03-16-2017 11:25 AM
Hello,
I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to log in to Alfresco, and deny any other login attempts.
Currently, I have synchronization working, and I can log in to Alfresco with AD users. My problem is that any user in AD can log in, not just the members of the AlfrescoUsers security group I created.
Does anyone have any insight into why all users in AD are allowed to log in, and not just users of the AlfrescoUsers security group?
I have attached my alfresco-global.properties that I have all of my configuration in, and also the synchronization section of alfresco.log
Thank you,
-Jason
03-16-2017 12:47 PM
Hi Jason,
Your person LDAP query seems to be wrong:
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))
I think you want objectclass=user AND userAccountControl... AND memberOf..., but you put an OR "|" before the memberOf condition.
So
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))
should be OK (without having verified it in real life).
regards,
Martin
03-17-2017 12:30 PM
You should not have any issues / errors executing that script. Are you executing it with a proper authentication (you can set other runAs contexts with JavaScript Console)?
03-17-2017 12:56 PM
Thank you Axel. Yes, running as admin (in the third tab)
Regards.
--C.
04-27-2020 02:55 PM
Hello friends,
I sign in to Alfresco and, in the repository under User Homes, all the users synchronized from LDAP appear; a folder is created for each LDAP user.
How can I make those folders not be created?
I want them to be created only once you give the user permission in Alfresco to sign in.
03-17-2017 11:19 AM
No, you can also set:
synchronization.synchronizeChangesOnly=false
The default is true. But this only applies to cron syncs, not to the subsystem startup, for example.
Regards.
--C.
03-17-2017 11:33 AM
Hi Jason, no (see the other answers) but it is an easy way to force the full sync if you need it just now - without installing anything else.
10-10-2019 11:36 AM
Hello,
I am running Alfresco Community Edition and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to authenticate with our Active Directory, but only allow users of a specific group (Alfresco; my Alfresco group belongs to the Users group) to log in to Alfresco, and deny any other login attempts.
My problem is that any user in AD can log in, not just the members of the Alfresco group I created.
Does anyone have any insight into why all users in AD are allowed to log in, and not just users of the Alfresco group? I read every answer to this question, but I didn't find a solution.
This is my LDAP AD configuration:
#########################
# LDAP CONFIGURATION    #
#########################
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
# Disable guest logins
ldap.authentication.allowGuestLogin=false
# Do not map unknown NTLM users to guest
ntlm.authentication.mapUnknownUserToGuest=false
# Disable SSO logins
ntlm.authentication.sso.enabled=false
# Domain search base
ldap.synchronization.userSearchBase=dc=domain,dc=net

#########################
# LDAP AUTHENTICATION   #
#########################
# When true, enables use of this LDAP subsystem for authentication
ldap.authentication.active=true
# In Active Directory, this can be either the user principal name (UPN) or the DN
ldap.authentication.userNameFormat=%s@domain.net
# simple: the basic LDAP authentication mechanism; the user name and password are
# passed over the wire unencrypted (the provider URL below is plain ldap://, not ldaps://)
ldap.authentication.java.naming.security.authentication=simple
# If Alfresco Content Services cannot get an LDAP response within this period (milliseconds), it aborts the read attempt
ldap.authentication.java.naming.read.timeout=30000
# AD server address
ldap.authentication.java.naming.provider.url=ldap://XXXXXXX:389
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Admin user logins
ldap.authentication.defaultAdministratorUserNames=Administrator

########################
# LDAP SYNCHRONISATION #
########################
ldap.synchronization.active=true
# Tries to find the user in the allowed AD group when a user missing from Alfresco logs in
synchronization.syncWhenMissingPeopleLogIn=true

#####################
# LDAP PERSON QUERY #
#####################
# Query to grab all users in the Alfresco group, using the group's full DN
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=cn\=Alfresco,cn\=Users,dc\=domain,dc\=net)(userAccountControl:1.2.840.113556.1.4.803:=512))
Thank you,
-Jelena
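Both the 2017 answer (the `|` wrapped around the memberOf condition) and the 2019 configuration above hinge on what `ldap.synchronization.personQuery` actually selects. The following evaluator is an added example, not Alfresco code, and the directory entries in it are constructed: it undoes the `.properties` escaping, parses the subset of RFC 4515 filter syntax the thread uses (AND, OR, NOT, equality and the Active Directory bitwise-AND matching rule `1.2.840.113556.1.4.803`), and runs the thread's filters plus two variants (assumed, not from the thread) against the sample entries. It only shows which entries a sync query would return; whether an AD user the query does not return can still bind and log in is decided by the authentication chain, not by this filter.

```python
"""Evaluate the personQuery filters from this thread against constructed AD entries.

Added example, not Alfresco code. Supports the filter subset the thread uses:
(&...) (|...) (!...) attr=value and attr:1.2.840.113556.1.4.803:=value.
"""
import re
from typing import Dict, List

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
ADS_UF_ACCOUNTDISABLE = 0x2      # userAccountControl bit 2
ADS_UF_NORMAL_ACCOUNT = 0x200    # userAccountControl bit 512

GROUP_DN = "cn=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net"

# Constructed sample entries (attribute names lower-cased, values as strings).
ENTRIES: Dict[str, Dict[str, List[str]]] = {
    "alice": {"objectclass": ["top", "person", "user"],      # enabled, in the group
              "useraccountcontrol": ["512"], "memberof": [GROUP_DN]},
    "bob":   {"objectclass": ["top", "person", "user"],      # enabled, not in the group
              "useraccountcontrol": ["512"], "memberof": []},
    "carol": {"objectclass": ["top", "person", "user"],      # in the group but disabled: 512 | 2
              "useraccountcontrol": ["514"], "memberof": [GROUP_DN]},
    "dan":   {"objectclass": ["top", "person", "user"],      # in the group, password never expires: 512 | 65536
              "useraccountcontrol": ["66048"], "memberof": [GROUP_DN]},
}


def unescape_properties_value(raw: str) -> str:
    """Undo Java .properties escaping, e.g. the \\= and \\: written in alfresco-global.properties."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_filter(text: str):
    """Parse a filter string into a small tuple AST; reject trailing text."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"unexpected text after filter at offset {end}")
    return node


def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while s[i] == "(":                      # zero or more operands
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("and" if op == "&" else "or", children), i + 1
    if op == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("not", child), i + 1
    end = s.index(")", i)                       # values here contain no ')'
    item = s[i:end]
    m = re.fullmatch(r"([^:=]+):([0-9.]+):=(.*)", item)   # extensible match
    if m:
        attr, rule, value = m.groups()
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        return ("bitand", attr.lower(), int(value)), end + 1
    attr, _, value = item.partition("=")        # plain equality
    return ("eq", attr.lower(), value), end + 1


def matches(node, entry: Dict[str, List[str]]) -> bool:
    kind = node[0]
    if kind == "and":                           # empty AND is true (RFC 4526)
        return all(matches(c, entry) for c in node[1])
    if kind == "or":                            # empty OR is false; a one-operand OR is just its operand
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "eq":                            # AD compares DNs and objectClass case-insensitively
        return any(v.lower() == node[2].lower() for v in values)
    mask = node[2]                              # bitwise AND: every bit of the mask must be set
    return any((int(v) & mask) == mask for v in values)


def select(properties_value: str, entries=ENTRIES) -> List[str]:
    """Sorted names of entries the query, as written in the .properties file, would synchronise."""
    node = parse_filter(unescape_properties_value(properties_value))
    return sorted(name for name, entry in entries.items() if matches(node, entry))


# The two filters from the 2017 exchange, verbatim, plus two assumed variants.
MEMBER_OF = r"(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)"
BIT_512 = r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
ORIGINAL_2017 = r"(&(objectclass\=user)" + BIT_512 + "(|" + MEMBER_OF + "))"
WITHOUT_OR = r"(&(objectclass\=user)" + BIT_512 + MEMBER_OF + ")"
PLAIN_EQUALITY = r"(&(objectclass\=user)(userAccountControl\=512)" + MEMBER_OF + ")"
EXCLUDE_DISABLED = (r"(&(objectclass\=user)" + BIT_512
                    + r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))" + MEMBER_OF + ")")

if __name__ == "__main__":
    for label, f in [("original 2017", ORIGINAL_2017), ("without |", WITHOUT_OR),
                     ("plain equality", PLAIN_EQUALITY), ("exclude disabled", EXCLUDE_DISABLED)]:
        print(f"{label:>16}: {select(f)}")
```

Run against the sample entries, the 2017 filter and the version without the `|` return the same three accounts, because an OR with a single operand evaluates to that operand. What neither of them excludes is carol, whose userAccountControl is 514: the bitwise rule only requires the 512 bit to be set, so disabled accounts (bit 2) still match, and you need an explicit `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` to drop them. Replacing the matching rule with a plain `userAccountControl=512` is not the fix either: it drops dan, whose only difference is the "password never expires" bit.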