LDAP - allow login specific groups

jeorgen — Tue, 24 Nov 2020 16:09:31 GMT

Hello, I have a Alfresco 6.2 through Docker. I want to be able login only few groups from AD.

I created two configuration files. In the first config. was loaded all users and groups and disabled authetification.

In the second config. is enabled authetification so people mapped in groups in personQuery are able to login.

Problem is that login can everyone. Also I have this error:

org.alfresco.error.AlfrescoRuntimeException: 10240018 Error during LDAP Search. Reason:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=sp,DC=local'

]

I think i have a bad logic with this. Can someone please provide me some correct info? To allow login only for specific group, not for everyone.

First Config

ntlm.authentication.sso.enabled=false

synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true

ldap.synchronization.active=true
ldap.authentication.active=false
#KREDENC
ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port

ldap.synchronization.userEmailAttributeName=mail
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.personQuery=objectclass\=user

Second Config

ldap.authentication.active=true
ldap.synchronization.active=false


ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port


ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local


ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userType=user
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))

Re: LDAP - allow login specific groups

heiko_robert — Wed, 25 Nov 2020 12:04:04 GMT

@jeorgen,

why should you need both configs? did you place your two configs in two independant subsystems? For my understanding the second one including the group memberOf filter should be fine for both (sync & login).

How does your authentication.chain look like?

Please check you have autoCreatePeopleOnLogin disabled to prevent user creating from any successfull ldap auth request ignoring your sync paths:

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=false

topic Re: LDAP - allow login specific groups in Alfresco Forum

LDAP - allow login specific groups

Re: LDAP - allow login specific groups