Updated Alfresco Solr Checks

As some may know…

A little while back I put up some checks for Alfresco Solr Here and wrote a little blog Here

Well over the last few weeks I have added yet more checks to it and I’ve also added some caching of the results so it will now no longer make a separate request to solr for each check and instead will use a local cached copy of the results and after 5 mins get a new one. The reason for this is that most of the results don’t change that frequently and with nagios it was calling each check so 20 calls to solr over a 5 min period, well each individual check is only verified once every 5 mins so now it will pull the report once and reference that cached copy for 5 mins, after that it will simply pull a new one…

In addition to the caching it now has 13 new checks! including cumulative hit ratios which are typically more relavent than the normal hit ratios as they are based over all time (Since reboot) and no, I don’t know how long the normal hitratios are based over.

There is also some checks for the number of Transactions remaining and the number of change sets remaining, these combined with the Lag can give you an indication of how far behind / how much work is left for Solr to do so quite useful.

If you need any help with these or have a few additional checks that are relavant let me know I’m happy to help.

Alfresco with Shibbolath authentication

Some background

While at work a requirement came up to integrate a third parties Shibbolath server with Alfresco, I’m not normally the first person to start customising alfresco but I was quite lucky that a partner had provided some notes and there was an abundance of people at work who were interested enough to help me out. The wiki is pretty good for this and can be found: Here

Now there’s a few “gotchas” that are worth bringing up and things I learnt…

  1. When modifying share-custom-config.xml ensure not Amps are applying it. I noticed even if I applied the changes form the AMP into share-config-custom.xml both things didn’t work very well but consolidating to one place did.
  2. No one ever told me where to get the share-config-custom.xml so I just made one with my changes in, it was wrong and you may find it in webapps/share/WEB-INF/classes/alfresco/web-extension/share-config-custom.xml
  3. There’s some useful tools out there, I was originally trying to do header based auth, but this is not recommended and with the correct configuration it is not needed, either way I was using firefox and the Modify Headers and Live HTTP Headers plugins
  4. At the bottom of the alfresco Wiki there’s some shibboleth paths which will confirm the details are being sent over

On with the “fun”


First things first you need to get hold of mod_shib, now I was luckily enough to be granted access to a remote yum repo where the packages had already been built, for you, you’re not so lucky, see this

To add the module to apache you’ll need to add a module to your mods-enabled or where ever you keep your mods

LoadModule mod_shib /usr/lib64/httpd/modules/mod_shib_22.so

Once that is in place you only need to add a couple of lines the apache site to make it work i.e.

<Proxy balancer://Alfproxy>
    BalancerMember ajp://localhost:8009
  ProxyPass /share balancer://Alfproxy/share stickysession=JSESSIONID|jsessionid
  ProxyPassReverse /share balancer://Alfproxy/share
  ProxyPass /alfresco balancer://Alfproxy/alfresco stickysession=JSESSIONID|jsessionid
  ProxyPassReverse /alfresco balancer://Alfproxy/alfresco
<Location / >
AuthType Shibboleth
ShibRequireSession On
require valid-user

Note that the config of the proxy is important but yours does not necessarily need to be a balance member of 1, this was just because we have a template that accepts multiple hosts and this keeps the configuration more consistant, other than that’s it for Apache, now Shibboleth, Good luck.


I don’t have much to say here, I was luck enough to be provided a shibboleth2.xml and an attributes-map.xml I just had to add my own details in, so adding in the correct IDP, paths to SSL certs and ensuring that the REMOTE_USER is set correctly i.e.

<ApplicationDefaults entityID="https://idp.server.com/shibboleth"

This is picked up by share / alfresco to use and will only work if you’re using AJP to proxy…

Also with shibboleth it’s worth ensuring it is set to come on with a boot (chkconfig –list)
This is all I have to say on shibboleth, I suggest you read other places if you think it’s not working… but getting it to redirect to an IDP was not too bad as long as the file is set up appropriately and there’s a few sites out there including TestSHib and the shibboleth wiki


This is important… on your connector line in /etc/tomcat6/server.xml for port 8009 (or where ever ajp is) you will need to add this:


This is it for tomcat, ignore at your peril.

Alfresco global properties

Just use this, Don’t question it. *NB* See comments below, this is a bad idea if you’re /alfresco on the internet, this config is only going to work if you use share only and access to /alfresco is blocked.

# This header can be changed but should match the configuration in 
# share-config-custom.xml

You can do all sorts of funky stuff with LDAP and mapping attributes but then you’d have to set up LDAP.


You can read the alfresco wiki for more information but this will work…


  <!-- example port config used to access remote Alfresco server (default is 8080) -->
   <config evaluator="string-compare" condition="Remote">
            <name>Alfresco - unauthenticated access</name>
            <description>Access to Alfresco Repository WebScripts that do not require authentication</description>

            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>

            <name>Alfresco Feed</name>
            <description>Alfresco Feed - supports basic HTTP authentication via the EndPointProxyServlet</description>
            <name>Activiti Admin UI - user access</name>
            <description>Access to Activiti Admin UI, that requires user authentication</description>

        Overriding endpoints to reference an Alfresco server with external SSO enabled
        NOTE: If utilising a load balancer between web-tier and repository cluster, the "sticky
              sessions" feature of your load balancer must be used.
        NOTE: If alfresco server location is not localhost:8080 then also combine changes from the
              "example port config" section below.
        *Optional* keystore contains SSL client certificate + trusted CAs.
        Used to authenticate share to an external SSO system such as CAS
        Remove the keystore section if not required i.e. for NTLM.
        NOTE: For Kerberos SSO rename the "KerberosDisabled" condition above to "Kerberos"
        NOTE: For external SSO, switch the endpoint connector to "AlfrescoHeader" and set
              the userHeader to the name of the HTTP header that the external SSO
              uses to provide the authenticated user name.
   <config evaluator="string-compare" condition="Remote">
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using cookie-based authentication</description>
            <name>Alfresco Connector</name>
            <description>Connects to an Alfresco instance using header and cookie-based authentication</description>
            <userHeader>X-Alfresco-Remote-User</userHeader> <!-- pointless setting it to X-Alfresco-Remote-User as this header is always sent -->

            <name>Alfresco - user access</name>
            <description>Access to Alfresco Repository WebScripts that require user authentication</description>

By this point, if everything has gone well and httpd, shibboleth and tomcat have all been restarted you should be able to login!

When logins don’t work…

If you aren’t getting re-directed to the IDP to put in credentials then your Shibboleth configuration is probably wrong. Sometimes this may be caused by the IDP not having your SP’s metadata or relavent details, (you go to https://myserver/Shobboleth.sso/Metadata ) it’s worth reading it and making sure the links to your servers are https and that there are SSL certificates embedded in it.

If you get redirected to share login page and no further then your share configuration / apache could be wrong, there’s a few things to do to test this.
1, Take apache out of the equation, Reconfigure share-config-custom to use “alfrescoHeader” as the connector-id of the endpoint, then using modify Headers in Firefox and Live HTTP headers you should be able to simply set “X-Alfresco-Remote-User” to say me.test@example.com and reload the share login. This should work, if it doesn’t then the share configuration may be wrong.
2, Go to /alfresco For me the /alfresco Login worked right away with no special configuration outside of the global properties (note guest login is disabled in my set up…) if this isn’t working Share never will, if this works with apache you know all is well and it’s just share.

You may want to try a few special paths such as https://myserver/Shibboleth.sso/Service and https://myserver/Shibboleth.sso/Status (I had to modify shibboleth2.xml to add a acl to grant this you may need to too…) they can at least tell you if attributes are being seen by Mod_shib i.e. the data’s there and it needs to be made use of.

Hopefully this will prove helpful… I can’t recommend the Wiki enough it’s got everything you need on it except a share-config-custom.xml (like the one above…)

Just a short update…

Really will be…

Over the last few weeks my work life has been a bit topsy turvey, thanks to new projects at work and existing ones that still ened to be done, The good news is next weeks blog will be mildly useful to anyone that’s ever tried to integrate alfresco with Shibboleth, but I don’t have the time to write it now and do it justice so it will have to wait…

The good news is I’m hoping with Christmas coming up I’ll be able to spend a bit more time on some more ruby and maybe update some of my github projects, in particular I think I’d like to get the Sentinel project re-write finished so I can start extending it. Over the last few weeks I’ve been thinking about how I’m intending to use it and I think I may try and hook it into nagios or graphite or some tool that already does monitoring / tracks metrics and simply have it carry out the actions. For those that don’t know sentinel will pretty much just keep httpd up and running at the moment, in theory it would work with any process but it is only really checking the process state and taking actions based on that. Either way that needs to progress.

I said it’d be short, this is it, people that expected more I apologise maybe next week will bring more joy for you.