Alfresco on Windows Server with Active Directory Authentication

Let’s be honest about this: the documentation for Alfresco, the SharePoint-like Enterprise Content Management System, is opaque.

Today, I installed the free Community Edition of Alfresco on a Windows Server 2008 R2 virtual machine. The first thing I wanted to do was connect it to Active Directory in order to delegate authentication duties to my domain controllers. I didn’t find the documentation particularly helpful. So here’s what I did:

  1. You won’t be able to do this until you’ve fired up the Tomcat server at least once – that causes the creation of the necessary files and folders.
  2. Find the repository.properties file. In the default installation, it will be in the folder, C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco. Open it with your favourite text editor – preferably not Notepad, since the file has Unix line endings, which Notepad won’t handle correctly.
  3. In that file, find the line authentication.chain=alfrescoNtlm1:alfrescoNtlm. Change it to read authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm and save the file.
  4. Next, go to C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad (or similar, if you chose to install in a different location). You need to edit the file ldap-ad-authentication.properties, but note that you may need to run your text editor as Administrator in order to be able to save your changes. Make the following edits:
    1. Insert your domain: ldap.authentication.userNameFormat=%s@mydomain.local
    2. Put connection details for your DC: ldap.authentication.java.naming.provider.url=ldap://pdc1.mydomain.local:389
    3. Choose an administrator for Alfresco, from your AD list of users: ldap.authentication.defaultAdministratorUserNames=superuser
    4. Insert the administrator’s UPN: ldap.synchronization.java.naming.security.principal=[email protected]
    5. Add the administrator’s password. Yes, in plain text. Yes, this is very bad. Take all necessary precautions: ldap.synchronization.java.naming.security.credentials=someP4ssword
    6. Put the search base (possibly a subset of your AD tree) for groups: ldap.synchronization.groupSearchBase=OU\=My Groups,DC\=mydomain,DC\=local – NB this is case sensitive, and the extra backslashes are required
    7. Put the search base (possibly a subset of your AD tree) for users: ldap.synchronization.userSearchBase=OU\=My Users,DC\=mydomain,DC\=local – again, this is case sensitive, and the extra backslashes are required
  5. Use the Alfresco Manager Tool to restart the services.

From Alfresco, you should now be able to browse users and groups from whichever OU you used.
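
A small audit of the file edited in step 4, as an added example that is not from the original post or from Alfresco: it decodes the backslash escapes and flags the plaintext bind password, an ldap:// provider URL, and a synchronization account that is also an Alfresco administrator. The sample values, including the principal's UPN, are constructed from the placeholders used above.

```python
import re

# Constructed sample using the placeholder values from the steps above;
# the principal is an assumed UPN for the "superuser" account.
SAMPLE = r"""
ldap.authentication.userNameFormat=%s@mydomain.local
ldap.authentication.java.naming.provider.url=ldap://pdc1.mydomain.local:389
ldap.authentication.defaultAdministratorUserNames=superuser
ldap.synchronization.java.naming.security.principal=superuser@mydomain.local
ldap.synchronization.java.naming.security.credentials=someP4ssword
ldap.synchronization.groupSearchBase=OU\=My Groups,DC\=mydomain,DC\=local
"""

AUTH = "ldap.authentication."
SYNC = "ldap.synchronization.java.naming.security."

def parse_properties(text):
    """Minimal .properties reader (no line continuations or \\uXXXX escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # The key ends at the first '=' or ':' not preceded by a backslash.
        m = re.match(r"((?:\\.|[^\\=:])+?)\s*[=:]\s*(.*)$", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value
    return props

def audit(props):
    """Return (code, message) findings for the settings edited in step 4."""
    findings = []
    if props.get(AUTH + "java.naming.provider.url", "").lower().startswith("ldap://"):
        findings.append(("cleartext-transport",
                         "provider.url is ldap://, not ldaps://: no TLS on connect"))
    if props.get(SYNC + "credentials"):
        findings.append(("plaintext-credential",
                         "bind password stored in the file: restrict its ACL"))
    admins = {a.strip().lower()
              for a in props.get(AUTH + "defaultAdministratorUserNames", "").split(",")}
    if props.get(SYNC + "principal", "").split("@")[0].lower() in admins - {""}:
        findings.append(("sync-account-is-admin",
                         "sync binds as an Alfresco administrator account"))
    return findings

if __name__ == "__main__":
    for code, message in audit(parse_properties(SAMPLE)):
        print(f"{code}: {message}")
```

Against a real installation, pass the contents of ldap-ad-authentication.properties to `parse_properties` in place of `SAMPLE`.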


Note: I initially did all the above using Alfresco 4.2c, only to discover there are some bugs relating to SharePoint in that release. The recommended solution until a later version is released is to try one of the nightly builds.

Alfresco logo copyright © Alfresco Software, Inc.

3 Replies to “Alfresco on Windows Server with Active Directory Authentication”

  1. Hi Rob,

    Nice post on how to get the AD connection up and running. I don’t agree with the negative tendency though. Alfresco is an enterprise grade platform. It is extremely open and connectable in many ways. The fact that it is not an ‘install-next-next-next setup’ (like good old WinZip) is true (for AD configuration). But consider that your setup is one of the many, many more that you can create using the platform.

    Did you consider taking a look at http://docs.alfresco.com? Other useful pointers are the wiki, in the context of authentication, you might take a look at http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration and/or http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems

    Enterprise IT landscape can vary a lot, and the tools need the flexibility to fit in each of the configurations that organization thinks is ‘logical’. That implies that life sometimes is not as easy as installing WinZip.

    I agree with you that there are some plain text passwords in Alfresco’s config. The first impression is that that is bad. But then again, you have to connect to these other systems right? If it is the database, LDAP or whatever. You need to have credentials. Yes, you can store those encrypted. But the platform (don’t mind if it is Alfresco, Nuxeo, Liferay,….) does need to decrypt in order to connect. If the filesystem is compromised, you’re in trouble anyway. Your file store is accessible (all your content) and more. Decrypting the encrypted is a matter of knowledge/time then right? What do you actually gain by making it more complex? Your IT systems need to be secured. That is a job too. Don’t run the webapp as root-alike account, actually, pick an account that is the only account having access to the critical areas of the file system!

    As usual there is room for improvements in documentation and security. I think Alfresco does a nice job in terms of both. It is just not as easy as installing WinZip…

  2. Hello,

    did you check http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems for configuring the Authentication subsystem? Or did you use http://docs.alfresco.com/4.1/topic/com.alfresco.enterprise.doc/concepts/auth-intro.html and / or any of its descendants? I am not that familiar with the last option, but I found the examples (e.g. http://docs.alfresco.com/4.1/topic/com.alfresco.enterprise.doc/tasks/auth-example-twoldap-ad.html) to be quite extensive. Though I must admit it can be a tad confusing to follow all the child pages to get to that point.

    One general note: You should never modify any files within the tomcat/webapps/alfresco/* directory tree. Any changes you perform here are not safe when you upgrade Alfresco as this directory will be overwritten. Use tomcat/shared/classes/* instead. And instead of repository.properties you should use alfresco-global.properties (similar to the examples in the documentation).

    Regards
    Axel

    1. Axel,

      One of the problems with the current documentation is the disconnect between the current community and commercial versions of Alfresco. So not all the documentation I read applied to the community version I was trying to learn. And the documentation that does apply is laid out in a manner that seems to assume prior knowledge of the system/Tomcat.

      After I wrote this blog entry, I eventually abandoned Alfresco. I was setting it up as a proof of concept in a Windows AD estate. I found too many situations in which it didn’t work, or where the behaviour was erratic. The “online editing” using Office worked in only 50% of cases I tried and in all cases required a fair bit of hacking of the client. I suspect that a lot of these niggles are cleared up in the commercial version, but I wouldn’t commit my company to that having seen the roughness of the community version.

      I may return to Alfresco if the community edition sees significant improvements, but until then, it’s not for my enterprise. We would be more likely to pursue hosted SharePoint, which has a lower barrier of entry.

      Thanks for your input though.

      Rob
