LDAP users disabled so cannot login

barbaro
Champ in-the-making
Hi to all!
  I'm a new user of Alfresco and I'm trying to integrate a fresh instance on a Windows Server 2008 machine with our LDAP - Active Directory.
After a lot of Google reading and tests I was able to make Alfresco read my AD user, but it is always disabled, so I'm not able to login with it.

So I'll share with you the content of alfresco-global.properties.sample (I've substituted only the references to our internal names of servers and users):

ldap.authentication.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.userNameFormat=%s@<domain>.local
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.read.timeout=30000
ldap.authentication.java.naming.provider.url=ldap://<server>:389

### LDAP Synchronization ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=<user>@<domain>.local
ldap.synchronization.java.naming.security.credentials=<pass>
ldap.synchronization.groupSearchBase=OU\=Sistemi Informativi…
ldap.synchronization.userSearchBase=OU\=Sistemi Informativi…
ldap.synchronization.userEmailAttributeName=mail

This is the relevant part; is there anyone who could help me understand where I'm wrong?
Moreover, is there a way to make the logs more verbose and trace my login failure attempts?

Thanks in advance,
Marco
6 REPLIES

borisstankov
Champ in-the-making
Hello,

Have you set up the service account appropriately?

Also it's good practice in my opinion to put this row: ldap.authentication.active=true
just before this one: ldap.authentication.userNameFormat=%s@.local
On the other hand you need this row between the two above (without caps): ldap.synchronization.java.naming.security.authentication=simple

After those changes what happens? Any change or not? If not, please check your log files for error messages. At this point you do not need any verbose mode to check what the status of this is.


All the best.

barbaro
Champ in-the-making
Hi Boris,
  many thanks for your reply. I did what you suggested about the properties rows but it still does not work; my AD user is marked as disabled.

Just to be sure I did it well here is the new properties file:

### Authentication ###
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false
ldap.authentication.defaultAdministratorUserNames=admin

ldap.authentication.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@pam.local
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.read.timeout=30000
ldap.authentication.java.naming.provider.url=ldap://…:389

### LDAP Synchronization ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=…@pam.local
ldap.synchronization.java.naming.security.credentials=…
ldap.synchronization.groupSearchBase=OU\=Sistemi Informativi,OU\=GRUPPO PAM,DC\=pam,DC\=local
ldap.synchronization.userSearchBase=OU\=Sistemi Informativi,OU\=GRUPPO PAM,DC\=pam,DC\=local

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.personType=user
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.defaultAdministratorUserNames=admin


Just one doubt: what did you mean with:

"Have you set up the service account appropriately?"

Thanks again,  
  Marco

romschn
Star Collaborator
At a glance I read that users are disabled. Just a quick thought - as users are already synced from LDAP to the repository, try logging in with the admin user and search for any one user synced from LDAP. If the user is disabled, enable the user and then try logging in with that user and see if that works or not. I understand that this is not a solution but just a thought to see if this workaround helps to get nearer to a solution or not.

Hope this helps.

barbaro
Champ in-the-making
Hi Ramesh, 
   I am able to login with the Alfresco local admin user (obviously) but the user flag which could enable/disable the AD/LDAP user I use to test (my AD user) is greyed out and not clickable!
So,
   I don't know what to do…
Have you got other ideas?
Thanks again,
   Marco

borisstankov
Champ in-the-making
Hello Marco,


>>>>Just one doubt: what did you mean with:

>>>>"Have you set up the service account appropriately?"

I meant that you need to mark the user that you are using to login to the AD from Alfresco as a service account with expiration of the password and no need to change the password in a few months. Nothing more.

Now I need to ask what do you mean by:
"my AD user is marked as disabled."

I agree with romschn about his suggestion. Also I cannot see any logs/errors that you posted. Please check your logs about any of that; they help a lot in such cases.

All the best!

barbaro
Champ in-the-making
Hi folks,
   thanks for the suggestions, finally I solved the issue.
What I did is uninstall Alfresco and reinstall it on the same VM.
Then I opened alfresco-global.properties (not the sample one as I did before) and modified the file as above.
This done, I started Alfresco and I was able to access it with my LDAP user.

Marco
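As an added example (not code from the thread or from Alfresco), here is a small lint for the LDAP-AD block that would have caught the root cause above: the properties were edited in alfresco-global.properties.sample, which Alfresco never reads. It also flags the two things a reviewer would want checked in the posted config: placeholder bind credentials, and a SIMPLE bind over plain ldap://, which sends the sync service-account password unencrypted. The sample text, host name and service-account name are constructed.

```python
"""Lint an alfresco-global.properties LDAP-AD block (added example, not Alfresco's own code)."""
import re

# Constructed sample mirroring the thread's config, including the .sample
# file name and the plaintext simple bind that the original poster used.
SAMPLE = """\
### Authentication ###
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@pam.local
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.provider.url=ldap://dc01.pam.local:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=svc-alfresco@pam.local
ldap.synchronization.java.naming.security.credentials=<pass>
ldap.synchronization.userSearchBase=OU\\=Sistemi Informativi,DC\\=pam,DC\\=local
"""

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, honours the backslash-escaped
    '=' used in the thread's search bases, splits on the first unescaped '=' or ':'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).replace("\\=", "=")
    return props

def lint_ldap_ad(filename, text):
    """Return a list of findings; an empty list means the block looks usable."""
    p = parse_properties(text)
    findings = []
    if filename.endswith(".sample"):
        findings.append("file is the .sample copy; Alfresco reads alfresco-global.properties")
    if "ldap-ad" not in p.get("authentication.chain", ""):
        findings.append("authentication.chain has no ldap-ad instance")
    for key in ("ldap.authentication.active", "ldap.synchronization.active"):
        if p.get(key, "").lower() != "true":
            findings.append(f"{key} is not true")
    cred = p.get("ldap.synchronization.java.naming.security.credentials", "")
    if not cred or cred.startswith("<"):
        findings.append("sync bind credentials missing or still a placeholder")
    url = p.get("ldap.authentication.java.naming.provider.url", "")
    auth = p.get("ldap.authentication.java.naming.security.authentication", "").lower()
    if auth == "simple" and url.startswith("ldap://"):
        findings.append("simple bind over ldap:// sends the service-account password in clear; use ldaps://")
    return findings
```

Running lint_ldap_ad on the real file (not the .sample) after fixing the credentials and switching to ldaps:// returns an empty list.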