Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

LDAP Authentication from 2 domains

booltrue
Champ in-the-making
Champ in-the-making

‎06-19-2017 05:44 AM

I am using alfresco Community - 5.1.0 (r127059-b7)

Currently I am doing LDAP authentication from 1 domain with the following entry in the config:

ldap.authentication.userNameFormat=%s@x.y.z

Now I need additionally a second domain like:

ldap.authentication.userNameFormat=%s@a.b.c

How I can do ldap authentication from 2 domains ?

Is that somehow possible?

How would be the entry in the config ?

thx for your help

Labels:
0 Kudos
33 REPLIES 33

booltrue
Champ in-the-making
Champ in-the-making

‎06-20-2017 08:03 AM

Just tried and I didn't get the expected result.

I think the problem is, that I have no access to the parent domain.

The domain tree is like:

b.c.

     ----a.b.c

     ----c.b.c

     ----

     ----

     ----z.b.c


Our domain is z.b.c.

I have in my group of domain z.b.c a cross domain member from the domain a.b.c

So I used the user search base b.c.

But when I try to sync with 2 ldap systems under the path tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad

I get the result as you can see in the logfile.

When I dont use any subsystem under extension folder, just use the alfresco-global.properties I get the user from the domain a.b.c. synced to

the group of the domain z.b.c, but only if in the group a user of the domain z.b.c already exists, otherwise not. I really dont understand.

But I need that both domains can register in alfresco, like

ldap.authentication.userNameFormat=%s@a.b.c and ldap.authentication.userNameFormat=%s@z.b.c

so I have to sync from two ldap subsystems

alfresco-global.properties without 2 subsystems:

# LDAP
authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap-ad
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.authCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 0/10 * ? * *

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xxx.xxx.xxx.xxx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO_DEV,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco.log without 2 subsystems:

2017-06-20 13:50:00,176 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronizing users and groups with user registry 'myldap'
2017-06-20 13:50:00,176 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Full synchronization with user registry 'myldap'
2017-06-20 13:50:00,176 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 13:50:00,207 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 13:50:00,394 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 13:50:00,410 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-20 13:50:00,410 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-20 13:50:39,349 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving users changed since 20.06.2017 01:52:04 from user registry 'myldap'
2017-06-20 13:51:12,734 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Commencing batch of 2 entries
2017-06-20 13:51:47,461 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Processed 2 entries out of 2. 100% complete. Rate: 0 per second. 0 failures detected.
2017-06-20 13:51:47,461 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Completed batch of 2 entries
2017-06-20 13:51:47,476 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Finished synchronizing users and groups with user registry 'myldap'
2017-06-20 13:51:47,476 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] 2 user(s) and 1 group(s) processed
2017-06-20 14:00:00,323 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronizing users and groups with user registry 'myldap'
2017-06-20 14:00:00,323 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Full synchronization with user registry 'myldap'
2017-06-20 14:00:00,323 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 14:00:00,369 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 14:00:00,557 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 14:00:00,572 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 66 per second. 0 failures detected.
2017-06-20 14:00:00,572 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries

0 Kudos

booltrue
Champ in-the-making
Champ in-the-making

‎06-21-2017 04:20 AM

Is it possible to allow multiple domains in alfresco-global.properties,

without two ldap subsytems,i.e.:

ldap.authentication.userNameFormat=%s@z.b.c

ldap.authentication.userNameFormat=%s@a.b.c

How would be the format ?

ldap.authentication.userNameFormat=%s@?

using only %s is not working

0 Kudos

booltrue
Champ in-the-making
Champ in-the-making

‎06-23-2017 07:37 AM

The right way for me to do was to bind two ldap-systems,

without any cross-domain members in any group (caused sync problems)

to be able to allow multiple domain sync.

Now I have the problem that users of the second domain are not be able to login.

Does anyone have an idea ?

0 Kudos

mehe
Elite Collaborator
Elite Collaborator
In response to booltrue

‎06-23-2017 10:54 AM

iisn't

ldap.authentication.userNameFormat=%s@z.b.c

in the first config and 

ldap.authentication.userNameFormat=%s@a.b.c

in the second not working?

0 Kudos

booltrue
Champ in-the-making
Champ in-the-making

‎06-23-2017 11:00 AM

b.c.

     ----a.b.c

     ----c.b.c

     ----

     ----

     ----z.b.c (our domain)

ldap.authentication.userNameFormat=%s@a.b.c

yes, here the login doesnt work, but sync works lika a charm

on our domain z.b.c login works same before with only one ldap system

0 Kudos

heiko_robert
Star Collaborator
Star Collaborator

‎06-23-2017 05:25 PM

Multidomain synchronisation and authentication has only a very limited support in Alfresco. We tried this just some months ago. To summarize:

Limitations

  • CIFS/WebDAV Auth, SSO using Kerberos support only one directory. We extended the kerberos implementation to handle the whole user principle instead of only the username part (which we know will conflict with the multi tenancy support) but stopped since we didn't want to rewrite the whole group sync.

You can:

  • define many independent domains (in Alfresco managed in zones) for sync and web authentication having different domains. You need to put all ldap subsystem instances in the auth chain. They work all independent and in sequence on login. Be careful if you have rules for failed logins on AD/LDAP if you work with different configs against the same AD/LDAP.

You cannot:

  • use the same groups accross different zones. You will see unexpected behavior since the groups will switch on sync from zone to zone and only the users belonging to the active zone will be members in the Alfresco group after sync. The group membership sync logic asumes a user as deleted if a user is not returned as memberOf attribute from the group. If the memberOf user is not member of the zone he will be ignored or cause a softfail.

So you should go ahead if you don't share groups managed on ldap/AD but you will fail if you require to use shared groups. If you only need to authenticate in the browser you may try having only one sync config since you have only one directory server. User query may be e.g.

   (& (objectClass=user)(|(userPrincipalName=*@abc.com)(userPrincipalName=*@xyz.net)))

You could then add a second ldap subsystem config only having authentication active
ldap.synchronization.active=false

ldap.authentication.active=true

ldap.authentication.userNameFormat=%s@xyz.net

0 Kudos

mehe
Elite Collaborator
Elite Collaborator
In response to heiko_robert

‎06-24-2017 03:52 AM

Just thinking: maybe a "ldap proxy" that gathers users and groups (with nlscd) in an alfresco compatible way could be a solution... but this would be a more than a "just try" job.

0 Kudos

cesarista
World-Class Innovator
World-Class Innovator
In response to mehe

‎06-24-2017 06:01 AM

booltrue booltrue A passthru based subsystem may be used or combined for authentication, using ldap-ad subsystem for syncing. Finally, completely agree with Heiko Robert‌ comments.

Regards.

--C.

0 Kudos

booltrue
Champ in-the-making
Champ in-the-making

‎06-26-2017 11:59 AM

Thanks for detailed explanation, but I am a little confused what is the difference between your (‌) explanation and my attempt with two ldap subsytems, or maybe just I dont understand right.

I am syncing two different groups of two different child domains as you can see in the configs.

Maybe you can explain for me more clearer, due I dont understand.

What do I need to change, so that  both domains can authenticate.

Currently only members of our domain z.b.c can authenticte to the system,

the members of the other domain a.b.c can not do.

Syncing of both domains works properly.

0 Kudos

mehe
Elite Collaborator
Elite Collaborator
In response to booltrue

‎06-27-2017 01:01 AM

Maybe the problem is the authentication.chain

It seems to be defined in both subsystems and so only the secon one "wins". I think you have to move the authentication.chain into alfresco-global.properties (only), delete it from the subsystems and use both subsystems in the chain.

0 Kudos
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2025 Khoros, LLC