Chapter 11. Leveraging Alfresco Framework for WCM

Alfresco is the leading provider of open source Enterprise Content Management and provides Enterprise grade, scalable, robust, portable, and reliable solutions for managing any type of content, including documents, digital assets, and web content. Alfresco has different modules to manage different kinds of content. Document Management (DM) and Web Content Management (WCM) are the two main and widely used modules of Alfresco.

Alfresco Document Management captures, shares, and retains content, enabling users to version, search, and easily build their own content applications. Alfresco Web Content Management allows organizations to rapidly create and more effectively maintain dynamic Internet, intranet, and extranet sites, shortening the web development cycle and providing a high return on investment and a low cost of ownership. The Alfresco framework is built on state-of-the-art open source frameworks such as Spring, Hibernate, Lucene, and JSF. DM and WCM are two different feature sets built on Alfresco's common infrastructure framework, which also provides services such as security, workflow, library, and search that any module can use. In this chapter, we will discuss how you can leverage the Alfresco DM features for WCM and cover the following topics:

  • Membership and Security Mechanisms
  • FFMPEG Integration
  • DM content in WCM
  • Image Transformation
  • Advanced Search
  • Metadata Extractor

Membership and Security Mechanism

The Alfresco security model is flexible and allows you to choose either its built-in security or an external security model defined by your organization, by using systems such as LDAP and Active Directory. You will understand various security models and learn to choose the one that is most suited to your enterprise's requirements. The Alfresco membership system is highly scalable and can cater to a number of users and content managers. The Alfresco WCM can also leverage the security mechanism provided by Alfresco DM.

Consider a company whose people from different departments need to access the Alfresco WCM system, and which already has its own directory-based central authentication system. Here you have two possibilities:

  • Use Alfresco's out-of-the-box membership system and create accounts for all those users in Alfresco.
  • Configure Alfresco with LDAP for centralized identity management: the users who need access are imported from the existing LDAP directory into Alfresco and are authenticated against the central authentication system (LDAP).

As the company already has its own directory, the second approach is preferred. We can configure Alfresco with LDAP and import the users into Alfresco. Once the users are available in Alfresco, we can easily associate them with a web project in Alfresco WCM. This is already described in Chapter 3, Getting Started with Alfresco WCM; refer to that chapter for further details.

Configuring LDAP for centralized identity management

LDAP evolved from the X.500 OSI Directory Access Protocol. An LDAP directory is the central authentication engine for the enterprise and serves as the yellow pages for user access and profile information. The biggest advantage of LDAP is that your enterprise can access the LDAP directory from almost any computing platform, using any of the increasing number of readily available LDAP-aware applications. In fact, LDAP is finding much wider industrial acceptance because of its status as an Internet standard.

You can use LDAP with any directory server, such as iPlanet, Novell's eDirectory, Microsoft's Active Directory, or OpenLDAP. If you are planning to implement an LDAP directory in your organization, you may consider OpenLDAP, Active Directory, or eDirectory. OpenLDAP is a stable and widely accepted open source directory server.

LDAP configuration with Active Directory

Active Directory supports LDAP-based authentication. It can also support authentication using JAAS with Kerberos, and NTLM authentication; only NTLM gives you a Single Sign-On solution. It is possible to use any of these authentication methods against an Active Directory server and extract user and group information via LDAP.

For the LDAP to work with Alfresco, you have to make some changes in the configuration files.

Follow the steps given below to configure LDAP-based authentication with Active Directory.

  1. Open the <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties file and modify the following properties to the values you need. All other properties can be kept as they are in the file.
    • ldap.authentication.active=true (this flag enables LDAP as the authentication mechanism; if set to false, LDAP is used only for synchronization)
    • ldap.authentication.userNameFormat=CN=%s,DC=company,DC=com (this maps the user ID entered by the user to the DN passed to LDAP; the %s is replaced with whatever the user types as their user ID on the login screen)
    • ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389 (the name and port of your LDAP server; the standard port for LDAP is 389)
    • ldap.authentication.java.naming.security.authentication=simple (the authentication mechanism you want to use)
    • ldap.authentication.defaultAdministratorUserNames=admin,User1 (the names of the LDAP users who should be treated as administrators, separated by commas)
  2. Open the <alfresco>/tomcat/shared/classes/alfresco-global.properties file and uncomment the following line:
    authentication.chain=alfrescoNtlm1:alfrescoNtlm

    To configure LDAP as the authentication mechanism, change this property to ldap:ldap, as follows:

    authentication.chain=ldap:ldap

  3. Open the file-server-custom.xml file. Add the following code:
    <config evaluator="string-compare" condition="CIFS Server" replace="true">
      <serverEnable enabled="false"/>
      <host name="${cifs.localname}A" domain="${cifs.domain}"/>
      <comment>Alfresco CIFS Server</comment>
      <!-- Set to the broadcast mask for the subnet -->
      <broadcast>${cifs.broadcast}</broadcast>
      <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>
      <!-- Can be mapped to non-privileged ports, then use firewall
           rules to forward requests from the standard ports -->
      <!--
      <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
      -->
      <hostAnnounce interval="5"/>
      <!-- Use Win32 NetBIOS interface on Windows -->
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>
      <!-- CIFS authentication -->
      <authenticator type="passthru">
        <LocalDomain/>
      </authenticator>
      <!--
      <WINS>
        <primary>1.2.3.4</primary>
        <secondary>5.6.7.8</secondary>
      </WINS>
      -->
      <sessionDebug flags="Negotiate,Socket"/>
    </config>
    <config evaluator="string-compare" condition="FTP Server" replace="true">
      <serverEnable enabled="false"/>
      <!-- Run on a non-privileged port -->
      <!--
      <port>1121</port>
      -->
      <!-- FTP authentication -->
      <authenticator type="alfresco"/>
      <!-- <debug flags="File,Search,Error,Directory,Info,DataPort"/> -->
    </config>
    <config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <!-- Pass-through authentication against the directory server named below -->
      <authenticator type="passthru">
        <!-- the name of your ldap server -->
        <Server>openldap.domain.com</Server>
      </authenticator>
    </config>

This authentication mechanism (simple bind) sends usernames and passwords in plain text, so the link to the directory should be protected, for example with an ldaps:// provider URL or by confining it to a trusted network. It is the simplest to set up and is supported by both Active Directory and OpenLDAP.

LDAP synchronization

As you have already configured LDAP with Active Directory, the next step will be to extract information from Active Directory. This synchronization of people and groups between the Alfresco repository and LDAP is supported by scheduled jobs. These jobs extract the user or group information from the LDAP repository and create the appropriate information as an Alfresco import XML file. This file is then imported into the repository.

Follow these steps to export users and groups from Active Directory:

  1. Open the <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties file. Modify the following properties to the values you need. All other properties can be kept as they are in the file:
    • ldap.synchronization.java.naming.security.principal=admin

      (the user that has read access to the group and people information to be extracted from the Active Directory server)

    • ldap.synchronization.java.naming.security.credentials=secret

      (the password for the user defined above)

    • ldap.synchronization.personQuery=(objectclass=inetOrgPerson)
    • ldap.synchronization.userSearchBase=dc=company,dc=com

      (these two options combine to make the query that finds people; with the values above, all objects of type inetOrgPerson anywhere in the directory are found)

    • ldap.synchronization.groupQuery=(objectclass=groupOfNames)
    • ldap.synchronization.groupSearchBase=dc=example,dc=com

      (these two options combine to make the query that finds groups; with the values above, all objects of type groupOfNames anywhere in the directory are found)

  2. Ensure that your earlier changes are saved. Start Alfresco. On restarting, you will be able to log into the Alfresco repository with LDAP users only.
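The authentication keys from the Active Directory section and the synchronization keys listed above are easy to get subtly wrong (a stray space inside an LDAP filter becomes part of the value that is searched for, and a simple bind over ldap:// carries passwords in clear text). The following checker, an added example that is not code from the book or from Alfresco, reads a properties file with a minimal Java .properties parser and reports such problems. The key names are the ones shown in the chapter; the sample file content, the function names, and the severity labels are constructed for this example.

```python
"""Sanity-check the security-relevant keys of an Alfresco ldap-authentication.properties file.

Added example, not code from the book or from Alfresco. Key names follow the
chapter; the sample file content below is constructed (one stray space is left
in the person query on purpose, to show what the filter check reports).
"""
import re
from urllib.parse import urlparse

SAMPLE_PROPERTIES = """\
# LDAP authentication (constructed sample using the chapter's values)
ldap.authentication.active=true
ldap.authentication.userNameFormat=CN=%s,DC=company,DC=com
ldap.authentication.java.naming.provider.url=ldap://openldap.domain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=admin,User1
# LDAP synchronization
ldap.synchronization.java.naming.security.principal=admin
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.personQuery=(objectclass= inetOrgPerson)
ldap.synchronization.userSearchBase=dc=company,dc=com
ldap.synchronization.groupQuery=(objectclass=groupOfNames)
ldap.synchronization.groupSearchBase=dc=example,dc=com
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only; DNs contain more
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ldap_config(props):
    """Return a list of (severity, message) findings; an empty list means nothing to report."""
    findings = []

    def get(key, default=""):
        return props.get(key, default)

    # Authentication keys (Active Directory section)
    if get("ldap.authentication.active").lower() != "true":
        findings.append(("info", "ldap.authentication.active is not true; LDAP is used for synchronization only"))

    if "%s" not in get("ldap.authentication.userNameFormat"):
        findings.append(("error", "ldap.authentication.userNameFormat lacks the %s placeholder, "
                                  "so the typed user ID cannot be mapped to a DN"))

    url = urlparse(get("ldap.authentication.java.naming.provider.url"))
    mechanism = get("ldap.authentication.java.naming.security.authentication", "simple")
    if url.scheme == "ldap" and mechanism == "simple":
        findings.append(("warning", "simple bind over ldap:// sends user passwords in clear text; "
                                    "use ldaps:// or confine the link to a trusted network"))
    elif url.scheme not in ("ldap", "ldaps"):
        findings.append(("error", f"unexpected provider URL scheme {url.scheme!r}"))

    admins = [a.strip() for a in get("ldap.authentication.defaultAdministratorUserNames").split(",") if a.strip()]
    if admins:
        findings.append(("info", "LDAP accounts that become Alfresco administrators: " + ", ".join(admins)))

    # Synchronization keys (this section)
    if (get("ldap.synchronization.java.naming.security.principal")
            and not get("ldap.synchronization.java.naming.security.credentials")):
        findings.append(("error", "synchronization principal is set but its credentials are empty"))

    for key in ("ldap.synchronization.personQuery", "ldap.synchronization.groupQuery"):
        flt = get(key)
        if flt.count("(") != flt.count(")"):
            findings.append(("error", f"{key}: unbalanced parentheses in filter {flt!r}"))
        if re.search(r"=\s+\S", flt):
            findings.append(("error", f"{key}: whitespace after '=' in {flt!r} becomes part of the matched value"))
    return findings


if __name__ == "__main__":
    for severity, message in check_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
```

Run it against the real file by replacing SAMPLE_PROPERTIES with the file's contents; the checker only reads key/value pairs and never connects to the directory, so it can be run before the restart in step 2.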

Daisy Chaining

If you also want to log into the Alfresco repository with Alfresco's own users, you have to make some more changes in the configuration files. This concept is called Daisy Chaining; it allows you to configure multiple authentication components for authentication.

With version 3.2, Alfresco introduced the concept of sub-systems. A sub-system is a configurable module responsible for a sub-part of Alfresco functionality. Authentication is one such sub-system available in 3.2: a stack of multiple components responsible for authentication in Alfresco.

For more information on Alfresco Authentication sub-systems, you can refer to the Wiki link: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems.

With this approach, authentication sub-systems are easily chained, so configuring chained authentication is now very easy. The steps to configure chaining are as follows:

  1. Open the <alfresco>/tomcat/shared/classes/alfresco-global.properties file and uncomment the following line:
    authentication.chain=alfrescoNtlm1:alfrescoNtlm

  2. To configure more than one authentication component for chaining, add as many authenticators as you want, separated by commas, as shown below:
    authentication.chain=ldap1:ldap,ldap2:ldap,alfrescoNtlm:alfrescoNtlm

    Here we have three different authenticators for chained authentication: ldap1 and ldap2 are for LDAP authentication and alfrescoNtlm is for the default Alfresco authentication. When a user logs into the system, Alfresco tries the authenticators in the order defined above.

  3. Configuration files for ldap1 and ldap2 are created as follows:

    Copy <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties to <alfresco>/tomcat/shared/classes/alfresco/subsystems/Authentication/ldap1/ldap-authentication.properties.

    Copy <alfresco>/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties to <alfresco>/tomcat/shared/classes/alfresco/subsystems/Authentication/ldap2/ldap-authentication.properties.

  4. Now, modify this property file for ldap1 and ldap2 accordingly to provide the LDAP configuration details in both the files. Configuring LDAP is already explained in the previous section.
  5. Restart the server and you can verify the chaining by logging in with an Alfresco local user and the LDAP user as well.
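The order of the authentication.chain value decides which member of the chain gets to accept a login, and a user ID that exists in more than one directory can be accepted by either of them. The model below, an added example that is not code from the book or from Alfresco, parses the chain value shown in step 2 and walks it the way the chapter describes (members tried in the listed order); it assumes that a login rejected by one member falls through to the next. The in-memory user stores, their passwords, and the function and class names are constructed for this example; find_duplicate_accounts lists user IDs present in several members so they can be reviewed before the restart in step 5.

```python
"""Model of Alfresco chained authentication order.

Added example, not code from the book or from Alfresco. parse_chain reads the
authentication.chain value from step 2; the authenticators, users and
passwords below are constructed test data, not a real directory.
"""


def parse_chain(value):
    """'ldap1:ldap,ldap2:ldap,alfrescoNtlm:alfrescoNtlm' -> [('ldap1', 'ldap'), ...] in chain order."""
    chain = []
    for entry in value.split(","):
        entry = entry.strip()            # tolerate spaces around the commas
        if not entry:
            continue
        instance, sep, subsystem_type = entry.partition(":")
        if not sep or not instance.strip() or not subsystem_type.strip():
            raise ValueError(f"malformed chain entry {entry!r}: expected <instance id>:<subsystem type>")
        chain.append((instance.strip(), subsystem_type.strip()))
    return chain


class MemoryAuthenticator:
    """Stand-in for one authentication sub-system (constructed; not Alfresco's API)."""

    def __init__(self, users):
        self.users = dict(users)         # username -> password, constructed test data

    def authenticate(self, username, password):
        return username in self.users and self.users[username] == password


def authenticate_through_chain(chain, authenticators, username, password):
    """Return the id of the first chain member that accepts the login, or None if all reject it."""
    for instance, _subsystem_type in chain:
        authenticator = authenticators.get(instance)
        if authenticator is None:
            # step 3 of the chapter: every chain member needs its own configuration
            raise LookupError(f"no configuration for chain member {instance!r}")
        if authenticator.authenticate(username, password):
            return instance
    return None


def find_duplicate_accounts(chain, authenticators):
    """Map each user ID that exists in more than one chain member to those members, in chain order."""
    seen = {}
    for instance, _subsystem_type in chain:
        for username in authenticators[instance].users:
            seen.setdefault(username, []).append(instance)
    return {user: ids for user, ids in seen.items() if len(ids) > 1}


# The chain from step 2 and three constructed user stores behind it.
CHAIN = parse_chain("ldap1:ldap,ldap2:ldap,alfrescoNtlm:alfrescoNtlm")
AUTHENTICATORS = {
    "ldap1": MemoryAuthenticator({"alice": "pw-ldap1"}),
    "ldap2": MemoryAuthenticator({"bob": "pw-ldap2", "alice": "pw-ldap2"}),   # alice exists here too
    "alfrescoNtlm": MemoryAuthenticator({"admin": "admin-pw"}),
}


if __name__ == "__main__":
    for user, pw in (("alice", "pw-ldap1"), ("alice", "pw-ldap2"), ("admin", "admin-pw"), ("carol", "x")):
        print(f"{user}: accepted by {authenticate_through_chain(CHAIN, AUTHENTICATORS, user, pw)}")
    print("user IDs present in several chain members:", find_duplicate_accounts(CHAIN, AUTHENTICATORS))
```

In the constructed data, alice can log in through ldap1 with one password and through ldap2 with another, which is why the duplicate-account listing is worth running whenever a second directory is added to the chain.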

Note

Download the sample code from the Packt website.

User roles

In the previous section, we discussed the different Authentication mechanisms for users in Alfresco. Once the user is part of Alfresco, either created in Alfresco or imported from LDAP or any other system, you can assign different roles to the user for providing specific permissions. The users and default roles to these users are controlled globally in Alfresco, which also affects the WCM.

By default, only the admin user has permission to create a web project in the Company Home | Web Projects folder. All users of the system have the Consumer role by default for this folder. That means those users have just "read" permission for the Web Projects folder; they cannot create a web project. If you want to allow a user other than admin to create a web project, an admin can assign the Contributor or a higher role to that user, who then has the right to create a new web project.

There are different roles available in Alfresco, which users can be assigned to. Following are the five basic roles:

  • Consumer: Read only permission
  • Contributor: Consumer + Permission to add/create new content
  • Editor: Consumer + Permission to edit the existing content
  • Collaborator: Contributor + Editor
  • Coordinator: Collaborator + Permission to delete the content

As mentioned here, to create a web project, a user at least needs the Contributor role.

Another scenario is if you remove the default consumer roles available to all the users for the Company Home | Web Projects space, then even if the user is a member of some web project, he will not be able to see the Web Project folder. Therefore, the user will not have access to that web project of which he is also a member.

In this way, you control the users' access from outside Web Content Management.
