11-24-2020 11:09 AM
Hello, I have a Alfresco 6.2 through Docker. I want to be able login only few groups from AD.
I created two configuration files. In the first config. was loaded all users and groups and disabled authetification.
In the second config. is enabled authetification so people mapped in groups in personQuery are able to login.
Problem is that login can everyone. Also I have this error:
org.alfresco.error.AlfrescoRuntimeException: 10240018 Error during LDAP Search. Reason:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=sp,DC=local'
]
I think i have a bad logic with this. Can someone please provide me some correct info? To allow login only for specific group, not for everyone.
First Config
ntlm.authentication.sso.enabled=false synchronization.synchronizeChangesOnly=false synchronization.syncOnStartup=true ldap.synchronization.active=true ldap.authentication.active=false #KREDENC ldap.synchronization.java.naming.security.principal=login ldap.synchronization.java.naming.security.credentials=password ldap.authentication.userNameFormat=%s@domain ldap.authentication.java.naming.provider.url=ldap://ip:port ldap.synchronization.userEmailAttributeName=mail ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local ldap.synchronization.groupQuery=objectclass\=group ldap.synchronization.personQuery=objectclass\=user
Second Config
ldap.authentication.active=true ldap.synchronization.active=false ldap.synchronization.java.naming.security.principal=login ldap.synchronization.java.naming.security.credentials=password ldap.authentication.userNameFormat=%s@domain ldap.authentication.java.naming.provider.url=ldap://ip:port ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local ldap.synchronization.userIdAttributeName=sAMAccountName ldap.synchronization.userType=user ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512)) ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))
11-25-2020 07:04 AM
why should you need both configs? did you place your two configs in two independant subsystems? For my understanding the second one including the group memberOf filter should be fine for both (sync & login).
How does your authentication.chain look like?
Please check you have autoCreatePeopleOnLogin disabled to prevent user creating from any successfull ldap auth request ignoring your sync paths:
# Should we auto create a missing person on log in? synchronization.autoCreatePeopleOnLogin=false
Explore our Alfresco products with the links below. Use labels to filter content by product module.