It is very important to choose a suitable security model at the beginning of the implementation of Alfresco.The authentication mechanisms, user profile, data storage, security settings, business rules, and so on, are all based on the security model you choose.
Alfresco imposes authentication through a user's login ID and password. This is where you choose a security model such as Alfresco's built-in membership system, NTLM (Windows NT LAN Manager), or LDAP (Lightweight Directory Access Protocol). These security models are explained in detail in the subsequent sections of this chapter.
Alfresco imposes authorization by assigning a role to a specific user (or group) for a specific space (or content). This will be the same irrespective of which model you choose.
The security model you choose will be based on the requirements of your enterprise. Let us consider the following sample scenarios:
Requirement: I would like to build an extranet as a standalone application to share documents with my customers. I have over 500 customers who will access the site, and I would like to control and manage the security. I need a flexible and highly-scalable membership system.
Probable solution: In this scenario, the out of the box Alfresco membership system would be able to solve the problem.
Requirement: I work in the IT department of a large university. Over the years, the various departments have developed their own sites with local authentication and authorization. Our university has a directory-based central authentication system. How can I consolidate all the sites and provide a central point of authentication and authorization for all our subsites?
Probable solution: In this scenario, it would make sense configuring Alfresco with LDAP for centralized identity management.
Requirement: In my enterprise we have various systems such as customer support, ERP, proprietary content management systems, and open source ECM Alfresco. Our employees have different accounts for each of these different systems and it is becoming unmanageable for us. We are looking for a single sign-on solution to access all our systems with one log in ID and password.
Probable solution: In this scenario Alfresco can be configured to use NTML to provide a single sign-on.
Alfresco's out of the box security system includes the following functionality:
Examples in this book are based on the out of the box Alfresco security model.
LDAP evolved from the X.500 OSI Directory Access Protocol. The LDAP directory is the central authentication engine for the enterprise, and serves as the Yellow Pages for user access and profile information. The biggest advantage of LDAP is that your enterprise can access the LDAP directory on almost any computing platform, using any one of the increasing numbers of readily-available LDAP-aware applications. In fact, LDAP is finding much wider industrial acceptance because of its status as an Internet standard.
You can use LDAP with any directory server such as iPlanet, Novell's eDirectory, Microsoft's Active Directory, or OpenLDAP. If you are planning to implement an LDAP directory in your organization, you may consider OpenLDAP, Active Directory, or eDirectory. OpenLDAP is a stable and widely accepted open-source directory server.
Listed in the following table are the differences between Active Directory and eDirectory:
Sr. no. |
Active Directory |
eDirectory |
---|---|---|
1 |
Active Directory (AD) is an implementation of the LDAP directory services by Microsoft. |
eDirectory is a Novell product known as NDS: Novell Directory Service. |
2 |
It offers a static view of the data. |
It supports a logical tree view of data. |
3 |
It supports simple updates without transactions. |
It supports hierarchical, object-oriented databases, and referential integrity. However, there is no transactional support. |
4 |
Its main purpose is to provide central authentication and authorization services for Windows-based computers. |
Apart from providing central authentication and authorization services, eDirectory can use any other hierarchical data model such as an organizational structure. |
5 |
One can manage AD by using the Active Directory Administrative Tool. |
iManager is a supportive Novell product, which is required to manage eDirectory. Using iManager, one can administer Novell eDirectory, along with many Novell and third-party products. |
Active Directory supports LDAP-based authentication. It can also support authentication using JAAS+Kerberos and NTLM authentication. Only NTLM will give you a single sign-on solution. We will discuss single sign-on later in this chapter. It is possible to use any authentication methods against an Active Directory server, and extract user and group information using LDAP.
For the LDAP to work with Alfresco, you have to make the some changes in the configuration files.
The custom version of the configurations file given below is available in the following location:
<alfresco>/jboss/server/default/conf/alfresco/extension
<alfresco>/tomcat/shared/classes/alfresco/extension
Follow the steps given below to configure LDAP-based authentication with Active Directory.
ldap-authentication-context.xml.sample
to ldap-
authentication-context.xml
.
ldap-authentication-context.xml
and comment the following block of code:<!-- <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
<property name="allowDeleteUser"> <value>true</value> </property>
</bean> -->
ldap-authentication.properties
file. Modify the properties to your required values. All other properties can be kept as it is in the file:ldap.authentication.userNameFormat=CN=%s,DC=company,DC=com
: Map the user ID entered by the user to be passed through LDAP, the %s is replaced with whatever the user types in as their user ID on the login screen.ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
: The name and port of you LDAP server; the standard port for LDAP is 389. ldap.authentication.java.naming.security.authentication=simple
: The authentication mechanism you want to use.ldap.authentication.java.naming.security.principal=admin
: The user that has read access to the group and people information to be extracted from the Active Directory server.ldap.authentication.java.naming.security.credentials=secret
: The password for the user defined above.file-server-custom.xml
file. Add the following code:<config evaluator="string-compare" condition="CIFS Server" replace="true"> <serverEnable enabled="false"/> <host name="${cifs.localname}A" domain="${cifs.domain}"/> <comment>Alfresco CIFS Server</comment> <!-- Set to the broadcast mask for the subnet --> <broadcast>${cifs.broadcast}</broadcast> <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux --> <tcpipSMB platforms="linux,solaris,macosx"/> <netBIOSSMB platforms="linux,solaris,macosx"/> <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports --> <!-- <tcpipSMB port="1445" platforms="linux,solaris,macosx"/> <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/> --> <hostAnnounce interval="5"/> <!-- Use Win32 NetBIOS interface on Windows --> <Win32NetBIOS/> <Win32Announce interval="5"/> <!-- CIFS authentication --> <authenticator type=" passthru "> <LocalDomain/> </authenticator> <!-- <WINS> <primary>1.2.3.4</primary> <secondary>5.6.7.8</secondary> </WINS> --> <sessionDebug flags="Negotiate,Socket"/> </config> <config evaluator="string-compare" condition="FTP Server" replace="true"> <serverEnable enabled="false"/> <!-- Run on a non-privileged port --> <!-- <port>1121</port> --> <!-- FTP authentication --> <authenticator type="alfresco"/> <!-- <debug flags="File,Search,Error,Directory,Info,DataPort"/> --> </config> <config evaluator="string-compare" condition="Filesystem Security" replace="true"> <authenticator type=" passthru "> <!-- the name of your ldap server -- > <Server> openldap.domain.com</Server> </authenticator> </config>
This authentication mechanism sends user names and passwords in plain text. It is the simplest to set up. This is supported by both Active Directory and OpenLDAP.
As you have already configured LDAP with Active Directory, the next step would be to extract information from Active Directory. This synchronization of people and groups between the Alfresco repository and LDAP is supported by scheduled jobs. These jobs extract the user or group information from the LDAP repository, and create the appropriate information as an Alfresco import XML file. This file is then imported into the repository.
Follow the steps given below to export users and groups from Active Directory.
ldap-synchronisation-context.xml.sample
file to ldap-synchronisation-context.xml
.ldap-synchronisation.properties
file. Modify the properties to the required values, as follows. All other properties can be kept unchanged in the file.ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)
and ldap.synchronisation.personSearchBase=dc=company,dc=com
: These two options combine to build the query to find people. In the example above, you will find all objects of type inetOrgPerson
anywhere in the directory.ldap.synchronisation.groupQuery=(objectclass=groupOfNames)
and ldap.synchronisation.groupSearchBase=dc=example,dc=com
: These two options combine to build the query to find groups. In the example above, you will find all objects of type groupOfNames
anywhere in the directory. On restarting, you will be able to login to the alfresco repository with only LDAP.
If you want to login to the Alfresco repository along with Alfresco users too, you have to make some more changes in the configuration files. This concept is known as Daisy Chaining.
Alfresco supports a pluggable authentication model. Out of the box, many authenticators are available such as NTLM, LDAP, Kerberos, and Alfresco. Also, you can have your own custom-built authentication system plugged into Alfresco, as shown below:
Authentication services may be daisy chained—one instance of Alfresco can have more than one user-source. However, the sequence in which these user data sources are daisy chained is important. When a user logs into the system, Alfresco checks for authentication in a defined sequence, as shown in the next figure:
Follow the steps given below to implement chaining:
:<configRoot>alfresco authentication-services-context.xml
.<bean id="authenticationComponentChain" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl"> <property name="authenticationComponents"> <list> <ref bean="authenticationComponentAlfresco"/> <ref bean="authenticationComponent"/> </list> </property> </bean> <bean id="authenticationComponentAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl" parent="authenticationComponentBase"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="allowGuestLogin"> <value>false</value> </property> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="personService"> <ref bean="personService" /> </property> <property name="transactionService"> <ref bean="transactionService" /> </property> </bean>
<bean id="authenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="ticketComponent"> <ref bean="ticketComponent" /> </property> <!--<property name="authenticationComponent"> <ref bean=" authenticationComponent " /> <This is the property to be modified to authenticationComponentChain > </property> -- > <property name="authenticationComponent"> <ref bean="authenticationComponentChain " /> </property> <property name="sysAdminCache"> <ref bean="sysAdminCache"/> </property> </bean>
NT LAN Manager (NTLM) is an authentication protocol used in various Microsoft network protocol implementations, and is also used throughout Microsoft's systems as an integrated single sign-on mechanism.
NTLM authentication can be used to provide single sign-on to Alfresco. Using this protocol, the password that is sent over the network is made more secure, than when using basic authentication. NTLM pass-through authentication can also be used to replace the standard Alfresco user database, and instead use a Windows server/domain controller, or a list of servers, to authenticate users accessing Alfresco. This eliminates the task of creating user accounts within Alfresco.
By using NTLM authentication, the web browser can automatically log on when accessing Alfresco and Alfresco WebDAV sites. When NTLM is configured, Internet Explorer will use your Windows log-on credentials when requested by the web server. Firefox and Mozilla also support the use of NTLM. For these, you will be prompted for the username/password details, which can then optionally be stored using the password manager. The Opera web browser does not support NTLM authentication. If an Opera browser is detected, you will be sent to the usual Alfresco login page.
Follow the steps given below to integrate Single sign-on.
web.xml
file. The location of the file depends on the application server used. For Tomcat this can be found in the tomcat/webapps/alfresco/web-inf
folder.<filter> <filter-name>Authentication Filter</filter-name> <!-- <filter- class>org.alfresco.web.app.servlet.AuthenticationFilter</filter- class> --> <!-- For Novell IChain support use the following filter --> <!-- <filter- class>org.alfresco.web.app.servlet.NovellIChainsHTTPRequestAuthenticationFilter</filter-class> --> <!-- For NTLM authentication support use the following filter --> <filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class> </filter> <filter> <filter-name>WebDAV Authentication Filter</filter-name> <!-- <filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class> --> <!-- For NTLM authentication support use the following filter --> <filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class> </filter>
tomcatsharedclassesalfrescoextension
tlm-authentication-context.xml.sample
file. Either rename the file to ntlm-authentication-context.xml
or create a new file with the name ntlm-authentication-context.xml
in the same location, and copy the code from sample file.<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" /> <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"> <property name="personService"> <ref bean="personService" /> </property> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="transactionService"> <ref bean="transactionComponent" /> </property> <property name="guestAccess"> <value>false</value> </property> <property name="servers"> <value>openldap.domain.com</value> </property> <property name="useLocalServer"> <value>true</value> </property> </bean>
file-server-custom.xml
file in the same location and add the following code:<config evaluator="string-compare" condition="FilesystemSecurity" replace="true"> <authenticator type="alfresco" /> </config> <config evaluator="string-compare" condition="CIFS Server"> <serverEnable enabled="true" replace="true" /> <host name="${cifs.localname}A" domain="${cifs.domain}"/> <comment>Alfresco CIFS Server</comment> <!-- Set to the broadcast mask for the subnet --> <broadcast>${cifs.broadcast}</broadcast> <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux --> <tcpipSMB platforms="linux,solaris,macosx"/> <netBIOSSMB platforms="linux,solaris,macosx"/> <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports --> <!-- <tcpipSMB port="1445" platforms="linux,solaris,macosx"/> <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/> --> <hostAnnounce interval="5"/> <!-- Use Win32 NetBIOS interface on Windows --> <Win32NetBIOS/> <Win32Announce interval="5"/> <!-- CIFS authentication --> <authenticator type="alfresco"> </authenticator> <!-- <WINS> <primary>1.2.3.4</primary> <secondary>5.6.7.8</secondary> </WINS> --> <sessionDebug flags="Negotiate,Socket"/> </config>
Here is a brief explanation of the integration of Alfresco and Liferay through SSO.
Liferay provides us with facilities to use LDAP for authentication. This can be set up by making changes in the out of the box portlet that is provided by Liferay (the EnterpriseAdmin
portlet).
Download the Alfresco WAR file. Refer to the link http://wiki.alfresco.com/wiki/Deploying_2.1WAR_Liferay4 to deploy alfresco WAR.
Log into Liferay by entering the following URL in the browser: http://servername: port/
. Click on the Auto Deploy tab of the EnterpriseAdmin portlet, locate and browse the alfresco.war
file. Soon, you will find the alfresco portlet on the Liferay Content Page.
Download the CAS server liferay-portal-cas-web-4.4.2.war
from http://sourceforge.net/project/showfiles.php?group_id=49260&package_id=42607. Download the CAS Client from http://www.ja sig.org/products/cas/downloads/index.html. Make changes to the ssl
section in order to open the port in the server.xml
file, and provide a location <liferay>/tomcat/conf
. Finally make the necessary configuration changes to enable filters and authentication.
Add the entry for the CAS filter in the web.xml
file that is provided at the location <liferay>/tomcat/webapps/liferay/web-inf
.
It is already explained in the section Configuring NTLM for Single sign-on.
http://servername :port/.
When you click on Sign in, it will redirect you to the CAS server login page. Enter the user ID and password of Active Directory. Once the authentication is done, it will redirect you to the Liferay URL with an already logged in status (with the username that you previously entered).