
Liferay + Alfresco + OpenSSO + LDAP Integration
By Uchit Vyas

contact@attuneuniversity.com
www.attuneuniversity.com

About Author
Uchit Vyas is a B.Tech. graduate in Computer Science with a research interest in ESB and Cloud, and is a Cisco (CCNA), VMware (VSP) and Red Hat Linux (RHCE) certified professional. He has the energy to work on multiple platforms at a time and the ability to integrate open source technologies. He works as a Sr. Consultant looking after AWS Cloud, Mule ESB, Alfresco and Liferay, and deploying Portal and ECM systems. He previously worked with TCS as an Assistant System Engineer.
With over 3 years of hands-on experience with Open Source technologies, he guides the team and delivers projects and trainings. He has provided 13+ trainings on Cloud Computing, Continuous Delivery, Alfresco and Liferay within a couple of months. In past years he moved over 80% of Attune Infocom's business processes to the Cloud, applying an agile SDLC methodology on Amazon, Rackspace and private clouds such as Eucalyptus and OpenStack. His skills are not limited to designing and managing Cloud environments/infrastructure and server architecture. He is also active in shell scripting, automated deployment, and supporting hundreds of Linux and Windows physical and virtual servers hosting databases and applications, with Continuous Delivery using Jenkins / CruiseControl and Puppet / Chef scripting.

Liferay + Alfresco + OpenSSO + LDAP Integration 1

Table of Contents
I. LDAP Integration with Liferay
II. Integrating OpenSSO/OpenAM with Liferay Portal on Tomcat
III. Alfresco OpenSSO Integration
IV. Enable LDAP Authentication and LDAP Users Import in Alfresco


LDAP Integration with Liferay

ApacheDS
http://directory.apache.org/apacheds/1.5/download/downloadwindows.html
Download ApacheDS from the link above and install the .exe on Windows. Run ApacheDS, follow the installer instructions and finish the installation.
Check the installed Java version (java -version). To install and use ApacheDS you need JRE 5 or later, on Windows XP or Vista.
By default the LDAP server listens on port 10389 (unencrypted or StartTLS) and 10636 (SSL).

Installing LDAP browser

Go to www.jxplorer.org.
Click Downloads > precompiled java package > Windows platform.
Save the file.
Click on the LDAP browser icon and follow the installation instructions.
Open the LDAP browser JXplorer, click File and then Connect.
Change the port to 10389.
In the Level drop-down menu, choose User+Password.
Insert uid=admin,ou=system in the User DN input field.
The password is secret.
Click Save and enter a name for the template.

Right click on Example and click New.
Add inetOrgPerson to the Selected Classes or select Suggest Classes (e.g. for creating a user). Enter cn=uchit in the Enter RDN field and click OK.
In the Table Editor enter Uchit in the sn line and Uchit in the givenName line. For mail enter uchit@uchitinfo.com. For userPassword enter test. Click Submit.


Integration with Liferay

Now you are ready to integrate LDAP with Liferay. Log in to Liferay as an administrator, e.g. test@liferay.com with password test.
Once you have created your profile in LDAP, configure Liferay to import/export users from LDAP.
In Liferay go to Control Panel > Settings > Authentication. Under LDAP you will find a list of directory servers; select yours.
Then configure your own connection: Base Provider URL, Base DN, Principal and Credentials, and test that the connection is working (by clicking the Add button).


In the example above, check the box to enable LDAP.
Required means that login will require LDAP to authenticate.
Then set the other properties. You can change the search filter to match on name only instead of email, and you can change the group name.
You can also change the group search filter.
You can also enable import/export of users between LDAP and Liferay.
All of these properties can also be set in the portal-ext.properties file, which you will find under ROOT/WEB-INF/classes/portal-ext.properties. The portal-ext.properties file overrides the default settings.
Now just start the directory server and use an LDAP user in Liferay.
To summarize, for integrating Liferay with LDAP: install a directory server and start it; enable LDAP in Liferay and select your DS from the list (for any other server, use portal-ext.properties); use secret as the password; change the search filter from email to (cn=@screen_name@); if you want import/export, check the boxes. You can also test your connection and list the users: if your connection replies, everything is working properly.
When you log in with an LDAP user for the first time, Liferay will ask you to accept the terms and conditions.
The defaults below come from portal.properties; override them in portal-ext.properties:
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=false
ldap.auth.required=false
ldap.auth.method=bind
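The following is an added example, not code from the guide or from Liferay: it reads a constructed copy of the portal-ext.properties block above (with auth and import switched on, as the guide instructs), resolves the Java .properties escapes (\n in the mappings, and the \= form used later in the Alfresco file), applies ldap.import.user.mappings to a constructed entry shaped like the cn=uchit user created in JXplorer, and lists the review findings that follow from the guide's own facts (10389 is the unencrypted port, the bind password sits in the file, Required controls whether LDAP is mandatory).

```python
"""Parse the portal-ext.properties LDAP settings from the guide and apply the
user mappings to a directory entry (added example, not Liferay code)."""
import re

# Constructed copy of the guide's properties, auth and import enabled as the guide says.
# Java .properties syntax: \n inside a value is an escape Liferay turns into a newline.
PORTAL_EXT = r"""
ldap.import.enabled=true
ldap.import.base.provider.url=ldap://localhost:10389
ldap.import.base.dn=dc=example,dc=com
ldap.import.security.principal=uid=admin,ou=system
ldap.import.security.credentials=secret
ldap.import.search.filter=(objectClass=inetOrgPerson)
ldap.import.user.mappings=userId=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
"""

# Constructed entry shaped like the cn=uchit inetOrgPerson created in JXplorer (keys lower-cased).
UCHIT_ENTRY = {
    "cn": ["uchit"], "sn": ["Uchit"], "givenname": ["Uchit"],
    "mail": ["uchit@uchitinfo.com"], "userpassword": ["test"],
}

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def unescape(text):
    """Resolve Java .properties backslash escapes (\\n, \\=, \\:, \\\\ ...)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal .properties reader: comments, blank lines, first unescaped '=' or ':'
    as separator (line continuations are not supported in this example)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = re.search(r"(?<!\\)[=:]", line)
        key, value = (line, "") if sep is None else (line[: sep.start()], line[sep.end():])
        props[unescape(key.strip())] = unescape(value.strip())
    return props


def parse_mappings(value):
    """Split Liferay's newline-separated 'portalField=ldapAttribute' pairs."""
    pairs = {}
    for item in value.split("\n"):
        if item.strip():
            field, attr = item.split("=", 1)
            pairs[field.strip()] = attr.strip()
    return pairs


def map_ldap_user(entry, mappings):
    """Build the portal user record; attributes absent in LDAP become None.
    LDAP attribute names are case-insensitive, so lookups use lower case."""
    return {field: (entry.get(attr.lower()) or [None])[0] for field, attr in mappings.items()}


def review_settings(props):
    """Findings a reviewer would raise, based only on facts stated in the guide."""
    findings = []
    if props.get("ldap.import.base.provider.url", "").startswith("ldap://"):
        findings.append("ldap://: directory traffic and the bind password travel unencrypted; use ldaps://host:10636 or StartTLS")
    if props.get("ldap.import.security.credentials"):
        findings.append("ldap.import.security.credentials is stored in clear text; restrict read access to portal-ext.properties")
    if props.get("ldap.auth.enabled") == "true" and props.get("ldap.auth.required") != "true":
        findings.append("ldap.auth.required=false: LDAP is not mandatory, the portal password still works if the LDAP bind fails")
    return findings
```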

Integrating OpenSSO / OpenAM with Liferay Portal on Tomcat

Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October 2009). Make sure that your JAVA_HOME environment variable is correctly set to point to your Java 6 installation.
For OpenSSO to work correctly with Liferay Portal, both servers need to be running in the same domain. To solve this while running both servers on a single machine, edit the hosts file (/etc/hosts, or the hosts file under %SystemRoot%\system32\drivers\etc\) and add/update your localhost entry:

127.0.0.1 localhost localhost.example.com

where example.com is your actual domain (uchit.info.com in this guide).


Install OpenSSO/OpenAM

Download the latest OpenAM build (OpenAM Snapshot 9.5.1 RC1) from http://www.forgerock.com/downloads.html
Download the latest Tomcat (6.0.32) from http://tomcat.apache.org/download-60.cgi
Installation of the Tomcat server consists of:
Unzip the apache-tomcat-6.0.32 zip file. This will create an apache-tomcat-6.0.32 folder.
As both Liferay Portal and OpenAM will be running on the same machine, I needed to update the ports that the OpenAM Tomcat server uses.
Edit apache-tomcat-6.0.32/conf/server.xml. I changed all of the ports from 8xxx to 9xxx, for example 8080 to 9080, 8443 to 9443, etc.

On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh
Installation of OpenAM consists of:
Unzip openam_snapshot_951RC1.zip to a directory. This will create an opensso folder.
Copy opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.32/webapps/.
In apache-tomcat-6.0.32/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy OpenAM.
After Tomcat has deployed OpenAM, you will see the exploded war file as apache-tomcat-6.0.29/webapps/opensso.
Open a browser to http://uchit.info.com:9080/opensso, which should redirect you to http://uchit.info.com:9080/opensso/config/options.htm to complete the OpenAM configuration.
You should see the OpenAM configuration options page. Under Custom Configuration click Create New Configuration. Enter the following:


The first step is to choose a password for the default administrator account (amAdmin). The password needs to be at least 8 characters long (e.g. upassword). Once a valid password has been entered twice, the Next button will appear and the configuration can proceed.


On the server settings page, the Server URL and the Configuration Directory both need some attention. By default the Server URL will be the address that was typed to reach the server. The problem is that it requires a fully qualified domain name, so if the page was accessed via localhost or an IP address it will cause problems. This is why the server was configured to be accessible at uchit.info.com.


The other setting on this page to take note of is the Configuration Directory. It is important that the user that Apache Tomcat is running under has write access to that directory. As a result ~/openam/config is appropriate for this purpose.
Supported Platform Locales are en_US (English), de (German), es (Spanish), fr (French), ja (Japanese), zh_CN (Simplified Chinese), or zh_TW (Traditional Chinese).


The Configuration Data Store Settings do not need to be changed when working with a single server configuration.

The User Data Store Settings are what connect OpenAM to the OpenDS data store. The side effect of this is that most of these settings require some attention. Fields which require changing are marked with an asterisk (*).
*User Data Store Type : OpenDS
SSL/TLS Enabled : Not ticked
*Directory Name : uchit.info.com
*Port : 10389
*Root Suffix : dc=example,dc=com
Login ID : uid=admin,ou=system
*Password : secret

The configurator does not give the option to continue until all the settings have been correctly specified and it has successfully connected to the OpenDS instance.

OpenAM is not installed behind a load balancer in this test deployment, so Site Configuration can be left as default.


The policy agent password once again needs to be 8 characters or more and it must also be different from the administrator password. In this case we will use 'apassword', although the policy agent user is not used in this tutorial.


The Summary Page shows a brief summary of the settings that were
defined in the previous few steps before the configuration is created.
Clicking Create Configuration will begin the configuration process.
This will create the configuration for your OpenAM server under
~/opensso (or c:\Documents and Settings\{username}\opensso).


The Configuration Progress screen will display the progress of the installation and take a couple of minutes to run through. All of the output on this screen, as well as any errors, is written to the file ~/openam/config/install.log. Assuming success, a Configuration Complete! view will appear, providing a link to the login page.
If it did not succeed, check the troubleshooting guide at https://wikis.forgerock.org/confluence/display/openam/Common Install Issues


When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://uchit.info.com:9080/opensso/UI/Login

Type amAdmin as the username and the administrator password you chose above (upassword) as the password, and click Log In. You should now see the OpenAM Console.
For detailed information about the OpenAM Console, see the OpenAM documentation.
You can now delete the opensso.war file from the apache-tomcat-6.0.29/webapps/ directory.


Additional OpenAM Configuration

To get OpenAM to work correctly with Liferay, you need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login.
1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Security tab.
5. In the Cookie section, select the Yes checkbox beside Encode Cookie Value.
6. Click Save.
To resolve the infinite redirection problem:
1. In the OpenAM Console, select the Configuration tab.
2. Select the Servers and Sites tab.
3. Click Default Server Settings.
4. Select the Advanced tab.
5. Find the com.iplanet.am.cookie.c66Encode property, and set the value to true.
6. Click Save.
Before updating Liferay to use OpenAM, I recommend adding the default Liferay user, test@liferay.com, to OpenAM.
1. In the OpenAM Console, select the Access Control tab.
2. Click the / (Top Level Realm) realm.
3. Select the Subjects tab.
4. Click New.
5. Set up the default Liferay user:
   ID: test
   First Name: test
   Last Name: test
   Full Name: test
   Password: test
6. Click OK to create the user.
7. Click test to add the email address. Enter test@liferay.com for the Email Address, and click Save.
[Note: Use uid to create new user in LDAP for OpenAM]
Integrate Liferay Portal with OpenAM
Now you are ready to update Liferay Portal to integrate with OpenAM for authentication.
1. If Liferay is running, shut it down (bin/shutdown).
2. Create a new file called portal-ext.properties in your Liferay directory, under liferay-portal-5.2.3/tomcat-6.0.18/webapps/ROOT/WEB-INF/classes/.
3. Edit this file, and add the following properties:
open.sso.auth.enabled=true
open.sso.login.url=http://uchit.info.com:9080/opensso/UI/Login?goto=http://uchit.info.com:8080/c/portal/login
open.sso.logout.url=http://uchit.info.com:9080/opensso/UI/Logout?goto=http://uchit.info.com:8080/web/guest/home
open.sso.service.url=http://uchit.info.com:9080/opensso
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn

4. Start Liferay (bin/startup).
Once Liferay has started, open a browser to http://uchit.info.com:8080, and you should be redirected to the OpenAM login page (http://uchit.info.com:9080/opensso/UI/Login). Enter test for the User Name, and test for the Password. Click Log In.
You will be authenticated against OpenAM, and redirected to Liferay.
Now that Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first log in. That newly created user in Liferay will only have the basic information filled in (First Name, Last Name, Screen Name, Email Address) and will have the default Roles, Groups, and Organizations assigned.
[Note: You can also integrate Liferay and OpenSSO by going to Liferay Control Panel -> Settings -> Authentication -> OpenSSO]
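An added example, not from the guide or from Liferay/OpenAM: it generates the open.sso.* entries above with the goto target URL-encoded, and checks the same-domain requirement the guide states (the reason for the hosts-file edit). cookie_domain() encodes an assumption, that OpenAM's session cookie is set for the server host name minus its first label (.info.com for uchit.info.com), and that localhost or a bare IP address gets no such domain.

```python
"""Build the open.sso.* properties from the guide and check the same-domain
requirement it states for the OpenAM session cookie (added example, not from
the guide or from Liferay/OpenAM)."""
from urllib.parse import parse_qs, urlencode, urlsplit

OPENAM_BASE = "http://uchit.info.com:9080/opensso"   # the guide's OpenAM server
LIFERAY_BASE = "http://uchit.info.com:8080"          # the guide's Liferay server


def cookie_domain(host):
    """Assumption used here: OpenAM's cookie domain is the server's host name minus
    its first label (.info.com for uchit.info.com). localhost or a bare IP address
    cannot be given such a domain, which is why the guide insists on a FQDN."""
    labels = host.split(".")
    if len(labels) < 3 or host.replace(".", "").isdigit():
        return host                      # host-only cookie
    return "." + ".".join(labels[1:])


def shares_cookie_domain(openam_host, liferay_host):
    """True when the browser will send OpenAM's cookie to the Liferay host too."""
    domain = cookie_domain(openam_host)
    if not domain.startswith("."):
        return liferay_host == domain
    return liferay_host.endswith(domain) or liferay_host == domain[1:]


def open_sso_properties(openam_base=OPENAM_BASE, liferay_base=LIFERAY_BASE):
    """The portal-ext.properties entries from the guide, with the goto target
    URL-encoded so that a target carrying its own query string survives."""
    openam_host = urlsplit(openam_base).hostname
    liferay_host = urlsplit(liferay_base).hostname
    if not shares_cookie_domain(openam_host, liferay_host):
        raise ValueError(f"{liferay_host} is outside OpenAM's cookie domain "
                         f"{cookie_domain(openam_host)}; fix the hosts file first")
    login = f"{openam_base}/UI/Login?" + urlencode({"goto": f"{liferay_base}/c/portal/login"})
    logout = f"{openam_base}/UI/Logout?" + urlencode({"goto": f"{liferay_base}/web/guest/home"})
    return {
        "open.sso.auth.enabled": "true",
        "open.sso.login.url": login,
        "open.sso.logout.url": logout,
        "open.sso.service.url": openam_base,
        "open.sso.screen.name.attr": "uid",
        "open.sso.email.address.attr": "mail",
        "open.sso.first.name.attr": "givenname",
        "open.sso.last.name.attr": "sn",
    }


def goto_target(url):
    """Where OpenAM will send the browser after login/logout, as Liferay set it."""
    return parse_qs(urlsplit(url).query).get("goto", [None])[0]
```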


Alfresco OpenSSO Integration

Download and install Alfresco (3.4.d) from http://wiki.alfresco.com/wiki/Download_Community_Edition
Now go to http://uchit.info.com:8080/alfresco/ and log in:
User Name: admin
Password: password


DEPLOYMENT
============

1. Build the jar from the sources, or download the latest release of the filter from http://repository.sourcesense.com/nexus/content/groups/public/com/sourcesense/alfresco/alfresco-opensso/
2. Download the OpenSSO client SDK from http://repository.sourcesense.com/nexus/content/repositories/thirdparty/com/sun/identity/openssoclientsdk/8.0/openssoclientsdk8.0.jar
3. Copy both to <Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/lib
4. Create the file AMConfig.properties in <Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/classes
5. An example of this file is:
com.iplanet.am.naming.url=http://uchit.info.com:9080/opensso/namingservice
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.sun.identity.agents.app.username=amAdmin
com.iplanet.am.service.password=upassword

6. Change the values to reflect your OpenSSO installation.
7. Replace the authentication filter in <Alfresco_Home>/tomcat/webapps/alfresco/WEB-INF/web.xml:
<filter>
  <filter-name>Authentication Filter</filter-name>
  <description>Authentication filter mapped only to faces URLs. Other URLs generally use proprietary means to talk to the AuthenticationComponent</description>
  <filter-class>org.alfresco.repo.web.filter.beans.BeanProxyFilter</filter-class>
  <init-param>
    <param-name>beanName</param-name>
    <param-value>AuthenticationFilter</param-value>
  </init-param>
</filter>
with
<filter>
  <filter-name>Authentication Filter</filter-name>
  <filter-class>com.sourcesense.alfresco.opensso.AlfrescoOpenSSOFilter</filter-class>
  <init-param>
    <param-name>opensso.url</param-name>
    <param-value>http://uchit.info.com:9080/opensso</param-value>
  </init-param>
</filter>

USAGE
======
Accessing Alfresco's home will redirect the browser to the OpenSSO login page.
After a successful login, OpenSSO will redirect the browser back to Alfresco.
If the user does not exist in Alfresco, it will be created. The groups associated with the user in OpenSSO will be created in Alfresco, and the user will be associated with these groups.
If the user's groups are changed in OpenSSO, the filter will reflect those changes at the moment of login.
No group will be deleted in Alfresco, just the user's association with the groups.
In order to access Alfresco administration, the "admin" user must be created in OpenSSO as well.

Enable LDAP Authentication and LDAP users import in Alfresco

1. This step is not necessary for Web SSO, but I recommend doing it because you can then do user management from the Alfresco Admin Console (Browser/Explorer or Share): edit, delete, create groups and grant permissions.
2. Add the following properties to the ${ALF_HOME}\tomcat\shared\classes\alfresco-global.properties file:
# The default authentication chain
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
# These options are for test purposes, to make a full synchronization every minute at 15 seconds; you should certainly tune them to your needs
synchronization.import.cron=15 * * * * ?
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=false

3. Create the folder structure subsystems\Authentication\ldap\ldap1 under ${ALF_HOME}\tomcat\shared\classes\alfresco\extension.
4. Copy the file ${ALF_HOME}\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties into the folder created above.
5. Modify ldap-authentication.properties, enabling LDAP authN and sync. For example, you can use my file (this only works for my LDAP tree: uid as RDN and authN with cn):
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
#ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://uchit.info.com:10389
# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
###ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=secret
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
##ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com
ldap.synchronization.groupSearchBase=ou\=groups,dc\=example,dc\=com
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
###ldap.synchronization.userSearchBase=ou\=People,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
# The group type in LDAP
ldap.synchronization.groupType=groupOfNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

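An added example, not Alfresco's code, showing how two of the values above are used: the bind DN that the simple userNameFormat produces from the id a user types (with the guide's escapeCommasInBind=false, and with it set to true), and the personDifferentialQuery with its {0} placeholder filled in the guide's timestampFormat. The user ids and the sample sync time are constructed.

```python
"""How Alfresco uses ldap.authentication.userNameFormat and
ldap.synchronization.personDifferentialQuery from the file above
(added example, not Alfresco code; ids and the sync time are constructed)."""
from datetime import datetime, timezone

# Values from the guide with the .properties '\=' escapes already resolved.
USER_NAME_FORMAT = "uid=%s,ou=people,dc=example,dc=com"
PERSON_DIFFERENTIAL_QUERY = "(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))"
TIMESTAMP_FORMAT = "yyyyMMddHHmmss'Z'"   # Java SimpleDateFormat pattern from the guide

# Constructed sample "last successful sync" moment, in UTC.
SAMPLE_LAST_SYNC = datetime(2011, 6, 1, 12, 30, 5, tzinfo=timezone.utc)


def bind_dn(user_id, escape_commas_in_bind=False):
    """Substitute %s as the simple userNameFormat does. The guide sets
    ldap.authentication.escapeCommasInBind=false, so the id goes in verbatim;
    with true, Alfresco escapes commas in the id as '\\,' first."""
    value = user_id.replace(",", "\\,") if escape_commas_in_bind else user_id
    return USER_NAME_FORMAT % value


def rdns(dn):
    """Split a DN on unescaped commas: the RDNs the directory will actually see.
    An unescaped comma in the user id therefore adds RDNs to the bind DN."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def java_timestamp(moment):
    """Render a datetime in the guide's timestampFormat yyyyMMddHHmmss'Z' (UTC)."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + "Z"


def differential_query(last_sync):
    """Fill {0} with the last sync time. (!(modifyTimestamp<=...)) keeps only entries
    modified after that time; Alfresco uses this query only when
    synchronization.synchronizeChangesOnly=true (the guide sets false for testing)."""
    return PERSON_DIFFERENTIAL_QUERY.replace("{0}", java_timestamp(last_sync))
```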
