LDAP Authentication from 2 domains

booltrue
Champ in-the-making

I am using Alfresco Community 5.1.0 (r127059-b7).

Currently I am doing LDAP authentication from 1 domain with the following entry in the config:

ldap.authentication.userNameFormat=%s@x.y.z

Now I need additionally a second domain like:

ldap.authentication.userNameFormat=%s@a.b.c

How can I do LDAP authentication from 2 domains?

Is that somehow possible?

How would the entry in the config look?

Thanks for your help.

33 REPLIES

heiko_robert
Star Collaborator

No - if you need multiple instances of a subsystem, you can't define them in alfresco-global.properties.

It is no problem to define multiple LDAP instances in one chain, which will be used for auth in sequence one by one until the end of the chain is reached, but the chain will only work for the web filter, not for CIFS and not for SSO configs. Maybe you have SSO configured?

mehe
Elite Collaborator

Hi Heiko,

sorry, but I think you didn't get me right. It's clear that you need to have two subsystem definitions (and sync is already working for booltrue). We're just talking about LDAP authentication and the web filter, not about CIFS or SSO, as far as I understood. But you have to put the authentication.chain definition with the two LDAP subsystem definition labels into alfresco-global.properties to be able to LDAP-authenticate against two LDAP subsystems. See http://docs.alfresco.com/4.0/tasks/auth-example-twoldap-ad.html

booltrue
Champ in-the-making

Here are the currently used LDAP ad1 and ad2 configs and the authentication chain from alfresco-global.properties.

Synchronization works properly for that configuration.

Authentication works only for ad1, which is our domain.

For the other domain, authentication is not working.

Maybe helpful: we are using Windows Active Directory and the users log in to Alfresco Share.

Could another authentication chain property solve the problem?

properties for ldap ad1:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://30.184.2.41:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=Alfresco123
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_Z_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_Z_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_Z_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=z,DC\=b,DC\=c) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_Z_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=z,DC\=b,DC\=c) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

properties for ldap ad2:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://30.184.2.41:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=Alfresco123
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(|(CN\=GP_A_ALFRESCO) (CN\=GP_B_ALFRESCO)))
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)(memberOf=CN\=GP_B_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)(memberOf=CN\=GP_B_ALFRESCO,OU\=GOAHEAD,DC\=a,DC\=b,DC\=c)) (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco-global.properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ad1:ldap-ad,ad2:ldap-ad
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.authCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 0/15 * ? * *
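A small lint for this kind of chain, added here as an example and not taken from the thread or from Alfresco itself: it parses subsystem properties and the authentication.chain in the format posted above (using constructed, shortened copies of the ad1/ad2 files) and reports the points worth checking when the second domain fails, such as both subsystems binding to the same provider URL with different UPN suffixes, simple binds over plain ldap://, and sync passwords kept in the properties file.

```python
from collections import Counter

# Constructed sample modelled on the ad1/ad2 subsystem files and the
# authentication.chain shown in the thread (shortened; not the poster's files).
AD1 = """
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.provider.url=ldap://30.184.2.41:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=Alfresco123
ldap.synchronization.userSearchBase=DC\\=z,DC\\=b,DC\\=c
"""
AD2 = AD1.replace("z.b.c", "a.b.c").replace("DC\\=z", "DC\\=a")
GLOBAL = "authentication.chain=alfrescoNtlm1:alfrescoNtlm,ad1:ldap-ad,ad2:ldap-ad\n"

def parse_props(text):
    """Parse Java .properties lines; the '\\=' escapes in the values are unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # keys contain no '='
            props[key.strip()] = value.strip().replace("\\=", "=")
    return props

def parse_chain(global_text):
    """authentication.chain=name:type,... -> [(name, type), ...] in evaluation order."""
    entries = parse_props(global_text)["authentication.chain"].split(",")
    return [tuple(e.split(":", 1)) for e in entries]

def lint_chain(global_text, subsystem_files):
    """Findings to check before trusting a chain with several ldap-ad subsystems."""
    chain = parse_chain(global_text)
    ad = {n: parse_props(subsystem_files[n]) for n, t in chain if t == "ldap-ad"}
    url_key = "ldap.authentication.java.naming.provider.url"
    shared = Counter(p.get(url_key) for p in ad.values())
    findings = []
    for name, p in ad.items():
        url, fmt = p.get(url_key, ""), p.get("ldap.authentication.userNameFormat", "")
        if p.get("ldap.authentication.active") != "true":
            findings.append((name, "sync-only: ldap.authentication.active is not true"))
        if shared[url] > 1:  # same DC bound with different UPN suffixes
            findings.append((name, f"provider URL {url} shared; confirm it authenticates {fmt} logins"))
        if url.startswith("ldap://") and p.get("ldap.authentication.java.naming.security.authentication") == "simple":
            findings.append((name, "simple bind over plain ldap:// sends passwords in clear"))
        if p.get("ldap.synchronization.java.naming.security.credentials"):
            findings.append((name, "sync account password stored in plaintext"))
    return chain, findings
```

Run it against the real subsystem files by reading each one into `subsystem_files` keyed by its chain name; the chain order returned is the order Alfresco tries the members in.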

mehe
Elite Collaborator

Seems to be nearly identical to a working config that I use in a customer system (Alfresco 4.2)...

The only differences to mine are 

in alfresco-global.properties: 

ntlm.authentication.sso.enabled=false

in the LDAP AD properties I don't have

ldap.authentication.active=true

but this shouldn't be the problem, maybe it's just my older Alfresco version...

heiko_robert
Star Collaborator

I don't have an AD with 2 realms to test at the moment. Could you please test with only the AD in the chain which does not work?

Martin Ehe: your config is different. You use LDAP for sync only but NTLM for auth for both. If you have set

ldap.authentication.active=true

it means the subsystem is not used for authentication but for sync.

booltrue
Champ in-the-making

I could give it a try:

ntlm.authentication.sso.enabled=false

in alfresco-global.properties

and should I remove:

ldap.authentication.active=true

from both LDAP properties files and move it to alfresco-global.properties, or does it not have any effect?

mehe
Elite Collaborator

Can't really say about ldap.authentication.active; this should have no effect. Does switching the order of your ADs in the authentication.chain have any effect?

booltrue
Champ in-the-making

For our domain no, for the other domain I don't know.

Couldn't test it yet.

booltrue
Champ in-the-making

So I keep the subsystem AD configs like they are, with

ldap.authentication.active=true in both systems?

I wanted to move that entry to alfresco-global.properties

But I will set in alfresco-global.properties

ntlm.authentication.sso.enabled=false

OK, or any changes to try?

I will test the AD in the chain that does not work.

mehe
Elite Collaborator

Heiko Robert, I just overlooked the ldap.authentication.active=true (misspelled in the search 🙂).

It's in the config, so the config isn't different...