Alfresco + OpenLDAP + Filtering (logging by two conditions)

mmmartin
Champ in-the-making
Hi All!

I have a problem configuring OpenLDAP authentication with Alfresco.
I saw some similar topics, but most are about AD, not about OpenLDAP.

My aim is to log people in to Alfresco using LDAP. People have user accounts in phpLDAPAdmin and some of them are members of the Alfresco group.
Logging into Alfresco is OK, but I can't filter the user list to the users who are members of the Alfresco group.
Why does the following query not work?

ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(cn\=%s)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))   

The %s expression is for passing the variable through from the login screen to the query, right?

Any Help Will Be Appreciated!
Regards,
Martin

mmmartin
Champ in-the-making
Anyone else? :)

mmmartin
Champ in-the-making
I have resolved the problem I mentioned above.
My solution is written below for your consideration. :)

My question was:
How can I authenticate by LDAP while checking group membership in LDAP? Only users with ecm membership can log into Alfresco. For this I need an LDAP query, and the personQuery did not work.

Solution:
The key is to set userNameFormat empty, and then personQuery will work!


FIRST STEP
My OpenLDAP Directory system:

dc=capsulecorp,dc=com
|_cn=admin
|_ou=Groups
—|_cn=ecm
—|_cn=fs
—|_cn=…
—|_…
|_ou=Users
—|_cn=firstname1 surname1
—|_cn=firstname2 surname2
—|_cn=…
—|_…

The children of ou=Groups are groupOfNames entries (e.g. cn=ecm: Enterprise Content Management - Alfresco).
The users in ou=Users are members of the cn=ecm groupOfNames entry (exactly those people who need permission to Alfresco).

SECOND STEP
My Alfresco is running on BitNami Virtual Appliance Stack
My Alfresco Settings:

    1, alfresco-global.properties
      - Path:

      /opt/bitnami/apache-tomcat/shared/classes/alfresco-global.properties
      - Modifications: Add the line below to the file (anywhere)

      authentication.chain=myldap:myldap,alfrescoNtlm:alfrescoNtlm
      - Notes:
        b, alfrescoNtlm is Alfresco's default authentication system
        c, chain means that Alfresco tries to authenticate with the systems in the chain, in order
    2, ldap-authentication.properties
      - Default Path:
      /opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties
      - New Path:
      /opt/bitnami/apache-tomcat/shared/classes/alfresco/subsystems/Authentication/myldap/ldap-authentication.properties
      - Note for New Path:
      You should create the missing directories:
      sudo mkdir -p /opt/bitnami/apache-tomcat/shared/classes/alfresco/subsystems/Authentication/myldap/
      And then copy the file into the myldap folder.
      - Modifications:

      ldap.authentication.active=true
      ldap.authentication.allowGuestLogin=true
      ldap.authentication.userNameFormat=
      ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      ldap.authentication.java.naming.provider.url=ldap://10.10.10.10:389
      ldap.authentication.java.naming.security.authentication=simple
      ldap.authentication.escapeCommasInBind=true
      ldap.authentication.escapeCommasInUid=true
      ldap.authentication.defaultAdministratorUserNames=
      ldap.synchronization.active=true
      ldap.synchronization.java.naming.security.authentication=simple
      ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=capsulecorp,dc\=com
      ldap.synchronization.java.naming.security.credentials=PASSWORD
      ldap.synchronization.queryBatchSize=0
      ldap.synchronization.attributeBatchSize=0
      ldap.synchronization.groupQuery=(&(objectclass\=groupOfNames)(cn\=ecm))
      ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
      ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))
      ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
      ldap.synchronization.groupSearchBase=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com
      ldap.synchronization.userSearchBase=ou\=Users,dc\=capsulecorp,dc\=com
      ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
      ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
      ldap.synchronization.userIdAttributeName=uid
      ldap.synchronization.userFirstNameAttributeName=givenName
      ldap.synchronization.userLastNameAttributeName=sn
      ldap.synchronization.userEmailAttributeName=mail
      ldap.synchronization.userOrganizationalIdAttributeName=o
      ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
      ldap.synchronization.groupIdAttributeName=cn
      ldap.synchronization.groupDisplayNameAttributeName=description
      ldap.synchronization.groupType=groupOfNames
      ldap.synchronization.personType=inetOrgPerson
      ldap.synchronization.groupMemberAttributeName=member
      ldap.synchronization.enableProgressEstimation=true
      ldap.authentication.java.naming.read.timeout=0
      - The most important config variables, which answer my query question:
        -> ldap.authentication.userNameFormat=
          - This variable should be empty, as you can see, so that an LDAP query is made
        -> ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))
          - This is the group-membership check query for LDAP
        -> ldap.synchronization.userIdAttributeName=uid
          - This attribute will be the username when logging into Alfresco!
    3, ldap-authentication-context.xml
      - Default Path:
      /opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication-context.xml
      - New Path:
      /opt/bitnami/apache-tomcat/shared/classes/alfresco/subsystems/Authentication/myldap/ldap-authentication-context.xml
      - Modifications: Change the short line in the file as Example 3 says (you can find the link above) to this:
      <import resource="classpath*:alfresco/subsystems/Authentication/common-ldap-context.xml" />

    4, ldap-synchronization.properties
      - Path:
      /opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Synchronization/default/default-synchronization.properties
      - Modifications:

      synchronization.synchronizeChangesOnly=true
      synchronization.import.cron=0 0 0 * * ?
      synchronization.syncWhenMissingPeopleLogIn=true
      synchronization.syncOnStartup=true
      synchronization.autoCreatePeopleOnLogin=true
      synchronization.loggingInterval=100
      synchronization.workerThreads=2
      synchronization.allowDeletions=true
      - Note: actually I did not change anything
THIRD STEP
Finally, you should restart the Apache Tomcat server.
Type the line below from any directory:
sudo /opt/bitnami/ctlscript.sh restart
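As an added example (not from this thread and not Alfresco's own code), a small Python checker that reads properties like the ones above, models in simplified form how Alfresco finds a user's DN when userNameFormat is empty (the userIdAttributeName match ANDed with personQuery; the exact filter Alfresco builds internally is an assumption here), escapes the user id before it goes into the filter, and flags the two things that caused the original question: a non-empty userNameFormat and a `%s` inside personQuery.

```python
"""Checks for an Alfresco ldap-authentication.properties file (added example,
not Alfresco's own code). Models, in simplified form, how Alfresco finds a
user when userNameFormat is empty: (userIdAttributeName=<user>) AND personQuery."""
import re

# Constructed sample modelled on the working configuration in the thread.
SAMPLE = r"""
ldap.authentication.userNameFormat=
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))
ldap.synchronization.groupSearchBase=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com
"""
_ESC = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def parse_properties(text):
    """Minimal .properties reader: first unescaped '=' or ':' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        m = re.match(r'((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)', line)
        if m:
            key, val = m.groups()
            props[key] = re.sub(r'\\(.)', r'\1', val)  # drop Java backslash escapes
    return props

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return ''.join(_ESC.get(c, c) for c in value)

def login_filter(props, user_id):
    """Filter that locates the DN of a user logging in (simplified Alfresco model)."""
    attr = props.get('ldap.synchronization.userIdAttributeName', 'uid')
    return '(&(%s=%s)%s)' % (attr, escape_filter_value(user_id),
                             props['ldap.synchronization.personQuery'])

def check_config(props):
    """Return findings that would defeat or break the group-membership restriction."""
    findings = []
    fmt = props.get('ldap.authentication.userNameFormat', '')
    pq = props.get('ldap.synchronization.personQuery', '')
    if fmt:
        findings.append('userNameFormat is set: bind DN comes from the template, personQuery is not used at login')
    if '%s' in pq:
        findings.append('personQuery contains a literal %s (only userNameFormat substitutes it); it never matches')
    m = re.search(r'\(memberof=([^)]+)\)', pq, re.I)
    base = props.get('ldap.synchronization.groupSearchBase', '')
    if m and base and not m.group(1).lower().endswith(base.lower()):
        findings.append('memberof DN %s is outside groupSearchBase %s' % (m.group(1), base))
    return findings
```

Note that `memberof` is an operational attribute that OpenLDAP only maintains when the memberof overlay is loaded; if `check_config` is clean but logins still fail, that is the next thing to verify on the server side.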