https://connect.hyland.com/t5/alfresco-forum/openldap-authentication-if-username-already-existed-both/m-p/53678#M19974 <HTML><HEAD></HEAD><BODY><P>We have to provide authentication with&nbsp;<SPAN>OpenLDAP&nbsp;so, that after synchronization with OpenLDAP usernames from OpenLDAP, which already existed&nbsp;for&nbsp; <SPAN style="background-color: #f6f6f6;">alfrescoNtlm authentication</SPAN>, would keep all the access to&nbsp;owned&nbsp;documents.</SPAN></P><P><SPAN>That is, we had user John with <SPAN style="background-color: #f6f6f6;">alfrescoNtlm</SPAN> authentication, which had long working background in repository with owned documents.&nbsp;</SPAN><SPAN>The same user John is in OpenLDAP, but with different password.</SPAN></P><P><SPAN>After&nbsp;synchronization with OpenLDAP,&nbsp;I have found that both user types with same username are valid. So that user John can login with both passwords, <SPAN style="background-color: #f6f6f6;">alfrescoNtlm</SPAN> and OpenLDAP.&nbsp;</SPAN></P><P><SPAN>It&nbsp;could be even&nbsp;fine, but&nbsp;what&nbsp;discourages is that in admin tools only one old user John is displayed.</SPAN></P><P><SPAN>If we disable it, the OpenLDAP user still can login.</SPAN></P><P>Lucene search</P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>TYPE:"{http://www.alfresco.org/model/content/1.0}person"</P></BLOCKQUOTE><P>also display only one user John, not two of them.</P><P>Is it normal situation, or we should have deleted&nbsp;old user John before&nbsp;synchronization with&nbsp;OpenLDAP? And how about access to documents of user John in this case?</P><P><SPAN>Below is&nbsp;alfresco-global.properties</SPAN></P><P></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>authentication.protection.enabled=false<BR />authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap<BR />ntlm.authentication.sso.enabled=false<BR />alfresco.authentication.authenticateCIFS=false</P><P>ldap.authentication.active=true<BR />ldap.synchronization.active=true<BR />ldap.authentication.allowGuestLogin=false<BR />ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua<BR />ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory<BR />ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389<BR />ldap.authentication.java.naming.security.authentication=simple<BR />ldap.synchronization.java.naming.security.authentication=simple<BR />ldap.authentication.defaultAdministratorUserNames=Admin</P><P># <BR />ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua<BR />ldap.synchronization.java.naming.security.credentials=12356</P><P><BR />ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua<BR />ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua</P><P><BR />ldap.synchronization.groupQuery=(&amp;(objectclass\=posixGroup)(CN\=someGroup))<BR />ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=posixGroup)(CN\=someGoup)(!(modifyTimestamp&lt;\={0})))<BR />ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)<BR />ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=inetOrgPerson)(!(modifyTimestamp&lt;\={0})))</P><P><BR />ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp<BR />ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'<BR />ldap.synchronization.userIdAttributeName=uid<BR />ldap.synchronization.userOrganizationalIdAttributeName=o<BR />ldap.synchronization.groupDisplayNameAttributeName=displayName<BR />ldap.synchronization.groupType=posixGroup<BR />ldap.synchronization.personType=inetOrgPerson<BR />ldap.authentication.java.naming.read.timeout=0<BR />ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled<BR />ldap.synchronization.disabledAccountPropertyValue=true<BR />ldap.synchronization.userFirstNameAttributeName=givenName</P><P>ldap.synchronization.userLastNameAttributeName=sn</P><P>ldap.synchronization.userEmailAttributeName=mail</P><P>ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider</P><P>ldap.synchronization.groupIdAttributeName=cn</P><P>ldap.synchronization.groupMemberAttributeName=member</P><P>ldap.synchronization.enableProgressEstimation=true</P><P>ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine</P><P>synchronization.autoCreatePeopleOnLogin=true<BR />synchronization.synchronizeChangesOnly=false<BR />synchronization.syncOnStartup=true<BR />synchronization.syncWhenMissingPeopleLogIn=true</P><P>synchronization.externalUserControl=true<BR />synchronization.externalUserControlSubsystemName=ldap1</P><P># sync every 15 minutes<BR />#synchronization.import.cron=0 0/15 * * * ?</P></BLOCKQUOTE><P>Another question, is it possible not to provide parameters&nbsp;<SPAN style="background-color: #f6f6f6;"><STRONG>ldap.synchronization.java.naming.security.principal</STRONG> and&nbsp;<SPAN><STRONG>ldap.synchronization.java.naming.security.credentials</STRONG>, as OpenLDAP is accessible without them?</SPAN></SPAN></P><P><SPAN style="background-color: #f6f6f6;"><SPAN>If I simply turn them off, there is error while&nbsp;synchronization with&nbsp;<SPAN>OpenLDAP:</SPAN></SPAN></SPAN></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P>2019-02-13 10:33:24,550 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Failed initial synchronize with user registries org.alfresco.repo.security.authentication.AuthenticationException: 01130001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]</P></BLOCKQUOTE><P>Alfresco Community (Build: 201612)</P></BODY></HTML> Wed, 13 Feb 2019 09:05:25 GMT skushnerenko 2019-02-13T09:05:25Z https://connect.hyland.com/t5/alfresco-forum/openldap-authentication-if-username-already-existed-both/m-p/53678#M19974 We have to provide authentication with&nbsp;OpenLDAP&nbsp;so, that after synchronization with OpenLDAP usernames from OpenLDAP, which already existed&nbsp;for&nbsp; alfrescoNtlm authentication, would keep all the access to&nbsp;owned&nbsp;documents.That is, we had user John with alfrescoNtlm authentication, which had long workin Wed, 13 Feb 2019 09:05:25 GMT https://connect.hyland.com/t5/alfresco-forum/openldap-authentication-if-username-already-existed-both/m-p/53678#M19974 skushnerenko 2019-02-13T09:05:25Z https://connect.hyland.com/t5/alfresco-forum/openldap-authentication-if-username-already-existed-both/m-p/53679#M19975 <HTML><HEAD></HEAD><BODY><P>Using SQL queries I have found the difference between user created with <SPAN>NATIVE</SPAN> Alfresco authentication and user with same username imported from LDAP.</P><P>So, <SPAN>NATIVE</SPAN> user is stored in&nbsp;database table&nbsp;<EM>alf_node</EM> with types <EM>user</EM> and <EM>person</EM>.</P><P>Mixed user also&nbsp;has both types.</P><P>LDAP user&nbsp;<SPAN>has only&nbsp;</SPAN><SPAN>&nbsp;type <EM>person</EM>.</SPAN></P><P><SPAN>Besides,&nbsp;with db objects <EM>alf_child_assoc</EM> it&nbsp;was found, that&nbsp;NATIVE person&nbsp;object is owned by&nbsp;AUTH.ALF&nbsp;object, while LDAP <SPAN>person&nbsp;</SPAN><SPAN>object</SPAN><SPAN><SPAN>&nbsp;is owned by AUTH.EXT.ldap1 object.</SPAN></SPAN></SPAN></P><P><SPAN><SPAN><SPAN>Mixed person object is owned by both&nbsp;AUTH.ALF and AUTH.EXT.ldap1&nbsp;objects.</SPAN></SPAN></SPAN></P><P><SPAN>ACL is made by db object&nbsp;<EM>alf_authority</EM> where username is stored as String.</SPAN></P><P><SPAN>So I hope that&nbsp;ACL&nbsp;made by native user will be effective for both LDAP and mixed user with same name.</SPAN></P><P>The same may be true for&nbsp;access to documents owned by <SPAN>NATIVE</SPAN> user - I suppose access to these documents will be&nbsp;effective for LDAP and mixed user with same username.</P><P><SPAN>The only problem is that field <EM>authority</EM> in&nbsp;<EM>alf_authority</EM>&nbsp;is case sensitive while username is&nbsp;case insensitive.&nbsp;</SPAN></P><P><SPAN>So in case if LDAP username and&nbsp;NATIVE username have different case, there may be problem with access&nbsp;of LDAP user to documetns of NATIVE user.</SPAN></P></BODY></HTML> Thu, 21 Feb 2019 10:23:59 GMT https://connect.hyland.com/t5/alfresco-forum/openldap-authentication-if-username-already-existed-both/m-p/53679#M19975 skushnerenko 2019-02-21T10:23:59Z