Login issue after LDAP Sync

heraclesbzh
Champ in-the-making
Hi there,

I've set up an LDAP synchronization which is apparently working in a 3.2 Alfresco:

15:40:00,515  INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
15:40:00,515  INFO  [security.sync.ChainingUserRegistrySynchronizer] 20 user(s) and 1 group(s) processed

But now I'm unable to log in to my Alfresco; it says "Unable to login - unknown username/password."

The only modification to my alfresco-global.properties since it was working without LDAP is:

authentication.chain=ldap1:ldap

Is there any other configuration I missed?

Thanks

Stéven

dward
Champ on-the-rise
This suggests that the sync side is working, but the authentication side isn't.

A parameter to check is

ldap.authentication.userNameFormat

This is the template for how user IDs are expanded into LDAP distinguished names (DNs). A typical example on OpenLDAP is

ldap.authentication.userNameFormat=uid=%s,ou=People,dc=company,dc=com

Note that this assumes a fixed DN format with only one OU. If you have multiple OUs, you might be best to switch to DIGEST-MD5 binding by changing the following:

ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.userNameFormat=%s
# previously this was a DN - now it should be a UID
ldap.synchronization.java.naming.security.principal=Manager

Then configure the SASL user ID mappings in OpenLDAP, as in http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Sample_Configuration

heraclesbzh
Champ in-the-making
Thanks for the reply, it was effectively bad. I now have an issue with BerkeleyDB and OpenLDAP, but I'm working on that by myself.

I reproduced this configuration, but with a sync against an AD now, and I have the same problem: synchronisation works but I can't log in to my Alfresco.

Here is my ldap-ad-authentication.properties:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@domain
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://192.168.0.2:389
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=Administrator
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=alfrescocifs@test.bur
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=password
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
#ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personQuery=(&(objectclass\=user))
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=cn\=Users,dc\=test,dc\=bur
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=cn\=Users,dc\=test,dc\=bur
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=test.bur
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The group type in LDAP
ldap.synchronization.groupType=group
# The person type in LDAP
ldap.synchronization.personType=user
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

and my alfresco-global.properties has been adjusted to

authentication.chain=ldap-ad1:ldap-ad

So as you can see my ldap.authentication.userNameFormat is set to work with the UPN of the AD but, as I already said, no login is possible.

I looked for a log where I can see some debug output about that, but I didn't find anything, nor how to activate it in log4j.

Thanks
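To make dward's point about userNameFormat concrete against a file like the one posted above, here is an added offline helper (not code from the thread or from Alfresco): it reads a properties file with java.util.Properties escapes, shows the bind principal Alfresco would build for a typed user id, and flags the two template shapes discussed in this thread. The sample properties, the parser and the warning heuristics are my own assumptions, not Alfresco's implementation.

```python
import re

# Constructed sample in the shape of the ldap-ad-authentication.properties
# posted above, trimmed to the keys the checks below use.
SAMPLE_PROPS = r"""
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.userSearchBase=cn\=Users,dc\=test,dc\=bur
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or
    key:value, and backslash escapes (\\= \\: \\, lose the backslash, as in Java)."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key, value = (re.sub(r"\\(.)", lambda e: {"t": "\t", "n": "\n"}.get(e.group(1), e.group(1)), s)
                      for s in m.groups())
        props[key] = value
    return props


def bind_principal(props, user_id):
    """Principal sent in the bind for a typed user id: userNameFormat with %s
    substituted, after the optional comma escaping (escapeCommasInBind)."""
    fmt = props.get("ldap.authentication.userNameFormat", "%s")
    if props.get("ldap.authentication.escapeCommasInBind", "false").lower() == "true":
        user_id = user_id.replace(",", "\\,")
    return fmt.replace("%s", user_id)


def auth_warnings(props):
    """Assumed heuristics drawn from the advice in this thread."""
    fmt = props.get("ldap.authentication.userNameFormat", "%s")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "simple").lower()
    warnings = []
    if "%s" not in fmt:
        warnings.append("userNameFormat has no %s: every login would bind as the same principal")
    elif mech == "simple" and fmt.strip() == "%s":
        warnings.append("userNameFormat=%s with a simple bind sends the bare user id as the DN; "
                        "use a DN/UPN template or switch to DIGEST-MD5 (SASL)")
    return warnings
```

Running bind_principal against your own file with a real user id shows exactly what string reaches the directory; compare it with what a manual bind (ldapsearch -D with that value) accepts.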