Alfresco deployment + LDAP authentication configuration
1. Install Alfresco:
Download the latest Alfresco from http://wiki.alfresco.com/wiki/Download_Community_Edition
The version installed in this article is: alfresco-community-3.4.c-installer-linux-x64.bin
Upload the installer to the /opt directory
chmod +x alfresco-community-3.4.c-installer-linux-x64.bin
./alfresco-community-3.4.c-installer-linux-x64.bin
Then follow the prompts to choose the components to install, the installation directory, the MySQL administrator password, the Alfresco administrator password and so on; installation starts once these are set.
After installation, start Alfresco: service alfresco start
Open in a browser: http://localhost:8080/alfresco
The Alfresco home page appears, and the admin user can log in with the password set above.
2. Chinese localization
Download the language pack matching your version from http://forge.alfresco.com/projects/zh-package/
unzip language_Pack.zip
chmod +x install_language_pack.sh
./install_language_pack.sh
vim /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml and add a Chinese language option for the login page:
Find the <languages> node
Add one line: <language locale="zh_CN">Chinese (Simplified)</language>
Save and exit
Restart the Alfresco service: service alfresco restart
Visit: http://localhost:8080/share
The document management page now appears in Chinese
Note: this language pack only localizes that part of the interface; the rest remains untranslated
3. Adjust JVM memory
Go to the directory /opt/alfresco-3.4.c/tomcat/scripts
Modify the following line in ctl.sh:
JAVA_OPTS="-XX:MaxPermSize=1024m -Xms512m -Xmx2048m -Dalfresco.home=/opt/alfresco-3.4.c -Dcom.sun.management.jmxremote"
Set the heap and PermGen sizes you need.
4. Configure LDAP authentication
Edit the main Alfresco configuration file:
vim /opt/alfresco-3.4.c/tomcat/shared/classes/alfresco-global.properties
Add the following:
ntlm.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=false
ldap.synchronization.active=true
authentication.chain=myldap:ldap
Note: with only the LDAP subsystem in the chain, the built-in admin account created by the installer can no longer log in. To keep it as a fallback (for example while the LDAP server is unreachable), use authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap instead.
Now configure the LDAP subsystem itself:
The LDAP configuration files are in the following directory:
/opt/alfresco-3.4.c/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap
mkdir myldap   # must match authentication.chain=myldap:ldap in the main configuration file
cp ldap-authentication.properties myldap/   # copy the configuration template
mv ldap-authentication.properties ldap-authentication.properties.bak   # disable the original configuration file
Then edit myldap/ldap-authentication.properties
so that it contains the following:
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsytem should only be used for synchronization, in which case
# this flag should be set to false.
# Choose whether LDAP is used for user authentication
ldap.authentication.active=true
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
# Whether to allow guest (anonymous) login; choose according to your situation, here false
ldap.authentication.allowGuestLogin=false
# How to map the user id entered by the user to that passed through to LDAP
# - simple
# - this must be a DN and would be something like
# uid=%s,ou=People,dc=company,dc=com
# - digest
# - usually pass through what is entered
# %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
# How the entered user id is mapped onto the DN used for the bind (%s is replaced by the user id)
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=ccxe,dc\=com,dc\=cn
# The LDAP context factory to use
# JNDI context factory class for the LDAP connection; standard LDAP servers such as OpenLDAP do not need this changed
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
# LDAP server address. Note: ldap:// on port 389 with simple authentication sends every bind password in cleartext; prefer ldaps:// (usually port 636) or StartTLS if the server supports it.
ldap.authentication.java.naming.provider.url=ldap://119.254.64.5:389
# The authentication mechanism to use for password validation
# Authentication mechanism used when connecting to the LDAP server: simple, DIGEST-MD5, GSSAPI, etc. Here we use simple authentication
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
# Default administrators; several names can be given, separated by commas. These users get administrator access to Alfresco and must exist in your LDAP directory. The value is the user id (the attribute named in ldap.synchronization.userIdAttributeName, here uid), not a DN: "uid=zmpostfix,cn=appaccts,cn=zimbra" would never match the user name of a logged-in user.
ldap.authentication.defaultAdministratorUserNames=zmpostfix
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
# Whether to enable synchronization: users that exist in LDAP but not in the Alfresco database are created automatically. The reverse does not apply
ldap.synchronization.active=true
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
# LDAP account used for synchronization; read access to the user and group subtrees is all it needs, so a directory administrator account is not required
ldap.synchronization.java.naming.security.principal=uid\=zmpostfix,cn\=appaccts,cn\=zimbra
# The password for the default principal (only used for LDAP sync)
# Password of the account above. It is stored here in cleartext, so restrict the file to the account Alfresco runs as (chmod 600)
ldap.synchronization.java.naming.security.credentials=3skemZGlp0
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=0
# The query to select all objects that represent the groups to import.
# Object class selected when searching for groups
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
# Filter used to synchronize only entries modified since the last run (same below)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
# Object class selected when searching for users
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
# Location of group information
ldap.synchronization.groupSearchBase=dc\=ccxe,dc\=com,dc\=cn
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
# Location of user information
ldap.synchronization.userSearchBase=ou\=people,dc\=ccxe,dc\=com,dc\=cn
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
# Home folder provider used when a synchronized user logs in for the first time. Make sure the provider chosen here works, otherwise synchronized users may be unable to log in
# For the available HomeFolderProviders see http://wiki.alfresco.com/wiki/Security_Services#Providers
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
# The group type in LDAP
ldap.synchronization.groupType=groupOfNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
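Before restarting, it pays to check the file rather than discover a typo in the Alfresco log. The script below is an added example, not part of the original page and not Alfresco's own tooling: it reads the properties file (undoing the \= and \, escapes the values above carry), prints the bind DN that userNameFormat produces for a login name, emits the ldapsearch commands that exercise the sync bind and the person/group queries with the same base DNs and filters Alfresco will use, and flags the settings a reviewer would want changed: cleartext ldap://, a DN where a user id is expected, and a group- or world-readable file holding the bind password. The sample file is constructed from the values on this page with a placeholder password; the temp directory, file names and ldapsearch invocations are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check myldap/ldap-authentication.properties
# before "service alfresco restart". Sample files, paths and ldapsearch invocations are assumptions;
# the property names are the ones used in the configuration above.

# Read KEY from a Java .properties file, undoing the "\=" and "\," escapes
# that values such as uid\=%s,ou\=people,... carry.
prop() {  # prop FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/\\\([=,]\)/\1/g'
}

# The bind DN Alfresco builds for a login name from ldap.authentication.userNameFormat.
# An empty format means Alfresco resolves the DN via personQuery instead, so return 1.
bind_dn_for() {  # bind_dn_for FILE LOGIN
    fmt=$(prop "$1" ldap.authentication.userNameFormat)
    [ -n "$fmt" ] || return 1
    ph='%s'
    printf '%s\n' "${fmt%%"$ph"*}$2${fmt#*"$ph"}"
}

# Print ldapsearch commands that exercise the sync bind and the person/group queries with
# exactly the base DNs and filters Alfresco will use. -W prompts for the password so it
# does not land in shell history or `ps` output.
verify_cmds() {  # verify_cmds FILE
    f=$1
    url=$(prop "$f" ldap.authentication.java.naming.provider.url)
    bind=$(prop "$f" ldap.synchronization.java.naming.security.principal)
    echo "ldapsearch -x -H '$url' -D '$bind' -W -b '$(prop "$f" ldap.synchronization.userSearchBase)' '$(prop "$f" ldap.synchronization.personQuery)' $(prop "$f" ldap.synchronization.userIdAttributeName)"
    echo "ldapsearch -x -H '$url' -D '$bind' -W -b '$(prop "$f" ldap.synchronization.groupSearchBase)' '$(prop "$f" ldap.synchronization.groupQuery)' cn member"
}

# Report settings a reviewer would flag; returns the number of findings.
audit_ldap_props() {  # audit_ldap_props FILE
    f=$1; findings=0
    case $(prop "$f" ldap.authentication.java.naming.provider.url) in
        ldap://*) echo "WARN: plain ldap:// with simple bind sends every user's password in cleartext; use ldaps:// or StartTLS"
                  findings=$((findings+1)) ;;
    esac
    case $(prop "$f" ldap.authentication.defaultAdministratorUserNames) in
        *=*) echo "WARN: defaultAdministratorUserNames takes user ids (uid values), not DNs; a DN here never matches"
             findings=$((findings+1)) ;;
    esac
    case $(prop "$f" ldap.authentication.userNameFormat) in
        ""|*%s*) ;;
        *) echo "ERROR: userNameFormat has no %s placeholder"; findings=$((findings+1)) ;;
    esac
    if [ -n "$(prop "$f" ldap.synchronization.java.naming.security.credentials)" ]; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD stat
        case $mode in
            *00) ;;   # 600/400: group and others have no access
            *) echo "WARN: $f stores the sync bind password in cleartext but has mode $mode; chmod 600 it"
               findings=$((findings+1)) ;;
        esac
    fi
    return $findings
}

# --- constructed sample: the values from this page with a placeholder password ---
WORK=$(mktemp -d)
BAD_FILE=$WORK/ldap-authentication.properties
cat > "$BAD_FILE" <<'EOF'
ldap.authentication.active=true
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=ccxe,dc\=com,dc\=cn
ldap.authentication.java.naming.provider.url=ldap://119.254.64.5:389
ldap.authentication.defaultAdministratorUserNames=uid\=zmpostfix,cn\=appaccts,cn\=zimbra
ldap.synchronization.java.naming.security.principal=uid\=zmpostfix,cn\=appaccts,cn\=zimbra
ldap.synchronization.java.naming.security.credentials=CHANGEME
ldap.synchronization.userSearchBase=ou\=people,dc\=ccxe,dc\=com,dc\=cn
ldap.synchronization.groupSearchBase=dc\=ccxe,dc\=com,dc\=cn
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.userIdAttributeName=uid
EOF
chmod 644 "$BAD_FILE"

# The same file with the three findings fixed: ldaps:// on 636, a uid instead of a DN, owner-only mode.
GOOD_FILE=$WORK/ldap-authentication.fixed.properties
sed -e 's#ldap://119.254.64.5:389#ldaps://119.254.64.5:636#' \
    -e 's/^\(ldap\.authentication\.defaultAdministratorUserNames=\).*/\1zmpostfix/' \
    "$BAD_FILE" > "$GOOD_FILE"
chmod 600 "$GOOD_FILE"

echo "# bind DN for login 'alice': $(bind_dn_for "$BAD_FILE" alice)"
verify_cmds "$BAD_FILE"
audit_ldap_props "$BAD_FILE" || echo "# $? finding(s) in $BAD_FILE"
audit_ldap_props "$GOOD_FILE" && echo "# no findings in $GOOD_FILE"
```

Run the two printed ldapsearch commands from the Alfresco host: the first must return one entry per user with the uid attribute (those become Alfresco user names), the second the groups with their member DNs. If the bind fails there, it will fail in Alfresco too, and the same applies to a personQuery that returns nothing.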
After editing, restart Alfresco.
Logins are then verified against the user accounts on the LDAP server.