topic Re: Limiting users through LDAP authentication without AD group in Alfresco Forum

Limiting users through LDAP authentication without AD group

vsangal — Thu, 11 May 2017 19:30:24 GMT

I am thinking to establish an LDAP based authentication for us. However, if we open LDAP authentication all the employees will have access to Alfresco which probably is not a good idea. I am reading that one way is to create an AD group. I am also hearing that AD group authentication is slow. The qu

Re: Limiting users through LDAP authentication without AD group

idwright — Fri, 12 May 2017 09:12:32 GMT

Hi,

I don't know where you've heard about AD group authentication being slow but I would still use the group based restriction approach.

By defining the LDAP group to synchronize against, in your alfresco-global.properties, you are restricting the result set that is returned from your LDAP server - that should be pretty quick even if you are using a complex LDAP query (if not then you need to look at your LDAP server) - you can define other LDAP queries if you want to do it like that but group based is common and should fit with other policies in your org.

Once the initial load has been done then the synchronization search will be restricted to incremental changes which should be very quick.

When the users are in Alfresco it won't matter about AD groups from an authentication point of view because Alfresco will have the user dn and authenticate against that.

As ever with performance the only way to know is to try it but I would keep things as simple as possible in the first case and only look for other approaches if you really need to.

(FWIW I do use an alternative, not entirely effectively but good enough, approach but there are other reasons for that and I seriously wouldn't recommend it)

Re: Limiting users through LDAP authentication without AD group

vsangal — Thu, 18 May 2017 23:47:44 GMT

Well, my IT guys are telling me that AD groups may slow down logging cycle. Beside maintaining AD group is another overhead. So, I came up with an idea, how about, we enable LDAP with alfresco configured to create a user as "disabled". In this design, we don't have rely on AD group and Alfresco admin (business) will have full authority to assign users on their roles and responsibilities.

Re: Limiting users through LDAP authentication without AD group

vsangal — Wed, 07 Jun 2017 19:39:47 GMT

Hello Ian,

Thanks for the response. Took me a while to respond.

I am agreeing that AD group is one of the best solutions to restrict access and control number of licenses being used.

Is there a way to configure "AD group" without using synchronization approach. I mean I just want to use LDAP for authentication and don't want to use sync. The reason is my IT is restricting use of Sync.