
LDAP Authentication (no sync) is creating users?!?

acn
Champ in-the-making
Hello,

I've installed Alfresco 5.0.d and want to use LDAP authentication for users that I create manually in Alfresco - as I do not have the possibility to use LDAP groups or any other filter method on the LDAP server.

So I want to create a specific user, enter the LDAP login (+ a random password) and then the user can log in to Alfresco via LDAP credentials.

I have configured this setup (sort of…) via the settings below, but the following problem occurs:

Whenever a user logs in who does NOT have an Alfresco user (i.e. who I did not create manually), Alfresco creates this user by itself and the user can log in.

Using some magic debug statements, I got the following output in catalina.out when such a user logs in:

[authentication.ldap.LDAPAuthenticationComponentImpl] […] Authenticating user "<userid>"
[authentication.ldap.LDAPAuthenticationComponentImpl] […] User "<userid>" does not exist in Alfresco. Attempting to import / create the user.
[authentication.ldap.LDAPAuthenticationComponentImpl] […] Setting the current user to "<userid>"
[authentication.ldap.LDAPAuthenticationComponentImpl] […] User "<userid>" authenticated successfully


That is NOT what I want!

How can I achieve my goal? What settings did I miss?

My configuration in alfresco-global.properties:


authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm

alfresco.authentication.allowGuestLogin=false
ntlm.authentication.sso.enabled=false
ntlm.authentication.allowGuestLogin=false
ntlm.authentication.mapUnknownUserToGuest=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.read.timeout=30000

ldap.authentication.userNameFormat=uid=%s,ou=people,o=xxxxxn,c=DE
ldap.authentication.escapeCommasInBind=true
ldap.authentication.java.naming.provider.url=ldaps://our.ldap.server:636
ldap.authentication.java.naming.security.protocol=ssl
ldap.authentication.truststore.path=/opt/alfresco/alf_data/keystore/ldap/ldap-keystore
ldap.authentication.truststore.passphrase=our-password
ldap.authentication.truststore.type=JKS

ldap.synchronization.active=false
# out of despair, I added these settings, which do not seem to help:
ldap.synchronization.syncWhenMissingPeopleLogIn=false
ldap.synchronization.autoCreatePeopleOnLogin=false


Thank you!

Kind regards
Anna Christina Naß
3 REPLIES

mrogers
Star Contributor
The other setting is on the person service. 

# Some authentication mechanisms may need to create people
# in the repository on demand. This enables that feature.
# If disabled an error will be generated for missing
# people. If enabled then a person will be created and
# persisted.
create.missing.people

acn
Champ in-the-making
Hello,

Where do I have to set this?

It seems to me that it is documented nowhere… 😞
Also
/opt/alfresco$ grep "create.missing.people" -R *
does not find a corresponding file for this setting.

It would be great if you could tell me where I have to set this flag.

Thank you!

Anna Christina Naß

mrogers
Star Contributor
As with most Alfresco config, put it into alfresco-global.properties.
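
An added example, not part of the thread and not Alfresco's own code: a Python audit that reads catalina.out lines in the message format quoted in the first post and lists accounts Alfresco tried to create at LDAP login, separating those that then logged in from those that did not. It assumes debug logging for the LDAP authentication component is enabled as in that post; the function name, timestamps, thread names and user ids are constructed.

```python
import re

# Message texts as quoted from catalina.out in the first post.
COMPONENT = "authentication.ldap.LDAPAuthenticationComponentImpl"
AUTH_START = re.compile(r'Authenticating user "([^"]+)"')
MISSING = re.compile(r'User "([^"]+)" does not exist in Alfresco\. '
                     r'Attempting to import / create the user\.')
SUCCESS = re.compile(r'User "([^"]+)" authenticated successfully')


def find_auto_created(lines):
    """Map userid -> status for users Alfresco tried to create on LDAP login.

    "created-and-logged-in": a success line followed the creation attempt
    within the same login attempt. "attempted": no success line followed,
    e.g. because on-demand creation was refused.
    """
    status = {}
    pending = set()  # users with a creation attempt in the current login
    for line in lines:
        if COMPONENT not in line:
            continue
        if (m := AUTH_START.search(line)):
            pending.discard(m.group(1))  # a new login attempt starts
        elif (m := MISSING.search(line)):
            pending.add(m.group(1))
            status.setdefault(m.group(1), "attempted")
        elif (m := SUCCESS.search(line)) and m.group(1) in pending:
            status[m.group(1)] = "created-and-logged-in"
            pending.discard(m.group(1))
    return status


# Constructed sample: alice already exists, bob is auto-created, carol's
# creation attempt is not followed by a success until she exists later on.
P = "2015-06-01 10:00:00,000 DEBUG [" + COMPONENT + "] [http-1] "
SAMPLE_LOG = [
    P + 'Authenticating user "alice"',
    P + 'User "alice" authenticated successfully',
    P + 'Authenticating user "bob"',
    P + 'User "bob" does not exist in Alfresco. Attempting to import / create the user.',
    "2015-06-01 10:00:01,000 INFO [some.other.Component] unrelated line",
    P + 'Setting the current user to "bob"',
    P + 'User "bob" authenticated successfully',
    P + 'Authenticating user "carol"',
    P + 'User "carol" does not exist in Alfresco. Attempting to import / create the user.',
    P + 'Authenticating user "carol"',
    P + 'User "carol" authenticated successfully',
]

if __name__ == "__main__":
    for user, state in find_auto_created(SAMPLE_LOG).items():
        print(f"{user}: {state}")
```

Any user reported as created-and-logged-in is an account that exists only because it authenticated against LDAP, which is the behaviour the original poster wanted to prevent.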