topic Re: Active Directory authentication: allow just group of users in Alfresco Archive

Active Directory authentication: allow just group of users

brgsousa — Tue, 15 Jan 2013 19:26:50 GMT

I have searched the web two days and found nothing that worked AND this forum.How can I allow only a group (not an organizational unit) to login and use the alfresco system?The main issue is that users are not just in one organizational unit. They are not just in the "Users" OU. I don't know how to

Re: Active Directory authentication: allow just group of users

brgsousa — Thu, 17 Jan 2013 19:39:36 GMT

I could try something different.
How can I allow synchronization of more than one ORGANIZATION UNIT (OU) ?

Re: Active Directory authentication: allow just group of users

brgsousa — Tue, 22 Jan 2013 21:01:18 GMT

Got it to work using this configuration:


ldap.synchronization.personType=user

ldap.synchronization.personQuery=(&(|(memberof=CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com)(memberof=CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(|(memberof=CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com)(memberof=CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=DC=intranet,DC=domain,DC=com
‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Active Directory authentication: allow just group of users

mrksjs — Wed, 23 Jan 2013 12:14:28 GMT

i was looking for this as well, thanks for finding a solution!

Re: Active Directory authentication: allow just group of users

nelsonoles — Mon, 28 Jan 2013 20:56:49 GMT

What file does this string reside in?
C:\Alfresco\tomcat\shared\classes\alfresc-global.properties
or
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ad1\ldap-ad-authtications.properties?

Any other hints you could toss my way. Trying to figure out AD Authentication, but it's about as easy as SAP was.

Re: Active Directory authentication: allow just group of users

jgionet76 — Mon, 04 Feb 2013 18:27:58 GMT

hi, pretty new to all of this.. so any help is very appreciated!
how would I specify/filter which company and department to only be synced?

thanks

Re: Active Directory authentication: allow just group of users

102020 — Wed, 13 Feb 2013 21:28:57 GMT

I have a howto I've created for alot of the essentials, may help:
https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/installation-upgrades/howto-installconfig-3

Re: Active Directory authentication: allow just group of users

therev — Mon, 30 Dec 2013 18:34:00 GMT

I've been banging my head against this for a couple of days and can't seem to get it running. I'm trying to only allow access to Alfresco to users in a specific group (Alfredo Access) in the following OU: DOMAIN > Service Accounts > Groups
Here's my current config (based on the above examples):
ldap.synchronization.personQuery=(&(|(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net)(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(|(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net)(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=dc\=*****,dc\=net

ldap.synchronization.userSearchBase=dc\=*****,dc\=net

Re: Active Directory authentication: allow just group of users

therev — Fri, 03 Jan 2014 16:47:17 GMT

I finally managed to caffeinate myself to a level where I could combat my own stupidity and got this working. Derp.

Re: Active Directory authentication: allow just group of users

gojko — Mon, 08 Sep 2014 14:05:00 GMT

Hi, I have the same problem. I need to allow login only for users in a certain group, and in "People" list only these can be shown. I did the same as above, and in /alfresco.log it indeed says it synched 7 users (which is correct), but all users from before can still login, and all users are listed. If I comment out ldap.authentication.userNameFormat=%s@doman.local as I've seen in docs, nobody can login except admin. Also, I don't see why (objectclass\=user) is used instead of (objectclass=user). I don't see anything else wrong with TheRev's code.

Any ideas?

Here is my globalproperties:

# AD integration
authentication.chain=myldap:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@[name].local
ldap.authentication.java.naming.provider.url=ldap://[IP]:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=administrator@.local
ldap.synchronization.java.naming.security.credentials=[Password]
ldap.synchronization.groupSearchBase=[correct path]
ldap.synchronization.userSearchBase=[correct path]

#Selective AD Query
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
ldap.synchronization.personType=user
ldap.synchronization.personQuery=(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))
ldap.synchronization.personDifferentialQuery=(&(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))(!(modifyTimestamp<\={0})))

#CUSTOM LDAP MAPPINGS
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userOrganizationAttributeName=department
ldap.synchronization.userLocationAttributeName=physicalDeliveryOfficeName
ldap.synchronization.userMobileAttributeName=mobile
ldap.synchronization.userCompanyPostCodeAttributeName=postalCode
ldap.synchronization.userCompanyFaxAttributeName=facsimileTelephoneNumber
ldap.synchronization.userCompanyTelephoneAttributeName=telephoneNumber
ldap.synchronization.userCompanyEmailAttributeName=mail
ldap.synchronization.userPersonDescriptionAttributeName=info
ldap.synchronization.userTelephoneAttributeName=homePhone
ldap.synchronization.userCompanyAddress1AttributeName=streetAddress
ldap.synchronization.userCompanyAddress2AttributeName=l
ldap.synchronization.userCompanyAddress3AttributeName=st

# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.import.cron=0 0/3 * * * ?

Re: Active Directory authentication: allow just group of users

kimberlydeborah — Tue, 09 Sep 2014 06:00:00 GMT

Thanks for sharing the great solution. And I appreciated it.But we can also try some different method.