Deploying Alfresco + configuring LDAP authentication

 

1. Install Alfresco

Download the latest Alfresco from http://wiki.alfresco.com/wiki/Download_Community_Edition

The version installed in this article is: alfresco-community-3.4.c-installer-linux-x64.bin

Upload the installer to the /opt directory

chmod +x alfresco-community-3.4.c-installer-linux-x64.bin

./alfresco-community-3.4.c-installer-linux-x64.bin

Then follow the prompts to choose the components to install, the install directory, the MySQL administrator password, the Alfresco administrator password and so on; installation starts once these are set.

After installation, start Alfresco:

service alfresco start

Open http://localhost:8080/alfresco in a browser

You should see the Alfresco home page and be able to log in as admin with the password set earlier.

 

2. Chinese localization

Download the language pack matching your version from http://forge.alfresco.com/projects/zh-package/

unzip language_Pack.zip

chmod +x install_language_pack.sh

./install_language_pack.sh

Edit the web client configuration to add a Chinese language option to the login page:

vim /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml

Find the <languages> node

Add one line: <language locale="zh_CN">Chinese (Simplified)</language>

Save and exit

Restart the Alfresco service:

service alfresco restart

Open http://localhost:8080/share

The document management pages now appear in Chinese.

Note: this language pack only localizes that part of the interface; the rest is not translated.

 

3. Adjust JVM memory

Go to the directory /opt/alfresco-3.4.c/tomcat/scripts

Edit the following line in ctl.sh:

JAVA_OPTS="-XX:MaxPermSize=1024m -Xms512m -Xmx2048m -Dalfresco.home=/opt/alfresco-3.4.c -Dcom.sun.management.jmxremote"

Set the memory sizes you need.

 

4. Configure LDAP authentication

Edit the main Alfresco configuration file:

vim /opt/alfresco-3.4.c/tomcat/shared/classes/alfresco-global.properties

Add the following:

ntlm.authentication.sso.enabled=false

passthru.authentication.authenticateCIFS=false

ldap.synchronization.active=true

authentication.chain=myldap:ldap

 

Now configure the LDAP subsystem itself.

The LDAP configuration files live in the following directory:

/opt/alfresco-3.4.c/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap

mkdir myldap   # must match authentication.chain=myldap:ldap in the main configuration file

cp ldap-authentication.properties myldap/  # copy the configuration template

mv ldap-authentication.properties ldap-authentication.properties.bak  # disable the original configuration file

Then edit myldap/ldap-authentication.properties

so that it contains the following:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
# Whether LDAP is used for user authentication
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
# Whether anonymous (guest) login is allowed; choose according to your situation, here we use false
ldap.authentication.allowGuestLogin=false

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
# How the entered user name is mapped into the DN of the user entry used for authentication
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=ccxe,dc\=com,dc\=cn

# The LDAP context factory to use
# Class name of the factory for the LDAP context; servers that follow the OpenLDAP standard normally need no change here
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
# LDAP server address
ldap.authentication.java.naming.provider.url=ldap://119.254.64.5:389

# The authentication mechanism to use for password validation
# Mechanism used when connecting to the LDAP server: simple, DIGEST-MD5, GSSAPI, etc. Here we use simple authentication
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
# Administrator users of the system; several can be given, separated by commas. These users get access to the
# Alfresco administration console and must exist in your LDAP directory tree
ldap.authentication.defaultAdministratorUserNames=uid\=zmpostfix,cn\=appaccts,cn\=zimbra

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
# Whether synchronization is enabled: users that exist in LDAP but not in the Alfresco database are created
# automatically. The reverse does not apply
ldap.synchronization.active=true

# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
# LDAP administrator account used for synchronization
ldap.synchronization.java.naming.security.principal=uid\=zmpostfix,cn\=appaccts,cn\=zimbra

# The password for the default principal (only used for LDAP sync)
# Password of the administrator account given above
ldap.synchronization.java.naming.security.credentials=3skemZGlp0

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0

# The query to select all objects that represent the groups to import.
# Object class selected when querying groups
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

# The query to select objects that represent the groups to import that have changed since a certain time.
# Filter used to sync only the entries changed since the last run (same below)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
# Object class selected when querying users
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
# Location of the group entries
ldap.synchronization.groupSearchBase=dc\=ccxe,dc\=com,dc\=cn

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
# Location of the user entries
ldap.synchronization.userSearchBase=ou\=people,dc\=ccxe,dc\=com,dc\=cn

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
# Provider used to create the home folder when a synced user logs in for the first time. Make sure the provider
# chosen here works, otherwise synced users may be unable to log in
# See http://wiki.alfresco.com/wiki/Security_Services#Providers for the available HomeFolderProviders
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description

# The group type in LDAP
ldap.synchronization.groupType=groupOfNames

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

 

After making the changes, restart Alfresco.

Users can then log in with the accounts held on the LDAP server.
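As an added check before the restart (example code written for this page, not part of Alfresco or the original post), the following Python reads an ldap-authentication.properties file with its \= escapes, renders the differential query the sync job would send for the yyyyMMddHHmmss'Z' timestamp format used above, and flags settings worth verifying: a userNameFormat without %s or outside userSearchBase, guest login left on, and an empty sync password. The embedded excerpt is constructed with placeholder DNs and password.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt in the shape of the file above; DNs and password are placeholders.
SAMPLE = r"""ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.credentials=PLACEHOLDER
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.userSearchBase=ou\=people,dc\=example,dc\=com
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
"""

def parse_properties(text):
    r"""Minimal Java .properties reader: the first unescaped '=' or ':' splits key/value,
    and a backslash escapes the next character (so uid\=%s becomes uid=%s)."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def render_differential_query(props, epoch_seconds):
    """Fill the {0} placeholder as the sync job does; only the Java pattern
    yyyyMMddHHmmss'Z' used above (UTC generalized time) is handled here."""
    assert props["ldap.synchronization.timestampFormat"] == "yyyyMMddHHmmss'Z'"
    stamp = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return props["ldap.synchronization.personDifferentialQuery"].replace("{0}", stamp)

def check(props):
    """Return the problems worth fixing before restarting Alfresco with this file."""
    issues, p = [], props.get
    fmt = p("ldap.authentication.userNameFormat", "")
    base = p("ldap.synchronization.userSearchBase", "")
    if p("ldap.authentication.active") == "true" and "%s" not in fmt:
        issues.append("userNameFormat has no %s placeholder for the login name")
    elif fmt and base and not fmt.lower().endswith("," + base.lower()):
        issues.append("userNameFormat DN does not sit under userSearchBase")
    if p("ldap.authentication.allowGuestLogin") != "false":
        issues.append("allowGuestLogin must be false to keep anonymous users out")
    if p("ldap.synchronization.active") == "true" and not p("ldap.synchronization.java.naming.security.credentials"):
        issues.append("synchronization is on but the bind password is empty")
    return issues
```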