Alfresco Process Services and Active Directory Integration
If you’ve ever configured Alfresco Content Services (ACS) to integrate with Active Directory (AD) for synchronizing and authenticating, configuring Alfresco Process Services (APS) will seem pretty familiar. However, there are some differences that are important to note.
Don’t use the ldap.authentication.active-directory properties
I never got these settings to work. The documentation mentions setting these for AD integration but, after failing with them, I fell back to using the LDAP-based ones that were similar to the settings in ACS as they worked without a problem. I did notice an older JIRA for APS 1.3.3 that mentioned problems, and I generally followed what was suggested there. Below you’ll find a sample activiti-ldap.properties file listed.
Specify default attributes that are mapped
Make sure you specify the AD attributes that map to user properties such as first name, last name, username, and email. The default values for all of these except mail are incorrect for out-of-the-box AD integration. A more complete list for APS can be found here.
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
Turn off case sensitivity
Sometimes AD administrators will use mixed case in usernames. Generally, this doesn’t cause a problem with applications as they ignore case when authenticating. However, APS by default does not ignore case (unlike ACS). So, if you had a value such as ASmith for someone’s sAMAccountName property in AD and they tried to log on as asmith (all lower case), the authentication would fail.
ldap.authentication.casesensitive=false
May need to change naming referral
When APS starts up and runs AD synchronization, you may hit a referral error during the LDAP query. The ACS documentation mentions this, and the APS documentation shows it in a sample file but doesn't explain what it means. Depending on your AD setup, you might need to set the referral to follow. For the same AD environment, I had to explicitly set the referral to follow in APS, but did not need to set anything in ACS as the referral default there is already follow.
ldap.synchronization.java.naming.referral=follow
Sample files
See sample activiti-ldap.properties below as well as a snippet of ACS alfresco-global.properties for authentication and synchronization.
Example activiti-ldap.properties for fictional company alfrescotest.org
# very important to set this if you have mixed case usernames set in AD (e.g., in our case in the sAMAccountName attribute)
# see https://docs.alfresco.com/process-services1.9/topics/authentication.html
ldap.authentication.casesensitive=false
ldap.synchronization.java.naming.referral=follow
ldap.allow.database.authentication.fallback=true
ldap.authentication.enabled=true
ldap.authentication.java.naming.provider.url=ldap://alfrescotest.org:389
### LDAP synchronization settings ###
ldap.synchronization.java.naming.security.principal=CN=alf_ad,OU=service accounts,OU=users,DC=alfrescotest,DC=org
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
# semicolon separated list of distinguished names of AD users to have administrative rights
ldap.synchronization.tenantAdminDn=CN=Smith, A,OU=users,DC=alfrescotest,DC=org
# group and user search bases - make as restrictive as possible
ldap.synchronization.groupSearchBase=OU=alfresco,OU=groups,DC=alfrescotest,DC=org
ldap.synchronization.userSearchBase=OU=users,DC=alfrescotest,DC=org
kerberos.authentication.enabled=false
# Run full sync every 4 hours.
ldap.synchronization.full.enabled=true
ldap.synchronization.full.cronExpression=0 0 0/4 * * ?
# group query
ldap.synchronization.groupQuery=(objectclass=group)
# group differential query
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(!(whenchanged<={0})))
# user/person sync: enabled normal accounts that are members of either Alfresco group
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(|(memberof=CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org)(memberof=CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org)))
# user/person differential sync: the (!(whenchanged...)) term must be closed before the (|(memberof...)) term
ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(whenchanged<={0}))(|(memberof=CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org)(memberof=CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org)))
Example alfresco-global.properties for fictional company alfrescotest.org
# Authentication and syncing
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@alfrescotest.org
ldap.authentication.java.naming.provider.url=ldap://alfrescotest.org:389
### LDAP synchronization settings ###
ldap.synchronization.java.naming.security.principal=CN=alf_ad,OU=service accounts,OU=users,DC=alfrescotest,DC=org
ldap.synchronization.java.naming.security.credentials=somepassword
# group and user search bases - make as restrictive as possible
ldap.synchronization.groupSearchBase=OU=alfresco,OU=groups,DC=alfrescotest,DC=org
ldap.synchronization.userSearchBase=OU=users,DC=alfrescotest,DC=org
# run sync every 4 hours
synchronization.import.cron=0 0 0/4 * * ?
# do full sync only
synchronization.synchronizeChangesOnly=false
# don't delete users or groups based on full sync
synchronization.allowDeletions=false
# Don't run a differential sync if a user who doesn't exist is able to authenticate
synchronization.syncWhenMissingPeopleLogIn=false
# Creates local users with no group membership so we disable
synchronization.autoCreatePeopleOnLogin=false
# group query
ldap.synchronization.groupQuery=(objectclass=group)
# group differential query
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(!(whenchanged<={0})))
# user/person sync: enabled normal accounts that are members of either Alfresco group
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(|(memberof=CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org)(memberof=CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org)))
# user/person differential sync: the (!(whenchanged...)) term must be closed before the (|(memberof...)) term
ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(whenchanged<={0}))(|(memberof=CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org)(memberof=CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org)))
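As an added example (not code from the original post, from Alfresco, or from either product), the Python below evaluates the logic of the personQuery used in both sample files against constructed directory entries: it applies the bitwise-AND matching rule 1.2.840.113556.1.4.803 to userAccountControl, applies the group membership clause, checks that a hand-edited filter string has balanced parentheses, and emulates what ldap.authentication.casesensitive does to a login lookup. The function names, the sample users, and the stricter filter variant that also excludes the ACCOUNTDISABLE bit are assumptions introduced here, not settings from the page.

```python
"""Offline check of the AD sync filter logic used in the sample properties
files: the bitwise-AND rule on userAccountControl, the group membership
clause, and the effect of ldap.authentication.casesensitive."""

# OID of LDAP_MATCHING_RULE_BIT_AND, as used in the page's personQuery.
BIT_AND_RULE_OID = "1.2.840.113556.1.4.803"
UAC_NORMAL_ACCOUNT = 512   # bit tested by the page's filter
UAC_ACCOUNTDISABLE = 2     # bit set on disabled AD accounts

ALLOWED_GROUPS = {
    "CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org",
    "CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org",
}

# personQuery as it appears in the sample properties files.
PERSON_QUERY = (
    "(&(objectclass=user)(userAccountControl:" + BIT_AND_RULE_OID + ":=512)"
    "(|(memberof=CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org)"
    "(memberof=CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org)))"
)

# Constructed sample directory entries (hypothetical, not real AD data).
SAMPLE_USERS = [
    {"sAMAccountName": "ASmith", "userAccountControl": 512,
     "memberOf": ["CN=AlfrescoUsers,OU=users,DC=alfrescotest,DC=org"]},
    # NORMAL_ACCOUNT + ACCOUNTDISABLE: a disabled account
    {"sAMAccountName": "bjones", "userAccountControl": 514,
     "memberOf": ["CN=AlfrescoAdmins,OU=users,DC=alfrescotest,DC=org"]},
    # enabled, but in neither Alfresco group
    {"sAMAccountName": "cdoe", "userAccountControl": 512, "memberOf": []},
]


def filter_is_balanced(ldap_filter):
    """True when every '(' in an LDAP filter string has a matching ')'.
    A cheap sanity check before pasting a hand-edited filter into a properties file."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def bit_and_matches(attr_value, filter_value):
    """Semantics of 1.2.840.113556.1.4.803: match when every bit set in
    filter_value is also set in attr_value; other bits are ignored."""
    return attr_value & filter_value == filter_value


def matches_page_filter(user):
    """Evaluate the page's personQuery: NORMAL_ACCOUNT bit set and member of an allowed group."""
    in_group = any(g in ALLOWED_GROUPS for g in user["memberOf"])
    return bit_and_matches(user["userAccountControl"], UAC_NORMAL_ACCOUNT) and in_group


def matches_strict_filter(user):
    """Assumed stricter variant: the page's filter plus
    (!(userAccountControl:1.2.840.113556.1.4.803:=2)), which drops disabled accounts."""
    disabled = bit_and_matches(user["userAccountControl"], UAC_ACCOUNTDISABLE)
    return matches_page_filter(user) and not disabled


def synced_user_ids(users, strict=False):
    """Return the sAMAccountNames a sync run would import under either filter."""
    check = matches_strict_filter if strict else matches_page_filter
    return [u["sAMAccountName"] for u in users if check(u)]


def find_user(users, login, case_sensitive):
    """Emulate ldap.authentication.casesensitive when resolving a login name."""
    for u in users:
        stored = u["sAMAccountName"]
        if stored == login or (not case_sensitive and stored.lower() == login.lower()):
            return u
    return None


if __name__ == "__main__":
    print("personQuery balanced:", filter_is_balanced(PERSON_QUERY))
    print("page filter syncs:", synced_user_ids(SAMPLE_USERS))
    print("strict filter syncs:", synced_user_ids(SAMPLE_USERS, strict=True))
    print("asmith, case-sensitive:", find_user(SAMPLE_USERS, "asmith", True))
    print("asmith, case-insensitive:", find_user(SAMPLE_USERS, "asmith", False)["sAMAccountName"])
```

Running it shows the caveat the filter in the samples carries: the bitwise-AND rule with 512 only requires the NORMAL_ACCOUNT bit, so a disabled account (userAccountControl 514) still satisfies the personQuery and gets synced, while the variant that also negates bit 2 keeps it out. It also shows why ldap.authentication.casesensitive=false matters: with the sensitive lookup, a login of asmith does not resolve to the ASmith entry at all.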
For additional information on your integrations, contact us today.