topic Re: LDAP Auth issue with openLDAP in Alfresco Forum

LDAP Auth issue with openLDAP

anwoke8204 — Tue, 19 Dec 2017 07:00:32 GMT

LDAP Auth issueHi, im having an issue with LDAP on a new install.I am copying my ldap auth file to see if I can get some help# User name format ..ldap.authentication.active=trueldap.authentication.userNameFormat=uid=%s,ou=users,dc=usswhitebuffalo,dc=org, # IP address or name of your LDAP server - (p

Re: LDAP Auth issue with openLDAP

amitkulhari26 — Wed, 20 Dec 2017 08:16:16 GMT

Hello,

Please refer the following configurations.

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@example.foo
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://example.foo:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=administrator@example.foo
ldap.synchronization.java.naming.security.credentials=Alfr3sc0
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoAdmins,ou=alfresco,dc=example,dc=foo)(memberOf=cn\=AlfrescoUsers,ou=alfresco,dc=example,dc=foo)))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoAdmins,ou=alfresco,dc=example,dc=foo)(memberOf=cn\=AlfrescoUsers,ou=alfresco,dc=example,dc=foo))(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou\=alfresco,dc\=example,dc\=foo

ldap.synchronization.userSearchBase=dc\=example,dc\=foo

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

Thanks

Amit

Re: LDAP Auth issue with openLDAP

pradip — Thu, 21 Dec 2017 09:45:08 GMT

Hello,

Please try following configuration:

ldap-authentication.properties
ldap.authentication.active=true # Base DN containing users ldap.authentication.userNameFormat=uid=%s,ou=users,dc=usswhitebuffalo,dc=org # The URL to connect to the LDAP server ldap.authentication.java.naming.provider.url=ldap://myip:389 # The authentication mechanism to use ldap.authentication.java.naming.security.authentication=simple ldap.synchronization.active=true ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=usswhitebuffalo,dc\=org ldap.synchronization.java.naming.security.credentials=*********** # The query to select all objects that represent the groups to import. ldap.synchronization.groupQuery=(&(objectclass\=groupOfNames)(cn=share)) # The query to select objects that represent the groups to import that have changed since a certain time. ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0}))) # The query to select all objects that represent the users to import. ldap.synchronization.personQuery=(objectclass\=inetOrgPerson) # The query to select objects that represent the users to import that have changed since a certain time. ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0}))) # The group search base restricts the LDAP group query to a sub section of tree on the LDAP server. ldap.synchronization.groupSearchBase=ou\=groups,dc\=usswhitebuffalo,dc\=org # The user search base restricts the LDAP user query to a sub section of tree on the LDAP server. ldap.synchronization.userSearchBase=ou\=users,dc\=usswhitebuffalo,dc\=org # The name of the operational attribute recording the last update time for a group or user. ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp # The timestamp format. Unfortunately, this varies between directory servers. ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z' # The attribute name on people objects found in LDAP to use as the uid in Alfresco ldap.synchronization.userIdAttributeName=uid # The attribute on person objects in LDAP to map to the first name property in Alfresco ldap.synchronization.userFirstNameAttributeName=givenName # The attribute on person objects in LDAP to map to the last name property in Alfresco ldap.synchronization.userLastNameAttributeName=sn # The attribute on person objects in LDAP to map to the email property in Alfresco ldap.synchronization.userEmailAttributeName=mail # The attribute on person objects in LDAP to map to the organizational id property in Alfresco ldap.synchronization.userOrganizationalIdAttributeName=o # The default home folder provider to use for people created via LDAP import ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider # The attribute on LDAP group objects to map to the gid property in Alfrecso ldap.synchronization.groupIdAttributeName=cn # The group type in LDAP ldap.synchronization.groupType=groupOfNames # The person type in LDAP ldap.synchronization.personType=inetOrgPerson # The attribute in LDAP on group objects that defines the DN for its members ldap.synchronization.groupMemberAttributeName=member

ldap-authentication.properties

ldap.authentication.active=true

# Base DN containing users

ldap.authentication.userNameFormat=uid=%s,ou=users,dc=usswhitebuffalo,dc=org

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://myip:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

ldap.synchronization.active=true

ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=usswhitebuffalo,dc\=org
ldap.synchronization.java.naming.security.credentials=***********

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(&(objectclass\=groupOfNames)(cn=share))

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=groups,dc\=usswhitebuffalo,dc\=org

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=users,dc\=usswhitebuffalo,dc\=org

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=groupOfNames

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

alfresco-global.properties
ldap.enabled=true authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

Regards,
Pradip patel

Enprowess Technologies

Re: LDAP Auth issue with openLDAP

anwoke8204 — Fri, 22 Dec 2017 06:48:54 GMT

Hello Pradip after copying your settings but setting the correct ip and password I am getting the following error:

2017-12-21 23:43:55,157 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-12-21 23:43:55,306 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all groups from user registry 'ldap1'
2017-12-21 23:46:02,699 ERROR [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 11210018 Failed to communicate with ldap://openldap.domain.com:389. Reason javax.naming.CommunicationException, openldap.domain.com:389, java.net.ConnectException, Connection timed out (Connection timed out)

its like its not even trying to connect on the correct ip, and just defaulting to ldap://openldap.domain.com:389. I have double checked and I have the correct IP address and password set.

Re: LDAP Auth issue with openLDAP

anwoke8204 — Fri, 22 Dec 2017 20:48:30 GMT

Ok, what I ended up having to do was put the config in my alfresco global properties file, and now users can authenicate using LDAP. however users who are not part of the Share group are also able to log in, and I need it so that only users who are part of the share group should be able to log in.