
SOLVED: Alfresco LDAP Linux and Supplementary user groups

yyovkov
Champ in-the-making
Hi all,

I was able to configure Alfresco to work with LDAP users and groups on Linux. But I am not able to use existing LDAP groups, which confuses me. What the problem is:
I found that Alfresco is looking for the following record in LDAP groups:

dn: cn=group01,ou=groups,dc=company,dc=com
objectClass…

member=uid=user01,ou=people,dc=company,dc=com <-- Here is the weak point

In the Unix world the group entry should look like:

dn: cn=group01,ou=groups,dc=company,dc=com
objectClass…

memberUID=user01

Is there any way to configure Alfresco to collect group members based on their memberUID, not on the full user DN?

ofrxnz
Champ in-the-making
To use LDAP groups you need to use LDAP Synchronization.

I believe Alfresco synchronization works out of the box with more standards-compliant servers such as OpenLDAP.

When I configured it to work against a Windows Active Directory server, the trick was in the
ldap-Synchronization.properties
file, where I had to change this value
ldap.synchronisation.groupQuery=<something>
to
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

This variable basically tells Alfresco that groups are identified by the possession of this attribute:

objectclass=groupOfNames

There were a few other modifications that were made.

All group attributes are in the Synchronization settings. You just need to figure out which LDAP group attributes Alfresco needs to look at.

Hopefully this helps.

yyovkov
Champ in-the-making
Hi ofrxnz,

thank you for your answer, first!

You are right. To be able to use LDAP groups you have to configure ldap-synchronization. I have done this and the groups are working fine. My question is this:
Currently the attribute which specifies who the members are should contain the DN of the user (like member=uid=username,ou=people,dc=company,dc=com). I am interested in whether there is an option to use only the username (like memberUID=username).

Regards,
Yovko Yovkov

ofrxnz
Champ in-the-making
Yovko,

if the user names and groups appear correctly in Alfresco, I don't think I know the answer to this one.

If I were you I would try the following.

If all of your users are in the same base DN, set your ldap.synchronisation.groupSearchBase=ou=people,dc=company,dc=com, then create a group member by hand with memberUID=username and see if it picks it up next time it syncs.

My gut tells me that what you want is not possible because the full DN is the only primary key of an LDAP server. For example, if you didn't use the full DN, Alfresco would see both of the following users as the same person even though they are technically two different and unique entries:

uid=username,ou=people,dc=company,dc=com
uid=username,ou=orgUnit2,ou=people,dc=company,dc=com

My guess is the Alfresco folk would stay with a primary key wherever possible.

Just in case I misunderstood what you want: this is the attribute associated with the username when a person is imported. It can be set to any LDAP attribute you want that is in a user container (e.g. sn, email, phone).
ldap.synchronisation.userIdAttributeName=UID
This attribute is an alias for the full DN, so if your uid=yovko yovkov,ou=people,dc=company,dc=com
and that entry contained your surname as attribute 'sn' with value 'yovkov' (sn=yovkov),
you could set ldap.synchronisation.userIdAttributeName=sn and log in using the username yovkov.

I have been having issues in Alfresco Labs 3 with LDAP usernames. But I am authenticating against an Active Directory server, which stores the username as sAMAccountName. Basically the ldap.synchronisation.userIdAttributeName portion has not been working for me in Labs 3 B and C.

yyovkov
Champ in-the-making
Hi ofrxnz,

My LDAP groups are working correctly in my current setup. But that is not the case here. I would like to use my central authentication system (Company Identity System) as an authentication source for Alfresco. My system is using POSIX groups and accounts, which read the "member" attribute. I will not start a flame war here about which is best, posixGroup or groupOfUniqueNames members, as there is plenty on the internet.

Regarding the group DNs, I think it would not be any problem if there are two members like:
• dn: uid=user_one,ou=groups1,dc=company,dc=com
• dn: uid=user_one,ou=groups2,dc=company,dc=com
as in the XML file I am specifying exactly which group DN to read from.

What I will try is to fill the LDAP group with member=user_one, and then to apply uid=%member,%ldap.synchronisation.groupSearchBase. So I will need some help, as I am not a programmer. But I think this is not very painful and this will solve the issue and will make Alfresco more flexible.

Thank you for your answer,

I believe in arguing with smart people!

ericme
Champ in-the-making
Hello,

I would also like to use posixGroup. yyovkov, have you found a solution?

Thank you for your answer

yyovkov
Champ in-the-making
Hi EricMe,

yes, I found a solution.
I am still using the attribute uniqueMember, just my posix groups look like:
— cut —
dn: cn=users,ou=groups,dc=company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: users
gidNumber: 501
uniqueMember: uid=user1,ou=people,dc=company,dc=com
uniqueMember: uid=user2,ou=people,dc=company,dc=com
uniqueMember: uid=user3,ou=people,dc=company,dc=com
— cut —

I hope this will help you!
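The two membership styles discussed in this thread can be compared directly: uniqueMember holding a full user DN (the dual-objectClass group yyovkov ended up with), versus memberUid holding a bare uid, which ofrxnz argued cannot serve as a reliable key because the DN is the only unique identifier in the directory. The following Python script is an added example, not code from the thread or from Alfresco. It parses a small constructed LDIF sample, resolves group members for both styles, reconstructs a DN from a memberUid under an assumed user search base (the approach yyovkov proposed), and reports the cases where that reconstruction finds nothing or more than one entry. The LDIF, the base DN, the function names and the search-base constant are all assumptions made for the example.

```python
"""
Added example (not from the forum thread, not Alfresco code): resolve
LDAP group members from LDIF in both the groupOfUniqueNames style
(uniqueMember: <full DN>) and the posixGroup style (memberUid: <uid>),
and flag the ambiguity that arises when a uid is not unique.
"""
import re
from collections import defaultdict

# Constructed sample directory: one group using both objectClasses with
# uniqueMember (yyovkov's working form), one posixGroup-only group with
# memberUid, and a deliberately duplicated uid under two different OUs.
SAMPLE_LDIF = """\
dn: uid=user1,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
sn: One

dn: uid=user2,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: user2
sn: Two

dn: uid=user2,ou=contractors,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: user2
sn: Two-Contractor

dn: cn=users,ou=groups,dc=company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: users
gidNumber: 501
uniqueMember: uid=user1,ou=people,dc=company,dc=com
uniqueMember: uid=user2,ou=people,dc=company,dc=com

dn: cn=admins,ou=groups,dc=company,dc=com
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 502
memberUid: user1
memberUid: user2
memberUid: ghost
"""

# Assumed user container, playing the role of a user search base setting.
USER_SEARCH_BASE = "ou=people,dc=company,dc=com"


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines) into dn -> {attr: [values]}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        dn = None
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries


def resolve_members(entries, group_dn, user_search_base=USER_SEARCH_BASE):
    """Return (member_dns, warnings) for one group, accepting either membership style."""
    group = entries[group_dn]
    classes = {c.lower() for c in group.get("objectclass", [])}
    members, warnings = [], []

    # Index every entry by uid so that bare memberUid values can be looked up.
    by_uid = defaultdict(list)
    for dn, attrs in entries.items():
        for uid in attrs.get("uid", []):
            by_uid[uid].append(dn)

    if "groupofuniquenames" in classes or "groupofnames" in classes:
        # DN-valued membership: the value is already the primary key.
        attr = "uniquemember" if "groupofuniquenames" in classes else "member"
        for dn in group.get(attr, []):
            if dn in entries:
                members.append(dn)
            else:
                warnings.append(f"{group_dn}: {attr} {dn} does not exist")
    elif "posixgroup" in classes:
        # uid-valued membership: the DN must be reconstructed under the
        # user search base, and uniqueness is not guaranteed.
        for uid in group.get("memberuid", []):
            candidates = [d for d in by_uid.get(uid, [])
                          if d.lower().endswith(user_search_base.lower())]
            if len(candidates) == 1:
                members.append(candidates[0])
            elif not candidates:
                warnings.append(f"{group_dn}: memberUid {uid} matches no entry under {user_search_base}")
            else:
                warnings.append(f"{group_dn}: memberUid {uid} is ambiguous: {candidates}")
    return members, warnings


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for g in ("cn=users,ou=groups,dc=company,dc=com", "cn=admins,ou=groups,dc=company,dc=com"):
        found, problems = resolve_members(directory, g)
        print(g, "->", found)
        for p in problems:
            print("  WARNING:", p)
```

Running it shows the dual-objectClass group resolving cleanly through uniqueMember (the posixGroup class on the same entry is simply ignored, which is why yyovkov's layout works), while the posixGroup-only group yields one clean member, one ambiguous uid (the same uid under two OUs, which is exactly ofrxnz's objection) and one uid with no matching entry. A synchroniser that silently took the first match in the ambiguous case would grant group membership to the wrong account, so a real implementation should refuse or log such entries rather than guess.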

dward
Champ on-the-rise
FYI experimental support for posixGroup has been added in the next Community nightly build. See

http://forums.alfresco.com/en/viewtopic.php?f=9&t=20408&p=66718#p66718