topic Re: ldap-ad: allow login for users of specific security group in Alfresco Forum

ldap-ad: allow login for users of specific security group

jahu — Thu, 16 Mar 2017 15:25:06 GMT

Hello,I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to login to Alfresco, and deny any other login attempts.Current

Re: ldap-ad: allow login for users of specific security group

mehe — Thu, 16 Mar 2017 16:47:56 GMT

Hi Jason,

your person LDAP query seems to be wrong:

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))

i think you want objectclass=user AND userAcountControl... AND memberOf... but you put an OR "|" before memberOf condition.

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))

should be ok (without having verified it in real life).

regards,

Martin

Re: ldap-ad: allow login for users of specific security group

jpotts — Thu, 16 Mar 2017 18:00:26 GMT

Who do you want to show up in Alfresco? If the answer is "everyone in LDAP" while the answer to "Who do you want to be able to authenticate?" is "a subset of users as specified by this group" then the answer is that you have to create two LDAP configurations, one will be enabled for sync-only and will sync the entire LDAP directory. The other will be disabled for sync but enabled for authentication and it will specify the person query that points to the group you want to restrict to.

I should mention that this technique was first described to me by Axel Faust in the #alfresco IRC channel.

Re: ldap-ad: allow login for users of specific security group

cesarista — Thu, 16 Mar 2017 19:14:43 GMT

Yes, Martin's query will work for the users under defined user base.

But maybe the differential query will not, because you deal everything inside the AD group, so the timestamp of the user is not touched when adding users to the AD group (whenChanged). A walkaround for this is to define user differential query equal to user query, but full sync is done everyday instead of differential.

Another way of selecting a group of users belonging to different levels in the AD, is via custom extension attributes in AD (i.e: "alf") users, so you have to include the extension attribute in the users query. This will respect whenChanged parameter, because the user is modified (changing the timestamp) when applying the extension attribute.

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

cesarista — Thu, 16 Mar 2017 19:27:11 GMT

Hi Jason:

All users are allowed to authenticate via LDAP-AD in principle. By default Alfresco, create and sync accounts on login when they does not exist. But if you set the properties below, you would restrict the ldap auth only to those synced users.

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

mehe — Thu, 16 Mar 2017 20:04:40 GMT

...the query I mentioned is exact the one Jason has defined in his attached alfresco-global.properties. He just added the OR sign in the query, which should not be the case for his intentions.

He also defined the differential query in then right way (again, just the OR sign is too much)

Because the query will only import Users which are members of ou=Alfresco, only those user will be able to login (allowDeletions=true, so the user not in ou=Alfresco will be deleted - no login possible).

I would let synchronization.syncWhen... =true, so new users in ou Alfresco will be able to log in without having to wait for a scheduled LDAP Sync - what do you think Cesar?

Setting the two other values (create) to false should be fine.

Are you sure that a change in "memberOf" would not affect the whenChanged/modifiedTimestamp setting?

Re: ldap-ad: allow login for users of specific security group

jahu — Thu, 16 Mar 2017 21:17:14 GMT

Thank you all for your help and suggestions. I have applied all of the changes/additions that you have suggested, and I believe it is working for me now. These are the changes/additions I've made to the alfresco-global.properties configuration file:

Added:

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

I also changed my person queries as well:

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=com))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=groups,dc=domain,dc=com))(!(modifyTimestamp<\={0})))

(basically just change OR to AND).

One more question: Because I was syncing all users before, any users that were synced before I made the configuration change are still able to login. Is there a way to clear Alfresco's user/authentication cache, or (this may be an entirely different subject) is there a way to make Alfresco sync directly from AD, instead of caching users?

Thank you all again, I appreciate it!

-Jason

Re: ldap-ad: allow login for users of specific security group

cesarista — Fri, 17 Mar 2017 08:34:10 GMT

Hi Martin:

Regarding synchronization.syncWhen... =true, I'm not completely sure if this property depends on the other ones. By the way, with the new OOTB Support Tools addon, I think you can run the scheduled job on demand (I did not tested yet). If it is not possible it would be a nice feature for Support Tools in Beecon hackathon (Axel Faust‌). This is a nice feature of the Support Tools in EE edition.

If you only change the group object I will say no. Before, you may do a minor "tricky" user modification to change the timestamp, and it will work for this user.

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

afaust — Fri, 17 Mar 2017 08:35:57 GMT

"Scheduled Jobs" tool is already included in OOTBee Support Tools. What might be of added value in the future might be to provide a tool for configuring LDAP at runtime so your test cycles can be shorter.

Re: ldap-ad: allow login for users of specific security group

mehe — Fri, 17 Mar 2017 08:37:36 GMT

I don't think the users are cached but not deleted by now. You can see this in the user administration (admin console). Because your ...allowDeletions flag is true, all you need is a full-sync.

Your can force this by temporarily setting the differential query to the same value as the full query like Cesar Capillas mentioned above, and restart alfresco.

But alfresco has already created a user home for each of your users. These home directories will not be deleted (this is normally a good thing, because you don't want to have user-data deleted when you accidentally misconfigured the sync).

Make sure the value of synchronization.allowDeletions is really true, because if set to false, all your unwanted-synced users will only be untagged and converted to local users (uahhh). But this is explained in the docs http://docs.alfresco.com/5.2/concepts/sync-delete.html

I fear you'd have to write a script to delete the home-folders of the non-existing/allowed users. Maybe someone in the community has done that already.

...or you just don't care about the unused folders - but they can behave bad, when you sync a formerly not allowed user. Then a second home folder with a number added to the username will be created.

Re: ldap-ad: allow login for users of specific security group

mehe — Fri, 17 Mar 2017 08:46:16 GMT

Hi Cesar,

thank you for clarifying the "memberOf" thing - I always wondered why some users weren't synced like expected, but a few days later they were in sync - probably of some change I didn't notice (bad password time...)

I also saw that whenChanged seem not to be propagated between multiple DCs, which has the effect that I had to use a distinct DC for syncing...

...and thanks to Axel Faust and the others who work(ed) on the OOTBee Support Tools

Re: ldap-ad: allow login for users of specific security group

cesarista — Fri, 17 Mar 2017 08:53:53 GMT

Maybe a modification of this script helps (for iterating between a defined array of users, and not for all users). Be careful with deletions.

Alfresco, massive delete of users | Programming and So

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

afaust — Fri, 17 Mar 2017 09:00:26 GMT

Even if you have the allowDeletions set to false you can still technically trigger a synchronisation that deletes users that should no longer exist. This can be done via the JavaScript Console tool and I have a Gist that shows how synchronisation can be triggered with a different setting than may be configured for synchronisation.

Re: ldap-ad: allow login for users of specific security group

mehe — Fri, 17 Mar 2017 10:01:04 GMT

...I should setup a knowledge base for things like these with a sophisticated solr/elasticsearch index

Thanx again Axel

Re: ldap-ad: allow login for users of specific security group

jahu — Fri, 17 Mar 2017 15:02:54 GMT

Ah, thank you. If you can't tell already, I'm extremely green with Alfresco! I didn't know it was as easy as removing the user in the admin console, I figured there would be more cleanup to do.

I am not worried about the users home directory, those can live on into eternity. If I do run into problems later on, I will find a way to remove them, most likely using Cesar's suggestion with modifying the mass user deletion script he linked to.

One more side question since it's been mentioned a few times: Is the only way to do a full sync is by setting the differential query the same as the full query, then restarting the Alfresco server?

Thank you again everyone!

-Jason

Re: ldap-ad: allow login for users of specific security group

afaust — Fri, 17 Mar 2017 15:17:57 GMT

No - there are alternatives. See my response further up the chain. Using the JavaScript Console you can always trigger a full synchronisation.

Re: ldap-ad: allow login for users of specific security group

cesarista — Fri, 17 Mar 2017 15:19:00 GMT

No, you can also set:

synchronization.synchronizeChangesOnly=false

The default is true. But this only applies on cron syncs, not for the subsystem startup for example.

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

mehe — Fri, 17 Mar 2017 15:33:51 GMT

Hi Jason, no (see the other answers) but it is an easy way to force the full sync if you need it just now - without installing anything else.

Re: ldap-ad: allow login for users of specific security group

cesarista — Fri, 17 Mar 2017 15:53:40 GMT

Hi Axel, I tried with JS Console with the mentioned script.

I run the script and I obtained this error in JS Console,

500 Internal Error
Stacktrace-Details:
org.springframework.extensions.webscripts.WebScriptException: 02170092 Wrapped Exception (with status template): A valid SecureContext was not provided in the RequestContext
.
.
Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:481)

But the INFO logs in catalina.out seem correct and without errors.

2017-03-17 16:40:56,596 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronizing users and groups with user registry 'myldap'
2017-03-17 16:40:56,642 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Retrieving groups changed since 13-mar-2017 11:25:54 from user registry 'myldap'
2017-03-17 16:40:56,668 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 0 entries
2017-03-17 16:40:56,668 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 0 entries
2017-03-17 16:40:56,670 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Retrieving users changed since 13-mar-2017 11:21:34 from user registry 'myldap'
2017-03-17 16:40:56,674 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-03-17 16:40:56,752 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 205 per second. 0 failures detected.
2017-03-17 16:40:56,753 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Completed batch of 16 entries
2017-03-17 16:40:56,788 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Finished synchronizing users and groups with user registry 'myldap'
2017-03-17 16:40:56,788 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] 16 usuarios y 0 grupos procesados

Does it have sense ?

Regards.

--C.

Re: ldap-ad: allow login for users of specific security group

afaust — Fri, 17 Mar 2017 16:30:51 GMT

You should not have any issues / errors executing that script. Are you executing it with a proper authentication (you can set other runAs contexts with JavaScript Console)?