在 Alfresco 5.1 中使用两个 LDAP 配置身份验证和同步

Configure authentication and synchronization with two LDAP in Alfresco 5.1

我们执行从企业版 Alfresco 4.2 到 5.1 的迁移。 公司有两个 Active Directory 域(主域和子域),因此我们在 Alfresco 5.1 中配置了两个 LDAP(AD) 子系统。

属性结构: /opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2 /opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1

问题是身份验证和同步仅对一个 ldap-ad 子系统(ldap1 或 ldap2)起作用,它们在身份验证链列表中排名第一(ldap1 和 ldap2 不能一起工作)。

Authentication chain screenshot

例如,如果 ldap1 在列表中排名第一,则该用户从 ldap2 登录失败(反之亦然!)。 在这种情况下,我在 alfresco.log:

中查找错误
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext 

我的属性:

/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@fake.local
ldap.authentication.java.naming.provider.url=ldap://fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow

ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true

/opt/tomcat7/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@gss.fake.local
ldap.authentication.java.naming.provider.url=ldap://gss.fake.local:***
ldap.authentication.defaultAdministratorUserNames=fake_user
ldap.authentication.java.naming.referral=follow

ldap.synchronization.java.naming.security.principal=fake_user@fake.local
ldap.synchronization.java.naming.security.credentials=somepassword%
ldap.synchronization.groupSearchBase=ou=Archiv,ou=FileServerGroups,ou=Groups,dc=gss,dc=fake,dc=local
ldap.synchronization.userSearchBase=dc=gss,dc=fake,dc=local
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.userOrganizationalIdAttributeNameCustom=distinguishedName
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true

露天-global.properties

### Authentication ###
#authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad,alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad

提前致谢!

最后,我解决了与身份验证用户相关的问题。 我把参数的空字符串:

ldap.authentication.userNameFormat=

对于文件中的每个 LDAP 子系统 ldap-ad-authentication.properties.

之后,两个ldaps的用户都可以登录成功

ldap.authentication.userNameFormat

Specifies how to map the user identifier entered by the user to that passed through to LDAP. If set to an empty string (the default for the ldap subsystem), an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will be performed to resolve the DN from the user ID dynamically. This allows directories to be structured and does not require the user ID to appear in the DN.

If set to a non-empty value, the substring %s in this value will be replaced with the entered user ID to produce the ID passed to LDAP. This restricts LDAP user names to a fixed format. The recommended format of this value depends on your LDAP server.