naming.provider.url=ldap://Domain Name:389

    # The authentication mechanism to use for password validation
    ldap.authentication.java.naming.security.authentication=simple

    # Escape commas entered by the user at bind time
    # Useful when using simple authentication and the CN is part of the DN and contains commas
    ldap.authentication.escapeCommasInBind=false

    # Escape commas entered by the user when setting the authenticated user
    # Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
    # pulled in as part of an LDAP sync
    # If this option is set to true it will break the default home folder provider as space names can not contain \
    ldap.authentication.escapeCommasInUid=false

    # Comma separated list of user names who should be considered administrators by default
    ldap.authentication.defaultAdministratorUserNames=Alfresco

    # This flag enables use of this LDAP subsystem for user and group
    # synchronization. It may be that this subsystem should only be used for
    # authentication, in which case this flag should be set to false.
    ldap.synchronization.active=true

    # The authentication mechanism to use for synchronization
    ldap.synchronization.java.naming.security.authentication=simple

    # The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
    ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Alfresco,DC=***,DC=co.in

    # The password for the default principal (only used for LDAP sync)
    ldap.synchronization.java.naming.security.credentials=******

    # If positive, this property indicates that RFC 2696 paged results should be
    # used to split query results into batches of the specified size. This
    # overcomes any size limits imposed by the LDAP server.
    ldap.synchronization.queryBatchSize=1000

    # If positive, this property indicates that range retrieval should be used to fetch
    # multi-valued attributes (such as member) in batches of the specified size.
    # Overcomes any size limits imposed by Active Directory.
    ldap.synchronization.attributeBatchSize=1000

    # The query to select all objects that represent the groups to import.
    ldap.synchronization.groupQuery=(objectclass\=group)

    # The query to select objects that represent the groups to import that have changed since a certain time.
    #ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

    # The query to select all objects that represent the users to import.
    ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

    # The query to select objects that represent the users to import that have changed since a certain time.
    #ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

    # The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
    #ldap.synchronization.groupSearchBase=ou\=Security Groups,ou\=Alfresco,dc=***.co.in
    ldap.synchronization.groupSearchBase=DC\=***,DC\=co.in

    # The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
    #ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=***.co.in
    ldap.synchronization.userSearchBase=DC\=***,DC\=co.in

    # The name of the operational attribute recording the last update time for a group or user.
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

    # The timestamp format. Unfortunately, this varies between directory servers.
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

    # The attribute name on people objects found in LDAP to use as the uid in Alfresco
    ldap.synchronization.userIdAttributeName=sAMAccountName

    # The attribute on person objects in LDAP to map to the first name property in Alfresco
    ldap.synchronization.userFirstNameAttributeName=givenName

    # The attribute on person objects in LDAP to map to the last name property in Alfresco
    ldap.synchronization.userLastNameAttributeName=sn

    # The attribute on person objects in LDAP to map to the email property in Alfresco
    ldap.synchronization.userEmailAttributeName=mail

    # The attribute on person objects in LDAP to map to the organizational id property in Alfresco
    ldap.synchronization.userOrganizationalIdAttributeName=company

    # The default home folder provider to use for people created via LDAP import
    ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

    # The attribute on LDAP group objects to map to the authority name property in Alfresco
    ldap.synchronization.groupIdAttributeName=cn

    # The attribute on LDAP group objects to map to the authority display name property in Alfresco
    ldap.synchronization.groupDisplayNameAttributeName=displayName

    # The group type in LDAP
    ldap.synchronization.groupType=group

    # The person type in LDAP
    ldap.synchronization.personType=user

    # The attribute in LDAP on group objects that defines the DN for its members
    ldap.synchronization.groupMemberAttributeName=member

    # If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
    ldap.synchronization.enableProgressEstimation=true

    # Requests timeout, in milliseconds, use 0 for none (default)
    ldap.authentication.java.naming.read.timeout=0

    And my Alfresco log file content is,

    13:43:09,215 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'sysAdmin' subsystem, ID: [sysAdmin, default]
    13:43:09,262 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'sysAdmin' subsystem, ID: [sysAdmin, default] complete
    13:43:17,904 WARN [org.alfresco.util.AbstractTriggerBean] Job ehCacheTracerJob is not active
    13:43:21,944 INFO [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor Repository Template Processor for extension ftl
    13:43:21,944 INFO [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor Repository Script Processor for extension js
    13:43:28,824 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] Connecting to database: jdbc:postgresql://localhost:5432/alfresco, UserName=alfresco, PostgreSQL Native Driver
    13:43:28,824 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.PostgreSQLDialect.
    13:43:31,928 INFO [org.alfresco.repo.domain.schema.SchemaBootstrap] No changes were made to the schema.
    13:43:32,224 DEBUG [org.alfresco.repo.module] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@ae506e, name=log4j:logger=org.alfresco.repo.module
    13:43:32,224 DEBUG [org.alfresco.repo.module.ModuleComponentHelper] preRegister called. Server=com.sun.jmx.mbeanserver.JmxMBeanServer@ae506e, name=log4j:logger=org.alfresco.repo.module.ModuleComponentHelper
    13:43:32,568 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Search' subsystem, ID: [Search, managed, solr]
    13:43:32,677 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Search' subsystem, ID: [Search, managed, solr] complete
    13:43:33,410 INFO [org.alfresco.enterprise.repo.sync.SyncAdminServiceImpl] There is no key for cloud sync, cloud sync turned off
    13:43:33,426 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'thirdparty' subsystem, ID: [thirdparty, default]
    13:43:33,816 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'thirdparty' subsystem, ID: [thirdparty, default] complete
    13:43:33,816 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'OOoDirect' subsystem, ID: [OOoDirect, default]
    13:43:33,862 WARN [org.alfresco.util.AbstractTriggerBean] Job openOfficeConnectionTesterTrigger is not enabled
    13:43:34,034 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'OOoDirect' subsystem, ID: [OOoDirect, default] complete
    13:43:34,034 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'OOoJodconverter' subsystem, ID: [OOoJodconverter, default]
    13:43:36,031 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'OOoJodconverter' subsystem, ID: [OOoJodconverter, default] complete
    13:43:36,031 INFO [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: C:\Alfresco\alf_data
    13:43:36,046 INFO [org.alfresco.repo.admin.patch.PatchExecuter] Checking for patches to apply …
    13:43:36,998 INFO [org.alfresco.repo.admin.patch.PatchExecuter] No patches were required.
    13:43:37,014 INFO [org.alfresco.repo.module.ModuleServiceImpl] Found 1 module(s).
    13:43:37,060 INFO [org.alfresco.repo.module.ModuleServiceImpl] Starting module 'org.alfresco.module.vti' version 1.2.
    13:43:37,060 DEBUG [org.alfresco.repo.module.ModuleComponentHelper] Started module 'ModuleDetails[{module.version=1.2, module.description=Alfresco Vti Extension, module.id=org.alfresco.module.vti, module.repo.version.max=999, module.title=Vti, module.repo.version.min=0, module.installState=INSTALLED, module.installDate=2013-03-12T11:44:23.568+05:30}]' including 0components.
    13:43:37,060 DEBUG [org.alfresco.repo.module.ModuleComponentHelper] Installed module found in distribution: org.alfresco.module.vti
    13:43:37,076 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'fileServers' subsystem, ID: [fileServers, default]
    13:43:37,606 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap-ad1]
    13:43:38,012 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap-ad1] complete
    13:43:38,012 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [Authentication, managed, alfrescoNtlm1]
    13:43:38,152 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, alfrescoNtlm1] complete
    13:43:38,199 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'fileServers' subsystem, ID: [fileServers, default] complete
    13:43:38,199 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'imap' subsystem, ID: [imap, default]
    13:43:38,324 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'imap' subsystem, ID: [imap, default] complete
    13:43:38,324 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'email' subsystem, ID: [email, outbound]
    13:43:38,355 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'email' subsystem, ID: [email, outbound] complete
    13:43:38,355 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'email' subsystem, ID: [email, inbound]
    13:43:38,402 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'email' subsystem, ID: [email, inbound] complete
    13:43:38,402 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'googledocs' subsystem, ID: [googledocs, default]
    13:43:38,464 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'googledocs' subsystem, ID: [googledocs, default] complete
    13:43:38,464 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Subscriptions' subsystem, ID: [Subscriptions, default]
    13:43:38,464 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Subscriptions' subsystem, ID: [Subscriptions, default] complete
    13:43:38,464 INFO [org.alfresco.repo.usage.UserUsageTrackingComponent] Disabled – clear non-missing user usages …
    13:43:38,480 INFO [org.alfresco.repo.usage.UserUsageTrackingComponent] Found 0 users to clear
    13:43:38,480 INFO [org.alfresco.repo.usage.UserUsageTrackingComponent] … cleared non-missing usages for 0 users
    13:43:38,480 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [Synchronization, default]
    13:43:38,511 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap-ad1'
    13:43:38,527 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap-ad1'
    13:43:38,605 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
    org.alfresco.repo.security.authentication.AuthenticationException: 02190000 LDAP authentication failed.
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:119)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:94)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:87)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:678)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:675)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:796)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:587)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:1919)
    at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:529)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:1913)
    at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:97)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:513)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:714)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:667)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:473)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:209)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:180)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:303)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
    at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
    at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:675)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:601)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1065)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:114)
    … 50 more
    13:43:38,620 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Failed initial synchronize with user registries
    org.alfresco.repo.security.authentication.AuthenticationException: 02190000 LDAP authentication failed.
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:119)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:94)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:87)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:678)
    at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:675)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:796)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:587)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:1919)
    at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:529)
    at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:1913)
    at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
    at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:97)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:513)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
    at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:714)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:667)
    at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:473)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:209)
    at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:180)
    at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:303)
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:911)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:428)
    at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:276)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
    at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:63)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:675)
    at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:601)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1065)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1057)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
    at org.apache.catalina.core.StandardService.start(StandardService.java:525)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
    Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3067)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2815)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2729)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
    at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:114)
    … 50 more
    13:43:38,620 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of ‘Synchronization’ subsystem, ID: [Synchronization, default] complete
    13:43:38,683 INFO [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM – v1.6.0_33-b03; maximum heap size 682.688MB
    13:43:38,776 INFO [org.alfresco.service.descriptor.DescriptorService] Alfresco license: Mode ENTERPRISE granted to Trial User limited to 30 days expiring Thu Apr 11 00:00:00 IST 2013 (23 days remaining).
    13:43:38,776 INFO [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Enterprise). Current version: 4.1.2 (372) schema 5,118. Originally installed version: 4.1.2 (372) schema 5,118.
    13:43:38,776 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting ‘ActivitiesFeed’ subsystem, ID: [ActivitiesFeed, default]
    13:43:38,854 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of ‘ActivitiesFeed’ subsystem, ID: [ActivitiesFeed, default] complete
    13:43:38,854 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting ‘Replication’ subsystem, ID: [Replication, default]
    13:43:38,854 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of ‘Replication’ subsystem, ID: [Replication, default] complete
    13:43:40,695 INFO [org.alfresco.module.vti.VtiServer] Vti server started successfully on port: 7070
    13:43:40,695 INFO [org.alfresco.module.vti.VtiServer] Vti server SessionIdManagerWorkerName: jetty1
    13:43:52,817 INFO [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 511 Web Scripts (+0 failed), 794 URLs
    13:43:52,817 INFO [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 2 Package Description Documents (+0 failed)
    13:43:52,817 INFO [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 1 Schema Description Documents (+0 failed)
    13:43:52,819 INFO [org.springframework.extensions.webscripts.AbstractRuntimeContainer] Initialised Repository Web Script Container (in 12096.066ms)
    13:43:52,834 INFO [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
    13:43:52,835 INFO [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js

    I guess that the admin credentials are not correct in the line (especially CN).

    ldap.synchronization.java.naming.security.principal=CN=Administrator,CN=Alfresco,DC=***,DC=co.in

    Please check my files and inform me if you could find the root cause of the issue.

    Thanks and Regards,
    Ramesh.
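    The useful part of a trace like the one above is the sub-code after `data`, not the generic "LDAP authentication failed" message. The following is an added example (not code from the post, the commenter, or Alfresco) that pulls that sub-code out of the JNDI `Caused by` line and maps it to the meaning Microsoft documents for Active Directory; `data 525` is "user not found", i.e. the bind principal itself does not resolve. The function name and the third sample line (the `52e` case) are assumptions for illustration.

```python
import re

# Sub-codes that Active Directory appends as "data NNN" to LDAP result code 49
# (invalidCredentials) when it rejects a simple bind. These are Microsoft's
# documented values; the bare "error code 49" alone does not say which one hit.
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN/principal does not exist in the directory",
    "52e": "invalid credentials: the principal exists but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

# The JNDI "Caused by" line that surfaces when the bind made by Alfresco's
# LDAPInitialDirContextFactoryImpl.buildInitialDirContext is refused by AD.
BIND_FAILURE = re.compile(
    r"javax\.naming\.AuthenticationException: \[LDAP: error code 49 - "
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)

def diagnose_bind_failures(log_text):
    """Return one (sub-code, explanation) pair per distinct AD bind failure in
    log_text; the same failure reported by several stack traces is collapsed."""
    results = []
    for m in BIND_FAILURE.finditer(log_text):
        data = m.group("data").lower()
        pair = (data, AD_BIND_SUBCODES.get(data, "unknown AD sub-code"))
        if pair not in results:
            results.append(pair)
    return results

# Sample input: the first two lines are the "Caused by" line quoted from the
# trace in the comment above (it appears once per stack trace); the third is a
# constructed line showing the wrong-password case for contrast.
SAMPLE_LOG = """\
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
"""

if __name__ == "__main__":
    for data, why in diagnose_bind_failures(SAMPLE_LOG):
        print(f"data {data}: {why}")
```

    Run against a full catalina.out it tells you whether to look at the `ldap.synchronization.java.naming.security.principal` DN (525) or at the password in `ldap.synchronization.java.naming.security.credentials` (52e) before touching anything else.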

  • JoelChire says:

    Thanks Thanks Thanks!
    After 4 weeks your post really helps me.
