alfresco-docker-installer
Connect Alfresco with LDAPS
Good morning,
I'm using Angel's project and I'm trying to connect to LDAPS on port 636, but it doesn't connect and generates the following error line: 2022-09-26 12:01:58,845 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] Unable to connect to LDAP Server; check LDAP configuration javax.naming.CommunicationException: simple bind failed: 172.30.0.40:636 [Root exception is java.net.SocketException: Connection or outbound has closed]
The connection between servers is allowed.
Alfresco was also installed with the https protocol on port 8433.
The configuration in docker-compose.yml is as follows:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
-Dldap.authentication.allowGuestLogin=false
-Dldap.authentication.userNameFormat=%[email protected]
-Dldap.authentication.java.naming.provider.url=ldaps://xxx.xx.x.x:636
-Dldap.authentication.defaultAdministratorUserNames=admin
-Dldap.synchronization.java.naming.security.principal=xxxxxx
-Dldap.synchronization.java.naming.security.credentials=xxxxxxxxx
-Dldap.synchronization.groupSearchBase=OU=Groups,OU=xx,DC=xxxx,DC=com,DC=xx
-Dldap.synchronization.userSearchBase=OU=Users,OU=xxxxx,DC=xxx,DC=com,DC=xx
-Dauthentication.chain=alfinst:alfrescoNtlm,dc1:ldap-ad
Can anyone point me in the right direction or help me on this topic?
Do I really need to have the LDAPS server certificate and import it into the Alfresco container?
Thanks
Marco Gianini
You need to add the LDAP TLS certificate to Alfresco Truststore.
This may help: https://hub.alfresco.com/t5/alfresco-content-services-hub/ldap-over-ssl/ba-p/290005
Hi Angel,
Thanks for the information.
I saw that you need to import the certificate for Tomcat to recognize it, but as I'm not very experienced in working with Docker, I'm having some difficulties.
I have the .cer certificate issued by LDAP.
As we use your project's Dockerfile, I can't run the keytool import because it asks for a password and a new password.
I tried to copy the certificate into a new folder of the container and pointed docker-compose.yml to this location, but it generated an error. I also reported in docker-compose.yml
How can I install this certificate inside the Alfresco container?
In order to add the certificate to the LDAP connection, you need to use specific settings for the LDAP subsystem, since the mTLS communication keystores are not used for this configuration.
-Dldap.authentication.truststore.path=/usr/local/tomcat/keystore/ldap.jks
-Dldap.authentication.truststore.passphrase=password
-Dldap.authentication.truststore.type=JKS
-Dldap.authentication.java.naming.security.protocol=ssl
You can build this ldap.jks with keytool to add the .cer certificate issued by LDAP.
And use a volume to mount the external file ./keystore/ldap.jks into the Alfresco container:
alfresco:
  volumes:
    - ./keystore/ldap.jks:/usr/local/tomcat/keystore/ldap.jks
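The steps described in this reply, as an added example that is not part of alfresco-docker-installer or of the reply itself: a POSIX shell script that builds ldap.jks from the LDAP server's .cer without the interactive keytool prompts (the obstacle mentioned earlier in the thread), checks that the truststore really contains the certificate, and prints the docker-compose fragment with the four LDAP subsystem settings above. The alias "ldap-server", the local path ./keystore/ldap.jks, the passphrase argument and the constructed self-signed test certificate are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from alfresco-docker-installer or from the reply above:
# build the ldap.jks truststore from the LDAP server's .cer without interactive
# keytool prompts, verify it, and print the docker-compose fragment that mounts
# it and points the LDAP subsystem at it. The alias "ldap-server", the local
# path ./keystore/ldap.jks and the passphrase are assumptions, not thread values.
set -eu

# build_ldap_truststore CER_FILE JKS_FILE PASSPHRASE
# Creates a fresh JKS containing only the LDAP server (or issuing CA) certificate.
# -noprompt and -storepass replace the interactive "trust this certificate?" and
# password prompts that make keytool awkward to run inside a container build.
build_ldap_truststore() {
    cer="$1"; jks="$2"; pass="$3"
    rm -f "$jks"
    keytool -importcert -noprompt -trustcacerts \
        -alias ldap-server \
        -file "$cer" \
        -keystore "$jks" \
        -storetype JKS \
        -storepass "$pass" >/dev/null 2>&1
}

# count_trusted_entries JKS_FILE PASSPHRASE
# Prints the number of trustedCertEntry rows keytool lists; 1 is expected here.
# A wrong passphrase or an empty store yields 0, which is the check to run
# before blaming the TLS handshake.
count_trusted_entries() {
    keytool -list -keystore "$1" -storetype JKS -storepass "$2" 2>/dev/null \
        | grep -c 'trustedCertEntry' || true
}

# make_constructed_cert OUT_CER
# Constructed self-signed certificate used only as a stand-in for the .cer the
# LDAP server issued (assumption: openssl is on PATH). Never use this in place
# of the real server certificate.
make_constructed_cert() {
    tmpkey=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=ldap.example.test' \
        -keyout "$tmpkey" -out "$1" >/dev/null 2>&1
    rm -f "$tmpkey"
}

# print_compose_fragment PASSPHRASE
# The volume mount plus the four LDAP subsystem settings from the reply, passed
# through JAVA_TOOL_OPTIONS as the thread does; the passphrase is filled in.
print_compose_fragment() {
    cat <<EOF
  alfresco:
    volumes:
      - ./keystore/ldap.jks:/usr/local/tomcat/keystore/ldap.jks
    environment:
      JAVA_TOOL_OPTIONS: "
        -Dldap.authentication.truststore.path=/usr/local/tomcat/keystore/ldap.jks
        -Dldap.authentication.truststore.passphrase=$1
        -Dldap.authentication.truststore.type=JKS
        -Dldap.authentication.java.naming.security.protocol=ssl
      "
EOF
}

# Usage: sh build-ldap-truststore.sh path/to/certnew.cer ./keystore/ldap.jks PASSPHRASE
if [ "$#" -eq 3 ]; then
    build_ldap_truststore "$1" "$2" "$3"
    echo "trusted entries in $2: $(count_trusted_entries "$2" "$3")"
    print_compose_fragment "$3"
fi
```

Run it once on the host with the real .cer, commit nothing but the resulting ldap.jks path to the compose file, and keep the passphrase out of version control; the count check is the quick way to tell a truststore problem (0 entries, wrong passphrase) apart from a credential problem on the bind account, which the LDAP subsystem reports separately.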
Good morning Angel.
Thank you for your feedback; the execution was successful.
It is now successfully synchronizing with LDAPS.
Thanks
Angel, I apologize for reopening the case.
But it stopped working overnight.
Execution steps:
1 - From the .cer certificate issued by the LDAP server, I generated a .jks through the command:
keytool -importcert -file certnew.cer -keystore ldap.jks
and created a password.
2 - I added the lines in docker-compose.yml right at the beginning of the alfresco container:
JAVA_TOOL_OPTIONS: "
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede
-Dssl-keystore.password=keystore
-Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo
-Dssl-keystore.ssl-alfresco-ca.password=keystore
-Dssl-keystore.ssl-repo.password=keystore
-Dssl-truststore.password=truststore
-Dssl-truststore.aliases=alfresco-ca,ssl-repo-client
-Dssl-truststore.alfresco-ca.password=truststore
-Dssl-truststore.ssl-repo-client.password=truststore
-Dldap.authentication.truststore.path=/usr/local/tomcat/keystore/ldap.jks
-Dldap.authentication.truststore.passphrase=xxxxxx
-Dldap.authentication.truststore.type=JKS
-Dldap.authentication.java.naming.security.protocol=ssl
"
3 - Further down I added the LDAPS connection information:
-Dldap.authentication.allowGuestLogin=false
-Dldap.authentication.userNameFormat=%[email protected]
-Dldap.authentication.java.naming.security.authentication=SIMPLE
-Dldap.authentication.java.naming.read.timeout=30000
-Dldap.authentication.java.naming.provider.url=ldaps://xxxxxxxx.xxxxxxx.com.ar:636
-Dldap.authentication.defaultAdministratorUserNames=admin
-Dldap.synchronization.java.naming.security.principal=svc_alfresco
-Dldap.synchronization.java.naming.security.credentials=xxxxxxxxxxxxxxxxxxxxxxxx
-Dldap.synchronization.groupSearchBase=OU=Groups,OU=xxxxx,DC=xxxxxxxxxxx,DC=com,DC=xx
-Dldap.synchronization.userSearchBase=OU=Users,OU=xxxxxx,DC=xxxxxxxx,DC=com,DC=xx
-Dauthentication.chain=alfinst:alfrescoNtlm,dc1:ldap-ad
4 - I pointed it to an external volume where the .jks certificate is: /opt/xxx/keyldap/*.cer and *.jks
But when running, the following error message appears in the Alfresco console log: ERROR [security.sync.ChainingUserRegistrySynchronizer] [main] Synchronization aborted due to error org.alfresco.repo.security.authentication.AuthenticationException: 09190018 Failed to authenticate, username or password is wrong. User name:svc_alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]
It was working like this when I closed the ticket, but after a normal stop/start it stopped connecting.
Thanks