Alfresco + LDAP: Control User Login

opnek
Champ in-the-making
Dear all,

I just configured Alfresco to authenticate with LDAP. Everything works pretty well.

In my search-base are about 350 Users.

Now I have the following question:

Is it possible to allow only some users to login into Alfresco? I don't want all of the users to be able to login.

It would be great, if there is a way, that I create an AD-Group and only users who are member of this group are able to login.

Thanks in advance.

Kind Regards
Opnek
4 REPLIES

nickburch
Confirmed Champ
I can read your question two ways, one of which is fairly easy, one isn't. Do you want to import all users from your AD into Alfresco, but only allow a small number to login but have all of them present in the system? Or do you want to have just a subset of your AD both present in Alfresco and able to log in?

I'm going to guess the latter, as that's what we're doing… As long as you can write an LDAP query that filters the users, you can do the filtering.

There are three main properties you need to tweak. The first one is ldap.synchronization.userSearchBase which controls where in your tree Alfresco starts looking for users. If you're able to put all your users who you want to be able to log in into their own tree, then it's really easy. Set the search base to something like ou=full users,dc=example,dc=com and all the users in ou=other users,dc=example,dc=com won't be synced and won't be able to log in. Simple! But rarely the setup you have.

The other way is to use ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery. These should be almost the same, with the latter only having a modified time filter on it. Assuming you want to exclude users in your Active Directory who've been marked as Disabled (and you probably do!), your queries would be something like:
ldap.synchronization.personQuery=(&(objectclass\=organizationalPerson)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=organizationalPerson)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(modifyTimestamp<\={0})))

If you also want to restrict to just one group, add something like (memberOf="ou=alfresco users,ou=groups,dc=example,dc=com") . Have a play with an ldap query tool (eg ldapsearch or Apache DS client in Eclipse) to fine tune your filter. Oh, and don't forget to escape things like = signs in your properties file!
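The filters from the reply above, evaluated offline against a few constructed AD-style entries. This is an added example, not the poster's or Alfresco's code: it parses a small subset of LDAP filter syntax (&, |, !, =, <=, >=, presence, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803 used to exclude disabled accounts), so it goes slightly beyond the two filters quoted, and it also produces the backslash-escaped form that the alfresco-global.properties file expects. The sample entries, the group DN CN=alfresco users,OU=groups,DC=example,DC=com, the modifyTimestamp values and the function names are all constructed for the example.

```python
"""Evaluate Alfresco-style LDAP person filters against sample AD entries.

Added example, not Alfresco's or the poster's code.  Supports a subset of
RFC 4515 filters: (&...), (|...), (!...), attr=value, attr=* (presence),
attr<=value, attr>=value (string comparison, enough for generalized-time
values such as modifyTimestamp) and the AD bitwise-AND extensible match
attr:1.2.840.113556.1.4.803:=mask.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2      # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x200    # userAccountControl bit: ordinary user account

# The two filters from the reply, in plain (unescaped) LDAP syntax.
PERSON_QUERY = ("(&(objectclass=organizationalPerson)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
DIFFERENTIAL_QUERY = PERSON_QUERY[:-1] + "(!(modifyTimestamp<={0})))"
# Same query additionally restricted to one group (constructed group DN).
GROUP_RESTRICTED_QUERY = (PERSON_QUERY[:-1] +
    "(memberOf=CN=alfresco users,OU=groups,DC=example,DC=com))")

# Constructed directory entries keyed by DN; attribute values are lists.
SAMPLE_ENTRIES = {
    "CN=alice,OU=users,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["alice"],
        "userAccountControl": [str(NORMAL_ACCOUNT)],                 # 512, enabled
        "memberOf": ["CN=alfresco users,OU=groups,DC=example,DC=com"],
        "modifyTimestamp": ["20240105120000.0Z"],
    },
    "CN=bob,OU=users,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["bob"],
        "userAccountControl": [str(NORMAL_ACCOUNT | ACCOUNTDISABLE)],  # 514, disabled
        "memberOf": ["CN=alfresco users,OU=groups,DC=example,DC=com"],
        "modifyTimestamp": ["20240110080000.0Z"],
    },
    "CN=carol,OU=users,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["carol"],
        "userAccountControl": [str(NORMAL_ACCOUNT)],                 # enabled, no group
        "memberOf": [],
        "modifyTimestamp": ["20231201090000.0Z"],
    },
}

_ITEM = re.compile(r"([A-Za-z0-9.;-]+)(?::([0-9.]+):)?(<=|>=|=)(.*)")


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', children) or
    ('item', attr, rule, cmp, value) tuples."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)            # values with ')' are not supported here
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError(f"unsupported filter item {s[i:end]!r}")
    attr, rule, cmp, value = m.groups()
    return ("item", attr.lower(), rule, cmp, value), end + 1


def matches(node, entry):
    """True if the entry (dict of attribute -> list of values) matches."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, cmp, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)             # true if every bit of the mask is set
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if cmp == "=":
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    return any((v <= value) if cmp == "<=" else (v >= value) for v in values)


def select_people(filter_text, entries):
    """Sorted sAMAccountNames of the entries the filter would sync."""
    node = parse_filter(filter_text)
    return sorted(a["sAMAccountName"][0] for a in entries.values() if matches(node, a))


def to_properties_value(filter_text):
    """Escape '=' and ':' the way the reply's properties lines do."""
    return filter_text.replace("=", "\\=").replace(":", "\\:")


def from_properties_value(escaped):
    """Reverse of to_properties_value."""
    return escaped.replace("\\=", "=").replace("\\:", ":")


if __name__ == "__main__":
    print("personQuery          ->", select_people(PERSON_QUERY, SAMPLE_ENTRIES))
    print("group restricted     ->", select_people(GROUP_RESTRICTED_QUERY, SAMPLE_ENTRIES))
    since = "20240101000000.0Z"   # Alfresco substitutes the last sync time for {0}
    print("differential since   ->", select_people(DIFFERENTIAL_QUERY.replace("{0}", since), SAMPLE_ENTRIES))
    print(to_properties_value(PERSON_QUERY))
```

With the constructed entries, the plain personQuery returns alice and carol (bob is dropped because userAccountControl 514 has the disable bit set), the group-restricted variant returns only alice, and the differential query with a last-sync time of 1 Jan 2024 returns only alice, because carol's modifyTimestamp is older than the cut-off. Running a candidate filter through the evaluator before putting it in the properties file is a cheap way to confirm it excludes exactly the accounts you intend.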

opnek
Champ in-the-making
Hi,

You are right, I plan to filter the LDAP-Query so that only users with a specific group are shown in Alfresco. I just didn't know how to implement this in the best and easiest way.

I will try the LDAP-Filter next week and post my results here.

Thanks a lot for your help!

Kind regards

Opnek

gojko
Champ in-the-making
Hi opnek, were you able to resolve this? I have the same problem, and currently all AD users are listed and all users are able to login. The /alfresco.log does list the correct number of users synched; and when the lines for personQuery and personDifferentialQuery are commented the log lists the users that logged in but shouldn't have, with comment 'This user will in future be assumed to originate from user registry 'myldap'.' Well, the system seems to have logged in the user outside myldap which makes no sense. Here is my global.properties.


# AD integration
authentication.chain=myldap:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@[name].local
ldap.authentication.java.naming.provider.url=ldap://[IP]:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=administrator@<name>.local
ldap.synchronization.java.naming.security.credentials=[Password]
ldap.synchronization.groupSearchBase=[correct path]
ldap.synchronization.userSearchBase=[correct path]

#Selective AD Query
synchronization.autoCreatePeopleOnLogin=false  
synchronization.syncWhenMissingPeopleLogIn=false
ldap.synchronization.personType=user
ldap.synchronization.personQuery=(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))
ldap.synchronization.personDifferentialQuery=(&(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))(!(modifyTimestamp<\={0})))

#CUSTOM LDAP MAPPINGS
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userOrganizationAttributeName=department
ldap.synchronization.userLocationAttributeName=physicalDeliveryOfficeName
ldap.synchronization.userMobileAttributeName=mobile
ldap.synchronization.userCompanyPostCodeAttributeName=postalCode
ldap.synchronization.userCompanyFaxAttributeName=facsimileTelephoneNumber
ldap.synchronization.userCompanyTelephoneAttributeName=telephoneNumber
ldap.synchronization.userCompanyEmailAttributeName=mail
ldap.synchronization.userPersonDescriptionAttributeName=info
ldap.synchronization.userTelephoneAttributeName=homePhone
ldap.synchronization.userCompanyAddress1AttributeName=streetAddress
ldap.synchronization.userCompanyAddress2AttributeName=l
ldap.synchronization.userCompanyAddress3AttributeName=st

# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.import.cron=0 0/3 * * * ?


kimberlydeborah
Champ in-the-making

You need something to distinguish users in AD. If I assume correctly - you cannot modify AD users, then you don't have options with a custom LDAP query.