
LDAP: objectclass definition with authentication

simon
Champ in-the-making
Hi Andy,

Another LDAP question for you… I'm sorry.

We are trying to authenticate against OpenLDAP. All our users are stored in 1 OU in 1 LDAP, no referrals or chaining (let's keep it simple for once).

Not all the users have the same objectclasses: some of them are from the person objectclass, some have the user objectclass, some use both.

There is a property (in the ldap-authentication-context.xml file) for the people synchronisation to limit the query to a certain objectclass:

<property name="personQuery">
    <value>(objectclass=inetOrgPerson)</value>
</property>

We would like to do exactly the same for authentication: only allow the accounts with this specific objectclass and ignore the others.

Is there such a property that could be specified for the ldapInitialDirContextFactory bean? And if there isn't… :roll:

Thanks!

andy
Champ on-the-rise
Hi Simon

There is nothing in Alfresco to do this. I don't think there is anything in the underlying support either.

Your best bet is to use digest authentication in OpenLDAP.
This has a redirection query to find the user entry from the user id.
You could use this query to limit the users actually found.

If you are using simple authentication you want it to be as if some DN is not visible. The only way I can think of to do this is with permissions. I am not sure how permissions and authentication interact in OpenLDAP.

Regards

Andy
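The two OpenLDAP-side routes Andy sketches, written out as an added example in slapd.conf syntax. This is not from the original thread and not Alfresco configuration; the suffix dc=example,dc=com, the ou=people container, uid as the naming attribute and the inetOrgPerson objectclass from the personQuery above are assumptions.

```conf
# Added example, not from the original thread or from Alfresco.
# Assumed layout: all accounts live under ou=people,dc=example,dc=com,
# each named by its uid, and the accounts we want to let in are inetOrgPerson.

# --- Option 1: DIGEST-MD5 (SASL) bind --------------------------------------
# slapd maps the SASL authentication identity to a directory entry with
# authz-regexp.  Putting the objectClass test into the LDAP URL's filter
# means an account whose entry is not inetOrgPerson resolves to no DN, so
# the bind fails even when the password is right.
# (If a SASL realm is configured the identity carries an extra
# ",cn=<realm>" component before cn=digest-md5 and the pattern must match it.)
authz-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(uid=$1))

# --- Option 2: simple bind --------------------------------------------------
# A simple bind needs "auth" access to the target entry's userPassword for
# the identity performing the bind, which at that moment is anonymous.
# ACLs are evaluated in order and the first "access to" clause whose target
# matches is the one that applies, so deny auth on userPassword for every
# entry that is NOT inetOrgPerson before the general rule that grants it.
access to filter=(!(objectClass=inetOrgPerson)) attrs=userPassword
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Remaining attributes: users can see them, anonymous cannot (adjust to taste;
# the account Alfresco uses for people synchronisation needs read here).
access to *
        by self write
        by users read
        by * none
```

To check the simple-bind rule, try `ldapwhoami -x -D "uid=<someone>,ou=people,dc=example,dc=com" -W` for an account with and one without inetOrgPerson; the excluded account should get "Invalid credentials (49)" even with the right password, which is also what Alfresco will see. Three caveats: the rootdn bypasses ACLs entirely, so never use it as a test account; DIGEST-MD5 served by slapd itself needs the cleartext password in userPassword (or a sasldb), which is usually the reason people stay with simple bind over TLS; and with cn=config the same directives are olcAuthzRegexp and olcAccess on the database entry.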

simon
Champ in-the-making
You are right…

We use simple authentication (DIGEST-MD5 is not an option; we need to encrypt the password afterwards to use SASL, as described in some other topic), but I forgot about the DN stuff. Indeed, there is no way to filter the DN if we specify the full path.

We'll have to find another way out of this. Thanks anyway!