topic Re: only allow synced users to authenticate in Alfresco Archive

only allow synced users to authenticate

astacey — Tue, 11 Nov 2014 11:49:17 GMT

Hello All,Is it possible to only allow synchronized users to login to the share web gui? If so what strings need to be added to the global properties?Many thanks in advance for any replies.

Re: only allow synced users to authenticate

lutz_horn — Tue, 11 Nov 2014 12:41:45 GMT

Which users do you not want to be able to login?

Re: only allow synced users to authenticate

mrogers — Tue, 11 Nov 2014 15:01:25 GMT

No.

Re: only allow synced users to authenticate

astacey — Wed, 12 Nov 2014 10:08:00 GMT

So how do i define which users can login to alfresco? i do not want every user in my AD to be able to login. I now have an ldap authentication subsystem working and alfresco is only synchronizing users in a certain AD security group. but i only want users in this security group to authenticate to the share web gui.

Re: only allow synced users to authenticate

mrogers — Wed, 12 Nov 2014 10:24:54 GMT

you need to change your ldap query to only select those users you want to be able to log in. There will be examples in these forums where someone restricts alfresco to members of another ldap group.

Re: only allow synced users to authenticate

astacey — Wed, 12 Nov 2014 11:08:00 GMT

Hi mrogers,

I have been all over the internet trying to find what this query is. do you have an example?

Here is what i am using so far:

### LDAP authentication chain
authentication.chain=ldap1:ldap-ad
ntlm.authentication.sso.enabled=true

### LDAP Authentication
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.co.uk
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.co.uk:389
ldap.authentication.defaultAdministratorUserNames=adminuser1,adminuser2,adminuser3

### LDAP Synchronization
ldap.synchronization.java.naming.security.principal=alfrescohttp@domain.co.uk
ldap.synchronization.java.naming.security.credentials=ssssshhhhh
ldap.synchronization.active=true
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=ou=Int,ou=Manage,dc=domain,dc=co,dc=uk
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personType=user
ldap.synchronization.personQuery=(&(|(memberof=CN=alfresco.users,OU=Int,OU=Manage,DC=domain,DC=co,DC=uk)(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=organizationalPerson)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(modifyTimestamp<\={0})))
ldap.synchronization.userSearchBase=ou=Admin Accounts,ou=company,dc=domain,dc=co,dc=uk

I am also getting this issue in the alfresco.log:

10:36:19,270 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
10:36:19,335 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Nov 11, 2014 10:53:10 AM from user registry 'ldap1'
10:36:19,377 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser1,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,377 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser2,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,378 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser3,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 1 entries
10:36:19,427 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 27 per second. 0 failures detected.
10:36:19,427 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 1 entries
10:36:19,435 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since Nov 10, 2014 1:26:10 PM from user registry 'ldap1'
10:36:19,440 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
10:36:19,441 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
10:36:19,470 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
10:36:19,470 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 1 group(s) processed
10:36:19,543 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete

Do you have any idea why this is failing to resolve the user when it is finding the information? As these users are in a different OU to my searchbase, could this be causing the issue? do i need to add this OU to my searchbase as well?

Re: only allow synced users to authenticate

astacey — Thu, 13 Nov 2014 11:16:54 GMT

I am getting closer with this but i am now getting this warn message when trying to syncronize a security group in AD

11:13:03,785 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Missing GID on {member;range=0-*=member;range=0-*: CN=adminuser1,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk, CN=adminuser2,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk, whenchanged=whenChanged: 20141112145257.0Z}

Does anyone know why this is missing the gid?

Re: only allow synced users to authenticate

catar4 — Thu, 13 Nov 2014 16:03:08 GMT

"GID" stands for Group ID. Did you also adjust your "groupSelection" query ? I would guess the synchronization needs to sync groups as well as users. That or the users it's trying to sync are not in any groups (and they'd need to be) ? Just a quick guess.

Re: only allow synced users to authenticate

astacey — Tue, 18 Nov 2014 16:36:30 GMT

Hi all,

so it seems that it is possible to allow only syncronized users to be able to login:

synchronization.syncOnStartup=true
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

Just need to add this to the gloabl properties.

It concerns me that that senior software engineers do not know this. but i spose they are like this software.