https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200852#M153982 <HTML><HEAD></HEAD><BODY><SPAN>Hi there,</SPAN><BR /><SPAN>I'm working on a Alfresco CAS LDAP installation. Most things are up and running but I have still some questions. My idea is to have one single CAS Server for SSO for Liferay and multiple Alfresco servers for different customers. The CAS server (with ApacheDS) is configured to search the whole directory (DC=ALL, DC=Customers), the Alfresco servers ldap authentification and synchronisation is configured with this searchbase:</SPAN><BR /><BR /><SPAN>ldap.authentication.userNameFormat=cn=%s,ou=customer1people,ou=custumer1groups,dc=all,dc=customers.</SPAN><BR /><BR /><SPAN>Now I have the following problem:</SPAN><BR /><SPAN>Every user who has a valid cas login (all users from ou=customer1, ou=customer2…) is allowed to login to the alfresco webclient on server customer1 despite he is definitely not in the list of users which is imported via ldap (I checked the XML files with the LPAD importdata)?</SPAN><BR /><SPAN>There is one difference between the users who are importet from LDAP and those who can login through CAS: webdav login is only permitted for the LDAP authentificated users, that makes me sure that the LDAP settings for alfresco are correct.</SPAN><BR /><SPAN>Is there any chance to allow only the members of ou=customer1people,ou=custumer1groups to alfresco on server customer1 even if cas accept all members of my directory.</SPAN><BR /><SPAN>Another question is is it possible to authentificate against multiple ou like customer1 an support for server customer1, ou=customer2 and ou=support for server customer2 and so on?</SPAN><BR /><BR /><SPAN>I hope some of you will understand what I tried to explain and may have a solution for this setup.</SPAN><BR /><BR /><SPAN>Thanks in advance</SPAN><BR /><BR /><SPAN>Arne Kaiser</SPAN></BODY></HTML> Thu, 12 Feb 2009 16:29:14 GMT arnekaiser 2009-02-12T16:29:14Z https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200852#M153982 Hi there,I'm working on a Alfresco CAS LDAP installation. Most things are up and running but I have still some questions. My idea is to have one single CAS Server for SSO for Liferay and multiple Alfresco servers for different customers. The CAS server (with ApacheDS) is configured to search the who Thu, 12 Feb 2009 16:29:14 GMT https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200852#M153982 arnekaiser 2009-02-12T16:29:14Z https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200853#M153983 <HTML><HEAD></HEAD><BODY><SPAN>Did you solve it?</SPAN></BODY></HTML> Mon, 02 Mar 2009 20:51:11 GMT https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200853#M153983 juan 2009-03-02T20:51:11Z https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200854#M153984 <HTML><HEAD></HEAD><BODY><SPAN>no, its still open.</SPAN></BODY></HTML> Sun, 08 Mar 2009 18:43:45 GMT https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200854#M153984 arnekaiser 2009-03-08T18:43:45Z https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200855#M153985 <HTML><HEAD></HEAD><BODY><SPAN>I have found a workaround for a similar issue;</SPAN><BR /><BR /><SPAN>Import desired LDAP users and change authentication-services-context.xml at line 280:</SPAN><BR /><SPAN>(change default "createMissingPeople" value from&nbsp; ${server.transaction.allow-writes} -&gt; false )</SPAN><BR /><BR /><BR /><SPAN style="color:#0000FF;">&lt;bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init"&gt;</SPAN><BR /><SPAN>…</SPAN><BR /><SPAN>…</SPAN><BR /><SPAN style="color:#00BF00;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Some authentication mechanisms may need to create people –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– in the repository on demand. This enables that feature.&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– If dsiabled an error will be generated for missing&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– people. If enabled then a person will be created and&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– persisted.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!– Valid values are&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–&nbsp;&nbsp;&nbsp;&nbsp; ${server.transaction.allow-writes}&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;!–&nbsp;&nbsp;&nbsp;&nbsp; false&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; –&gt;</SPAN><BR /><SPAN style="color:#0000BF;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;property name="createMissingPeople"&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;value&gt;</SPAN><SPAN style="color:#000000;"> <STRONG>false</STRONG></SPAN><SPAN style="color:#0000BF;"> &lt;/value&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/property&gt;<BR />…<BR />…<BR />&lt;/bean&gt;</SPAN><BR /><BR /><SPAN>This way prevents Alfresco from creating any new user.</SPAN></BODY></HTML> Tue, 10 Mar 2009 08:29:20 GMT https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200855#M153985 juan 2009-03-10T08:29:20Z https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200856#M153986 <HTML><HEAD></HEAD><BODY><SPAN>Hi Juan,</SPAN><BR /><SPAN>that sounds like a suitable workaround, ich will try that ass soon as possible.</SPAN><BR /><BR /><SPAN>Thank You!</SPAN><BR /><BR /><SPAN>Arne</SPAN></BODY></HTML> Sun, 15 Mar 2009 17:00:57 GMT https://connect.hyland.com/t5/alfresco-archive/one-cas-server-for-multiple-alfresco-servers/m-p/200856#M153986 arnekaiser 2009-03-15T17:00:57Z