[SOLVED] Alfresco + Active Directory

luisg
Champ in-the-making
Hi there.

I have been trying to configure Alfresco with Active Directory. Now all the users in Active Directory can log in to Alfresco.
The thing is, I only want specific users, inside a specific group, to be able to log in.
My AD tree is something like:

DC=company, DC=pt
   OU=AlfrescoOU
      CN=AlfrescoUsers
         CN=alfresco, CN=Users, DC=company, DC=pt
         CN=user1, OU=Alfresco, DC=company, DC=pt
         CN=user2, OU=Support, DC=company, DC=pt
                              ….
   OU=…
   CN=…

I want only the users in CN=AlfrescoUsers, OU=AlfrescoOU, DC=company, DC=pt to be able to log in!

ldap-authentication.properties:

ldap.authentication.userNameFormat=%s@company.pt
I tried:
#ldap.authentication.userNameFormat=CN=%s@company.pt, CN=AlfrescoUsers, OU=Alfresco, DC=company, DC=pt

ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<server>:389/
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=alfresco
ldap.authentication.java.naming.security.credentials=(password)
ldap.authentication.escapeCommasInBind=true
ldap.authentication.escapeCommasInUid=true

   
Synchronization is not working either, because Alfresco is not importing the information from Active Directory.
ldap-synchronization.properties:

ldap.synchronisation.personQuery=(objectclass=user)
ldap.synchronisation.personSearchBase=cn=AlfrescoUsers,ou=AlfrescoOU,dc=company,dc=pt
ldap.synchronisation.userIdAttributeName=sAMAccountName
ldap.synchronisation.userFirstNameAttributeName=givenName
ldap.synchronisation.userLastNameAttributeName=sn
ldap.synchronisation.userEmailAttributeName=mail
ldap.synchronisation.userOrganizationalIdAttributeName=o
ldap.synchronisation.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronisation.groupQuery=(objectclass=group)
ldap.synchronisation.groupSearchBase=ou=AlfrescoOU,dc=company,dc=pt
ldap.synchronisation.groupIdAttributeName=cn
ldap.synchronisation.groupType=groupOfNames
ldap.synchronisation.personType=inetOrgPerson
ldap.synchronisation.groupMemberAttributeName=member
ldap.synchronisation.import.person.cron=0 0 * * * ?
ldap.synchronisation.import.group.cron=0 30 * * * ?
ldap.synchronisation.import.group.clearAllChildren=true

Can any of you help me?

Thanks,

Luis

luisg
Champ in-the-making
So…

Can any of you answer my question?

I can only log in with AD users if I use %s@company.com in ldap.authentication.userNameFormat.

If I use something like ldap.authentication.userNameFormat=CN=%s@company.pt, CN=AlfrescoUsers, OU=Alfresco, DC=company, DC=com, the users and the groups are imported, but I can't log in…

Have any of you had this problem?

Thanks

luisg
Champ in-the-making
Hi there…

Just passing by to say that I solved the thing….

ldap.authentication.userNameFormat is just %s@company.pt.

And if I want only the users in some OU, let's say OU=Users,OU=Alfresco,dc=company,dc=com, I should do that in ldap-synchronization.properties.

This is frustrating… I spent so much time on this stupid thing.
Why didn't you help me?! :D

bye

itbeb
Champ in-the-making
Luis

Found this thread very interesting; however, we have eDirectory and LDAP, but I suppose the query from the Alfresco side to LDAP would look the same….

The %s@nwu doesn't work….

If I have a user ABC sitting in my LDAP in ou=ACTIVE,ou=USERS,o=nwu and I want only the authorized users in cn=ALFRESCO,ou=GROUPS,o=nwu to be authenticated, how would my query from Alfresco look?

Please help!

luisg
Champ in-the-making
hi itbeb

One question… is 'o=nwu' correct, or should it be 'ou=nwu'? I don't have deep knowledge of AD, so I don't know if this is correct!

ATM I did some configurations of Alfresco and AD, and all are working, except for the CIFS+AD thing!

See this ldap-authentication.properties file I have (working):

ldap.authentication.userNameFormat=%s@company.com
With this the user just needs to give his username to log in to Alfresco. If a user is registered as jack@company.com, he just needs to give jack in the Alfresco login form.

Another thing: check that your ldap.authentication.java.naming.provider.url has the right name. This is very important!

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=alfresco -> 'alfresco' is a user created in AD
ldap.authentication.java.naming.security.credentials=(pass) -> password for user 'alfresco'
ldap.authentication.escapeCommasInBind=true
ldap.authentication.escapeCommasInUid=true

In ldap-synchronization.properties I have:
ldap.synchronisation.personQuery=(objectclass=user) -> as you can see, this was changed from its original value: (objectclass=inetOrgPerson)

ldap.synchronisation.personSearchBase=ou=Users,ou=abc,dc=company,dc=com
In your case, you will have:
ldap.synchronisation.personSearchBase=cn=ALFRESCO,ou=GROUPS,o=nwu,dc=company,dc=com

ldap.synchronisation.userIdAttributeName=sAMAccountName - I changed uid to sAMAccountName
ldap.synchronisation.userFirstNameAttributeName=givenName - not changed
ldap.synchronisation.userLastNameAttributeName=sn - not changed
ldap.synchronisation.userEmailAttributeName=mail - not changed
ldap.synchronisation.userOrganizationalIdAttributeName=o - not changed
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider - changed from personalHomeFolderProvider to userHomesHomeFolderProvider to get users' home folders in the User Homes space
ldap.synchronisation.groupQuery=(objectclass=group) - changed from (objectclass=groupOfNames) to (objectclass=group)

The rest still have the default values.

Remember… if you want to access only the users in a specific path (OU=Users, OU=…) you do that in the ldap-synchronization.properties file.

Hope this helps

see ya
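Editor's note, with an added example that is not code from this thread or from Alfresco. Both the original post and the last reply point the person search at a group's DN (cn=AlfrescoUsers,... or cn=ALFRESCO,...). In Active Directory a group holds its members as values of its `member` attribute, and each member user carries a `memberOf` back-link; the users are not child entries beneath the group, so a subtree search based at the group DN with `(objectclass=user)` returns nothing, which matches the "synchronization is not importing" symptom. The filter that selects only the group's members is `(&(objectclass=user)(memberOf=<group DN>))` searched from the domain root. The same model also shows what the two `userNameFormat` values from the thread expand to for a login name: the UPN form resolves to an account, the DN form names an entry that does not exist. The tiny in-memory directory, the filter evaluator (a subset of RFC 4515) and the simplified `%s` expansion (comma escaping ignored) are all the editor's assumptions, built to mirror the tree in the post.

```python
"""Added example (editor's illustration, not code from this thread or from
Alfresco): an in-memory model of the AD tree from the post plus a minimal
LDAP filter evaluator, showing why a personSearchBase equal to the group's
DN selects nothing, which personQuery selects only group members, and what
userNameFormat expands to. Every entry below is constructed."""

GROUP_DN = "CN=AlfrescoUsers,OU=AlfrescoOU,DC=company,DC=pt"
DOMAIN_DN = "DC=company,DC=pt"

def _user(cn, upn, member_of=()):
    # constructed AD user entry; attribute names are stored lower-cased
    return {"objectclass": ["top", "person", "organizationalPerson", "user"],
            "cn": [cn], "samaccountname": [cn], "userprincipalname": [upn],
            "memberof": list(member_of)}

# Constructed directory. In AD a group lists its members in its 'member'
# attribute and each user carries a 'memberOf' back-link; the member users
# are NOT child entries beneath the group's DN.
DIRECTORY = {
    GROUP_DN: {"objectclass": ["top", "group"], "cn": ["AlfrescoUsers"],
               "member": ["CN=alfresco,CN=Users,DC=company,DC=pt",
                          "CN=user1,OU=Alfresco,DC=company,DC=pt",
                          "CN=user2,OU=Support,DC=company,DC=pt"]},
    "CN=alfresco,CN=Users,DC=company,DC=pt": _user("alfresco", "alfresco@company.pt", [GROUP_DN]),
    "CN=user1,OU=Alfresco,DC=company,DC=pt": _user("user1", "user1@company.pt", [GROUP_DN]),
    "CN=user2,OU=Support,DC=company,DC=pt": _user("user2", "user2@company.pt", [GROUP_DN]),
    # a domain user outside the group: must never be selected
    "CN=user3,OU=Support,DC=company,DC=pt": _user("user3", "user3@company.pt"),
}

def _norm_dn(dn):
    """Case-fold and strip spaces after commas so 'CN=a, DC=b' == 'cn=a,dc=b'."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def _parse(f, i=0):
    """Parse an RFC 4515 filter subset: (attr=value), (attr=*), &, |, !.
    Values may not contain ')' (enough for DN-valued filters like memberOf)."""
    if f[i] != "(":
        raise ValueError("filter must start with '('")
    if f[i + 1] in "&|!":
        op, i, children = f[i + 1], i + 2, []
        while f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        return (op, children), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def _match(node, entry):
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":                       # presence test
            return bool(values)
        return any(_norm_dn(v) == _norm_dn(value) for v in values)
    children = node[1]
    if kind == "&":
        return all(_match(c, entry) for c in children)
    if kind == "|":
        return any(_match(c, entry) for c in children)
    return not _match(children[0], entry)      # '!'

def search(base_dn, ldap_filter):
    """Subtree search: DNs of entries at or below base_dn matching the filter."""
    node, _ = _parse(ldap_filter)
    base = _norm_dn(base_dn)
    return sorted(dn for dn, entry in DIRECTORY.items()
                  if (_norm_dn(dn) == base or _norm_dn(dn).endswith("," + base))
                  and _match(node, entry))

def members_only_filter():
    """personQuery selecting exactly the group's members when searched from
    the domain root, via AD's memberOf back-link attribute."""
    return "(&(objectclass=user)(memberOf=%s))" % GROUP_DN

def bind_principal(user_name_format, login_name):
    """Expand ldap.authentication.userNameFormat (%s -> login name; comma
    escaping is ignored in this model) and say whether the directory can
    resolve it: a UPN must match a userPrincipalName, a DN must exist."""
    principal = user_name_format.replace("%s", login_name)
    if "=" in principal:                       # DN-style bind name
        known = _norm_dn(principal) in {_norm_dn(d) for d in DIRECTORY}
    else:                                      # user@realm (UPN) bind name
        known = any(principal.lower() == upn.lower() for e in DIRECTORY.values()
                    for upn in e.get("userprincipalname", []))
    return principal, known

if __name__ == "__main__":
    print("based at the group DN:", search(GROUP_DN, "(objectclass=user)"))
    print("memberOf from domain :", search(DOMAIN_DN, members_only_filter()))
    print(bind_principal("%s@company.pt", "user1"))
    print(bind_principal("CN=%s@company.pt, CN=AlfrescoUsers, OU=Alfresco, DC=company, DC=pt", "user1"))
```

One caveat for anyone copying the "restrict it in the synchronization file" approach: the sync query only decides which accounts are imported. With `userNameFormat=%s@company.pt` and simple bind, any domain account with valid credentials still authenticates at the LDAP layer; whether such an account that was never imported is then given a person and allowed in is a separate Alfresco setting (in the subsystem-based configuration, `synchronization.autoCreatePeopleOnLogin`, which defaults to true), so check that value rather than relying on the person query alone.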