liferay alfresco openldap opensso

Upload: dibpal

Posted on 02-Jun-2018


8/10/2019 Liferay Alfresco OpenLDap OpenSSO

Liferay + Alfresco + OpenSSO + LDAP Integration

    By Uchit Vyas

    [email protected]


    Liferay + Alfresco + OpenSSO + LDAP Integration 1

About the Author

Uchit Vyas is a B.Tech. graduate in Computer Science with a research interest in ESB and Cloud, and is a certified Cisco (CCNA), VMware (VSP) and Red Hat Linux (RHCE) professional. He works across multiple platforms at a time and integrates open source technologies. He works as a Sr. Consultant looking after AWS Cloud, Mule ESB, Alfresco and Liferay, and deploying Portal and ECM systems. He previously worked with TCS as an Assistant System Engineer.

With over 3 years of hands-on experience with open source technologies, he guides the team and delivers projects and trainings. He has given 13+ trainings on Cloud Computing, Continuous Delivery, Alfresco and Liferay within a couple of months. In past years he moved over 80% of Attune Infocom's business processes to the Cloud, implementing an agile SDLC methodology on Amazon, Rackspace and private clouds such as Eucalyptus and OpenStack. His skills extend to designing and managing Cloud environments, infrastructure and server architecture. He is also active in shell scripting and automated deployment, supporting hundreds of Linux and Windows physical and virtual servers hosting databases and applications, with Continuous Delivery using Jenkins / CruiseControl and Puppet / Chef scripting.


Table of Contents

I. LDAP Integration with Liferay
II. Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat
III. Alfresco OpenSSO Integration
IV. Enable LDAP Authentication and LDAP User Import in Alfresco


LDAP Integration with Liferay

ApacheDS

Download ApacheDS from http://directory.apache.org/apacheds/1.5/download/download-windows.html and run the Windows installer; simply follow the installer's instructions to finish the installation.

Check the Java version first (java -version): installing and using ApacheDS requires JRE 5 or later, on Windows XP or Vista.

By default the LDAP server listens on port 10389 (unencrypted, or StartTLS) and 10636 (SSL). A simple bind on 10389 without StartTLS, which is what the Liferay and Alfresco settings later in this document use, sends the password in cleartext; use 10636 or StartTLS for anything beyond a local test.

Installing an LDAP browser

Go to www.jxplorer.org and click Downloads > precompiled java package > Windows platform.
Save the file.
Click on the LDAP browser icon and follow the installation instructions.
Open JXplorer, click File and then Connect.
Change the port to 10389.

In the Level drop-down menu, choose User+Password.
Enter uid=admin,ou=system in the User DN field. The password is secret (the ApacheDS default administrator password; change it on any instance that is not a throwaway test).
Click Save and enter a name for the template.
Right-click on Example and click New.
Add inetOrgPerson to the Selected Classes (or use Suggest Classes).
To create a user, enter cn=uchit in the Enter RDN field and click OK.

In the Table Editor enter Uchit in the sn line and Uchit in the givenName line.
For mail enter [email protected], and for the user password enter test. Click Submit.
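The same inetOrgPerson entry written as LDIF by a small Python script, so the user can be loaded with an LDIF import instead of clicked together. This is an added example, not part of the original document: it assumes the base DN dc=example,dc=com that the Liferay settings later in this document use, the e-mail address is constructed, and it stores the password as an {SSHA} hash instead of the cleartext "test" the GUI steps enter (ApacheDS accepts both).

```python
import base64
import hashlib
import os

# Constructed to mirror the JXplorer steps above. The base DN dc=example,dc=com is an
# assumption taken from the Liferay LDAP settings later in this document.
BASE_DN = "dc=example,dc=com"


def ssha_hash(password, salt=None):
    """{SSHA} = base64(sha1(password + salt) + salt), understood by ApacheDS and OpenLDAP.

    Storing this instead of the cleartext 'test' means a dump of the directory does
    not hand out every user's password.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What the server does on a simple bind: recompute the hash with the stored salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_value(attr, value):
    """Encode one attribute line per RFC 2849: non-SAFE values are base64 after '::'."""
    safe = (
        value != ""
        and value.isascii()
        and value[0] not in " :<"
        and "\n" not in value
        and "\r" not in value
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def person_ldif(cn, sn, given_name, mail, password, base_dn=BASE_DN, salt=None):
    """LDIF for the inetOrgPerson entry the text builds by hand (RDN cn=<cn> under base_dn)."""
    attrs = [
        ("dn", f"cn={cn},{base_dn}"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "person"),
        ("objectClass", "top"),
        ("cn", cn),
        ("sn", sn),
        ("givenName", given_name),
        ("mail", mail),
        ("userPassword", ssha_hash(password, salt)),
    ]
    return "\n".join(ldif_value(a, v) for a, v in attrs) + "\n"


if __name__ == "__main__":
    # The address is constructed; feed the output to ldapmodify or JXplorer's LDIF import.
    print(person_ldif("uchit", "Uchit", "Uchit", "uchit@example.com", "test"))
```

The ldif_value helper matters more than it looks: a value with a leading space, a leading colon or a non-ASCII character must go base64-encoded, otherwise the import silently writes a different value than intended.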


Integration with Liferay

Now integrate the LDAP directory with Liferay. Log in to Liferay as an administrator (the default account [email protected], password test).

Once the user profile exists in LDAP, configure Liferay to import/export users from LDAP:

In Liferay go to Control Panel > Settings, then Authentication.
Under LDAP you will find a list of directory servers; select yours.
Configure your own connection (URL, base DN, principal and credentials) and test that the connection works, by clicking the Add button.

In the example above, checking the box to enable LDAP with Required means that login will require LDAP authentication: a user who fails the LDAP bind cannot fall back to the portal's own password.

Then set the other properties: the search filter can be changed to match on the screen name instead of the email address, and the group search filter can also be changed.

You can also enable import/export of users between LDAP and Liferay.

All of these properties can also be set in portal-ext.properties, found under webapps/ROOT/WEB-INF/classes/portal-ext.properties. Settings in portal-ext.properties override the defaults in portal.properties.

Now start the directory server and use an LDAP user in Liferay.

To summarise: install and start the directory server, enable LDAP in Liferay and select your directory server from the list (or use portal-ext.properties for the other settings), and use secret as the password.

Change the search filter from email to (cn=@screen_name@).
If you want import/export, check the box.
You can also test the connection and list the users; if the connection replies, everything is working.
When an LDAP user logs in for the first time, Liferay will ask them to accept the terms and conditions.

These are the relevant defaults in portal.properties, which already match the ApacheDS instance above; override what you need in portal-ext.properties (for this tutorial, enabling ldap.auth.enabled and ldap.import.enabled):

ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=false
ldap.auth.required=false
ldap.auth.method=bind

Note that ldap.import.security.credentials puts the directory administrator's password in a plain-text file on the portal server. Bind with a dedicated read-only account rather than uid=admin,ou=system, and restrict the file permissions on portal-ext.properties.
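Liferay substitutes the login name for @screen_name@ in the search filter above before it queries the directory. The added example below (my code, not Liferay's) parses the properties fragment, including the backslash-n separated user mappings, and shows why the substituted value must be escaped per RFC 4515: an unescaped name such as *)(cn=* turns the lookup into a wildcard match on any entry. The property names and values come from the fragment above; the login inputs are constructed.

```python
import re

# Properties copied from the portal-ext.properties fragment above. The mapping value
# uses the literal two characters backslash-n, which Java's properties loader turns
# into newlines; _unescape() below does the same.
PROPS_TEXT = r"""
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.auth.search.filter=(cn=@screen_name@)
"""


def _unescape(value):
    """java.util.Properties value escapes: \\n, \\t and a backslash before = : # ! or \\."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal key=value properties reader (no continuation lines)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = _unescape(value.strip())
    return props


def parse_user_mappings(value):
    """Split Liferay's newline-separated 'portalField=ldapAttribute' mapping string."""
    return dict(pair.split("=", 1) for pair in value.split("\n") if pair)


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template, screen_name, escape=True):
    """Substitute @screen_name@ into the filter; escape=False shows the injection case."""
    name = escape_filter_value(screen_name) if escape else screen_name
    return template.replace("@screen_name@", name)


def is_single_equality_filter(f):
    """Check the finished filter still has the shape (attr=value): no wildcard, no nesting."""
    return re.fullmatch(r"\([A-Za-z][A-Za-z0-9-]*=[^()*]*\)", f) is not None


if __name__ == "__main__":
    props = parse_properties(PROPS_TEXT)
    print(parse_user_mappings(props["ldap.import.user.mappings"]))
    for name in ("uchit", "*)(cn=*"):                  # constructed login inputs
        for escape in (False, True):
            f = build_auth_filter(props["ldap.auth.search.filter"], name, escape)
            print(f"escape={escape!s:5} {f!r:32} single-entry={is_single_equality_filter(f)}")
```

With ldap.auth.method=bind, the filter only selects the DN Liferay then binds with, so the wildcard case ends up binding as whichever entry the server returns first; the escaped form keeps the lookup pinned to the one name the user typed.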

Integrating OpenSSO / OpenAM with Liferay Portal on Tomcat

Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October 2009). Make sure that your JAVA_HOME environment variable is correctly set to point to your Java 6 installation.

(This section follows http://www.objectpartners.com/2010/08/16/integrating-opensso-openam-with-liferay-portal-on-tomcat/)

For OpenSSO to work correctly with Liferay Portal, both servers need to be running in the same domain, because the OpenSSO session cookie is scoped to that domain and the browser will not send it to a host outside it. To solve this while running both servers on a single machine, edit the hosts file (/etc/hosts, or %SystemRoot%\system32\drivers\etc\hosts on Windows) and add or update your localhost entry:

127.0.0.1 localhost localhost.example.com

where example.com is your actual domain. This document uses uchit.info.com as the host name, so the entry becomes:

127.0.0.1 localhost uchit.info.com

Install OpenSSO/OpenAM

Download the latest OpenAM build (OpenAM Snapshot 9.5.1 RC1 at the time of writing) from http://www.forgerock.com/downloads.html.

Download the latest Tomcat (6.0.32) from http://tomcat.apache.org/download-60.cgi.

Installation of the Tomcat server consisted of:

Unzip the apache-tomcat-6.0.32 zip file. This will create an apache-tomcat-6.0.32 folder.

As both Liferay Portal and OpenAM will be running on the same machine, the ports used by the OpenAM Tomcat server need to be changed so they do not collide with Liferay's Tomcat.

Edit apache-tomcat-6.0.32/conf/server.xml and change all of the ports from 8xxx to 9xxx, for example 8080 to 9080, 8443 to 9443, and so on.

On Linux/macOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh

Installation of OpenAM consisted of:

Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.

Copy opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.32/webapps/.

In apache-tomcat-6.0.32/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.

After Tomcat has deployed OpenAM, you will see the exploded war file as apache-tomcat-6.0.32/webapps/opensso.

Open a browser to http://uchit.info.com:9080/opensso, which should redirect you to http://uchit.info.com:9080/opensso/config/options.htm to complete the OpenAM configuration.

You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:


The first step is to choose a password for the default administrator account (amAdmin). The password needs to be at least 8 characters long (this document uses upassword; pick something stronger for any real deployment). Once a valid password has been entered twice, the Next button will appear and the configuration can proceed.

On the server settings page, the Server URL and the Configuration Directory both need some attention. By default the Server URL will be the address that was typed to reach the server. The problem is that it must be a fully qualified domain name, so if the page was accessed via localhost or an IP address it will cause problems. This is why the server was made reachable as uchit.info.com.

The other setting on this page to take note of is the Configuration Directory. It is important that the user Apache Tomcat is running under has write access to that directory; ~/openam/config is appropriate for this purpose.

Supported Platform Locales are en_US (English), de (German), es (Spanish), fr (French), ja (Japanese), zh_CN (Simplified Chinese), or zh_TW (Traditional Chinese).

The Configuration Data Store Settings do not need to be changed when working with a single-server configuration.

The User Data Store Settings are what connect OpenAM to the directory server. Most of these settings require some attention; fields which require changing are marked with an asterisk (*). The tutorial keeps the store type at OpenDS but points it at the ApacheDS instance from Section I:

*User Data Store Type: OpenDS
SSL/TLS Enabled: not ticked (the administrator bind and every user lookup then travel in cleartext; tick it and use port 10636 outside a local test)
*Directory Name: uchit.info.com
*Port: 10389
*Root Suffix: dc=example,dc=com

*Login ID: uid=admin,ou=system
*Password: secret

The configurator does not give the option to continue until all the settings have been correctly specified and it has successfully connected to the directory instance.

OpenAM is not installed behind a load balancer in this test deployment, so Site Configuration can be left at the default.

The policy agent password once again needs to be 8 characters or more, and it must also be different from the administrator password. In this case we will use 'apassword', although the policy agent user is not used in this tutorial.

The Summary page shows a brief summary of the settings that were defined in the previous few steps before the configuration is created. Clicking Create Configuration will begin the configuration process. This will create the configuration for your OpenAM server under ~/opensso (or C:\Documents and Settings\{username}\opensso).

The Configuration Progress screen will display the progress of the installation and takes a couple of minutes to run through. All of the output on this screen, as well as any errors, is written to the file ~/openam/config/install.log. Assuming success, a "Configuration Complete!" view will appear, providing a link to the login page.

In case it did not succeed, check the troubleshooting guide at
https://wikis.forgerock.org/confluence/display/openam/Common+Install+Issues

When this completes, in the Configuration Complete dialog click Proceed to Login, which should now redirect you to http://uchit.info.com:9080/opensso/UI/Login.

Type amAdmin as the username and the administrator password chosen earlier (upassword) as the password, and click Log In. You should now see the OpenAM Console.

For detailed information about the OpenAM Console, see https://wikis.forgerock.org/confluence/display/openam/Home and http://wikis.sun.com/display/OpenSSO/Sun+OpenSSO+Enterprise+8.0+Documentation+Center. You can now delete the opensso.war file from the apache-tomcat-6.0.32/webapps/ directory.

Additional OpenAM Configuration

To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login.

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Security tab.
5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
6. Click Save.

To resolve the infinite redirection problem, also set the advanced property:

1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Advanced tab.
5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
6. Click Save.

Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, [email protected], to OpenAM.

1. In the OpenAM Console, select the Access Control tab.
2. Click the / (Top Level Realm) realm.
3. Select the Subjects tab.
4. Click New.
5. Set up the default Liferay user:
   ID: test
   First Name: test
   Last Name: test
   Full Name: test
   Password: test
6. Click OK to create the user.
7. Click test to add the email address. Enter [email protected] as the Email Address, and click Save.

[Note: use uid as the naming attribute when creating users in LDAP for OpenAM.]

Integrate Liferay Portal with OpenAM

Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.

1. If Liferay is running, shut it down (bin/shutdown).
2. Create a new file called portal-ext.properties in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
3. Edit this file, and add the following properties:

open.sso.auth.enabled=true
open.sso.login.url=http://uchit.info.com:9080/opensso/UI/Login?goto=http://uchit.info.com:8080/c/portal/login
open.sso.logout.url=http://uchit.info.com:9080/opensso/UI/Logout?goto=http://uchit.info.com:8080/web/guest/home
open.sso.service.url=http://uchit.info.com:9080/opensso
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn

4. Start Liferay (bin/startup).

Once Liferay has started, open a browser to http://uchit.info.com:8080, and you should be redirected to the OpenAM login page (http://uchit.info.com:9080/opensso/UI/Login). Enter test for the User Name and test for the Password, and click Log In.

You will be authenticated against OpenAM and redirected to Liferay.

Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on first login. The newly created Liferay user will only have the basic information filled in (First Name, Last Name, Screen Name, Email Address) and will have the default Roles, Groups, and Organizations assigned. Because account creation is automatic, anyone who can create a subject in OpenAM obtains a portal account; keep subject creation restricted to administrators.

[Note: you can also integrate Liferay and OpenSSO from the Liferay Control Panel -> Settings -> Authentication -> OpenSSO tab.]
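What the portal does with open.sso.service.url after the redirect back: it reads the OpenAM session cookie (iPlanetDirectoryPro by default), asks OpenAM whether that token is valid, and only then fetches the attributes named by open.sso.screen.name.attr and the other open.sso.*.attr properties. The added example below (not Liferay's own code) reproduces that exchange in Python against OpenSSO's identity REST endpoints, /identity/isTokenValid and /identity/attributes, using the response formats those endpoints return (a boolean=true line, and userdetails.attribute.name / userdetails.attribute.value line pairs). The HTTP transport is injectable so the sample runs offline against a constructed stand-in for OpenAM; the session id and subject values in the stub are made up.

```python
import urllib.parse
import urllib.request

SERVICE_URL = "http://uchit.info.com:9080/opensso"   # open.sso.service.url from the page
ATTR_MAP = {                                          # open.sso.*.attr values from the page
    "screenName": "uid",
    "emailAddress": "mail",
    "firstName": "givenname",
    "lastName": "sn",
}


def http_post(url, params):
    """Real transport: POST form-encoded params to OpenAM and return the body as text."""
    data = urllib.parse.urlencode(params).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return resp.read().decode("utf-8")


def parse_attributes(body):
    """Collect the userdetails.attribute.name / .value line pairs into {name: [values]}."""
    attrs, current = {}, None
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "userdetails.attribute.name":
            current = value.lower()
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def resolve_user(token, service_url=SERVICE_URL, post=http_post):
    """Validate the session token with OpenAM and map its attributes to portal fields.

    Returns None when the token is missing, rejected, or lacks a mapped attribute.
    """
    if not token:
        return None
    valid = post(service_url + "/identity/isTokenValid", {"tokenid": token}).strip()
    if valid != "boolean=true":
        return None                      # the cookie value alone proves nothing
    body = post(service_url + "/identity/attributes", {"subjectid": token})
    attrs = parse_attributes(body)
    user = {}
    for field, ldap_attr in ATTR_MAP.items():
        values = attrs.get(ldap_attr.lower())
        if not values:
            return None                  # refuse to auto-create a half-populated account
        user[field] = values[0]
    return user


# Constructed stand-in for OpenAM so the sample runs offline: the session id and the
# subject's values are made up, only the line formats are OpenSSO's.
FAKE_SESSIONS = {
    "session-id-1": (
        "userdetails.token.id=session-id-1\n"
        "userdetails.attribute.name=uid\nuserdetails.attribute.value=test\n"
        "userdetails.attribute.name=mail\nuserdetails.attribute.value=test@liferay.com\n"
        "userdetails.attribute.name=givenName\nuserdetails.attribute.value=test\n"
        "userdetails.attribute.name=sn\nuserdetails.attribute.value=test\n"
    ),
}


def fake_openam_post(url, params):
    token = params.get("tokenid") or params.get("subjectid")
    if url.endswith("/identity/isTokenValid"):
        return "boolean=true\n" if token in FAKE_SESSIONS else "boolean=false\n"
    if url.endswith("/identity/attributes"):
        return FAKE_SESSIONS.get(token, "exception.message=invalid token\n")
    raise ValueError("unexpected endpoint " + url)


if __name__ == "__main__":
    print(resolve_user("session-id-1", post=fake_openam_post))   # mapped user
    print(resolve_user("forged-cookie-value", post=fake_openam_post))   # None
```

Two failure modes are handled deliberately: a forged or expired cookie is rejected by OpenAM before any attribute is read, and a subject missing one of the four mapped attributes is not turned into a portal account, since the portal would otherwise create it with blank fields.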


Alfresco OpenSSO Integration

Download and install Alfresco (3.4.d) from http://wiki.alfresco.com/wiki/Download_Community_Edition.

Now open http://uchit.info.com:8080/alfresco/ and log in.
User Name: admin   Password: password

DEPLOYMENT
==========

1. Build the jar from the sources, or download the latest release of the filter from
http://repository.sourcesense.com/nexus/content/groups/public/com/sourcesense/alfresco/alfresco-opensso/
2. Download the OpenSSO client SDK from
http://repository.sourcesense.com/nexus/content/repositories/thirdparty/com/sun/identity/openssoclientsdk/8.0/openssoclientsdk-8.0.jar
3. Copy both jars to /tomcat/webapps/alfresco/WEB-INF/lib
4. Create the file AMConfig.properties in /tomcat/webapps/alfresco/WEB-INF/classes. An example of this file:

com.iplanet.am.naming.url=http://uchit.info.com:9080/opensso/namingservice
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.app.username=amAdmin
com.iplanet.am.service.password=upassword

5. Change the values to reflect your OpenSSO installation. This file holds the OpenSSO administrator's password in clear text inside the Alfresco webapp, so prefer a dedicated agent account with the minimum rights over amAdmin where you can, and restrict read permissions on the file.
6. Replace the authentication filter in /tomcat/webapps/alfresco/WEB-INF/web.xml:

<filter>
   <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
   <filter-name>Authentication Filter</filter-name>
   <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
   <init-param>
      <param-name>beanName</param-name>
      <param-value>AuthenticationFilter</param-value>
   </init-param>
</filter>

with

<filter>
   <filter-name>Authentication Filter</filter-name>
   <filter-class>com.sourcesense.alfresco.opensso.AlfrescoOpenSSOFilter</filter-class>
   <init-param>
      <param-name>opensso.url</param-name>
      <param-value>http://uchit.info.com:9080/opensso</param-value>
   </init-param>
</filter>

USAGE
=====

Accessing Alfresco's home will redirect the browser to the OpenSSO login page.
After a successful login, OpenSSO will redirect the browser back to Alfresco.
If the user does not exist in Alfresco, it will be created. The groups associated with the user in OpenSSO will be created in Alfresco, and the user will be associated with these groups.
If the user's groups are changed in OpenSSO, the filter will reflect those changes at the moment of login.


No group will be deleted in Alfresco, just the user's association with the groups.

In order to access Alfresco administration, the "admin" user must be created in OpenSSO as well. Whoever controls that OpenSSO subject therefore controls the Alfresco administrator account.

Enable LDAP Authentication and LDAP User Import in Alfresco

1. This step is not necessary for Web SSO, but I recommend it because it lets you manage users from the Alfresco Admin Console (Browser/Explorer or Share): edit, delete, create groups and grant permissions.

2. Add the following properties to ${ALF_HOME}\tomcat\shared\classes\alfresco-global.properties:

# The default authentication chain
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
# These options are for test purposes, to run a full synchronisation every minute
# at 15 seconds; you should certainly tune them to your needs
synchronization.import.cron=15 * * * * ?
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=false

3. Create the folder \subsystems\Authentication\ldap\ldap1 under ${ALF_HOME}\tomcat\shared\classes\alfresco\extension.


4. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder created above.

5. Modify ldap-authentication.properties to enable LDAP authentication and sync. For example, you can use the file below. It only works for an LDAP tree with uid as the RDN; the user created in Section I sits at cn=uchit directly under dc=example,dc=com, so adjust userNameFormat to where your users actually are, or leave it unset so the DN is resolved by query. Two settings in it are test-only: a simple bind over ldap:// on port 10389 sends every user's password in cleartext (use ldaps:// on 10636), and allowGuestLogin=true.

# This flag enables use of this LDAP subsystem for authentication. It may be that
# this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

# This properties file brings together the common options for LDAP
# authentication rather than editing the bean definitions
ldap.authentication.allowGuestLogin=true

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#   - this must be a DN and would be something like
#     uid=%s,ou=People,dc=company,dc=com
# - digest
#   - usually pass through what is entered
#     %s
# If not set, an LDAP query involving ldap.synchronization.personQuery
# and ldap.synchronization.userIdAttributeName will be performed to
# resolve the DN dynamically. This allows directories to be structured
# and doesn't require the user ID to appear in the DN.
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
#ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://uchit.info.com:10389

# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and
# contains commas, and the escaped \, is pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider
# as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
#ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.

    ldap.synchronization.queryBatchSize=0

    # If positive, this property indicates that range retrieval should be used to

    fetch

  • 8/10/2019 Liferay Alfresco OpenLDap OpenSSO

    32/35

    Liferay + Alfresco + OpenSSO + LDAP Integration 31

    # multi-valued attributes (such as member) in batches of the specified size.

    # Overcomes any size limits imposed by Active Directory.

    ldap.synchronization.attributeBatchSize=0

    # The query to select all objects that represent the groups to import.

    ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

    # The query to select objects that represent the groups to import that have

    changed since a certain time.

    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfN

    ames)(!(modifyTimestamp

  • 8/10/2019 Liferay Alfresco OpenLDap OpenSSO

    33/35

    32 Liferay + Alfresco + OpenSSO + LDAP Integration

    ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=co

    m

    # The user search base restricts the LDAP user query to a sub section of

    tree on the LDAP server.

    ###

    ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=co

    m

    ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com

    # The name of the operational attribute recording the last update time for

    a group or user.

    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

    # The timestamp format. Unfortunately, this varies between directory

    servers.

    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

    # The attribute name on people objects found in LDAP to use as the uid

    in Alfresco

    ldap.synchronization.userIdAttributeName=uid

    # The attribute on person objects in LDAP to map to the first name

    property in Alfresco

    ldap.synchronization.userFirstNameAttributeName=givenName

  • 8/10/2019 Liferay Alfresco OpenLDap OpenSSO

    34/35

    Liferay + Alfresco + OpenSSO + LDAP Integration 33

    # The attribute on person objects in LDAP to map to the last name

    property in Alfresco

    ldap.synchronization.userLastNameAttributeName=sn

    # The attribute on person objects in LDAP to map to the email property

    in Alfresco

    ldap.synchronization.userEmailAttributeName=mail

    # The attribute on person objects in LDAP to map to the organizational id

    property in Alfresco

    ldap.synchronization.userOrganizationalIdAttributeName=o

    # The default home folder provider to use for people created via LDAP

    import

    ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

    # The attribute on LDAP group objects to map to the authority name

    property in Alfresco

    ldap.synchronization.groupIdAttributeName=cn

    # The attribute on LDAP group objects to map to the authority display

    name property in Alfresco

    ldap.synchronization.groupDisplayNameAttributeName=description

    # The group type in LDAP

  • 8/10/2019 Liferay Alfresco OpenLDap OpenSSO

    35/35

    ldap.synchronization.groupType=groupOfNames

    # The person type in LDAP

    ldap.synchronization.personType=inetOrgPerson

    # The attribute in LDAP on group objects that defines the DN for its

    members

    ldap.synchronization.groupMemberAttributeName=member

    # If true progress estimation is enabled. When enabled, the user query has

    to be run twice in order to count entries.

    ldap.synchronization.enableProgressEstimation=true
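The sample file above leaves several settings at values a reviewer would question before going live (guest login on, a simple bind over plain ldap://, the sync password in the file, an unpaged sync). The script below is an added example written for this page, not Alfresco's code and not the author's: it parses a properties file in the Java format shown above, reconstructs the bind DN that userNameFormat and escapeCommasInBind produce for a login name, and reports those settings. SAMPLE is a constructed, abridged copy of the page's properties, the finding codes are invented for this example, and bind_dn() is a simplified model of Alfresco's behaviour rather than its implementation.

```python
"""Review Alfresco's ldap-authentication.properties before enabling LDAP.

Added example for this page, not Alfresco's code nor the author's. SAMPLE is
constructed from the properties listed above, the finding codes are invented
here, and bind_dn() is a simplified model (an assumption) of how
userNameFormat and escapeCommasInBind combine.
"""

# Constructed sample, abridged from the page's properties.
SAMPLE = """\
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid\\=%s,ou\\=people,dc\\=example,dc\\=com
#ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://uchit.info.com:10389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid\\=admin,ou\\=system
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=0
"""


def _unescape(s):
    """Drop the backslash from escapes such as \\= (the only kind this file uses)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties reader: comment lines are skipped and each
    entry splits at the first unescaped '=' or ':'. A repeated key overwrites
    the earlier value, as in Java, so a stray uncommented duplicate wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, escaped, in_key = [], [], False, True
        for ch in line:
            if not in_key:
                value.append(ch)
            elif escaped:
                key.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch in "=:":
                in_key = False
            else:
                key.append(ch)
        props["".join(key).strip()] = _unescape("".join(value).strip())
    return props


def is_true(value):
    return str(value).strip().lower() == "true"


def bind_dn(props, username):
    """DN used for the simple bind: %s in userNameFormat replaced by the login
    name; commas in the name are escaped only when escapeCommasInBind=true."""
    if is_true(props.get("ldap.authentication.escapeCommasInBind")):
        username = username.replace(",", "\\,")
    return props.get("ldap.authentication.userNameFormat", "%s").replace("%s", username)


def review(props):
    """Return (code, message) findings for the settings worth a second look."""
    get = props.get
    findings = []
    url = get("ldap.authentication.java.naming.provider.url", "")
    if is_true(get("ldap.authentication.allowGuestLogin")):
        findings.append(("GUEST_LOGIN", "allowGuestLogin=true keeps unauthenticated guest access enabled"))
    if get("ldap.authentication.java.naming.security.authentication") == "simple" and url.startswith("ldap://"):
        findings.append(("CLEARTEXT_BIND", f"simple bind over {url}: passwords travel unencrypted; use ldaps:// or StartTLS"))
    if get("ldap.synchronization.java.naming.security.credentials"):
        findings.append(("PLAINTEXT_SYNC_PASSWORD", "sync password sits in the properties file; restrict its permissions and use a read-only account"))
    admins = [a.strip() for a in get("ldap.authentication.defaultAdministratorUserNames", "").split(",") if a.strip()]
    if admins:
        findings.append(("LDAP_ADMINS", f"LDAP users {admins} become Alfresco administrators on login"))
    if is_true(get("ldap.synchronization.active")) and get("ldap.synchronization.queryBatchSize", "0") == "0":
        findings.append(("NO_PAGING", "queryBatchSize=0: unpaged sync may be truncated by the server's size limit"))
    return findings


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    print("bind DN for jdoe:", bind_dn(cfg, "jdoe"))
    for code, message in review(cfg):
        print(f"[{code}] {message}")
```

Run it against the real file with `review(parse_properties(open(path).read()))`. Two details are worth noticing: the parser follows Java's last-one-wins rule, so the commented-out `#...provider.url` and `###...principal` lines on the page are harmless only because they stay commented; and with `escapeCommasInBind=false` a login name containing a comma is spliced into the DN unchanged, which is exactly the case the page's comment on that option describes.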