only allow synced users to authenticate

astacey
Champ in-the-making
Hello All,

Is it possible to only allow synchronized users to log in to the Share web GUI? If so, what strings need to be added to the global properties?

Many thanks in advance for any replies.
8 REPLIES

lutz_horn
Champ in-the-making
Which users do you not want to be able to log in?

mrogers
Star Contributor
No.

astacey
Champ in-the-making
So how do I define which users can log in to Alfresco? I do not want every user in my AD to be able to log in. I now have an LDAP authentication subsystem working and Alfresco is only synchronizing users in a certain AD security group, but I only want users in this security group to authenticate to the Share web GUI.

mrogers
Star Contributor
You need to change your LDAP query to only select those users you want to be able to log in. There will be examples in these forums where someone restricts Alfresco to members of another LDAP group.

astacey
Champ in-the-making
Hi mrogers,

I have been all over the internet trying to find what this query is. Do you have an example?

Here is what I am using so far:

### LDAP authentication chain
authentication.chain=ldap1:ldap-ad
ntlm.authentication.sso.enabled=true

### LDAP Authentication
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.co.uk
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.co.uk:389
ldap.authentication.defaultAdministratorUserNames=adminuser1,adminuser2,adminuser3

### LDAP Synchronization
ldap.synchronization.java.naming.security.principal=alfrescohttp@domain.co.uk
ldap.synchronization.java.naming.security.credentials=ssssshhhhh
ldap.synchronization.active=true
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=ou=Int,ou=Manage,dc=domain,dc=co,dc=uk
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personType=user
# Full sync: user objects that are members of alfresco.users and have the NORMAL_ACCOUNT bit (512) set.
# All three conditions are AND-ed with (& ...); wrapping them in (| ...) instead would match every
# user object regardless of group membership, and the filter must have balanced parentheses.
ldap.synchronization.personQuery=(&(memberof=CN=alfresco.users,OU=Int,OU=Manage,DC=domain,DC=co,DC=uk)(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
# Differential sync: restricted to the same group, otherwise later incremental syncs would pull in
# every organizationalPerson changed since the last run, not just the intended group members.
ldap.synchronization.personDifferentialQuery=(&(memberof=CN=alfresco.users,OU=Int,OU=Manage,DC=domain,DC=co,DC=uk)(objectclass\=organizationalPerson)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(modifyTimestamp<\={0})))
ldap.synchronization.userSearchBase=ou=Admin Accounts,ou=company,dc=domain,dc=co,dc=uk


I am also getting this issue in the alfresco.log:

10:36:19,270 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
10:36:19,335 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Nov 11, 2014 10:53:10 AM from user registry 'ldap1'
10:36:19,377 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser1,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,377 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser2,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,378 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'alfresco.users' with distinguished name: CN=adminuser3,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk
10:36:19,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 1 entries
10:36:19,427 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 27 per second. 0 failures detected.
10:36:19,427 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 1 entries
10:36:19,435 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since Nov 10, 2014 1:26:10 PM from user registry 'ldap1'
10:36:19,440 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
10:36:19,441 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
10:36:19,470 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
10:36:19,470 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 1 group(s) processed
10:36:19,543 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete

Do you have any idea why this is failing to resolve the user when it is finding the information? As these users are in a different OU to my search base, could this be causing the issue? Do I need to add this OU to my search base as well?
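The following is an added example, not code from the thread or from Alfresco. It illustrates mrogers' point that the restriction has to live in the LDAP query itself, by evaluating a `personQuery` against constructed AD-style entries with a small evaluator for the subset of RFC 4515 filter syntax used above (and, or, not, equality, and the `1.2.840.113556.1.4.803` bit-AND rule). The group DN is the one from the posted config; the user entries, names and the `ad_user`, `select` and `is_well_formed` helpers are made up for the demonstration. It shows two things the posted filter gets wrong: the missing closing parenthesis makes it unparseable, and once that is fixed the `(| ...)` still lets users outside `alfresco.users` through.

```python
# Added example, not Alfresco code: evaluate LDAP filters from a properties file
# against constructed AD-style entries, without a directory server.

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND OID


def unescape_property(value):
    """Undo the Java .properties escapes (\\= and \\:) used in alfresco-global.properties."""
    return value.replace("\\=", "=").replace("\\:", ":")


def _at(text, pos):
    """Character at pos, or '' when the filter ends early (keeps the parser total)."""
    return text[pos] if pos < len(text) else ""


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if _at(text, pos) != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = _at(text, pos)
    if op in ("&", "|"):                      # and / or over child filters
        pos += 1
        children = []
        while _at(text, pos) == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if _at(text, pos) != ")":
            raise ValueError(f"unbalanced filter at offset {pos}")
        return (op, children), pos + 1
    if op == "!":                             # negation of a single child
        child, pos = parse_filter(text, pos + 1)
        if _at(text, pos) != ")":
            raise ValueError(f"unbalanced filter at offset {pos}")
        return ("!", child), pos + 1
    end = text.find(")", pos)
    if end < 0:
        raise ValueError(f"unterminated item at offset {pos}")
    item = text[pos:end]
    if ":=" in item:                          # extensible match: attr:rule:=value
        lhs, value = item.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr.lower(), rule, value), end + 1
    if "=" not in item:
        raise ValueError(f"unsupported item {item!r}")
    attr, value = item.split("=", 1)          # simple equality (attr=value)
    return ("eq", attr.lower(), value), end + 1


def compile_filter(text):
    """Parse a complete filter string, rejecting trailing characters."""
    node, end = parse_filter(text, 0)
    if end != len(text):
        raise ValueError(f"trailing characters at offset {end}")
    return node


def is_well_formed(filter_property):
    """True if a properties-file filter value parses as one complete filter."""
    try:
        compile_filter(unescape_property(filter_property))
        return True
    except ValueError:
        return False


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of lowercase attr -> list of str)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "eq":                          # DNs and class names compare case-insensitively in AD
        return any(v.lower() == node[2].lower() for v in values)
    if node[2] != BIT_AND_RULE:
        raise ValueError(f"unsupported matching rule {node[2]}")
    mask = int(node[3])                       # bit-AND: every bit of the mask must be set
    return any(int(v) & mask == mask for v in values)


def select(filter_property, entries):
    """Return the sAMAccountNames a properties-file filter value would sync."""
    node = compile_filter(unescape_property(filter_property))
    return sorted(e["samaccountname"][0] for e in entries if matches(node, e))


GROUP_DN = "CN=alfresco.users,OU=Int,OU=Manage,DC=domain,DC=co,DC=uk"  # from the posted config


def ad_user(name, groups, uac):
    """Constructed AD user entry; uac is the userAccountControl bit field."""
    return {"samaccountname": [name], "objectclass": ["top", "person", "organizationalPerson", "user"],
            "memberof": groups, "useraccountcontrol": [str(uac)]}


SAMPLE_ENTRIES = [                            # constructed, not real directory data
    ad_user("alice", [GROUP_DN], 512),        # in the group, enabled
    ad_user("bob", [], 512),                  # enabled but not in the group
    ad_user("carol", [GROUP_DN], 514),        # in the group, but ACCOUNTDISABLE (2) is also set
]

# The thread's filter with its missing ')' added: (| ...) makes group membership optional,
# and bit-AND 512 also accepts 514, so a disabled account still matches.
POSTED_QUERY = ("(&(|(memberof=" + GROUP_DN + ")(objectclass\\=user)"
                "(userAccountControl\\:1.2.840.113556.1.4.803\\:\\=512)))")
# All conditions AND-ed, with disabled accounts excluded the way the poster's own
# personDifferentialQuery already does it.
CORRECTED_QUERY = ("(&(memberof=" + GROUP_DN + ")(objectclass\\=user)"
                   "(!(userAccountControl\\:1.2.840.113556.1.4.803\\:\\=2)))")

if __name__ == "__main__":
    print("filter as posted (unclosed):", is_well_formed(POSTED_QUERY[:-1]))  # False
    print("posted, paren fixed:", select(POSTED_QUERY, SAMPLE_ENTRIES))       # ['alice', 'bob', 'carol']
    print("corrected:", select(CORRECTED_QUERY, SAMPLE_ENTRIES))              # ['alice']
```

Running the script shows why the sync in the log above may not behave as expected: an unparseable filter syncs nobody, and the `|` form syncs everybody. The same evaluator can be pointed at the `personDifferentialQuery`, which as posted carries no `memberof` condition at all.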

astacey
Champ in-the-making
I am getting closer with this, but I am now getting this warning message when trying to synchronize a security group in AD:

11:13:03,785 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Missing GID on {member;range=0-*=member;range=0-*: CN=adminuser1,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk, CN=adminuser2,OU=Admin,OU=Users,DC=domain,DC=co,DC=uk, whenchanged=whenChanged: 20141112145257.0Z}

Does anyone know why this is missing the GID?

catar4
Champ in-the-making
"GID" stands for Group ID. Did you also adjust your "groupSelection" query? I would guess the synchronization needs to sync groups as well as users. That, or the users it's trying to sync are not in any groups (and they'd need to be)? Just a quick guess.

astacey
Champ in-the-making
Hi all,

So it seems that it is possible to allow only synchronized users to be able to log in:

# Run a full sync when the repository starts
synchronization.syncOnStartup=true
# Do not create a person record just because an LDAP bind succeeded for an unknown user
synchronization.autoCreatePeopleOnLogin=false
# Do not trigger a sync when an authenticated but unknown user logs in
synchronization.syncWhenMissingPeopleLogIn=false

Just need to add this to the global properties.

It concerns me that senior software engineers do not know this, but I suppose they are like this software.