8/10/2019 Liferay Alfresco OpenLDap OpenSSO
1/35
Liferay + Alfresco+ OpenSSO +
LDAP Integration
By Uchit Vyas
Liferay + Alfresco + OpenSSO + LDAP Integration 1
About Author
Uchit Vyas is a B.Tech. graduate in Computer Science with a research interest in ESB and Cloud, and holds Cisco (CCNA), VMware (VSP) and Red Hat Linux (RHCE) certifications. He works on multiple platforms at a time and integrates open source technologies. He works as a Sr. Consultant looking after AWS Cloud, Mule ESB, Alfresco and Liferay, and deploying Portal and ECM systems. He previously worked with TCS as an Assistant System Engineer.
With over 3 years of hands-on experience with open source technologies, he guides the team and delivers projects and trainings. He has provided 13+ trainings on Cloud Computing, Continuous Delivery, Alfresco and Liferay within a couple of months. In past years he moved over 80% of Attune Infocom's business processes to the Cloud, applying an agile SDLC methodology on Amazon, Rackspace and private clouds such as Eucalyptus and OpenStack. His skills extend to designing and managing Cloud environments/infrastructure and server architecture. He is also active in shell scripting and automated deployment, supporting hundreds of Linux and Windows physical and virtual servers hosting databases and applications, with Continuous Delivery using Jenkins / CruiseControl and Puppet / Chef scripting.
Table of Contents
I. LDAP Integration with Liferay
II. Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat
III. Alfresco OpenSSO Integration
IV. Enable LDAP Authentication and LDAP users import in Alfresco
LDAP Integration with Liferay
ApacheDS
Download ApacheDS 1.5 for Windows from
http://directory.apache.org/apacheds/1.5/download/download-windows.html
and run the installer, following its instructions to finish the installation.
Check the installed Java version first (java -version). ApacheDS 1.5 requires JRE 5 or later; the Windows installer supports Windows XP or Vista.
By default the LDAP server listens on port 10389 (unencrypted, with StartTLS available) and 10636 (LDAPS). Everything in this guide binds to 10389, so credentials such as the admin bind password travel in clear text. That is acceptable on a single lab host; anywhere the directory is reached over a network, use 10636 or StartTLS instead.
Installing an LDAP browser
Go to www.jxplorer.org.
Click Downloads > precompiled java package > Windows platform.
Save the file.
Click on the LDAP browser icon and follow the installation instructions.
Open the JXplorer LDAP browser, click File and then Connect.
Change the port to 10389.
In the Level drop-down menu, choose User+Password.
Enter uid=admin,ou=system in the User DN input field.
The password is secret. This is the ApacheDS default administrator password, which every tutorial and every attacker knows; change it on anything other than a throwaway lab instance.
Click Save and enter a name for the template.
Right-click on Example and click New.
Add inetOrgPerson to the Selected Classes, or select Suggest Classes.
To create a user, enter cn=uchit in the Enter RDN field and click OK.
In the Table Editor enter Uchit in the sn line and Uchit in the givenName line.
For mail enter [email protected]; for userPassword enter test. Click Submit.
Integration with Liferay
Now integrate the LDAP directory with Liferay. Log in to Liferay as an administrator ([email protected], password test).
Once you have created your profile in LDAP, configure Liferay to import/export users from LDAP.
In Liferay go to Control Panel > Settings, then Authentication.
Under the LDAP tab there is a list of directory servers; select yours.
Then configure your own connection (base provider URL, base DN, principal and credentials) and test that the connection works. Use the Add button to add the server.
In the example above, check the box to enable LDAP.
Required means that login will require LDAP authentication to succeed: a user who cannot bind to the directory is rejected even if a matching Liferay account exists.
Then set the other properties: the search filter (you can change it to match on name only instead of email) and the group name.
You can also change the group search filter.
You can also enable import/export of users between LDAP and Liferay.
All of these properties can also be set in the portal-ext.properties file, found at ROOT/WEB-INF/classes/portal-ext.properties. Values in portal-ext.properties override the defaults in portal.properties. Because this file will hold the LDAP bind password in clear text, keep it readable only by the account Liferay runs as.
Now start the directory server and use an LDAP user in Liferay.
To integrate Liferay with LDAP: install and start the directory server, enable LDAP in Liferay and select your directory server from the list; for any other server, use portal-ext.properties.
Use secret as the password.
Change the search filter from email to (cn=@screen_name@).
If you want to import/export, check the boxes.
You can also check your connection and list the users.
If the connection replies, everything is working properly.
When an LDAP user logs in for the first time, Liferay will ask them to accept the terms and conditions.
The defaults below live in portal.properties; override them in portal-ext.properties. Two things to weigh before copying them: the principal is the directory's administrative account, while import only needs read access to the user and group subtrees, so a dedicated read-only bind account is preferable; and ldap.auth.method=bind authenticates by binding to the directory as the user, whereas the alternative, password-compare, reads the userPassword attribute and compares it locally, which requires the bind account to be able to read password hashes.
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=false
ldap.auth.required=false
ldap.auth.method=bind
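The search filter substitutes whatever is typed in the login form's screen-name field into an LDAP query, which is the classic place for LDAP filter injection, or simply for a stray "*" to match the wrong account. The following Python script is an added illustration, not Liferay code, of why that substitution has to escape the value as RFC 4515 requires. It renders a Liferay-style @screen_name@ template with and without escaping and evaluates the result against a small constructed directory using a minimal filter interpreter. The entries, the template and the helper names are assumptions made for the example; whether the Liferay version you run escapes the substituted value is something to confirm against its source.

```python
"""Added example (not Liferay code): Liferay-style LDAP filter templating with and
without RFC 4515 escaping, evaluated by a tiny in-memory filter interpreter."""
import re

# RFC 4515 section 3: these characters must be written as \XX inside an assertion value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

# Constructed sample directory (attribute names lower-cased, every value a list).
DIRECTORY = [
    {'dn': 'cn=uchit,dc=example,dc=com', 'objectclass': ['inetOrgPerson'], 'cn': ['uchit']},
    {'dn': 'cn=test,dc=example,dc=com', 'objectclass': ['inetOrgPerson'], 'cn': ['test']},
    {'dn': 'cn=Uchit (Admin),dc=example,dc=com', 'objectclass': ['inetOrgPerson'], 'cn': ['Uchit (Admin)']},
    {'dn': 'cn=admins,ou=groups,dc=example,dc=com', 'objectclass': ['groupOfNames'], 'cn': ['admins']},
]

# Liferay-style template; the placeholder receives the login form's screen name.
AUTH_FILTER = '(&(objectClass=inetOrgPerson)(cn=@screen_name@))'


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, values, escape=True):
    """Replace @name@ placeholders with values, escaped unless escape=False."""
    def substitute(match):
        raw = values[match.group(1)]
        return escape_filter_value(raw) if escape else raw
    return re.sub(r'@([a-z_]+)@', substitute, template)


def _expect_close(text, pos):
    if pos >= len(text) or text[pos] != ')':
        raise ValueError('expected ")" at offset %d in %r' % (pos, text))
    return pos + 1


def _parse(text, pos):
    """Recursive-descent parser for the RFC 4515 subset: &, |, ! and attr=value."""
    if pos >= len(text) or text[pos] != '(':
        raise ValueError('expected "(" at offset %d in %r' % (pos, text))
    pos += 1
    op = text[pos] if pos < len(text) else ''
    if op in ('&', '|'):
        children, pos = [], pos + 1
        while pos < len(text) and text[pos] == '(':
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), _expect_close(text, pos)
    if op == '!':
        child, pos = _parse(text, pos + 1)
        return ('!', [child]), _expect_close(text, pos)
    eq = text.find('=', pos)
    close = text.find(')', eq)
    if eq < 0 or close < 0:
        raise ValueError('malformed item at offset %d in %r' % (pos, text))
    return ('=', text[pos:eq], text[eq + 1:close]), close + 1


def parse_filter(text):
    tree, end = _parse(text, 0)
    if end != len(text):  # a real server answers this with a protocol error
        raise ValueError('trailing content after filter: %r' % text[end:])
    return tree


def _value_pattern(value):
    """Unescaped '*' is a wildcard; everything else is literal once \\XX escapes are decoded."""
    def unescape(piece):
        return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), piece)
    return re.compile('^' + '.*'.join(re.escape(unescape(p)) for p in value.split('*')) + '$', re.I)


def evaluate(node, entry):
    kind = node[0]
    if kind == '&':
        return all(evaluate(child, entry) for child in node[1])
    if kind == '|':
        return any(evaluate(child, entry) for child in node[1])
    if kind == '!':
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    present = entry.get(attr.lower(), [])
    if value == '*':  # presence filter
        return bool(present)
    pattern = _value_pattern(value)
    return any(pattern.match(v) for v in present)


def search(filter_text, entries=DIRECTORY):
    """DNs of the entries matching filter_text, in directory order."""
    return [entry['dn'] for entry in entries if evaluate(parse_filter(filter_text), entry)]


def lookup(screen_name, escape=True):
    """What the portal's user search returns for a login-form screen name."""
    return search(render_filter(AUTH_FILTER, {'screen_name': screen_name}, escape))


if __name__ == '__main__':
    print(lookup('uchit'))             # only the intended account
    print(lookup('*', escape=False))   # unescaped wildcard: every person in the directory
    print(lookup('*'))                 # escaped: looks for a literal '*', finds nothing
    print(lookup('Uchit (Admin)'))     # legitimate parentheses survive escaping
    try:
        lookup('Uchit (Admin)', escape=False)
    except ValueError as err:
        print('unescaped parentheses break the filter:', err)
```

With ldap.auth.method=bind the portal binds as whichever entry the search returns first, so a wildcard that matches everyone turns the screen-name field into a way of selecting an account the user never named; escaping reduces the value to a literal and also keeps legitimate names containing parentheses working.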
Integrating OpenSSO / OpenAM with Liferay Portal on Tomcat
Liferay Portal and OpenSSO both require at least a Java 5 JVM, but Java 6 is recommended (Java 5 reached its End of Service Life in October 2009). Make sure that your JAVA_HOME environment variable points to your Java 6 installation.
Reference: http://www.objectpartners.com/2010/08/16/integrating-opensso-openam-with-liferay-portal-on-tomcat/
For OpenSSO to work correctly with Liferay Portal, both servers need to be running in the same domain, because Liferay relies on the browser presenting OpenSSO's session cookie (iPlanetDirectoryPro by default) and a browser only sends a cookie to hosts within the cookie's domain. To satisfy this while running both servers on a single machine, edit the hosts file (/etc/hosts or %SystemRoot%\system32\drivers\etc\hosts) and add/update your localhost entry:
127.0.0.1 localhost localhost.example.com
where example.com is your actual domain (this guide uses the name uchit.info.com, so its entry is 127.0.0.1 localhost uchit.info.com).
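Why the same-domain rule matters can be shown with Python's standard cookie policy, which applies the same domain, path and Secure rules a browser does. The script below is an added example, not Liferay or OpenAM code: the cookie name is OpenAM's default (the same one that appears in the AMConfig.properties later on this page), the token value is made up, and the host names are the ones this guide uses. It shows that a cookie issued for uchit.info.com is presented to both ports on that host but never to localhost, which is one way to produce an endless redirect loop between Liferay and OpenAM, and it also shows two opposite mistakes: a Secure cookie that a plain-http Liferay never receives, and a parent-domain cookie that every sibling host receives.

```python
"""Added example (not Liferay or OpenAM code): the browser presents the SSO session
cookie only to hosts inside the cookie's domain, so Liferay and OpenAM must share one."""
import http.cookiejar
import urllib.request

COOKIE_NAME = 'iPlanetDirectoryPro'  # OpenAM's default session cookie name


def sso_cookie(domain, secure=False):
    """Constructed stand-in for the cookie OpenAM sets after login (the value is made up)."""
    return http.cookiejar.Cookie(
        version=0, name=COOKIE_NAME, value='AQIC5wM2-constructed-token',
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=domain.startswith('.'),
        path='/', path_specified=True, secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={})


def cookie_sent_to(cookie, url):
    """Apply the standard cookie policy: would a browser attach this cookie to a request for url?"""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(cookie)
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header('Cookie') is not None


def sso_works(cookie_domain, openam_url, portal_url, secure=False):
    """True when a cookie OpenAM issues for cookie_domain reaches both OpenAM and Liferay.
    If it reaches OpenAM but not Liferay, Liferay sends the browser to OpenAM, OpenAM sees
    a valid session and sends it straight back, and the loop never ends."""
    cookie = sso_cookie(cookie_domain, secure)
    return cookie_sent_to(cookie, openam_url) and cookie_sent_to(cookie, portal_url)


if __name__ == '__main__':
    openam = 'http://uchit.info.com:9080/opensso/UI/Login'
    print(sso_works('uchit.info.com', openam, 'http://uchit.info.com:8080/c/portal/login'))  # True
    print(sso_works('uchit.info.com', openam, 'http://localhost:8080/c/portal/login'))       # False
    print(sso_works('uchit.info.com', openam, 'http://uchit.info.com:8080/', secure=True))   # False
    print(cookie_sent_to(sso_cookie('.info.com'), 'http://other.info.com/'))                  # True
```

Ports play no part in cookie scoping, which is why the 8080/9080 split on one host works; host names do, which is why localhost does not. The last line is the caveat in the other direction: a cookie scoped to a parent domain is handed to every host under it, so keep the OpenAM cookie domain as narrow as the deployment allows.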
Install OpenSSO/OpenAM
Download the latest OpenAM build (OpenAM Snapshot 9.5.1 RC1 at the time of writing) from http://www.forgerock.com/downloads.html
Download the latest Tomcat (6.0.32) from http://tomcat.apache.org/download-60.cgi
Installation of the Tomcat server consists of:
Unzip the apache-tomcat-6.0.32 zip file. This will create an apache-tomcat-6.0.32 folder.
As both Liferay Portal and OpenAM will be running on the same machine, the ports used by the OpenAM Tomcat server have to be changed.
Edit apache-tomcat-6.0.32/conf/server.xml and change all of the ports from 8xxx to 9xxx. For example, 8080 to 9080, 8443 to 9443, etc.
On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
Installation of OpenAM consists of:
Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.
Copy opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.32/webapps/.
In apache-tomcat-6.0.32/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.
After Tomcat has deployed OpenAM, you will see the exploded war as apache-tomcat-6.0.32/webapps/opensso.
Open a browser to http://uchit.info.com:9080/opensso, which should redirect you to http://uchit.info.com:9080/opensso/config/options.htm to complete the OpenAM configuration. Until this configuration is completed, anyone who can reach port 9080 can complete it and choose the administrator password, so do it straight away and do not leave an unconfigured OpenAM exposed.
You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:
The first step is to choose a password for the default administrator account (amAdmin). The password needs to be at least 8 characters long (upassword is used in this guide; pick a strong, unique one anywhere other than a lab, since amAdmin controls the whole SSO deployment). Once a valid password has been entered twice, the Next button will appear and the configuration can proceed.
On the server settings page, the Server URL and the Configuration Directory both need attention. By default the Server URL will be the address that was typed to reach the server. The problem is that it requires a fully qualified domain name, so if the page was accessed via localhost or an IP address it will cause problems. This is why it was configured to be accessible at uchit.info.com.
The other setting on this page to take note of is the Configuration Directory. The user that Apache Tomcat runs under must have write access to that directory; ~/openam/config is appropriate for this purpose.
Supported Platform Locales are en_US (English), de (German), es (Spanish), fr (French), ja (Japanese), zh_CN (Simplified Chinese) and zh_TW (Traditional Chinese).
The Configuration Data Store Settings do not need to be changed for a single-server configuration.
The User Data Store Settings connect OpenAM to the user directory, which in this guide is the ApacheDS instance set up earlier (port 10389, uid=admin,ou=system), not an OpenDS server despite the store type chosen. Most of these settings therefore need attention. Fields which require changing are marked with an asterisk (*).
*User Data Store Type : OpenDS
SSL/TLS Enabled : Not ticked (with this unticked, OpenAM binds to the directory in clear text over port 10389, which is tolerable only while both run on the same host; otherwise tick it and use the LDAPS port 10636)
*Directory Name : uchit.info.com
*Port : 10389
*Root Suffix : dc=example,dc=com
*Login ID : uid=admin,ou=system
*Password : secret
The configurator does not allow you to continue until all the settings have been correctly specified and it has successfully connected to the directory instance.
OpenAM is not installed behind a load balancer in this test deployment, so Site Configuration can be left at its default.
The policy agent password once again needs to be 8 characters or
more and it must also be different from the administrator password.
In this case we will use 'apassword', although the policy agent user is
not used in this tutorial.
The Summary Page shows a brief summary of the settings that were
defined in the previous few steps before the configuration is created.
Clicking Create Configuration will begin the configuration process.
This will create the configuration for your OpenAM server under
~/opensso (or c:\Documents and Settings\{username}\opensso).
The Configuration Progress screen displays the progress of the installation and takes a couple of minutes to run through. All of the output on this screen, as well as any errors, is written to the file ~/openam/config/install.log. Assuming success, a Configuration Complete! view will appear, providing a link to the login page.
If it did not succeed, check the troubleshooting guide at https://wikis.forgerock.org/confluence/display/openam/Common+Install+Issues
When this completes, in the Configuration Complete dialog, click Proceed to Login, which should redirect you to http://uchit.info.com:9080/opensso/UI/Login.
Type amAdmin as the username and the administrator password you chose during configuration (upassword in this example), and click Log In. You should now see the OpenAM Console.
For detailed information about the OpenAM Console, see https://wikis.forgerock.org/confluence/display/openam/Home and http://wikis.sun.com/display/OpenSSO/Sun+OpenSSO+Enterprise+8.0+Documentation+Center. You can now delete the opensso.war file from the apache-tomcat-6.0.32/webapps/ directory.
Additional OpenAM Configuration
To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login.
1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Security tab.
5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
6. Click Save.
To resolve the infinite redirection problem:
1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Advanced tab.
5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
6. Click Save.
Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, [email protected], to OpenAM. Keep in mind that this account is Liferay's default administrator, so the password test used here belongs in a lab only.
1. In the OpenAM Console, select the Access Control tab.
2. Click the / (Top Level Realm) realm.
3. Select the Subjects tab.
4. Click New.
5. Set up the default Liferay user:
   ID: test
   First Name: test
   Last Name: test
   Full Name: test
   Password: test
   Click OK to create the user.
6. Click test to add the email address. Enter [email protected] as the Email Address, and click Save.
[Note: if you create the user directly in LDAP instead of in the OpenAM console, give it a uid attribute; OpenAM, and the Liferay mapping open.sso.screen.name.attr=uid below, identify the user by uid.]
Integrate Liferay Portal with OpenAM
Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.
1. If Liferay is running, shut it down (bin/shutdown).
2. Create a new file called portal-ext.properties in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
3. Edit this file, and add the following properties:
open.sso.auth.enabled=true
open.sso.login.url=http://uchit.info.com:9080/opensso/UI/Login?goto=http://uchit.info.com:8080/c/portal/login
open.sso.logout.url=http://uchit.info.com:9080/opensso/UI/Logout?goto=http://uchit.info.com:8080/web/guest/home
open.sso.service.url=http://uchit.info.com:9080/opensso
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn
All of these URLs are plain http, which is fine on one lab host; anywhere else, serve both Liferay and OpenAM over https so the session cookie and the token validation calls between the two are not exposed on the network.
4. Start Liferay (bin/startup).
Once Liferay has started, open a browser to http://uchit.info.com:8080/, and you should be redirected to the OpenAM login page (http://uchit.info.com:9080/opensso/UI/Login). Enter test for the User Name and test for the Password. Click Log In.
You will be authenticated against OpenAM and redirected to Liferay.
Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on their first login. That newly created Liferay user will only have the basic information filled in (First Name, Last Name, Screen Name, Email Address) and will have the default Roles, Groups and Organizations assigned. Put differently, anyone who can create an account in OpenAM gets an account in Liferay; the OpenAM user store is now the gate to the portal.
[Note: You can also integrate Liferay and OpenSSO from the Liferay Control Panel -> Settings -> Authentication -> OpenSSO.]
Alfresco OpenSSO Integration
Download and install Alfresco (3.4.d) from http://wiki.alfresco.com/wiki/Download_Community_Edition
Now go to http://uchit.info.com:8080/alfresco/
User Name: admin   Password: password
DEPLOYMENT
============
1. Build the jar from the sources, or download the latest release of the filter from:
   http://repository.sourcesense.com/nexus/content/groups/public/com/sourcesense/alfresco/alfresco-opensso/
2. Download the OpenSSO client SDK from:
   http://repository.sourcesense.com/nexus/content/repositories/thirdparty/com/sun/identity/openssoclientsdk/8.0/openssoclientsdk-8.0.jar
3. Copy both to /tomcat/webapps/alfresco/WEB-INF/lib
4. Create the file AMConfig.properties in /tomcat/webapps/alfresco/WEB-INF/classes. An example of this file:
   com.iplanet.am.naming.url=http://uchit.info.com:9080/opensso/namingservice
   com.iplanet.am.cookie.name=iPlanetDirectoryPro
   com.sun.identity.agents.app.username=amAdmin
   com.iplanet.am.service.password=upassword
5. Change the values to reflect your OpenSSO installation. Note that this file holds the OpenSSO administrator's password in clear text and makes the filter act as amAdmin, so the Alfresco web application now carries full administrative rights over OpenSSO; restrict the file's permissions to the Tomcat user and treat the Alfresco host as part of the SSO trust boundary.
6. Replace the authentication filter in /tomcat/webapps/alfresco/WEB-INF/web.xml:
   <filter>
      <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
      <init-param>
         <param-name>beanName</param-name>
         <param-value>AuthenticationFilter</param-value>
      </init-param>
   </filter>
   with
   <filter>
      <filter-name>Authentication Filter</filter-name>
      <filter-class>com.sourcesense.alfresco.opensso.AlfrescoOpenSSOFilter</filter-class>
      <init-param>
         <param-name>opensso.url</param-name>
         <param-value>http://uchit.info.com:9080/opensso</param-value>
      </init-param>
   </filter>
USAGE
======
Accessing Alfresco's home will redirect the browser to the OpenSSO login page.
After a successful login, OpenSSO will redirect the browser back to Alfresco.
If the user does not exist in Alfresco, it will be created. The groups associated with the user in OpenSSO will be created in Alfresco, and the user will be associated with these groups.
If the user's groups are changed in OpenSSO, the filter will reflect those changes at the moment of login.
No group will be deleted in Alfresco, just the user's association with the groups.
In order to access Alfresco administration, the "admin" user must be created in OpenSSO as well. Whoever can authenticate as "admin" at OpenSSO is therefore an Alfresco administrator, so protect that account accordingly.
Enable LDAP Authentication and LDAP users import in Alfresco
1. This step is not necessary for Web SSO, but I recommend it because it lets you manage users from the Alfresco admin console (Browser/Explorer or Share): edit and delete users, create groups and grant permissions.
2. Add the following properties to ${ALF_HOME}\tomcat\shared\classes\alfresco-global.properties:
# The default authentication chain
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
# These options are for test purposes, to run a full sync every minute at 15 seconds past; tune them for your needs
synchronization.import.cron=15 * * * * ?
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=false
3. Create the folders \subsystems\Authentication\ldap\ldap1 in ${ALF_HOME}\tomcat\shared\classes\alfresco\extension
4. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder created above.
5. Modify ldap-authentication.properties to enable LDAP authentication and sync. For example, you can use my file (it only works for my LDAP tree, with uid as the RDN and authentication with cn; adapt it to yours). Note that a Java properties file writes '=' inside a value as '\=', as below.
# This flag enables use of this LDAP subsystem for authentication. It may be that
# this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
# Whether unauthenticated users may log in as the guest user through this subsystem; set to false unless guest access is intended
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
#ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://uchit.info.com:10389
# The authentication mechanism to use for password validation
# ("simple" sends the user's password in clear text; safe only over ldaps://, StartTLS or, as here, on the same host)
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
#ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp
ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=com
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
#ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
# The group type in LDAP
ldap.synchronization.groupType=groupOfNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
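The userNameFormat property in the file above builds the bind DN by pasting the login name into a template, and escapeCommasInBind decides whether commas in that name are escaped first. The following Python script is an added example, not Alfresco code: it renders the DN the simple bind would be attempted with under escapeCommasInBind=false, under escapeCommasInBind=true (assumed here to escape ',' as '\,'), and under full RFC 4514 escaping, then splits the result into RDNs so the structural effect of an unescaped login name is visible. The template is the property's runtime value, without the '\=' that the properties file syntax requires; the helper names are the example's own.

```python
"""Added example (not Alfresco code): how ldap.authentication.userNameFormat turns a
login name into a bind DN, and what comma-only versus RFC 4514 escaping does to it."""

# Runtime value of the property (the properties file writes '=' as '\=').
USER_NAME_FORMAT = 'uid=%s,ou=people,dc=example,dc=com'

# RFC 4514 section 2.4: characters that must be backslash-escaped inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value):
    """Escape a value for use inside an RDN per RFC 4514 (also leading '#'/space, trailing space)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        elif ch == '\0':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def escape_commas(value):
    """Comma-only escaping: what escapeCommasInBind=true is assumed to do for this example."""
    return value.replace(',', '\\,')


def bind_dn(user_id, mode='none', user_name_format=USER_NAME_FORMAT):
    """Render the DN a simple bind would use.
    mode: 'none' (escapeCommasInBind=false), 'commas' (escapeCommasInBind=true) or 'rfc4514'."""
    if mode == 'commas':
        user_id = escape_commas(user_id)
    elif mode == 'rfc4514':
        user_id = escape_dn_value(user_id)
    elif mode != 'none':
        raise ValueError('unknown mode %r' % mode)
    return user_name_format.replace('%s', user_id)


def _split_unescaped(text, separator):
    """Split on separator while skipping backslash-escaped characters (RFC 4514 parsing)."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if ch == separator:
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append(''.join(current))
    return parts


def split_rdns(dn):
    """DN -> list of RDN strings."""
    return _split_unescaped(dn, ',')


def rdn_attributes(rdn):
    """RDN -> list of attribute=value pairs ('+' joins a multi-valued RDN)."""
    return _split_unescaped(rdn, '+')


def dn_shape(dn):
    """Structural summary: (number of RDNs, attribute count of the first RDN)."""
    rdns = split_rdns(dn)
    return len(rdns), len(rdn_attributes(rdns[0]))


if __name__ == '__main__':
    for login in ('uchit', 'admin,ou=system', 'uchit+uid=admin'):
        for mode in ('none', 'commas', 'rfc4514'):
            dn = bind_dn(login, mode)
            print('%-16s %-8s %-52s RDNs=%d first-RDN-attrs=%d' % ((login, mode, dn) + dn_shape(dn)))
```

Comma-only escaping stops a login name from adding RDNs to the DN, but a '+' still turns the first RDN into a multi-valued one; full RFC 4514 escaping closes both. With userNameFormat unset, the DN is instead resolved through personQuery, which moves the same escaping requirement into the search filter rather than removing it.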