topic Re: Help configuring LDAP in Alfresco Forum

Help configuring LDAP

ChrisAlker — Wed, 08 Apr 2020 11:38:58 GMT

Alfresco Community v6.2.0

I am connecting a test system to my test domain controller, in the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries.'. My test system is configured as follows:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com

Within both users and groups I have set up 2 OUs (alfresco & nonalfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the nonalfresco OUs too, can anyone explain why this is?

Re: Help configuring LDAP

angelborroy — Wed, 08 Apr 2020 13:15:53 GMT

I guess you're missing to set the "create.missing.people" flag.

https://docs.alfresco.com/community/concepts/auth-ldap-props.html

Add following configuration:

create.missing.people=false

Re: Help configuring LDAP

ChrisAlker — Wed, 08 Apr 2020 14:29:12 GMT

Hi, thanks for your reply, I have added that configuration to the file and it has now prevented all users from logging in, even the built in admin/admin account

Re: Help configuring LDAP

angelborroy — Wed, 08 Apr 2020 14:34:10 GMT

Check that you have also included both authentication systems:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

And take a look at this video:

https://www.youtube.com/watch?v=pJNpqAOelmE

Hope that helps.

Re: Help configuring LDAP

ChrisAlker — Thu, 09 Apr 2020 15:22:37 GMT

Hi, sorry about my last message... The reason I could not authenticate any users was because my VM had a network issue, so Alfresco could not contact the server. I have added in the create.missing.people=false setting and it will still allow users from another OU log in, so this has seemingly not changed anything that I can notice

Re: Help configuring LDAP

narkuss — Fri, 10 Apr 2020 08:10:30 GMT

To avoid auto-creation of users, we are currently using the following property:

synchronization.autoCreatePeopleOnLogin=false

We got this property by looking at default-synchronization.properties file. I think Alfresco should update the documentation about this.

I hope it solves your problem.

Re: Help configuring LDAP

ChrisAlker — Tue, 14 Apr 2020 12:59:06 GMT

I've added that setting and it is still allowing users from the wrong OU in AD to log in. I'm using the Bitnami installer, would that make a difference? Something else worth pointing out too, is that when I navigate to:

http://127.0.0.1:81/share/page/console/admin-console/users

I get an error 'Error loading items'

Re: Help configuring LDAP

narkuss — Tue, 14 Apr 2020 16:41:45 GMT

This error is a known bug in share 6.2.

Regarding ldap users, have you checked that these users from the wrong OU are not there from past wrong logins? The simplest way would be checking that these users can change their password from share UI. Ldap users can't change their password from share UI.

Also, afaik, there is no bitnami installer for Alfresco 6.2...

Re: Help configuring LDAP

ChrisAlker — Wed, 15 Apr 2020 09:19:56 GMT

If I log in to my build and click the alfresco logo, it gives me the following detail:

Alfresco Share v6.2.0

(r7791ffba8f0b22f1ef9fa25ba17400c4657068e3-b9, Aikau 1.0.101.19, Spring Surf 6.2.0, Spring WebScripts 7.10, Freemarker 2.3.28, Rhino 1.7.11, Yui 2.9.0-alfresco-20141223)

(r05dbaf43-b368) schema 13001

With the latest settings, I've now found that a new user created within the 'none alfresco' user/group OUs does not get given access to the front end, so tested creating one in the alfresco OU, but wouldn't let that log in either, was hoping I had resolved the issue, as I've been banging my head against a brick wall with this trying to get a setting to work.

I just don't understand why the setting says:

ldap.synchronization.userSearchBase

The DN below which to run the user queries.

Surely if the LDAP configuration properties page states this, then it should function as outlined? Otherwise it is a bug?

Don't suppose you have any idea with regards to the 'Error loading items' issue in admin tools/users?

Re: Help configuring LDAP

narkuss — Wed, 15 Apr 2020 11:39:24 GMT

The error loading items issue is a known share 6.2 bug as I stated in last comment.

Regarding your ldap error, I think Alfresco is not synchronizing users correctly. Check your logs, and escape the equals signs in your usersSearchBase property value adding a backslash in front of them.

Re: Help configuring LDAP

ChrisAlker — Wed, 15 Apr 2020 15:11:15 GMT

Sorry, I didn't notice your link for the fix, but I've updated the file now and I can now see users in the admin console, which makes life a lot easier for me, thanks for that!

Currently, without the synchronization.autoCreatePeopleOnLogin=false setting, when I delete all of the users and restart the services, they don't appear in the users section, but if I attempt to login with any of the test users from either of the Alfresco/NonAlfresco groups, it allows me to log in and creates them as a user. If I apply that setting, it does not let me log in with the test users from either groups. I seem to get the same reaction from the system if I edit that setting out and use create.missing.people=false instead, so neither seem to be doing what I require. I have tried changing the searchbase properties to what you suggested:

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=chris,DC\=com

This doesn't seem to have any effect.

I have had a look at the tomcat errors (in alfrescotomcat-stdout.2020-04-15.log), but I'm not sure what error to look for to determine why Alfresco either allows no users to log in, or all of them.

Re: Help configuring LDAP

narkuss — Wed, 15 Apr 2020 15:50:09 GMT

Then it seems that Alfresco is not correctly synchronizing your ldap users. Look at alfresco.log at startup time, or share your alfresco.log file here. It could be an authentication error against your ldap, or maybe that Alfresco cannot reach your ldap server.

Re: Help configuring LDAP

ChrisAlker — Wed, 15 Apr 2020 16:33:33 GMT

I'm not sure how to share my log file here, there doesn't seem to be any upload facility? I've checked the log file and found this error though:

org.alfresco.repo.security.authentication.AuthenticationException: 03150018 Failed to authenticate, username or password is wrong. User name:Administrator Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

I originally had a user called Alfresco for authentication and found that error in the log file, so I changed the username to the administrator UN/PW that I use for the server, but still getting the error for the Administrator account. I've set the settings in the following config:

ldap.synchronization.java.naming.security.principal=Alfresco
ldap.synchronization.java.naming.security.credentials=Pa55word

The previous error was the same:

org.alfresco.repo.security.authentication.AuthenticationException: 03150056 Failed to authenticate, username or password is wrong. User name:Alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

Re: Help configuring LDAP

narkuss — Wed, 15 Apr 2020 17:18:00 GMT

Ok then the error is about ldap authentication. Don't provide your server user to authenticate against your AD, there must be some user in the same AD application that grants you read access to it.

Also you can try to connect from an external tool to check you can connect properly, or ask who provided you these credentials to check their validity.

Re: Help configuring LDAP

ChrisAlker — Thu, 16 Apr 2020 13:43:57 GMT

Thanks a lot for your help, it turned out that the reason LDAP was not authenticating was due to the username I was using not containing @chris.com on the end of it, once I changed it to that it worked and I now only have the users I want in Alfresco. For anyone visiting this thread in the future, I will list my settings that are now working:

### LDAP - AUTHENTICATION ###

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ldap.authentication.active=true
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.allowGuestLogin=false

create.missing.people=false

### LDAP - SYNCRONISATION ###

ldap.synchronization.active=true

ldap.synchronization.java.naming.security.principal=Administrator@chris.com
ldap.synchronization.java.naming.security.credentials=********

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=TechSupport,OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com))

synchronization.syncOnStartup=true