07-19-2023 08:41 AM
Hi everyone,
I'm running the newest Alfresco Community Edition using the alfresco-docker-installer. I have modified the alfresco-global.properties file to add support for LDAP synchronization and authentication. I wanted only users in the 'alfresco-users' group to be able to log in, and create other LDAP groups to limit access to sites. Right now we've managed to make Alfresco only allow users in the group to log in. However, when I go to Admin Tools -> Groups, I can see all the LDAP groups, but they're all empty - Alfresco syncs the groups but fails to populate them with users. I'm using FreeIPA LDAP and Alfresco CE 7.4. Below is my alfresco-global.properties file.
sample.site.disabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,cn=users,cn=accounts,dc=domain,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://freeipa.domain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=administrator
create.missing.people=false
synchronization.synchronizeChangesOnly=false
ldap.synchronization.active=true
ldap.synchronization.allowDeletions=true
ldap.synchronization.autoCreatePeopleOnLogin=false
ldap.synchronization.syncWhenMissingPeopleLogin=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=read-access-user,cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.java.naming.security.credentials=<secret>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=groupofnames)
ldap.synchronization.personQuery=(&(objectclass\=inetorgperson)(memberOf\=cn=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupofnames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetorgperson)(memberOf\=cn\=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn=groups,cn=accounts,dc=domain,dc=com
ldap.synchronization.userSearchBase=cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupMemberAttributeName=memberOf
synchronization.import.cron=0 * * * * ?
Thanks for the help.
07-19-2023 06:52 PM
You should try to change the ldap.synchronization.groupQuery in a similar way:
ldap.synchronization.groupQuery=(&(objectclass=groupOfNames)(|(CN=alfresco-users)))
Consider that, if I'm not wrong, the objectclass should be case sensitive.
Hope this helps.
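To illustrate how a synchronizer ends up with groups that exist but have no members, here is an added example (not Alfresco's code and not from either post): a small model of a group sync that, like Alfresco's LDAP synchronizer, reads the attribute named by groupMemberAttributeName from each group entry and resolves the member DNs to user ids. The directory entries are constructed; in FreeIPA the forward link member lives on the group entry, while memberOf is the back-link on the user entry.

```python
# Added example, not Alfresco's code: a minimal model of an LDAP group sync,
# used to show why groups come through empty when the configured member
# attribute lives on the user entry instead of the group entry.
from typing import Dict, List, Set

# Constructed FreeIPA-style entries (not taken from the forum post).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,cn=users,cn=accounts,dc=domain,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["alice"],
        "memberOf": ["cn=alfresco-users,cn=groups,cn=accounts,dc=domain,dc=com"],
    },
    "uid=bob,cn=users,cn=accounts,dc=domain,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["bob"],
        "memberOf": ["cn=alfresco-users,cn=groups,cn=accounts,dc=domain,dc=com",
                     "cn=site-finance,cn=groups,cn=accounts,dc=domain,dc=com"],
    },
    "cn=alfresco-users,cn=groups,cn=accounts,dc=domain,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["alfresco-users"],
        "member": ["uid=alice,cn=users,cn=accounts,dc=domain,dc=com",
                   "uid=bob,cn=users,cn=accounts,dc=domain,dc=com"],
    },
    "cn=site-finance,cn=groups,cn=accounts,dc=domain,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["site-finance"],
        "member": ["uid=bob,cn=users,cn=accounts,dc=domain,dc=com"],
    },
}


def sync_groups(directory: Dict[str, Dict[str, List[str]]],
                group_member_attr: str,
                user_id_attr: str = "uid") -> Dict[str, Set[str]]:
    """Build {group cn: set of user ids} by reading group_member_attr from
    each groupOfNames entry and mapping every member DN to its user id."""
    groups: Dict[str, Set[str]] = {}
    for dn, attrs in directory.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofnames" not in classes:
            continue
        members: Set[str] = set()
        # If the group entry lacks the attribute, the group syncs but stays empty.
        for member_dn in attrs.get(group_member_attr, []):
            user = directory.get(member_dn)
            if user and user_id_attr in user:
                members.add(user[user_id_attr][0])
        groups[attrs["cn"][0]] = members
    return groups


if __name__ == "__main__":
    print(sync_groups(DIRECTORY, "memberOf"))  # groups present, all empty
    print(sync_groups(DIRECTORY, "member"))    # groups populated
```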