
Help configuring LDAP

ChrisAlker
Confirmed Champ

Alfresco Community v6.2.0

I am connecting a test system to my test domain controller, in the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries.'. My test system is configured as follows:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com

Within both Users and Groups I have set up 2 OUs (alfresco & nonalfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the nonalfresco OUs too. Can anyone explain why this is?


Sorry, I didn't notice your link for the fix, but I've updated the file now and I can now see users in the admin console, which makes life a lot easier for me, thanks for that!

Currently, without the synchronization.autoCreatePeopleOnLogin=false setting, when I delete all of the users and restart the services, they don't appear in the users section, but if I attempt to log in with any of the test users from either of the Alfresco/NonAlfresco groups, it allows me to log in and creates them as a user. If I apply that setting, it does not let me log in with the test users from either group. I seem to get the same reaction from the system if I edit that setting out and use create.missing.people=false instead, so neither seems to be doing what I require. I have tried changing the searchbase properties to what you suggested:

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=chris,DC\=com

This doesn't seem to have any effect.

I have had a look at the tomcat errors (in alfrescotomcat-stdout.2020-04-15.log), but I'm not sure what error to look for to determine why Alfresco either allows no users to log in, or all of them.

Then it seems that Alfresco is not correctly synchronizing your ldap users. Look at alfresco.log at startup time, or share your alfresco.log file here. It could be an authentication error against your ldap, or maybe that Alfresco cannot reach your ldap server. 

I'm not sure how to share my log file here, there doesn't seem to be any upload facility? I've checked the log file and found this error though:

org.alfresco.repo.security.authentication.AuthenticationException: 03150018 Failed to authenticate, username or password is wrong. User name:Administrator Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

I originally had a user called Alfresco for authentication and found that error in the log file, so I changed the username to the administrator UN/PW that I use for the server, but still getting the error for the Administrator account. I've set the settings in the following config:

ldap.synchronization.java.naming.security.principal=Alfresco
ldap.synchronization.java.naming.security.credentials=Pa55word

The previous error was the same:

org.alfresco.repo.security.authentication.AuthenticationException: 03150056 Failed to authenticate, username or password is wrong. User name:Alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

Ok, then the error is about LDAP authentication. Don't provide your server user to authenticate against your AD; there must be some user in the same AD application that grants you read access to it.

Also you can try to connect from an external tool to check you can connect properly, or ask who provided you these credentials to check their validity. 

Thanks a lot for your help. It turned out that the reason LDAP was not authenticating was that the username I was using did not contain @chris.com on the end of it; once I changed it to that, it worked, and I now only have the users I want in Alfresco. For anyone visiting this thread in the future, I will list my settings that are now working:

### LDAP - AUTHENTICATION ###

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ldap.authentication.active=true
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.allowGuestLogin=false

create.missing.people=false

### LDAP - SYNCHRONISATION ###

ldap.synchronization.active=true

ldap.synchronization.java.naming.security.principal=Administrator@chris.com
ldap.synchronization.java.naming.security.credentials=********

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=TechSupport,OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com))

synchronization.syncOnStartup=true
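An added illustration of why the original setup let every AD user in while the final one does not. This is a simplified model written for this thread, not Alfresco's own bind or sync code: authentication in the ldap-ad subsystem is a bind as userNameFormat, so userSearchBase never limits who can bind; only synchronization (userSearchBase plus personQuery) and create.missing.people decide whether an authenticated user ends up with a person record. Entry, can_login, synced_users and the two sample users are constructed names and data.

```python
import re
from collections import namedtuple
# Constructed stand-in for an AD user object.
Entry = namedtuple("Entry", "dn upn password member_of", defaults=[()])

def unescape_prop(value):
    """Undo the Java .properties escaping used in the thread (OU\\=Alfresco -> OU=Alfresco)."""
    return value.replace("\\=", "=")

def dn_parts(dn):
    """Split a DN into RDNs, case-folded: AD treats DC=Chris and DC=chris alike."""
    return [p.strip().lower() for p in unescape_prop(dn).split(",")]

def under_search_base(entry_dn, search_base):
    """Subtree scope: the entry's DN must end with the search base's RDNs."""
    e, b = dn_parts(entry_dn), dn_parts(search_base)
    return len(e) >= len(b) and e[-len(b):] == b

def synced_users(directory, config):
    """UPNs the sync imports: below userSearchBase and, if personQuery names a memberOf, in that group."""
    m = re.search(r"memberOf=([^)]+)", unescape_prop(config.get("ldap.synchronization.personQuery", "")))
    group = dn_parts(m.group(1)) if m else None
    return {e.upn.lower() for e in directory
            if under_search_base(e.dn, config["ldap.synchronization.userSearchBase"])
            and (group is None or any(dn_parts(g) == group for g in e.member_of))}

def can_login(username, password, directory, config, people):
    """Simple bind as userNameFormat % username (no search base involved), then person lookup in `people`."""
    upn = (config["ldap.authentication.userNameFormat"] % username).lower()
    entry = next((e for e in directory if e.upn.lower() == upn), None)
    if entry is None or entry.password != password:
        return False, "bind rejected (LDAP error code 49)"
    if upn in people:
        return True, "person exists"
    if config.get("create.missing.people", "true") == "true":
        people.add(upn)  # default behaviour: an authenticated stranger gets a person record
        return True, "person auto-created on login"
    return False, "no person record and create.missing.people=false"

# Constructed directory mirroring the thread: one test user in each OU, only alf1 in TechSupport.
BASE = "OU=Users,OU=Blackburn,DC=Chris,DC=com"
TECH = "cn=TechSupport,OU=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com"
DIRECTORY = [Entry("CN=alf1,OU=Alfresco," + BASE, "alf1@chris.com", "pw1", (TECH,)),
             Entry("CN=non1,OU=NonAlfresco," + BASE, "non1@chris.com", "pw2")]
OLD_CONFIG = {"ldap.authentication.userNameFormat": "%s@chris.com",
              "ldap.synchronization.userSearchBase": "Alfresco," + BASE}  # OU= prefix missing, matches nothing
NEW_CONFIG = {"ldap.authentication.userNameFormat": "%s@chris.com", "create.missing.people": "false",
              "ldap.synchronization.userSearchBase": "OU\\=Alfresco,OU\\=Users,OU\\=Blackburn,DC\\=Chris,DC\\=com",
              "ldap.synchronization.personQuery": "(&(objectclass\\=user)(memberOf=cn\\=TechSupport,OU\\=Alfresco,OU\\=Groups,OU\\=Blackburn,DC\\=Chris,DC\\=com))"}
```

With OLD_CONFIG the sync imports nobody, yet both users log in because they are auto-created; with NEW_CONFIG only the synced TechSupport member gets past the person lookup.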