users only in LDAP not in alfresco

skumar_us — Tue, 23 Jun 2015 19:26:13 GMT

I have a scenario where the customer wants to have the users inside the LDAP server, but not inside Alfresco.is it something possible?

Re: users only in LDAP not in alfresco

timo_denissen — Wed, 24 Jun 2015 12:33:00 GMT

Hey there,

I configured my Alfresco installation (binary installer) against LDAP the following way:

To enable LDAP-Authentication for users not created in Alfresco, add the folling line to $CATALINA_BASE/shared/classes/alfresco-global.properties:


# Add LDAP support
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
‍‍‍‍

Next, create the following directory path:


mkdir -p $CATALINA_BASE/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
‍‍‍

Create a new file called ldap-authentication.properties with the following content:


ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid\=%s,cn\=users,LDAP_BASE
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:7389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=univentionGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=univentionGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn\=groups,LDAP_BASE
ldap.synchronization.userSearchBase=cn\=users,LDAP_BASE
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mailPrimaryAddress
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=univentionGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Replace LDAP_BASE with your base dn, escape the equality signs with a backslash. Adapt the objectclasses and search bases as well as the LDAP port.

This is configured against a UCS 4.0-2 system with openLDAP, so make sure everything adapts to your system and your LDAP.

This configuration lets you log in with openLDAP users without the users begin added or created in the Alfresco database.

Greetings
Timo

Re: users only in LDAP not in alfresco

borisstankov — Wed, 24 Jun 2015 12:35:51 GMT

Well, you can use only the LDAP for authentication and not for synchronization. Meaning no user profiles will be on the Alfresco, however you still have some names on the alfresco side, cause every user has its own home dir (in alfresco repository).

Maybe someone else can give you more details if this is possible.

topic Re: users only in LDAP not in alfresco in Alfresco Archive

users only in LDAP not in alfresco

Re: users only in LDAP not in alfresco

Re: users only in LDAP not in alfresco