Alfresco on Windows Server with Active Directory Authentication

Alfresco LogoLet’s be honest about this: the documentation for Alfresco, the SharePoint-like Enterprise Content Management System is opaque.

Today, I installed the free Community Edition of Alfresco on a Windows Server 2008 R2 virtual machine. The first thing I wanted to do was connect it to Active Directory in order to delegate authentication duties to my domain controllers. I didn’t find the documentation particularly helpful. So here’s what I did:

  1. You won’t be able to do this until you’ve fired up the TomCat server at least once – that causes the creation of the necessary files and folders.
  2. Find the repository.properties file. In the default installation, it will be in the folder, C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco. Open it with your favourite text editor – preferably not Notepad, since the file has Unix line endings, which Notepad won’t handle correctly.
  3. In that file, find the line authentication.chain=alfrescoNtlm1:alfrescoNtlm. Change it to read authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm and save the file.
  4. Next, go to C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad (or similar, if you chose to install in a different location). You need to edit the file ldap-ad-authentication.properties, but note that you may need to run your text editor as Administrator in order to be able to save your changes. Make the following edits:
    1. Insert your domain: ldap.authentication.userNameFormat=%s@mydomain.local
    2. Put connection details for your DC: ldap.authentication.java.naming.provider.url=ldap://pdc1.mydomain.local:389
    3. Choose an administrator for Alfresco, from your AD list of users: ldap.authentication.defaultAdministratorUserNames=superuser
    4. Insert the administrator’s UPN: ldap.synchronization.java.naming.security.principal=[email protected]
    5. Add the administrator’s password. Yes, in plain text. Yes, this is very bad. Take all necessary precautions: ldap.synchronization.java.naming.security.credentials=someP4ssword
    6. Put the search base (possibly a subset of your AD tree) for groups: ldap.synchronization.groupSearchBase=OU\=My Groups,DC\=mydomain,DC\=local – NB this is case sensitive, and the extra backslashes are required
    7. Put the search base (possibly a subset of your AD tree) for users: ldap.synchronization.userSearchBase=OU\=My Users,DC\=mydomain,DC\=local – again, this is case sensitive, and the extra backslashes are required
  5. Use the Alfresco Manager Tool to restart the services.

From Alfresco, you should now be able to browse users and groups from whichever OU you used.


Note: I initially did all the above using Alfresco 4.2c, only to discover there are some bugs relating to SharePoint in that release. The recommended solution until a later version is released is to try one of the nightly builds.

Alfresco logo copyright © Alfresco Software, Inc..