topic Re: LDAP Authentication from 2 domains in Alfresco Forum

LDAP Authentication from 2 domains

booltrue — Mon, 19 Jun 2017 09:44:03 GMT

I am using alfresco Community - 5.1.0 (r127059-b7)Currently I am doing LDAP authentication from 1 domain with the following entry in the config:ldap.authentication.userNameFormat=%s@x.y.zNow I need additionally a second domain like:ldap.authentication.userNameFormat=%s@a.b.cHow I can do ldap authent

Re: LDAP Authentication from 2 domains

mehe — Mon, 19 Jun 2017 11:29:41 GMT

Hi,

never had to use this, but maybe a starting point:

Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation

Regards,

Martin

Re: LDAP Authentication from 2 domains

cesarista — Mon, 19 Jun 2017 11:34:50 GMT

Hi:

Consider a more complex authentication chain composed by two ldap-ad in alfresco-global.properties

authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad

And you have to create an structure under

$TOMCAT/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad

.
├── ldap1
│ └── ldap-ad-authentication.properties
└── ldap2
└── ldap-ad-authentication.properties

for the corresponding properties, than now are not in alfresco-global.properties

Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation

Regards.

--C.

Re: LDAP Authentication from 2 domains

cesarista — Mon, 19 Jun 2017 11:36:19 GMT

You are faster Martin Ehe

--C.

Re: LDAP Authentication from 2 domains

cesarista — Mon, 19 Jun 2017 11:39:39 GMT

By the way, regarding the example I would say that in recent Alfresco 5 versions, it is not possible to copy the authentication subsystem sample properties from WEB-INF. Now they are inside a jar.

Regards.

--C.

Re: LDAP Authentication from 2 domains

mehe — Mon, 19 Jun 2017 11:40:03 GMT

...but your answer is more detailed (more quality takes more time)

Re: LDAP Authentication from 2 domains

booltrue — Mon, 19 Jun 2017 13:13:06 GMT

I tried that way already, but the users of the other domain will not be synced.

Our current domain is ldap2, group and users are from the same domain z.b.c,

ldap1 is in in the tree, but not current domain, group is in z.b.c, the users coming from a.b.c

As you can see in the logfile, ldap2 will be synced properly, group+users

but ldap1 only the group will be synced, not the users.

properties for ldap1:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=xxxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

ldap properties for ldap2:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco.log:

2017-06-19 15:00:00,222 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:00,238 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:03:34 from user registry 'ad1'
2017-06-19 15:00:00,643 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:18,053 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving all users from user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Commencing batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Processed 2 entries out of 2. 100% complete. 0 failures detected.
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Completed batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 0 user(s) and 1 group(s) processed
2017-06-19 15:00:32,405 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:32,421 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:00:50 from user registry 'ad2'
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. 0 failures detected.
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving users changed since 19.06.2017 12:04:51 from user registry 'ad2'
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 146 per second. 0 failures detected.
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Completed batch of 16 entries
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 16 user(s) and 1 group(s) processed

Re: LDAP Authentication from 2 domains

mehe — Mon, 19 Jun 2017 14:46:29 GMT

just a question for understanding:

Is the LDAP Source ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx

the same in both configurations?

Re: LDAP Authentication from 2 domains

booltrue — Tue, 20 Jun 2017 08:02:15 GMT

yes, it's same address

Re: LDAP Authentication from 2 domains

mehe — Tue, 20 Jun 2017 08:08:32 GMT

have you tried your queries with a ldap tool (like Apache Directory Studio) to verify the results?

Re: LDAP Authentication from 2 domains

booltrue — Tue, 20 Jun 2017 12:03:02 GMT

Just tried and I didn't get the expected result.

I think the problem is, that I have no access to the parent domain.

The domain tree is like:

b.c.

----a.b.c

----c.b.c

----

----z.b.c

Our domain is z.b.c.

I have in my group of domain z.b.c a cross domain member from the domain a.b.c

So I used the user search base b.c.

But when I try to sync with 2 ldap systems under the path tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad

I get the result as you can see in the logfile.

When I dont use any subsystem under extension folder, just use the alfresco-global.properties I get the user from the domain a.b.c. synced to

the group of the domain z.b.c, but only if in the group a user of the domain z.b.c already exists, otherwise not. I really dont understand.

But I need that both domains can register in alfresco, like

ldap.authentication.userNameFormat=%s@a.b.c and ldap.authentication.userNameFormat=%s@z.b.c

so I have to sync from two ldap subsystems

alfresco-global.properties without 2 subsystems:

# LDAP
authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap-ad
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.authCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 0/10 * ? * *

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xxx.xxx.xxx.xxx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO_DEV,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco.log without 2 subsystems:

2017-06-20 13:50:00,176 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronizing users and groups with user registry 'myldap'
2017-06-20 13:50:00,176 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Full synchronization with user registry 'myldap'
2017-06-20 13:50:00,176 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 13:50:00,207 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 13:50:00,394 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 13:50:00,410 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-20 13:50:00,410 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-20 13:50:39,349 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving users changed since 20.06.2017 01:52:04 from user registry 'myldap'
2017-06-20 13:51:12,734 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Commencing batch of 2 entries
2017-06-20 13:51:47,461 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Processed 2 entries out of 2. 100% complete. Rate: 0 per second. 0 failures detected.
2017-06-20 13:51:47,461 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Completed batch of 2 entries
2017-06-20 13:51:47,476 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Finished synchronizing users and groups with user registry 'myldap'
2017-06-20 13:51:47,476 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] 2 user(s) and 1 group(s) processed
2017-06-20 14:00:00,323 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronizing users and groups with user registry 'myldap'
2017-06-20 14:00:00,323 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Full synchronization with user registry 'myldap'
2017-06-20 14:00:00,323 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 14:00:00,369 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 14:00:00,557 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 14:00:00,572 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 66 per second. 0 failures detected.
2017-06-20 14:00:00,572 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries

Re: LDAP Authentication from 2 domains

booltrue — Wed, 21 Jun 2017 08:20:58 GMT

Is it possible to allow multiple domains in alfresco-global.properties,

without two ldap subsytems,i.e.:

ldap.authentication.userNameFormat=%s@z.b.c

ldap.authentication.userNameFormat=%s@a.b.c

How would be the format ?

ldap.authentication.userNameFormat=%s@?

using only %s is not working

Re: LDAP Authentication from 2 domains

booltrue — Fri, 23 Jun 2017 11:37:37 GMT

The right way for me to do was to bind two ldap-systems,

without any cross-domain members in any group (caused sync problems)

to be able to allow multiple domain sync.

Now I have the problem that users of the second domain are not be able to login.

Does anyone have an idea ?

Re: LDAP Authentication from 2 domains

mehe — Fri, 23 Jun 2017 14:54:12 GMT

iisn't

ldap.authentication.userNameFormat=%s@z.b.c

in the first config and

ldap.authentication.userNameFormat=%s@a.b.c

in the second not working?

Re: LDAP Authentication from 2 domains

booltrue — Fri, 23 Jun 2017 15:00:48 GMT

b.c.

----a.b.c

----c.b.c

----

----z.b.c (our domain)

ldap.authentication.userNameFormat=%s@a.b.c

yes, here the login doesnt work, but sync works lika a charm

on our domain z.b.c login works same before with only one ldap system

Re: LDAP Authentication from 2 domains

heiko_robert — Fri, 23 Jun 2017 21:25:02 GMT

Multidomain synchronisation and authentication has only a very limited support in Alfresco. We tried this just some months ago. To summarize:

Limitations

CIFS/WebDAV Auth, SSO using Kerberos support only one directory. We extended the kerberos implementation to handle the whole user principle instead of only the username part (which we know will conflict with the multi tenancy support) but stopped since we didn't want to rewrite the whole group sync.

You can:

define many independent domains (in Alfresco managed in zones) for sync and web authentication having different domains. You need to put all ldap subsystem instances in the auth chain. They work all independent and in sequence on login. Be careful if you have rules for failed logins on AD/LDAP if you work with different configs against the same AD/LDAP.

You cannot:

use the same groups accross different zones. You will see unexpected behavior since the groups will switch on sync from zone to zone and only the users belonging to the active zone will be members in the Alfresco group after sync. The group membership sync logic asumes a user as deleted if a user is not returned as memberOf attribute from the group. If the memberOf user is not member of the zone he will be ignored or cause a softfail.

So you should go ahead if you don't share groups managed on ldap/AD but you will fail if you require to use shared groups. If you only need to authenticate in the browser you may try having only one sync config since you have only one directory server. User query may be e.g.

(& (objectClass=user)(|(userPrincipalName=*@abc.com)(userPrincipalName=*@xyz.net)))

You could then add a second ldap subsystem config only having authentication active
ldap.synchronization.active=false

ldap.authentication.active=true

ldap.authentication.userNameFormat=%s@xyz.net

Re: LDAP Authentication from 2 domains

mehe — Sat, 24 Jun 2017 07:52:52 GMT

Just thinking: maybe a "ldap proxy" that gathers users and groups (with nlscd) in an alfresco compatible way could be a solution... but this would be a more than a "just try" job.

Re: LDAP Authentication from 2 domains

cesarista — Sat, 24 Jun 2017 10:01:18 GMT

booltrue booltrue A passthru based subsystem may be used or combined for authentication, using ldap-ad subsystem for syncing. Finally, completely agree with Heiko Robert‌ comments.

Regards.

--C.

Re: LDAP Authentication from 2 domains

booltrue — Mon, 26 Jun 2017 15:59:18 GMT

Thanks for detailed explanation, but I am a little confused what is the difference between your (‌) explanation and my attempt with two ldap subsytems, or maybe just I dont understand right.

I am syncing two different groups of two different child domains as you can see in the configs.

Maybe you can explain for me more clearer, due I dont understand.

What do I need to change, so that both domains can authenticate.

Currently only members of our domain z.b.c can authenticte to the system,

the members of the other domain a.b.c can not do.

Syncing of both domains works properly.

Re: LDAP Authentication from 2 domains

mehe — Tue, 27 Jun 2017 05:01:53 GMT

Maybe the problem is the authentication.chain

It seems to be defined in both subsystems and so only the secon one "wins". I think you have to move the authentication.chain into alfresco-global.properties (only), delete it from the subsystems and use both subsystems in the chain.