LDAP Authentication from 2 domains
06-19-2017 05:44 AM
I am using Alfresco Community 5.1.0 (r127059-b7).
Currently I am doing LDAP authentication from 1 domain with the following entry in the config:
ldap.authentication.userNameFormat=%s@x.y.z
Now I need additionally a second domain like:
ldap.authentication.userNameFormat=%s@a.b.c
How can I do LDAP authentication from 2 domains?
Is that somehow possible?
How would the entry in the config look?
Thanks for your help.
Labels: Alfresco Content Services
06-27-2017 02:49 AM
No. If you need multiple instances of a subsystem, you can't define them in the alfresco-global.properties.
It is no problem to define multiple ldap instances in one chain, which will be used for auth in sequence, one by one, until the end of the chain is reached, but the chain will only work for the web filter, not for CIFS and not for SSO configs. Maybe you have SSO configured?
06-27-2017 03:49 AM
Hi Heiko,
sorry, but I think you didn't get me right. It's clear that you need to have two subsystem definitions (and sync is already working for booltrue). We're just talking about LDAP authentication and the web filter, not about CIFS or SSO, as far as I understood. But you have to put the authentication.chain definition with the two ldap subsystem-def-labels into the alfresco-global.properties to be able to ldap-authenticate against two ldap subsystems. See http://docs.alfresco.com/4.0/tasks/auth-example-twoldap-ad.html
06-27-2017 03:26 AM
Here are the currently used ldap ad1 and ad2 configs and the authentication chain from alfresco-global.properties.
Synchronization works properly for that configuration.
Authentication works only for ad1, that's our domain.
For the other domain authentication is not working.
Maybe helpful: we are using Windows Active Directory and the users log in to Alfresco Share.
Could another authentication chain property solve the problem?
properties for ldap ad1:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://30.184.2.41:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=Alfresco123
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_Z_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_Z_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_Z_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=z,DC\=b,DC\=c) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_Z_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=z,DC\=b,DC\=c) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
properties for ldap ad2:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://30.184.2.41:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=Alfresco123
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(|(CN\=GP_A_ALFRESCO) (CN\=GP_B_ALFRESCO)))
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)(memberOf=CN\=GP_B_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)(memberOf=CN\=GP_B_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
alfresco-global.properties:
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ad1:ldap-ad,ad2:ldap-ad
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 0/15 * ? * *
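As an added example (not code from the thread or from Alfresco), here is a small offline linter for an authentication.chain and the ldap-ad property sets it references, in the shape of the configs posted above. It parses the Java-properties escaping the LDAP filters use, walks the chain in order, and flags review findings: an instance that is sync-only, a userNameFormat without %s@domain, a simple bind over plain ldap://, and two instances sharing one provider.url, which is what the posted ad1/ad2 configs do. The host name and the two sample property sets are constructed placeholders.

```python
import re
CHAIN = "alfrescoNtlm1:alfrescoNtlm,ad1:ldap-ad,ad2:ldap-ad"   # chain as posted above
# Constructed sample property sets; the host is a placeholder, not a real DC.
AD1 = """
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.provider.url=ldap://dc.example.invalid:389
ldap.synchronization.userSearchBase=DC\\=z,DC\\=b,DC\\=c
"""
# Second domain pointing at the same provider.url, as in the posted ad1/ad2 configs.
AD2 = AD1.replace("%s@z.b.c", "%s@a.b.c").replace("DC\\=z", "DC\\=a")
# key, first unescaped '=' or ':', value  (java.util.Properties line syntax)
_KV = re.compile(r"^((?:\\.|[^=:\\])+?)\s*[=:]\s*(.*)$")

def parse_properties(text):
    """Parse key=value lines and unescape the \\= and \\: used in LDAP filters."""
    props = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m and not m.group(1).startswith(("#", "!")):   # skip comment lines
            props[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\:", ":")
    return props

def parse_chain(chain):
    """'ad1:ldap-ad,ad2:ldap-ad' -> [('ad1', 'ldap-ad'), ('ad2', 'ldap-ad')]"""
    return [tuple(item.split(":", 1)) for item in chain.split(",") if item]

def lint(chain, propsets):
    """Return (instance, finding) pairs for every ldap-ad member of the chain."""
    findings, seen_urls = [], {}
    for name, kind in parse_chain(chain):
        if kind != "ldap-ad":
            continue                       # alfrescoNtlm etc. are not checked here
        p = propsets.get(name)
        if p is None:
            findings.append((name, "no property set for chain instance"))
            continue
        if p.get("ldap.authentication.active", "true") != "true":
            findings.append((name, "authentication disabled: sync-only instance"))
        if "%s@" not in p.get("ldap.authentication.userNameFormat", ""):
            findings.append((name, "userNameFormat lacks %s@<domain>"))
        url = p.get("ldap.authentication.java.naming.provider.url", "")
        if url.startswith("ldap://"):
            findings.append((name, "simple bind over plain ldap://, not ldaps://"))
        if url in seen_urls:
            findings.append((name, f"same provider.url as {seen_urls[url]}"))
        seen_urls.setdefault(url, name)
    return findings
```

Run `lint(CHAIN, {"ad1": parse_properties(AD1), "ad2": parse_properties(AD2)})` to see the findings for the two sample instances; an instance named in the chain but missing from the property sets is reported as well.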
06-27-2017 04:07 AM
Seems to be nearly identical to a working config that I use in a customer system (Alfresco 4.2)...
The only differences to mine are:
in alfresco-global.properties:
ntlm.authentication.sso.enabled=false
in the ldap ad properties I don't have
ldap.authentication.active=true
but this shouldn't be the problem, maybe it's just my older Alfresco version...
06-27-2017 04:42 AM
I don't have an AD with 2 realms to test at the moment. Could you please test with only the AD in the chain which does not work?
Martin Ehe: your config is different. You use ldap for sync only but ntlm for auth for both if you have set
ldap.authentication.active=true
which means the subsystem is not used for authentication but for sync
06-27-2017 04:19 AM
I could give it a try:
ntlm.authentication.sso.enabled=false
in alfresco-global.properties
and should I remove:
ldap.authentication.active=true
from both ldap properties and move it to alfresco-global.properties, or does it not have any effect?
06-27-2017 04:22 AM
Can't really say about ldap.authentication.active; this should have no effect. Does switching the order of your ADs in the authentication.chain have any effect?
06-27-2017 04:36 AM
For our domain no, for the other domain I don't know.
Couldn't test it yet.
06-27-2017 04:55 AM
So I keep the subsystem ad configs like they are, with
ldap.authentication.active=true in both systems?
I wanted to move that entry to alfresco-global.properties.
But I will set in alfresco-global.properties
ntlm.authentication.sso.enabled=false
OK, or any other changes to try?
I will test the AD in the chain that does not work.
06-27-2017 05:01 AM
Heiko Robert, I just overlooked the ldap.authentication.active=true (misspelled in the search 🙂).
It's in the config, so the config isn't different...