ldap-ad filtering at point of authentication

jbollom
Champ in-the-making
Hey All,

I'm just setting up Alfresco 4.2f for the first time and currently have ldap-ad set up.
I would like to restrict logins via group membership, but I cannot find any information on how to do this.
Everything I read points to ldap sync filters, but these details are not used when a user logs in.
The only other thing I have read is that I can restrict users that don't exist in Alfresco from logging in, but this is not really what I'm after.

Is there a way to filter user logins at authentication point checking if the user is a member of a group before proceeding?
eg: (&(objectClass=user)(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=CN=groupcn,OU=ougroup,DC=domain,DC=local)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Thanks,
Josh

nickburch
Confirmed Champ
I don't think you can do it with only config. I believe you'll need to write some code.

If you look in alfresco/subsystems/Authentication/common-ldap-context.xml you'll see the definition of the authenticationComponent based on LDAPAuthenticationComponentImpl, which is what is used to authenticate users against LDAP. That in turn uses the config for ldapInitialDirContextFactory, and looks up users based on the resolveDistinguishedName in LDAPUserRegistry.

I think (though it's been a little while since I last delved into that code) that you'll need to provide a custom LDAPUserRegistry which extends from the default one, and have that provide an alternate resolveDistinguishedName method which adds in additional parts to the LDAP query. That will let you add in the extra constraints.
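As an added illustration (not code from this thread, from Alfresco, or from nickburch), here is the filter construction and DN lookup such an override would perform, written against plain JNDI so it stands on its own. The wiring into the Alfresco subclass is left out; the person query, user ID attribute and search base are assumed to be the values already present in the ldap-ad configuration, and the allowed group DN is assumed to come from configuration rather than from the user.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Group-constrained user lookup, as the reply above sketches it (illustration only). */
public class GroupRestrictedUserLookup {
    // LDAP_MATCHING_RULE_IN_CHAIN: matches nested membership of the allowed group in AD.
    private static final String MEMBER_OF_CHAIN = "memberOf:1.2.840.113556.1.4.1941:=";
    // LDAP_MATCHING_RULE_BIT_AND on userAccountControl bit 2 (UF_ACCOUNTDISABLE), negated.
    private static final String NOT_DISABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))";

    /** RFC 4515 escaping: a typed login name must not be able to alter the filter structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Existing person query AND the login name AND membership in the allowed group AND not disabled. */
    static String buildFilter(String personQuery, String userIdAttribute, String userId, String allowedGroupDn) {
        // allowedGroupDn is administrator-supplied configuration (assumed), so it is not escaped here.
        return "(&" + personQuery
             + "(" + userIdAttribute + "=" + escapeFilterValue(userId) + ")"
             + "(" + MEMBER_OF_CHAIN + allowedGroupDn + ")"
             + NOT_DISABLED + ")";
    }

    /** Returns the DN of the single matching user, or null if none (or more than one) matches. */
    static String resolveDn(DirContext ctx, String searchBase, String filter) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[0]); // only the DN is needed for the bind that follows
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, ctls);
        try {
            if (!results.hasMore()) return null;               // not found, or not in the group: deny
            String dn = results.next().getNameInNamespace();
            return results.hasMore() ? null : dn;              // ambiguous login name: deny rather than guess
        } finally {
            results.close();
        }
    }
}
```

A user outside the configured group simply yields no DN, so the subsequent bind never happens and the login is rejected before any Alfresco account is consulted.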