04-08-2020 04:38 AM
Alfresco Community v6.2.0
I am connecting a test system to my test domain controller, in the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries.'. My test system is configured as follows:
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com
Within both users and groups I have set up 2 OUs (alfresco & nonalfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the nonalfresco OUs too, can anyone explain why this is?
04-08-2020 06:15 AM
I guess you've missed setting the "create.missing.people" flag.
https://docs.alfresco.com/community/concepts/auth-ldap-props.html
Add following configuration:
create.missing.people=false
04-08-2020 07:29 AM
Hi, thanks for your reply. I have added that configuration to the file and it has now prevented all users from logging in, even the built-in admin/admin account.
04-08-2020 07:34 AM
Check that you have also included both authentication systems:
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
And take a look at this video:
https://www.youtube.com/watch?v=pJNpqAOelmE
Hope that helps.
04-09-2020 08:22 AM
Hi, sorry about my last message... The reason I could not authenticate any users was because my VM had a network issue, so Alfresco could not contact the server. I have added in the create.missing.people=false setting and it will still allow users from another OU to log in, so this has seemingly not changed anything that I can notice.
04-10-2020 01:10 AM
To avoid auto-creation of users, we are currently using the following property:
synchronization.autoCreatePeopleOnLogin=false
We got this property by looking at default-synchronization.properties file. I think Alfresco should update the documentation about this.
I hope it solves your problem.
04-14-2020 05:59 AM
I've added that setting and it is still allowing users from the wrong OU in AD to log in. I'm using the Bitnami installer; would that make a difference? Something else worth pointing out is that when I navigate to:
http://127.0.0.1:81/share/page/console/admin-console/users
I get an error 'Error loading items'
04-14-2020 09:41 AM
This error is a known bug in share 6.2.
Regarding LDAP users, have you checked that these users from the wrong OU are not there from past wrong logins? The simplest way would be checking whether these users can change their password from the Share UI. LDAP users can't change their password from the Share UI.
Also, afaik, there is no bitnami installer for Alfresco 6.2...
04-15-2020 02:19 AM
If I log in to my build and click the alfresco logo, it gives me the following detail:
Alfresco Share v6.2.0
04-15-2020 04:39 AM
The "Error loading items" issue is a known Share 6.2 bug, as I stated in my last comment.
Regarding your LDAP error, I think Alfresco is not synchronizing users correctly. Check your logs, and escape the equals signs in your usersSearchBase property value by adding a backslash in front of them.
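Two things in this thread can be checked offline before touching Alfresco: whether the search base value is even a well-formed DN (the value posted at the top, "Alfresco,OU=Users,..." starts with an RDN that has no attribute type), and whether a given user entry actually sits under that base, which is what the synchronization search base governs. The script below is an added example, not code from the thread or from Alfresco: it parses DNs on unescaped commas (RFC 4514 style, single-valued RDNs only), rejects RDNs with no '=', and reports which sample user DNs fall outside the base. The user DNs and the "OU=Alfresco,..." corrected base are constructed assumptions, chosen to match the OU names the question describes.

```python
"""Audit helper (added example): validate an LDAP search base and test subtree membership."""

# Constructed from the thread: the posted value and an assumed corrected form.
POSTED_USER_SEARCH_BASE = "Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"
ASSUMED_USER_SEARCH_BASE = "OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"

# Constructed sample user entries (hypothetical, not from any real directory).
SAMPLE_USER_DNS = [
    "CN=testuser1,OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
    "CN=testuser2,OU=nonalfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
    "CN=Doe\\, John,OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
]


def split_dn(dn):
    """Split a DN string into RDN strings on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape sequence (e.g. "\,") inside the value untouched.
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return a list of (attribute, value) pairs, normalised to lowercase.

    Raises ValueError for an RDN with no attribute type, which is the defect in
    a value such as "Alfresco,OU=Users,...": "Alfresco" is not "OU=Alfresco".
    """
    rdns = []
    for rdn in split_dn(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no attribute type; expected e.g. 'OU={rdn}'")
        attr, value = rdn.split("=", 1)
        if not attr.strip():
            raise ValueError(f"RDN {rdn!r} has an empty attribute type")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def check_search_base(value):
    """Return (ok, message) describing whether a search base is a usable DN."""
    try:
        rdns = parse_dn(value)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(rdns)} RDNs, base OU/DC chain looks well-formed"


def is_under_base(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies anywhere in its subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def users_outside_base(user_dns, base_dn):
    """List the user DNs a subtree search rooted at base_dn would never return."""
    return [dn for dn in user_dns if not is_under_base(dn, base_dn)]


if __name__ == "__main__":
    for label, base in (("posted", POSTED_USER_SEARCH_BASE),
                        ("assumed", ASSUMED_USER_SEARCH_BASE)):
        ok, msg = check_search_base(base)
        print(f"{label} search base: {'OK' if ok else 'BAD'} - {msg}")
    for dn in users_outside_base(SAMPLE_USER_DNS, ASSUMED_USER_SEARCH_BASE):
        print("outside sync scope:", dn)
```

Run stand-alone it reports the posted base as malformed and lists only the nonalfresco user as outside the assumed base. The check is deliberately limited to the synchronization scope: it says which entries a subtree search would return, not whether a bind for an account outside that scope will succeed, so a user that still logs in despite being outside the base is a question for the authentication subsystem and the logs, as the last reply suggests.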