Alfresco Deployment + LDAP Authentication Configuration


1. Installing Alfresco

Download the latest version of Alfresco from http://wiki.alfresco.com/wiki/Download_Community_Edition

The installer used in this article is: alfresco-community-3.4.c-installer-linux-x64.bin

Upload the installer to the /opt directory

chmod +x alfresco-community-3.4.c-installer-linux-x64.bin

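./alfresco-community-3.4.c-installer-linux-x64.bin

Then follow the prompts to choose the components to install, the installation directory, the MySQL administrator password, the Alfresco administrator password and so on. Installation begins once these are set.

After installation completes, start Alfresco:

service alfresco start

Open in a browser: http://localhost:8080/alfresco

The Alfresco home page appears, and you can log in with the admin user and the password set earlier.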

 

2. Chinese localization

Download the language pack for your version from http://forge.alfresco.com/projects/zh-package/

unzip language_Pack.zip

chmod +x install_language_pack.sh

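./install_language_pack.sh

Edit the following file to add the Chinese language option to the login page:

vim /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/web-client-config.xml

Find the <languages> node

Add a line: <language locale="zh_CN">Chinese (Simplified)</language>

Save and exit

Restart the Alfresco service:

service alfresco restart

Visit: http://localhost:8080/share

The document management page is now displayed in Chinese.

Note: this language pack only localizes that part of the application; the rest is not translated.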

 

3. Adjusting JVM memory

Change to the directory /opt/alfresco-3.4.c/tomcat/scripts

Modify the following line in ctl.sh:

JAVA_OPTS="-XX:MaxPermSize=1024m -Xms512m -Xmx2048m -Dalfresco.home=/opt/alfresco-3.4.c -Dcom.sun.management.jmxremote"

Set the memory sizes to the values you need.

 

4. Configuring LDAP authentication

Edit the main Alfresco configuration file:

vim /opt/alfresco-3.4.c/tomcat/shared/classes/alfresco-global.properties

Add the following:

ntlm.authentication.sso.enabled=false

passthru.authentication.authenticateCIFS=false

ldap.synchronization.active=true

authentication.chain=myldap:ldap

 

Next, configure LDAP itself.

The LDAP configuration files are in the following directory:

/opt/alfresco-3.4.c/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap

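mkdir myldap   # must match authentication.chain=myldap:ldap in the main configuration file

cp ldap-authentication.properties myldap/  # copy the configuration file template

mv ldap-authentication.properties ldap-authentication.properties.bak  # disable the original configuration file

Then edit myldap/ldap-authentication.properties

so that it contains the following: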

# This flag enables use of this LDAP subsystem for authentication. It may be

# that this subsystem should only be used for synchronization, in which case

# this flag should be set to false.

# Choose whether to use LDAP for user authentication

ldap.authentication.active=true 

 

#

# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions

#

# Whether to allow anonymous (guest) login; choose according to your situation. Here we choose false

ldap.authentication.allowGuestLogin=false 

# How to map the user id entered by the user to that passed through to LDAP

# - simple

#    - this must be a DN and would be something like

#      uid=%s,ou=People,dc=company,dc=com

# - digest

#    - usually pass through what is entered

#      %s

# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will

# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to

# appear in the DN.

# Choose how the entered user ID is mapped to the user node in the DN used for authentication

ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=ccxe,dc\=com,dc\=cn

 

# The LDAP context factory to use

# The factory class name used for the LDAP environment; servers that follow the Open LDAP standard generally do not need this setting changed

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

 

# The URL to connect to the LDAP server

# LDAP server address

ldap.authentication.java.naming.provider.url=ldap://119.254.64.5:389

 

# The authentication mechanism to use for password validation

# The authentication method used to connect to the LDAP server; it can be simple, DIGEST MD5, GSSAPI and so on. Here we use simple authentication

ldap.authentication.java.naming.security.authentication=simple

 

# Escape commas entered by the user at bind time

# Useful when using simple authentication and the CN is part of the DN and contains commas

ldap.authentication.escapeCommasInBind=false

 

# Escape commas entered by the user when setting the authenticated user

# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is

# pulled in as part of an LDAP sync

# If this option is set to true it will break the default home folder provider as space names can not contain \

ldap.authentication.escapeCommasInUid=false

 

# Comma separated list of user names who should be considered administrators by default

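# The system administrator users; there can be several, separated by commas. These users are granted access to the Alfresco administration back end. They must be users that exist in your LDAP directory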

ldap.authentication.defaultAdministratorUserNames=uid\=zmpostfix,cn\=appaccts,cn\=zimbra

 

# This flag enables use of this LDAP subsystem for user and group

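# synchronization. It may be that this subsystem should only be used for

# authentication, in which case this flag should be set to false.

# Whether to enable synchronization. If LDAP contains users that do not exist in the Alfresco database, they are synchronized automatically. The reverse does not apply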

ldap.synchronization.active=true

 

# The authentication mechanism to use for synchronization

ldap.synchronization.java.naming.security.authentication=simple

 

# The default principal to use (only used for LDAP sync)

# The LDAP server administrator account used for synchronization

ldap.synchronization.java.naming.security.principal=uid\=zmpostfix,cn\=appaccts,cn\=zimbra

 

# The password for the default principal (only used for LDAP sync)

# The password of the administrator account specified above

ldap.synchronization.java.naming.security.credentials=3skemZGlp0

 

# If positive, this property indicates that RFC 2696 paged results should be

# used to split query results into batches of the specified size. This

# overcomes any size limits imposed by the LDAP server.

ldap.synchronization.queryBatchSize=0

 

# If positive, this property indicates that range retrieval should be used to fetch

# multi-valued attributes (such as member) in batches of the specified size.

# Overcomes any size limits imposed by Active Directory.       

ldap.synchronization.attributeBatchSize=0

 

# The query to select all objects that represent the groups to import.

# The object type selected when querying groups

ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

 

# The query to select objects that represent the groups to import that have changed since a certain time.

# The expression used to synchronize only the nodes that have changed (same below)

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

 

# The query to select all objects that represent the users to import.

# The object type selected when querying users

ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

 

# The query to select objects that represent the users to import that have changed since a certain time.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

 

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.

# Location of the group information

ldap.synchronization.groupSearchBase=dc\=ccxe,dc\=com,dc\=cn

 

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.

# Location of the user information

ldap.synchronization.userSearchBase=ou\=people,dc\=ccxe,dc\=com,dc\=cn

 

# The name of the operational attribute recording the last update time for a group or user.

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

 

# The timestamp format. Unfortunately, this varies between directory servers.

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

 

# The attribute name on people objects found in LDAP to use as the uid in Alfresco

ldap.synchronization.userIdAttributeName=uid

 

# The attribute on person objects in LDAP to map to the first name property in Alfresco

ldap.synchronization.userFirstNameAttributeName=givenName

 

# The attribute on person objects in LDAP to map to the last name property in Alfresco

ldap.synchronization.userLastNameAttributeName=sn

 

# The attribute on person objects in LDAP to map to the email property in Alfresco

ldap.synchronization.userEmailAttributeName=mail

 

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco

ldap.synchronization.userOrganizationalIdAttributeName=o

 

# The default home folder provider to use for people created via LDAP import

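# The default home folder provider used when a new user logs in for the first time after synchronization. Make sure the provider chosen here works correctly, otherwise synchronized users may be unable to log in

# For the usage of the various HomeFolderProviders, see http://wiki.alfresco.com/wiki/Security_Services#Providers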

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

 

# The attribute on LDAP group objects to map to the authority name property in Alfresco

ldap.synchronization.groupIdAttributeName=cn

 

# The attribute on LDAP group objects to map to the authority display name property in Alfresco

ldap.synchronization.groupDisplayNameAttributeName=description

 

# The group type in LDAP

ldap.synchronization.groupType=groupOfNames

 

# The person type in LDAP

ldap.synchronization.personType=inetOrgPerson

 

# The attribute in LDAP on group objects that defines the DN for its members

ldap.synchronization.groupMemberAttributeName=member

 

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.

ldap.synchronization.enableProgressEstimation=true

 

After making the changes, restart Alfresco.

You can then log in using the user information from the LDAP server.
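A review pass over the finished ldap-authentication.properties, as an added example that is not part of the original article or of Alfresco: it reads the file format used above (including the `\=` escapes) and reports settings that weaken the login path. The host name, DNs, password placeholder and finding codes are assumptions made up for the example.

```python
import re

# Constructed sample in the same shape as the file above; host, DNs and password are placeholders.
SAMPLE = r"""
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=example,dc\=com
ldap.authentication.java.naming.provider.url=ldap://ldap.example.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=uid\=svc,cn\=appaccts,cn\=example
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.credentials=PLACEHOLDER
"""

def parse_properties(text):
    """Minimal .properties reader: key=value lines, #/! comments, backslash escapes.
    Simplification: an escaped character is taken literally (no newline or unicode escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at the first '=' or ':' that is not backslash-escaped.
        m = re.match(r"((?:\\.|[^\\=:])*)[=:](.*)", line)
        if m:
            props[m.group(1).strip()] = re.sub(r"\\(.)", r"\1", m.group(2).strip())
    return props

def audit(props):
    """Return finding codes for settings that weaken the LDAP login path."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    for sub in ("authentication", "synchronization"):
        mech = props.get(f"ldap.{sub}.java.naming.security.authentication", "")
        # A simple bind over ldap:// sends the DN and password unencrypted.
        if url.lower().startswith("ldap://") and mech.lower() == "simple":
            findings.append(f"cleartext-simple-bind:{sub}")
    if props.get("ldap.authentication.allowGuestLogin", "").lower() == "true":
        findings.append("guest-login-enabled")
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("sync-password-in-file")  # restrict read access to this file
    admins = props.get("ldap.authentication.defaultAdministratorUserNames", "")
    # The template describes this as a comma-separated list of user names, so a DN
    # is split at its commas into fragments such as "uid=svc".
    if any("=" in name for name in admins.split(",")):
        findings.append("admin-list-looks-like-dn")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE)):
        print(finding)
```

Pointing the provider URL at an ldaps:// listener clears the two cleartext-simple-bind findings; the sync password still sits in the file in plain text, so the file's read permissions matter.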
