Active Directory authentication: allow just group of users

brgsousa
Champ in-the-making
I have searched the web, and this forum, for two days and found nothing that worked.
How can I allow only a group (not an organizational unit) to log in and use the Alfresco system?
The main issue is that users are not all in one organizational unit. They are not just in the "Users" OU, and I don't know how to include several OUs in the synchronization.

Current configuration:
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@intranet.domain.com
ldap.authentication.java.naming.provider.url=ldap://intranet.domain.com:389
ldap.authentication.defaultAdministratorUserNames=administrator

ldap.synchronization.java.naming.security.principal=administrator@intranet.domain.com
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=ou=groups,dc=intranet,dc=domain,dc=com
ldap.synchronization.userSearchBase=OU=Users,dc=intranet,dc=domain,dc=com
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=CN\=Developers,OU\=Users,DC\=intranet,DC\=domain,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

brgsousa
Champ in-the-making
I could try something different.
How can I allow synchronization of more than one organizational unit (OU)?

brgsousa
Champ in-the-making
Got it to work using this configuration:

ldap.synchronization.personType=user

ldap.synchronization.personQuery=(&(|(memberof=CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com)(memberof=CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(|(memberof=CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com)(memberof=CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=DC=intranet,DC=domain,DC=com

mrksjs
Champ on-the-rise
I was looking for this as well, thanks for finding a solution!

nelsonoles
Champ in-the-making
What file does this string reside in?
C:\Alfresco\tomcat\shared\classes\alfresco-global.properties
or
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ad1\ldap-ad-authentication.properties?

Any other hints you could toss my way? Trying to figure out AD authentication, but it's about as easy as SAP was.

jgionet76
Champ in-the-making
Hi, pretty new to all of this, so any help is very appreciated!
How would I specify/filter which company and department are to be synced?

Thanks

therev
Champ in-the-making
I've been banging my head against this for a couple of days and can't seem to get it running. I'm trying to allow access to Alfresco only to users in a specific group (Alfresco Access) in the following OU: DOMAIN > Service Accounts > Groups
Here's my current config (based on the above examples):
ldap.synchronization.personQuery=(&(|(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net)(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(|(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net)(memberof=CN=Alfresco Access,OU=Groups,OU=Service Accounts,DC=*****,DC=net))(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=dc\=*****,dc\=net

ldap.synchronization.userSearchBase=dc\=*****,dc\=net

therev
Champ in-the-making
I finally managed to caffeinate myself to a level where I could combat my own stupidity and got this working. Derp.

gojko
Champ in-the-making
Hi, I have the same problem. I need to allow login only for users in a certain group, and only these should be shown in the "People" list. I did the same as above, and /alfresco.log indeed says it synced 7 users (which is correct), but all users from before can still log in, and all users are listed. If I comment out ldap.authentication.userNameFormat=%s@domain.local as I've seen in the docs, nobody can log in except admin. Also, I don't see why (objectclass\=user) is used instead of (objectclass=user). I don't see anything else wrong with TheRev's code.

Any ideas?

Here are my global properties:

# AD integration
authentication.chain=myldap:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@[name].local
ldap.authentication.java.naming.provider.url=ldap://[IP]:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=administrator@.local
ldap.synchronization.java.naming.security.credentials=[Password]
ldap.synchronization.groupSearchBase=[correct path]
ldap.synchronization.userSearchBase=[correct path]

#Selective AD Query
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
ldap.synchronization.personType=user
ldap.synchronization.personQuery=(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))
ldap.synchronization.personDifferentialQuery=(&(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))(!(modifyTimestamp<\={0})))

#CUSTOM LDAP MAPPINGS
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userOrganizationAttributeName=department
ldap.synchronization.userLocationAttributeName=physicalDeliveryOfficeName
ldap.synchronization.userMobileAttributeName=mobile
ldap.synchronization.userCompanyPostCodeAttributeName=postalCode
ldap.synchronization.userCompanyFaxAttributeName=facsimileTelephoneNumber
ldap.synchronization.userCompanyTelephoneAttributeName=telephoneNumber
ldap.synchronization.userCompanyEmailAttributeName=mail
ldap.synchronization.userPersonDescriptionAttributeName=info
ldap.synchronization.userTelephoneAttributeName=homePhone
ldap.synchronization.userCompanyAddress1AttributeName=streetAddress
ldap.synchronization.userCompanyAddress2AttributeName=l
ldap.synchronization.userCompanyAddress3AttributeName=st

# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.import.cron=0 0/3 * * * ?
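The following is an added example (my own code, not Alfresco's and not any poster's) that evaluates brgsousa's personQuery offline against constructed AD-like entries. It answers gojko's question about `(objectclass\=user)` by applying the Java .properties unescaping before the filter is parsed, and it shows a caveat of the `userAccountControl:1.2.840.113556.1.4.803:=512` clause copied through the thread: it only tests the NORMAL_ACCOUNT bit, so a disabled account (514) still matches unless a clause excluding the ACCOUNTDISABLE bit is added. The account names, group DNs other than those in the thread, and the `matches` subset-evaluator are assumptions of this example.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND (AD extensible match)

def unescape_properties(value: str) -> str:
    # Java .properties reads "\X" as a literal X, so "(objectclass\=user)" reaches
    # AD as "(objectclass=user)": the escaped and plain spellings are equivalent.
    return re.sub(r"\\(.)", r"\1", value)

def matches(filt: str, entry: dict) -> bool:
    """RFC 4515 subset the thread uses: &, |, !, equality, bitwise-AND match."""
    def parse(i: int):
        op = filt[i + 1]
        if op in "&|!":                     # compound: (&(..)(..)) (|(..)(..)) (!(..))
            i, parts = i + 2, []
            while filt[i] == "(":
                r, i = parse(i)
                parts.append(r)
            res = all(parts) if op == "&" else any(parts) if op == "|" else not parts[0]
            return res, i + 1               # step past the closing ')'
        end = filt.index(")", i)
        attr, val = filt[i + 1:end].split("=", 1)
        if attr.endswith(":"):              # extensible match: attr:rule:=value
            name, rule, _ = attr.split(":")
            assert rule == BIT_AND, "only the bitwise-AND rule is implemented"
            return (int(entry.get(name.lower(), 0)) & int(val)) == int(val), end + 1
        vals = entry.get(attr.lower(), [])  # attribute names compare case-insensitively
        vals = vals if isinstance(vals, list) else [vals]
        return val.lower() in (v.lower() for v in vals), end + 1
    return parse(0)[0]

# brgsousa's personQuery, copied with its .properties escaping intact.
PERSON_QUERY = (r"(&(|(memberof=CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com)"
                r"(memberof=CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com))"
                r"(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))")
# Same filter plus a clause that rejects the ACCOUNTDISABLE bit (2); added here.
ENABLED_ONLY_QUERY = "(&" + PERSON_QUERY + r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))"

def ad_user(name: str, uac: int, group: str) -> dict:
    """Constructed AD-like entry; 512 = NORMAL_ACCOUNT, 514 = disabled NORMAL_ACCOUNT."""
    return {"samaccountname": name, "useraccountcontrol": uac, "memberof": [group],
            "objectclass": ["top", "person", "organizationalPerson", "user"]}

ENTRIES = [ad_user("alice", 512, "CN=GRTecnologia,OU=Grupos,DC=intranet,DC=domain,DC=com"),
           ad_user("bob", 514, "CN=GRUDS,OU=Grupos,DC=intranet,DC=domain,DC=com"),
           ad_user("carol", 512, "CN=Domain Users,CN=Users,DC=intranet,DC=domain,DC=com")]

def sync_candidates(properties_value: str, entries=ENTRIES) -> list:
    f = unescape_properties(properties_value)  # what actually reaches the LDAP server
    return [e["samaccountname"] for e in entries if matches(f, e)]
```

`sync_candidates(PERSON_QUERY)` returns `['alice', 'bob']` although bob is disabled, while `sync_candidates(ENABLED_ONLY_QUERY)` returns `['alice']`. Note that personQuery governs only which accounts the synchronization imports; it does not decide whether the ldap-ad authenticator accepts a bind.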