LDAP and alfrescoNtlm1

eswbitto
Confirmed Champ
So I'm on the downhill run for putting alfresco into production. I stumbled onto an issue that I need resolved.

I have LDAP set up for our society to be able to log into alfresco using their own credentials via AD. By default all users are consumers which is how we want to set things up. We are creating a few sites and certain users will belong to those sites.

That being said we want to limit the manageability of those sites to a very small amount of people. Either selected users assigned as Managers OR the IT department managing them. Logging into the default admin account (the one you create when you first install alfresco) I noticed that I wasn't able to search any users from active directory.

This is going to be a problem if this account is going to be used as a management for each site and assigning users etc…

Has anyone come across this issue and have they resolved it? And if so, how?

Happy Friday Peeps!!


ESWBitto
4 REPLIES

bopolissimus
Confirmed Champ
Hi,

I don't remember the details of your setup, below works for 4.2.b, 4.2.c.

1. are your selected AD users actually synchronized into alfresco so that they're now actually also alfresco users?  I would check this by:
   A. browse to http(s)://[youralfrescodomain]/alfresco
   B. login as admin
   C. click on the Administration console icon (beside the icon that looks like a person with a notepad and items on it).
   D. click on Manage System Users and Show All

   you should see your AD users there (also users created inside alfresco).  if that doesn't work (it should, but not
   sure what happens if lucene or solr is  totally broken), you could look in "Company Home"/"User Homes" and see if
   the user home directories were created there.  if you can't search for the AD users and their user directories aren't
   there then I don't think the AD users were imported.  check your alfresco.log for ldap sync notifications/warnings/errors.

2. for any given site,
   A. if you're the site manager (or an alfresco admin), you can add persons or groups as additional
      site managers. go to /share and manage Users and Groups | Groups.  For any given site you'll notice a
      group for the site (e.g., the training-site might have the following groups: site_training-site,
      site_training-site_SiteManager, and so on for SiteCollaborator, SiteContributor, SiteConsumer).
   B. click on the SiteManager group.  You are now able to add individuals or groups to be site managers.
      Hover on the icons at top-right of the second pane.  The rightmost one is add user, the middle one
      is add group. clicking on either of those will allow you to select groups or persons to add.

You can manage site managers either manually (adding persons to the site manager group or creating groups in alfresco, adding persons to those groups, and then adding the groups to the relevant site manager groups), or you can manage it half in AD/LDAP and half in alfresco.

   1. create the site manager groups in LDAP.  have alfresco import those LDAP groups into alfresco
   2. in alfresco, after the groups have synced, add the relevant AD-imported groups as managers to their respective sites.

Moving forward, the method above of an alfresco administrator being able to add any person (usually him/herself) as a manager for a site is very useful.  Sometimes current site managers are removed from LDAP (they move on to another job), they get auto-removed from alfresco at next sync, and sites are then left with no managers.  the alfresco admin can use the method above to assign someone else as manager for the group.

eswbitto
Confirmed Champ
@bopolissimus

I checked and the import for active directory did go through. I can see each user's home. Thanks for the tip!

I think what I was doing is when configuring the LDAP config I didn't put it in my global.properties file. I was modifying another file that alfresco people say not to. I believe I understand why they were saying you can only use one chain at a time doing that.

bopolissimus
Confirmed Champ
"not to", if you were editing a file that was right under webapps/alfresco, yes.  don't do that.  Tomcat may decide to overwrite those files from the war file whenever it wants to (usually when the war file changes).

alfresco-global.properties is the first stop for setting up AD/LDAP.

So now, when you search for the users (in /share or in /alfresco admin console) you see them?  Note that just because directories exist for users, it doesn't mean that the users exist.  It just means that at some point the users were created and existed. When you remove a user though, the user home doesn't get auto-removed.  That's why that was my second thing to check (if lucene/solr search is broken somehow and you can't actually find your users in either the /alfresco or /share interface).  The first thing really is to look in alfresco to see if your users are really there.

Another way to look at your users (apart from /alfresco | admin console | manage system users) is:

1. browse to /alfresco as an admin
2. click on the administration console
3. click on Node Browser
4. click on user://alfrescoUserStore
5. under Children, click on the one system entry there.
6. you can now look at people or authorities. authorities are groups.
7. click on people
8. you should see your users there. 

if you don't see your users then you'll need to fix things so they get re-imported by alfresco.  put the LDAP config in alfresco-global.properties, restart, monitor the logs, check for your users again when alfresco comes up.
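
An illustrative alfresco-global.properties fragment for the setup discussed in this thread, added here as an example and not taken from either poster's configuration. The hostname, domain, search bases, service account and the instance name `ldap1` are placeholders; the built-in `alfrescoNtlm1` store stays first in the chain so the local admin account keeps working alongside AD.

```properties
# alfresco-global.properties
# Added example: every host, DN and account below is a placeholder.

# Chain format is <instance name>:<subsystem type>, evaluated left to right.
# alfrescoNtlm1 keeps the internal admin account usable; ldap1 adds AD.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

# --- Authentication against AD ---
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@example.com
# ldaps:// keeps bind credentials off the wire in cleartext; the JVM
# truststore must trust the domain controller's certificate.
ldap.authentication.java.naming.provider.url=ldaps://ad.example.com:636

# --- Synchronization: imports AD users and groups into Alfresco ---
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# Use a dedicated read-only service account, not a domain admin.
ldap.synchronization.java.naming.security.principal=svc-alfresco@example.com
ldap.synchronization.java.naming.security.credentials=CHANGE_ME
ldap.synchronization.userSearchBase=ou=Users,dc=example,dc=com
ldap.synchronization.groupSearchBase=ou=Groups,dc=example,dc=com

# Run a sync at startup and then on a schedule (Quartz cron, hourly here).
synchronization.syncOnStartup=true
synchronization.import.cron=0 0 * * * ?
```

Because this file holds the sync account's password, restrict its file permissions to the user that runs Tomcat.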

eswbitto
Confirmed Champ
@bopolissimus

When I go either /share or /alfresco -> admin console -> manage system users…I can see all of my users and groups. I do not see them when I follow your instructions on going to the Node browser and below…etc.

fyi…I sent you a PM on another issue if you have some time.