1

Topic: Integrating iRedMail @ Alfresco user information with LDAP

Hi,

I'm building a system with eMail, IM, and Alfresco.  Alfresco is a document management system.  So users on my system would have eMail, Calendaring (provided by Horde), IM (provided by eJabberd), and mini collaboration websites (provided by Alfresco's Share Interface).

The idea would be, that I use iRedAdmin-Pro LDAP to add a user, and sync the LDAP, so that user becomes a user on all four systems.

I used the eJabberd tutorial to add in this service, works fine.  It handles "chained" LDAP, so all email users are included, and you can use the ejabberd web console to add users not included in the email system.

Horde plays nice with the eMail so that works fine, as well.

Alfresco offers many options in integrating LDAP and AD out of the box.  I am a newbie to LDAP, so I can make config changes but can't create my own LDAP strategy.

I had hoped to use iRedMail & iRedAdmin's LDAP strategy as a master to integrate the others to.

Alfresco's has a nice manual, with LDAP settings here... http://docs.alfresco.com/4.0/index.jsp? … intro.html

It allows chaining, so both internal email users and external collaboration users can be managed with multiple sources.  I just couldn't get it to link up.

Any ideas?

Jon Cyr

----


2

Re: Integrating iRedMail @ Alfresco user information with LDAP

After reading Alfresco doc, below setting might work:

ldap.authentication.java.naming.security.authentication -> simple
ldap.authentication.userNameFormat -> mail=%s,ou=Users,domainName=domain.ltd,o=domains,dc=company,dc=com (Use email address as login id)
ldap.authentication.java.naming.provider.url -> ldap://127.0.0.1:389 (or ldaps://127.0.0.1 for TLS)

ldap.synchronization.userSearchBase -> ou=Users,domainName=domain.ltd,o=domains,dc=company,dc=com

ldap.synchronization.userIdAttributeName -> uid (maybe 'mail')
ldap.synchronization.userEmailAttributeName -> mail

I'm not sure what other settings are required. Sorry.

If this is a testing server, i'm glad to help configure it remotely via SSH.

3

Re: Integrating iRedMail @ Alfresco user information with LDAP

I tried so many things, not sure if I tried your suggestion.  I very well may have not.  The domainName= and the o= elements both, I don't think I did.

Debugging Alfresco is a bear, for this item, you have to restart it, to see if it works, which takes 5-10 minutes to come up.  It's evidently doing a lot at startup.  So, having you help me is much appreciated, but not necessary.

I'll report back, when I get it working.


Thanks again,

-Jon

4

Re: Integrating iRedMail @ Alfresco user information with LDAP

Hello cyrj,
  Alfresco integration is very interesting. Please inform us how it's going...
Does this method work?


cyrj wrote:

I tried so many things, not sure if I tried your suggestion.  I very well may have not.  The domainName= and the o= elements both, I don't think I did.

Debugging Alfresco is a bear, for this item, you have to restart it, to see if it works, which takes 5-10 minutes to come up.  It's evidently doing a lot at startup.  So, having you help me is much appreciated, but not necessary.

I'll report back, when I get it working.


Thanks again,

-Jon

5

Re: Integrating iRedMail @ Alfresco user information with LDAP

Hi Guys,

I finally got around to needing this LDAP-Alfresco connection again.

I read a book on LDAP.

When I log in as cn=Manager.... with phpLDAPAdmin, it won't let me search the tree in some ways... I think.

I have my iRedMail.tips printout with my passwords... which dn login will give Alfresco unrestricted rights so I can experiment?  Or how do I set up a "root" type access, so the two trusted programs can communicate?  They are local and non-SSL at the moment.

Thanks In Advance,

Jon

6

Re: Integrating iRedMail @ Alfresco user information with LDAP

cyrj wrote:

When I log in as cn=Manager.... with phpLDAPAdmin, it won't let me search the tree in some ways... I think.

cn=Manager,dc=xx,dc=xx is the root dn, it's the same as the 'root' user on Linux, it has all privileges, including searching.

Usually, cn=vmail,dc=xx,dc=xx should be enough if you just need read access, or cn=vmailadmin,dc=xx,dc=xx if you need read+write access.

7

Re: Integrating iRedMail @ Alfresco user information with LDAP

Aha,

Going better.  Two items.

1) In the domain settings of Alfresco, not only do you have to escape spaces and equals with a backslash.... dots must be escaped as well.

ldap.synchronization.groupSearchBase=ou\=Groups,domainName\=example\.com,o\=domains,dc\=example,dc\=com
ldap.synchronization.userSearchBase=ou\=Users,domainName\=example\.com,o\=domains,dc\=example,dc\=com

I had to imagine Java passing that configuration around, and a dot would cause problems, and the folks at Alfresco never mentioned escaping dots, they never conceived a domain in LDAP.

2) Next, since Alfresco doesn't really delete anything, I had difficulty testing this.  I would delete any users and re-sync them with the OpenLDAP/iRedMail schema.  Alfresco is a Document Management System, so things aren't really deleted ever, they are just set to visibility=none, until the database is packed/reindexed.   The ids for imported/synced users are still there.

So that means the default modifyTimeStamp doesn't change, it's still there for the deleted user, so a deleted group is not re-synced in my experiments, a deleted user is not re-synced either.  You must remove this filter to see changes, it will revive an old record and change its properties when you do.

ldap.synchronization.personDifferentialQuery=(&(objectclass=inetOrgPerson)(!(modifyTimestamp<\={0})))
to
ldap.synchronization.personDifferentialQuery=(&(objectclass=inetOrgPerson))
at least until you figure out your configuration settings

New Problem

The Users, the groups, and the group assignments come over, but the password doesn't seem to.   My LDAP explorer phpLDAPAdmin says the passwords are in ssha... Alfresco handles simple or MD5.  Any ideas on getting them to sync?

I think I would need to change OpenLDAP to store passwords in either simple, plaintext or MD5.

This is outside my expertise.  Are we storing the passwords in SSHA, so they can't be read in the database as plaintext?  I don't have that requirement.  Plaintext would be fine, MD5 would be fine.

I will post my config file, when it's all working, BTW, so others can boldly follow.

Jon
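As an added example (not code from this thread or from Alfresco), a small Python helper that applies the escaping rule from item 1 above to an iRedMail-style container DN and emits the synchronization properties from item 2 with or without the modifyTimestamp clause. The function names and the round-trip unescape check are my own assumptions; the property names are the ones quoted in the post.

```python
import re

# Characters the post says must be backslash-escaped inside an Alfresco
# property value that holds a DN: '=', space and (the surprising one) '.'.
ESCAPE_CHARS = re.compile(r"([=. ])")


def escape_dn_for_properties(dn: str) -> str:
    """Backslash-escape a DN for use as a value in alfresco-global.properties."""
    return ESCAPE_CHARS.sub(r"\\\1", dn)


def unescape_properties_value(value: str) -> str:
    """Undo that escaping the way a Java Properties reader does: a backslash
    followed by one of these ordinary characters yields the character itself."""
    return re.sub(r"\\(.)", r"\1", value)


def iredmail_container_dn(domain: str, ou: str, base_dn: str) -> str:
    """Build the per-domain container DN used by the iRedMail OpenLDAP layout,
    e.g. ou=Users,domainName=example.com,o=domains,dc=example,dc=com."""
    return f"ou={ou},domainName={domain},o=domains,{base_dn}"


def render_sync_properties(domain: str, base_dn: str, differential: bool = True) -> str:
    """Return the ldap.synchronization.* lines for alfresco-global.properties.

    differential=False drops the modifyTimestamp clause; as the post explains,
    with the clause in place a deleted-and-recreated user or group whose
    timestamp did not move is never picked up again during testing.
    """
    if differential:
        person_query = r"(&(objectclass=inetOrgPerson)(!(modifyTimestamp<\={0})))"
    else:
        person_query = r"(&(objectclass=inetOrgPerson))"
    users = escape_dn_for_properties(iredmail_container_dn(domain, "Users", base_dn))
    groups = escape_dn_for_properties(iredmail_container_dn(domain, "Groups", base_dn))
    return "\n".join([
        "ldap.synchronization.userSearchBase=" + users,
        "ldap.synchronization.groupSearchBase=" + groups,
        "ldap.synchronization.personDifferentialQuery=" + person_query,
    ])


if __name__ == "__main__":
    print(render_sync_properties("example.com", "dc=example,dc=com", differential=False))
```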

8

Re: Integrating iRedMail @ Alfresco user information with LDAP

cyrj wrote:

The Users, the groups, and the group assignments come over, but the password doesn't seem to.   My LDAP explorer phpLDAPAdmin says the passwords are in ssha... Alfresco handles simple or MD5.  Any ideas on getting them to sync?

With OpenLDAP backend, iRedAdmin chooses to use SSHA by default, other choices are 'SHA' (worse than SSHA) or PLAIN (plain text, the worst), you can choose PLAIN if you want, but it's obviously not recommended for security.

I guess I forgot to implement MD5 for OpenLDAP backend in iRedAdmin, but it has necessary functions to create MD5 password hash. I submitted a patch for this a moment ago:
https://bitbucket.org/zhb/iredadmin-ose … b1d0a97982

NOTE: You can simply patch iRedAdmin open source edition with this patch, it's generated with upcoming release of iRedAdmin. You have to manually edit related file to add MD5 password hash support. After you have applied the patch, please update 'LDAP_DEFAULT_PASSWORD_SCHEME' to 'MD5' in file 'libs/settings.py' under iRedAdmin directory.
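As an added example (my own code, not iRedAdmin's), the OpenLDAP userPassword formats behind the SSHA, SHA and MD5 choices discussed above, with a verifier. Running it shows why SSHA is the default: the per-entry salt makes two entries with the same password look different in the directory, while SHA and MD5 store the same value for the same password. PLAIN is deliberately left out; the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Raw digest length per scheme; for SSHA everything after the digest is the salt.
_DIGEST_LEN = {"SSHA": 20, "SHA": 20, "MD5": 16}


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style userPassword value: {SCHEME}base64(...)."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SSHA":
        # SSHA = sha1(password + salt), stored as base64(digest + salt).
        salt = os.urandom(8) if salt is None else salt
        raw = hashlib.sha1(pw + salt).digest() + salt
    elif scheme == "SHA":
        raw = hashlib.sha1(pw).digest()   # unsalted: same password, same value
    elif scheme == "MD5":
        raw = hashlib.md5(pw).digest()    # unsalted and a weak digest
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return "{" + scheme + "}" + base64.b64encode(raw).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA}/{SHA}/{MD5} value."""
    if not stored.startswith("{") or "}" not in stored:
        return False                      # no scheme prefix: not handled here
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in _DIGEST_LEN:
        return False
    raw = base64.b64decode(b64)
    # Reuse the stored salt for SSHA; the unsalted schemes ignore it.
    salt = raw[_DIGEST_LEN[scheme]:] if scheme == "SSHA" else None
    candidate = hash_userpassword(password, scheme, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    for scheme in ("SSHA", "SHA", "MD5"):
        a, b = hash_userpassword("s3cret", scheme), hash_userpassword("s3cret", scheme)
        print(scheme, a, "identical for same password:", a == b)
```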