OpenDJ (LDAP Server) and how to configure with Alfresco for your best demos

marzo 7th, 2013

OpenDJ is a fork of the former Sun OpenDS. Is a free and Open Source LDAPv3 server. It is not under our Alfresco Supported Platforms umbrella but it works fine for demo porpuses and is very easy to install, configure and maintain. Since OpenDJ is a Java application you can run it in Linux, Mac or “even” Windows ;)

Lets see how how to start with OpenDJ from scratch.

  • Installation and configuration of OpenDJ:

Download the application downloader and launcher here: http://download.forgerock.org/downloads/opendj/20130305020001/install/QuickSetup.jnlp (you may also download the entire package from here http://www.forgerock.org/opendj.html  but I think with QuickSetup is the easier way)

Download this initial LDIF file with demo users and groups for the first population of our new brand LDAP server.

You must have installed Java in your system in order to execute file QuickSetup.jnlp. Then double click to open it. And follow as in the video:

Now lets configure our Alfresco Server (I did all this steps with Alfresco Enterprise 4.1.3 but should be valid for any 4.X version).

  •  Alfresco configuration:
# vi tomcat/shared/classes/alfresco-global.properties

Add next line with our new authentication system before the default chain.

authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm

Create the needed directory for our new settings:

# mkdir -p tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1

Create your own config file, set as your needs:

vi tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties

File:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=alfresco,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:1389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=Directory Manager
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=0
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=groups,dc\=alfresco,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=alfresco,dc\=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0

To have a full control about what is happening during the LDAP authentication add next lines to your custome log configuration file like next one. If you don’t have a custom log file already you can create it:

cp tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties tomcat/shared/classes/alfresco/extension/custom-log4j.properties

Add next options to the file:

vi tomcat/shared/classes/alfresco/extension/custom-log4j.properties

Content:

# LDAP
log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug

Now reboot and try. Also you can do that easily and without reboot using JMX with console

Remember to keep watching your logs:

tail -f tomcat/logs/catalina.out

When Alfresco is starting after our changes, you must see something like this:

2013-03-07 09:46:26,175  INFO  [management.subsystems.ChildApplicationContextFactory] [main] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2013-03-07 09:46:26,212  WARN  [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server supports anonymous bind ldap://localhost:1389
2013-03-07 09:46:26,234  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not support simple string user ids and invalid credentials at ldap://localhost:1389
2013-03-07 09:46:26,235  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://localhost:1389
2013-03-07 09:46:26,237  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://localhost:1389
2013-03-07 09:46:26,247  INFO  [management.subsystems.ChildApplicationContextFactory] [main] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete

And after your first login:

2013-03-07 09:47:34,404  DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] Authenticating user "toni"
2013-03-07 09:47:34,421  DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] Setting the current user to "toni"
2013-03-07 09:47:34,422  DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] User "toni" authenticated successfully

Remember to change your LDAP log debug level before going live, something like INFO could be enough.

2 Respuestas to “OpenDJ (LDAP Server) and how to configure with Alfresco for your best demos”

  1. Tomason 08 mar 2013 at 8:21 am

    Hi Toni,

    Me gusta este post.

    Estoy trabajando con openDJ en varios proyectos y puedo asegurar que es un producto estable y que no tiene nada que envidiar a otros LDAPs como ODSEE o el antiguo SunLDAP. Clientes están migrando de versiones SunLDAP 5.2 ó 6.x, incluso de ODSEE 7.x y 11.1.1.x.x, a openDJ.

    Sería buena idea que Alfresco certificara openDJ como producto de autenticación. Muchos clientes optarían por esta opción frente a soluciones como ODSEE.

    Greetings from Andalusia (Spain) ;-)

  2. Tonion 08 mar 2013 at 12:06 pm

    Gracias Tommy! ;) no sabía q era tan conocido pero si es un fork de un fork de un viejo amigo nuestro verdad?

Trackback URI | RSS de Comentarios

Escribir comentario/respuesta

css.php