LDAP authentication | limit to groups inside AD

drshadow — Fri, 13 Nov 2020 12:15:22 GMT

Hello everyone,

I have alfresco community 6.2 with docker already working with Active Directory authentication.

But I'm facing the issue that everybody inside the AD is able to login to Alfresco also like service accounts which is not the best situatin. I thought I had reduced it to LDAP path inside the AD for configured alfresco OU which I created for this. In this OU there is only two groups configured where are the users which need to login to alfresco. But this did not work.

My goal is to allow only users which are inside the alfresco group inside the AD, is there any possibility to bring this to work?

Here is my config:

alfresco.authentication.allowGuestLogin=false
ntlm.authentication.mapUnknownUserToGuest=false
create.missing.people=false

### LDAP authentication ###

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.tld
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://domain.tld:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=service_acc@domain.tld
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
\n\
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld))(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou\=alfresco,ou\=USEDOU,ou\=USEDOU,dc\=domain,dc\=tld

ldap.synchronization.userSearchBase=ou\=alfresco,ou\=USEDOU,ou\=USEDOU,dc\=domain,dc\=tld

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

I also tried a change on the person and group query with:

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld))(!(modifyTimestamp<\={0})))

Also the same.

I already tried to add the following:

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

But with this config, no new user is able to login, because the user will not be created inside alfresco - so also not a real soloution to provide new users access to alfresco.

So is there any chance to get ldap authentication for users inside a group get to work without allowing anybody to login?

Many thanks in advance for your help.

Best regards

Re: LDAP authentication | limit to groups inside AD

afaust — Mon, 28 Dec 2020 08:58:19 GMT

Unless you expand your person query to cover any (child) group in which a user is a member who should be allowed to log in, it will be impossible to achieve this hard distinction between "being allowed to log in" and "not synchronise every user". What I generally recommend my customers do in this situation is to create a new group in AD specifically to collect all the users who should be allowed to log into Alfresco, and not rely on any (transient) member of (sub-)group shenanigans.

topic Re: LDAP authentication | limit to groups inside AD in Alfresco Forum

LDAP authentication | limit to groups inside AD

Re: LDAP authentication | limit to groups inside AD