It is very important to choose a suitable security model at the beginning of the implementation of Alfresco.The authentication mechanisms, user profile, data storage, security settings, business rules, and so on, are all based on the security model you choose.
Alfresco imposes authentication through a user's login ID and password. This is where you choose a security model such as Alfresco's built-in membership system, NTLM (Windows NT LAN Manager), or LDAP (Lightweight Directory Access Protocol). These security models are explained in detail in the subsequent sections of this chapter.
Alfresco imposes authorization by assigning a role to a specific user (or group) for a specific space (or content). This will be the same irrespective of which model you choose.
The security model you choose will be based on the requirements of your enterprise. Let us consider the following sample scenarios:
- Scenario 1:
Requirement: I would like to build an extranet as a standalone application to share documents with my customers. I have over 500 customers who will access the site, and I would like to control and manage the security. I need a flexible and highly-scalable membership system.
Probable solution: In this scenario, the out of the box Alfresco membership system would be able to solve the problem.
- Scenario 2:
Requirement: I work in the IT department of a large university. Over the years, the various departments have developed their own sites with local authentication and authorization. Our university has a directory-based central authentication system. How can I consolidate all the sites and provide a central point of authentication and authorization for all our subsites?
Probable solution: In this scenario, it would make sense configuring Alfresco with LDAP for centralized identity management.
- Scenario 3:
Requirement: In my enterprise we have various systems such as customer support, ERP, proprietary content management systems, and open source ECM Alfresco. Our employees have different accounts for each of these different systems and it is becoming unmanageable for us. We are looking for a single sign-on solution to access all our systems with one log in ID and password.
Probable solution: In this scenario Alfresco can be configured to use NTML to provide a single sign-on.
Alfresco's out of the box security system includes the following functionality:
- User management
- Provision of a user's personal information
- User authentication
- Group management
- Ownership of nodes within the repository
- An extendable permission model
- Access control, in order to make sure that calls to public services are restricted to only the authenticated users
Examples in this book are based on the out of the box Alfresco security model.
LDAP evolved from the X.500 OSI Directory Access Protocol. The LDAP directory is the central authentication engine for the enterprise, and serves as the Yellow Pages for user access and profile information. The biggest advantage of LDAP is that your enterprise can access the LDAP directory on almost any computing platform, using any one of the increasing numbers of readily-available LDAP-aware applications. In fact, LDAP is finding much wider industrial acceptance because of its status as an Internet standard.
You can use LDAP with any directory server such as iPlanet, Novell's eDirectory, Microsoft's Active Directory, or OpenLDAP. If you are planning to implement an LDAP directory in your organization, you may consider OpenLDAP, Active Directory, or eDirectory. OpenLDAP is a stable and widely accepted open-source directory server.
Listed in the following table are the differences between Active Directory and eDirectory:
|
Sr. no. |
Active Directory |
eDirectory |
|---|---|---|
|
1 |
Active Directory (AD) is an implementation of the LDAP directory services by Microsoft. |
eDirectory is a Novell product known as NDS: Novell Directory Service. |
|
2 |
It offers a static view of the data. |
It supports a logical tree view of data. |
|
3 |
It supports simple updates without transactions. |
It supports hierarchical, object-oriented databases, and referential integrity. However, there is no transactional support. |
|
4 |
Its main purpose is to provide central authentication and authorization services for Windows-based computers. |
Apart from providing central authentication and authorization services, eDirectory can use any other hierarchical data model such as an organizational structure. |
|
5 |
One can manage AD by using the Active Directory Administrative Tool. |
iManager is a supportive Novell product, which is required to manage eDirectory. Using iManager, one can administer Novell eDirectory, along with many Novell and third-party products. |
Active Directory supports LDAP-based authentication. It can also support authentication using JAAS+Kerberos and NTLM authentication. Only NTLM will give you a single sign-on solution. We will discuss single sign-on later in this chapter. It is possible to use any authentication methods against an Active Directory server, and extract user and group information using LDAP.
For the LDAP to work with Alfresco, you have to make the some changes in the configuration files.
The custom version of the configurations file given below is available in the following location:
- JBoss:
<alfresco>/jboss/server/default/conf/alfresco/extension - Tomcat:
<alfresco>/tomcat/shared/classes/alfresco/extension
Follow the steps given below to configure LDAP-based authentication with Active Directory.
- Rename
ldap-authentication-context.xml.sampletoldap-authentication-context.xml. - Open the file
ldap-authentication-context.xmland comment the following block of code:<!-- <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" ><property name="allowDeleteUser"> <value>true</value> </property></bean> --> - Open the
ldap-authentication.propertiesfile. Modify the properties to your required values. All other properties can be kept as it is in the file:ldap.authentication.userNameFormat=CN=%s,DC=company,DC=com: Map the user ID entered by the user to be passed through LDAP, the %s is replaced with whatever the user types in as their user ID on the login screen.ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389: The name and port of you LDAP server; the standard port for LDAP is 389.ldap.authentication.java.naming.security.authentication=simple: The authentication mechanism you want to use.ldap.authentication.java.naming.security.principal=admin: The user that has read access to the group and people information to be extracted from the Active Directory server.ldap.authentication.java.naming.security.credentials=secret: The password for the user defined above.
- Open the
file-server-custom.xmlfile. Add the following code:<config evaluator="string-compare" condition="CIFS Server" replace="true"> <serverEnable enabled="false"/> <host name="${cifs.localname}A" domain="${cifs.domain}"/> <comment>Alfresco CIFS Server</comment> <!-- Set to the broadcast mask for the subnet --> <broadcast>${cifs.broadcast}</broadcast> <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux --> <tcpipSMB platforms="linux,solaris,macosx"/> <netBIOSSMB platforms="linux,solaris,macosx"/> <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports --> <!-- <tcpipSMB port="1445" platforms="linux,solaris,macosx"/> <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/> --> <hostAnnounce interval="5"/> <!-- Use Win32 NetBIOS interface on Windows --> <Win32NetBIOS/> <Win32Announce interval="5"/> <!-- CIFS authentication --> <authenticator type=" passthru "> <LocalDomain/> </authenticator> <!-- <WINS> <primary>1.2.3.4</primary> <secondary>5.6.7.8</secondary> </WINS> --> <sessionDebug flags="Negotiate,Socket"/> </config> <config evaluator="string-compare" condition="FTP Server" replace="true"> <serverEnable enabled="false"/> <!-- Run on a non-privileged port --> <!-- <port>1121</port> --> <!-- FTP authentication --> <authenticator type="alfresco"/> <!-- <debug flags="File,Search,Error,Directory,Info,DataPort"/> --> </config> <config evaluator="string-compare" condition="Filesystem Security" replace="true"> <authenticator type=" passthru "> <!-- the name of your ldap server -- > <Server> openldap.domain.com</Server> </authenticator> </config>
This authentication mechanism sends user names and passwords in plain text. It is the simplest to set up. This is supported by both Active Directory and OpenLDAP.
As you have already configured LDAP with Active Directory, the next step would be to extract information from Active Directory. This synchronization of people and groups between the Alfresco repository and LDAP is supported by scheduled jobs. These jobs extract the user or group information from the LDAP repository, and create the appropriate information as an Alfresco import XML file. This file is then imported into the repository.
Follow the steps given below to export users and groups from Active Directory.
- Rename the
ldap-synchronisation-context.xml.samplefile toldap-synchronisation-context.xml. - Open
ldap-synchronisation.propertiesfile. Modify the properties to the required values, as follows. All other properties can be kept unchanged in the file.ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)andldap.synchronisation.personSearchBase=dc=company,dc=com: These two options combine to build the query to find people. In the example above, you will find all objects of typeinetOrgPersonanywhere in the directory.ldap.synchronisation.groupQuery=(objectclass=groupOfNames)andldap.synchronisation.groupSearchBase=dc=example,dc=com: These two options combine to build the query to find groups. In the example above, you will find all objects of typegroupOfNamesanywhere in the directory.
- Ensure that the changes you made above are saved. Start Alfresco.
On restarting, you will be able to login to the alfresco repository with only LDAP.
If you want to login to the Alfresco repository along with Alfresco users too, you have to make some more changes in the configuration files. This concept is known as Daisy Chaining.
Alfresco supports a pluggable authentication model. Out of the box, many authenticators are available such as NTLM, LDAP, Kerberos, and Alfresco. Also, you can have your own custom-built authentication system plugged into Alfresco, as shown below:
Authentication services may be daisy chained—one instance of Alfresco can have more than one user-source. However, the sequence in which these user data sources are daisy chained is important. When a user logs into the system, Alfresco checks for authentication in a defined sequence, as shown in the next figure:
Follow the steps given below to implement chaining:
- Browse the file
:<configRoot>alfresco authentication-services-context.xml. - Copy the following blocks of code :
<bean id="authenticationComponentChain" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl"> <property name="authenticationComponents"> <list> <ref bean="authenticationComponentAlfresco"/> <ref bean="authenticationComponent"/> </list> </property> </bean> <bean id="authenticationComponentAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl" parent="authenticationComponentBase"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="authenticationManager"> <ref bean="authenticationManager" /> </property> <property name="allowGuestLogin"> <value>false</value> </property> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="personService"> <ref bean="personService" /> </property> <property name="transactionService"> <ref bean="transactionService" /> </property> </bean> - Edit the following block, by commenting against an existing property and adding one block of another property.
<bean id="authenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl"> <property name="authenticationDao"> <ref bean="authenticationDao" /> </property> <property name="ticketComponent"> <ref bean="ticketComponent" /> </property> <!--<property name="authenticationComponent"> <ref bean=" authenticationComponent " /> <This is the property to be modified to authenticationComponentChain > </property> -- > <property name="authenticationComponent"> <ref bean="authenticationComponentChain " /> </property> <property name="sysAdminCache"> <ref bean="sysAdminCache"/> </property> </bean> - Save the changes. You will need to restart Alfresco to see the changes take effect. You can check it by logging in as the Alfresco user as well as the Active Directory user.
NT LAN Manager (NTLM) is an authentication protocol used in various Microsoft network protocol implementations, and is also used throughout Microsoft's systems as an integrated single sign-on mechanism.
NTLM authentication can be used to provide single sign-on to Alfresco. Using this protocol, the password that is sent over the network is made more secure, than when using basic authentication. NTLM pass-through authentication can also be used to replace the standard Alfresco user database, and instead use a Windows server/domain controller, or a list of servers, to authenticate users accessing Alfresco. This eliminates the task of creating user accounts within Alfresco.
By using NTLM authentication, the web browser can automatically log on when accessing Alfresco and Alfresco WebDAV sites. When NTLM is configured, Internet Explorer will use your Windows log-on credentials when requested by the web server. Firefox and Mozilla also support the use of NTLM. For these, you will be prompted for the username/password details, which can then optionally be stored using the password manager. The Opera web browser does not support NTLM authentication. If an Opera browser is detected, you will be sent to the usual Alfresco login page.
- SSO with Active Directory: The users who are inside the company network (who are logged into Active Directory) should automatically be logged into Alfresco Repository.
- Two external applications (such as Alfresco and Liferay) achieving SSO through CAS.
Follow the steps given below to integrate Single sign-on.
- Open the
web.xmlfile. The location of the file depends on the application server used. For Tomcat this can be found in thetomcat/webapps/alfresco/web-inffolder. - Modify the existing block of filters, as given below:
<filter> <filter-name>Authentication Filter</filter-name> <!-- <filter- class>org.alfresco.web.app.servlet.AuthenticationFilter</filter- class> --> <!-- For Novell IChain support use the following filter --> <!-- <filter- class>org.alfresco.web.app.servlet.NovellIChainsHTTPRequestAuthenticationFilter</filter-class> --> <!-- For NTLM authentication support use the following filter --> <filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class> </filter> <filter> <filter-name>WebDAV Authentication Filter</filter-name> <!-- <filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class> --> <!-- For NTLM authentication support use the following filter --> <filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class> </filter> - Browse the
tomcatsharedclassesalfrescoextension tlm-authentication-context.xml.samplefile. Either rename the file tontlm-authentication-context.xmlor create a new file with the namentlm-authentication-context.xmlin the same location, and copy the code from sample file.<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" /> <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"> <property name="personService"> <ref bean="personService" /> </property> <property name="nodeService"> <ref bean="nodeService" /> </property> <property name="transactionService"> <ref bean="transactionComponent" /> </property> <property name="guestAccess"> <value>false</value> </property> <property name="servers"> <value>openldap.domain.com</value> </property> <property name="useLocalServer"> <value>true</value> </property> </bean> - Open the
file-server-custom.xmlfile in the same location and add the following code:<config evaluator="string-compare" condition="FilesystemSecurity" replace="true"> <authenticator type="alfresco" /> </config> <config evaluator="string-compare" condition="CIFS Server"> <serverEnable enabled="true" replace="true" /> <host name="${cifs.localname}A" domain="${cifs.domain}"/> <comment>Alfresco CIFS Server</comment> <!-- Set to the broadcast mask for the subnet --> <broadcast>${cifs.broadcast}</broadcast> <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux --> <tcpipSMB platforms="linux,solaris,macosx"/> <netBIOSSMB platforms="linux,solaris,macosx"/> <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports --> <!-- <tcpipSMB port="1445" platforms="linux,solaris,macosx"/> <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/> --> <hostAnnounce interval="5"/> <!-- Use Win32 NetBIOS interface on Windows --> <Win32NetBIOS/> <Win32Announce interval="5"/> <!-- CIFS authentication --> <authenticator type="alfresco"> </authenticator> <!-- <WINS> <primary>1.2.3.4</primary> <secondary>5.6.7.8</secondary> </WINS> --> <sessionDebug flags="Negotiate,Socket"/> </config> - Restart the Alfresco server. If you are logged into Active Directory, you will be automatically logged in to the Alfresco repository.
Here is a brief explanation of the integration of Alfresco and Liferay through SSO.
- Integration of Liferay and LDAP:
Liferay provides us with facilities to use LDAP for authentication. This can be set up by making changes in the out of the box portlet that is provided by Liferay (the
EnterpriseAdminportlet). - Integration of Liferay and Alfresco:
Download the Alfresco WAR file. Refer to the link http://wiki.alfresco.com/wiki/Deploying_2.1WAR_Liferay4 to deploy alfresco WAR.
- Restart the Liferay server:
Log into Liferay by entering the following URL in the browser:
http://servername: port/. Click on the Auto Deploy tab of the EnterpriseAdmin portlet, locate and browse thealfresco.warfile. Soon, you will find the alfresco portlet on the Liferay Content Page. - Integration of CAS server and Liferay:
Download the CAS server
liferay-portal-cas-web-4.4.2.warfrom http://sourceforge.net/project/showfiles.php?group_id=49260&package_id=42607. Download the CAS Client from http://www.ja sig.org/products/cas/downloads/index.html. Make changes to thesslsection in order to open the port in theserver.xmlfile, and provide a location<liferay>/tomcat/conf. Finally make the necessary configuration changes to enable filters and authentication. - Configure Single sign-on for Liferay:
Add the entry for the CAS filter in the
web.xmlfile that is provided at the location<liferay>/tomcat/webapps/liferay/web-inf. - Configure Single Sign-on for Alfresco:
It is already explained in the section Configuring NTLM for Single sign-on.
- Configure the CAS Authentication handler for the CAS server.
- Log in to Liferay by entering the following URL in the browser:
http://servername :port/.When you click on Sign in, it will redirect you to the CAS server login page. Enter the user ID and password of Active Directory. Once the authentication is done, it will redirect you to the Liferay URL with an already logged in status (with the username that you previously entered).