Connect Alfresco with LDAPS

[marcogianini]

Good Morning,

I'm using the project of Angel and I try to connect to LDAPS on port 636, but it doesn't connect, generating the following error line:
2022-09-26 12:01:58,845 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] [main] Unable to connect to LDAP Server; check LDAP configuration
javax.naming.CommunicationException: simple bind failed: 172.30.0.40:636 [Root exception is java.net.SocketException: Connection or outbound has closed]

The connection between servers is allowed.

Alfresco was also installed with https protocol with port 8433.

The configuration of docker-commpose.yml is as follows:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
-Dldap.authentication.allowGuestLogin=false
-Dldap.authentication.userNameFormat=%[email protected]
-Dldap.authentication.java.naming.provider.url=ldaps://xxx.xx.x.x:636
-Dldap.authentication.defaultAdministratorUserNames=admin
-Dldap.synchronization.java.naming.security.principal=xxxxxx
-Dldap.synchronization.java.naming.security.credentials=xxxxxxxxx
-Dldap.synchronization.groupSearchBase=OU=Groups,OU=xx,DC=xxxx,DC=com,DC=xx
-Dldap.synchronization.userSearchBase=OU=Users,OU=xxxxx,DC=xxx,DC=com,DC=xx
-Dauthentication.chain=alfinst:alfrescoNtlm,dc1:ldap-ad

Can anyone point me in the right direction or help me on this topic?

Do I really need to have the LDAPS server certificate and import it into the alfresco container structure?

Thanks

Marco Gianini

[aborroy]

You need to add the LDAP TLS certificate to Alfresco Truststore.

This may help: https://hub.alfresco.com/t5/alfresco-content-services-hub/ldap-over-ssl/ba-p/290005

[marcogianini]

Hi Angel,

Thanks for information.

I saw that you need to import the certificate for Tomcat to recognize it, but as I'm not very experienced in working with Docker, I identify some difficulties.

I have the .cer certificate issued by LDAP.

As we use your project's Dockerfile, I can't run the keytool import because it asks for a password and a new password.

I tried to copy the certificate into a new folder of the container and informed the docker-compose.yml this location, but it generated an error. I also reported in docker-compose.yml

How can I install this certificate inside the Alfresco container?

[aborroy]

In order to add the certificate to LDAP connection, you need to use specific settings for the LDAP Subsystem. Since mTLS communication keystores are not used for this configuration.

-Dldap.authentication.truststore.path=/usr/local/tomcat/keystore/ldap.jks
-Dldap.authentication.truststore.passphrase=password
-Dldap.authentication.truststore.type=JKS
-Dldap.authentication.java.naming.security.protocol=ssl

You can build this ldap.jks with keytool to add the .cer certificate issued by LDAP.

And use a volume to mount the external file ./keystore/ldap.jks into the Alfresco Container.

alfresco:
  volumes: 
            - ./keystore/ldap.jks:/usr/local/tomcat/keystore/ldap.jks

[marcogianini]

Good morning Angel.

Thank you for your feedback and the success in the execution.

It is now successfully synchronizing with LDAPS.

Thanks

[marcogianini]

Angel, I apologize for reopening the case.

But it stopped working overnight.

Execution steps:
1 - from the .cer certificate issued by the LDAP server, I generated a .jks through the command:
keytool -importcert -file certnew.cer -keystore ldap.jks and created a password.
2 - I added the lines in docker-compose.yml right at the beginning of the alfresco container:
JAVA_TOOL_OPTIONS: "
-Dencryption.keystore.type=JCEKS
-Dencryption.cipherAlgorithm=DESede/CBC/PKCS5Padding
-Dencryption.keyAlgorithm=DESede
-Dencryption.keystore.location=/usr/local/tomcat/shared/classes/alfresco/extension/keystore/keystore
-Dmetadata-keystore.password=mp6yc0UD9e
-Dmetadata-keystore.aliases=metadata
-Dmetadata-keystore.metadata.password=oKIWzVdEdA
-Dmetadata-keystore.metadata.algorithm=DESede
-Dssl-keystore.password=keystore
-Dssl-keystore.aliases=ssl-alfresco-ca,ssl-repo
-Dssl-keystore.ssl-alfresco-ca.password=keystore
-Dssl-keystore.ssl-repo.password=keystore
-Dssl-truststore.password=truststore
-Dssl-truststore.aliases=alfresco-ca,ssl-repo-client
-Dssl-truststore.alfresco-ca.password=truststore
-Dssl-truststore.ssl-repo-client.password=truststore
-Dldap.authentication.truststore.path=/usr/local/tomcat/keystore/ldap.jks
-Dldap.authentication.truststore.passphrase=xxxxxx
-Dldap.authentication.truststore.type=JKS
-Dldap.authentication.java.naming.security.protocol=ssl
"
3 - Further down I added the LDAPS connection information:
-Dldap.authentication.allowGuestLogin=false
-Dldap.authentication.userNameFormat=%[email protected]
-Dldap.authentication.java.naming.security.authentication=SIMPLE
-Dldap.authentication.java.naming.read.timeout=30000
-Dldap.authentication.java.naming.provider.url=ldaps://xxxxxxxx.xxxxxxx.com.ar:636
-Dldap.authentication.defaultAdministratorUserNames=admin
-Dldap.synchronization.java.naming.security.principal=svc_alfresco
-Dldap.synchronization.java.naming.security.credentials=xxxxxxxxxxxxxxxxxxxxxxxx
-Dldap.synchronization.groupSearchBase=OU=Groups,OU=xxxxx,DC=xxxxxxxxxxx,DC=com,DC=xx
-Dldap.synchronization.userSearchBase=OU=Users,OU=xxxxxx,DC=xxxxxxxx,DC=com,DC=xx
-Dauthentication.chain=alfinst:alfrescoNtlm,dc1:ldap-ad

4 - I directed to an external volume where the .jks certificate is.
/opt/xxx/keyldap/*.cer and *.jks

But when running in the console log of alfresco, the following error message appears:
ERROR [security.sync.ChainingUserRegistrySynchronizer] [main] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 09190018 Failed to authenticate, username or password is wrong. User name:svc_alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090447, comment: AcceptSecurityContext error, data 52e, v3839]

It was like this when I closed the ticket, but in a normal stop/start process it stopped connecting.

Thanks