OpenDJ is a fork of the former Sun OpenDS. Is a free and Open Source LDAPv3 server. It is not under our Alfresco Supported Platforms umbrella but it works fine for demo porpuses and is very easy to install, configure and maintain. Since OpenDJ is a Java application you can run it in Linux, Mac or “even” Windows 馃槈
Lets see how how to start with OpenDJ from scratch.
- Installation and configuration of OpenDJ:
Download the application downloader and launcher here:聽http://download.forgerock.org/downloads/opendj/20130305020001/install/QuickSetup.jnlp聽(you may also download the entire package from here聽http://www.forgerock.org/opendj.html聽聽but I think聽with QuickSetup is the聽easier way)
Download this initial LDIF file with demo users and groups for the first population of our new聽brand聽LDAP server.
You must聽have installed Java in your system in order to execute file QuickSetup.jnlp. Then double click to open it. And follow as in the video:
Now lets configure our Alfresco Server (I did all this steps with Alfresco Enterprise 4.1.3 but should be valid for any 4.X version).
- 聽Alfresco configuration:
[bash]
# vi tomcat/shared/classes/alfresco-global.properties
[/bash]
Add next line with our new authentication system before the default chain.
[bash]
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
[/bash]
Create the needed directory for our new settings:
[bash]
# mkdir -p tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
[/bash]
Create your own config file, set as your needs:
[bash]
vi tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties
[/bash]
File:
[bash]
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=alfresco,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:1389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=Directory Manager
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=0
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=groups,dc\=alfresco,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=alfresco,dc\=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss’Z’
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
[/bash]
To have a full control about what is happening during the LDAP authentication add next lines to your custome log configuration file like next one. If you don’t have a custom log file already you can create it:
[bash]
cp tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties tomcat/shared/classes/alfresco/extension/custom-log4j.properties
[/bash]
Add next options to the file:
[bash]
vi聽tomcat/shared/classes/alfresco/extension/custom-log4j.properties
[/bash]
Content:
[bash]
# LDAP
log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
[/bash]
Now reboot and try.聽Also you can do that easily and without reboot using JMX with console
Remember to keep watching your logs:
[bash]
tail -f tomcat/logs/catalina.out
[/bash]
When Alfresco is starting after our changes, you must see something like this:
[bash]
2013-03-07 09:46:26,175聽 INFO聽 [management.subsystems.ChildApplicationContextFactory] [main] Starting ‘Authentication’ subsystem, ID: [Authentication, managed, ldap1]
2013-03-07 09:46:26,212聽 WARN聽 [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server supports anonymous bind ldap://localhost:1389
2013-03-07 09:46:26,234聽 INFO聽 [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not support simple string user ids and invalid credentials at ldap://localhost:1389
2013-03-07 09:46:26,235聽 INFO聽 [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://localhost:1389
2013-03-07 09:46:26,237聽 INFO聽 [authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://localhost:1389
2013-03-07 09:46:26,247聽 INFO聽 [management.subsystems.ChildApplicationContextFactory] [main] Startup of ‘Authentication’ subsystem, ID: [Authentication, managed, ldap1] complete
[/bash]
And after your first login:
[bash]
2013-03-07 09:47:34,404聽 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] Authenticating user "toni"
2013-03-07 09:47:34,421聽 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] Setting the current user to "toni"
2013-03-07 09:47:34,422聽 DEBUG [authentication.ldap.LDAPAuthenticationComponentImpl] [http-8080-5] User "toni" authenticated successfully
[/bash]
Remember to change your LDAP log debug level before going live, something like INFO could be enough.
Hi Toni,
Me gusta este post.
Estoy trabajando con openDJ en varios proyectos y puedo asegurar que es un producto estable y que no tiene nada que envidiar a otros LDAPs como ODSEE o el antiguo SunLDAP. Clientes est谩n migrando de versiones SunLDAP 5.2 贸 6.x, incluso de ODSEE 7.x y 11.1.1.x.x, a openDJ.
Ser铆a buena idea que Alfresco certificara openDJ como producto de autenticaci贸n. Muchos clientes optar铆an por esta opci贸n frente a soluciones como ODSEE.
Greetings from Andalusia (Spain) 馃槈
Gracias Tommy! 馃槈 no sab铆a q era tan conocido pero si es un fork de un fork de un viejo amigo nuestro verdad?