Help configuring LDAP

ChrisAlker
Confirmed Champ

Alfresco Community v6.2.0

I am connecting a test system to my test domain controller, in the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries.'. My test system is configured as follows:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com

Within both users and groups I have set up 2 OUs (alfresco & nonalfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the nonalfresco OUs too, can anyone explain why this is?

14 REPLIES

angelborroy
Community Manager

I guess you're missing the "create.missing.people" flag.

https://docs.alfresco.com/community/concepts/auth-ldap-props.html

Add following configuration:

create.missing.people=false

Hyland Developer Evangelist

Hi, thanks for your reply. I have added that configuration to the file and it has now prevented all users from logging in, even the built-in admin/admin account.

Check that you have also included both authentication systems:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

And take a look at this video:

https://www.youtube.com/watch?v=pJNpqAOelmE

Hope that helps.

Hyland Developer Evangelist

Hi, sorry about my last message... The reason I could not authenticate any users was because my VM had a network issue, so Alfresco could not contact the server. I have added the create.missing.people=false setting and it will still allow users from another OU to log in, so this has seemingly not changed anything that I can notice.

To avoid auto-creation of users, we are currently using the following property:

synchronization.autoCreatePeopleOnLogin=false

We got this property by looking at default-synchronization.properties file. I think Alfresco should update the documentation about this.

I hope it solves your problem.

I've added that setting and it is still allowing users from the wrong OU in AD to log in. I'm using the Bitnami installer, would that make a difference? Something else worth pointing out too, is that when I navigate to:

http://127.0.0.1:81/share/page/console/admin-console/users

I get an error 'Error loading items'

This error is a known bug in share 6.2.

Regarding LDAP users, have you checked that these users from the wrong OU are not there from past wrong logins? The simplest way would be checking that these users can change their password from the Share UI. LDAP users can't change their password from the Share UI.

Also, afaik, there is no Bitnami installer for Alfresco 6.2...

If I log in to my build and click the alfresco logo, it gives me the following detail:

Alfresco Share v6.2.0

The "Error loading items" issue is a known Share 6.2 bug, as I stated in my last comment.

Regarding your LDAP error, I think Alfresco is not synchronizing users correctly. Check your logs, and escape the equals signs in your usersSearchBase property value by adding a backslash in front of them.
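A small check that ties the thread together, written as an added example (it is not code from the thread or from Alfresco): the `ldap.synchronization.*SearchBase` properties scope the synchronization queries, so an account that binds successfully through the `ldap-ad` subsystem is not rejected merely for sitting outside that subtree; whether it then gets a person node depends on the auto-create settings discussed in the replies. The script below reads an `alfresco-global.properties`-style snippet (handling the backslash-escaped `=` form suggested in the last reply as well as the plain form), normalises DNs the way Active Directory compares them (case-insensitively), and reports which user DNs lie under the configured `userSearchBase` and whether login-time auto-creation is switched off. The property snippet and the user DNs are constructed for the example; the assumption that `synchronization.autoCreatePeopleOnLogin` defaults to `true` is noted in the code.

```python
"""Audit which AD accounts fall inside an Alfresco LDAP sync search base.

Added example, not from the thread or from Alfresco. It parses the
properties discussed above, normalises LDAP DNs the way Active Directory
compares them (case-insensitive), and lists the accounts that could bind
but sit outside ldap.synchronization.userSearchBase.
"""
import re

# Constructed sample mirroring the thread's configuration, with the
# auto-create settings the replies recommend appended. The userSearchBase
# uses the backslash-escaped '=' form; the groupSearchBase does not.
SAMPLE_PROPERTIES = """\
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@chris.com
# values may contain '=', escaped or not; the parser accepts both
ldap.synchronization.userSearchBase=OU\\=Alfresco,OU\\=Users,OU\\=Blackburn,DC\\=Chris,DC\\=com
ldap.synchronization.groupSearchBase=OU=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
"""

# Constructed user DNs: one inside the Alfresco OU, one in the nonalfresco
# OU from the question, one with an escaped comma and different casing.
SAMPLE_USER_DNS = [
    "CN=Test User,OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
    "CN=Other User,OU=NonAlfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
    "CN=Smith\\, John,OU=alfresco,OU=users,OU=blackburn,DC=chris,DC=COM",
]


def parse_properties(text):
    """Minimal Java .properties reader: the key ends at the first unescaped
    '=' or ':'; '\\=' and '\\:' inside the value are unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        props[key] = re.sub(r"\\([=:\\])", r"\1", value)
    return props


def dn_components(dn):
    """Split a DN into normalised (type, value) pairs, leaf first.
    A comma escaped with a backslash stays inside its value."""
    comps = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        comps.append((attr.strip().lower(), value.strip().lower()))
    return comps


def is_under(dn, base):
    """True if dn is a strict descendant of base (case-insensitive match)."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) > len(b) and d[-len(b):] == b


def audit(properties_text, user_dns):
    """Report sync scope for each DN plus the auto-create state."""
    props = parse_properties(properties_text)
    base = props["ldap.synchronization.userSearchBase"]
    # Assumption: Alfresco's default-synchronization.properties ships this
    # flag as true, so a missing key is treated as "auto-create enabled".
    auto_create = props.get("synchronization.autoCreatePeopleOnLogin", "true")
    return {
        "user_search_base": base,
        "auto_create_disabled": auto_create.strip().lower() == "false",
        "in_scope": [dn for dn in user_dns if is_under(dn, base)],
        "out_of_scope": [dn for dn in user_dns if not is_under(dn, base)],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_PROPERTIES, SAMPLE_USER_DNS)
    print("userSearchBase :", result["user_search_base"])
    print("auto-create off:", result["auto_create_disabled"])
    for dn in result["out_of_scope"]:
        print("outside sync scope:", dn)
```

Feeding it the DNs of the accounts that actually appear under the Share admin console (or in the repository's people list) after the suspect logins shows at a glance which of them were never in the synchronization scope, which is the "past wrong logins" question raised above.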