LDAP with Multiple domain

pp20218
Champ in-the-making
Hi all,

I am using Zimbra LDAP with Alfresco. When I have only one domain I am able to log in, but when I have multiple domains I can't log in.
Suppose I have 2 domains, abc.com and xyz.com.

How can I configure ldap-authentication.properties for this multiple-domain scenario?

Here is what my ldap-authentication.properties looks like:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=xyz,dc=com

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://10.200.100.458:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=admin

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=uid=admin,ou=people,dc=xyz,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=xyz12345

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=0

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.       
ldap.synchronization.attributeBatchSize=0

# The query to select all objects that represent the groups to import.
#ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
# Note: Alfresco reads ldap.synchronization.* keys; a key spelled ldap.synchronisation.* is silently ignored.
# Two filter terms must be combined with (&...) to form a valid LDAP filter.
ldap.synchronization.groupQuery=(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled))


# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
#ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

ldap.synchronization.personQuery=(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
#ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com

ldap.synchronization.groupSearchBase=dc=xyz,dc=com

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=People,dc\=xyz,dc\=com

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=ou

# The default home folder provider to use for people created via LDAP import
#ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description

# The group type in LDAP
#ldap.synchronization.groupType=groupOfNames
ldap.synchronization.groupType=zimbraDistributionList

# The person type in LDAP
#ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.personType=organizationalPerson

# The attribute in LDAP on group objects that defines the DN for its members
#ldap.synchronization.groupMemberAttributeName=member
# Zimbra distribution lists hold member addresses, not member DNs
ldap.synchronization.groupMemberAttributeName=zimbraMailForwardingAddress

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

Please help.
Thanks in advance.
Regards
PP

fstnboy
Champ on-the-rise
Hi PP,

One clean solution would be to create 2 authentication subsystem configurations (one against abc.com and the other against xyz.com). Then, in the authentication chain property, you would specify one after the other. That way, if one fails, Alfresco will try to authenticate using the second config (against the second domain).

Another solution would be for Alfresco to point to the Global Catalog; this node of the LDAP tree has access to all domains, so you'll just have to figure out the userSearchQuery to look up users in both domains.

Hope this helps.
If you have any further questions, don't hesitate to ask.

Regards

pp20218
Champ in-the-making
Hi,
Thanks a lot for your reply.

I just need some clarification.
For the 1st scenario, are you suggesting the change below (considering abc and xyz as the 2 domains)?

ldap.synchronization.userSearchBase=ou\=People,dc\=abc,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=xyz,dc\=com
NOTE: I have already tried this, but no luck.

In the 2nd case:
We are connecting to an OpenLDAP server. So what do you mean by Global Catalog? I am totally confused by this.

NOTE: I am connecting to Zimbra LDAP. I have created 2 domains in Alfresco, abc.com and xyz.com, for multi-tenancy purposes.
When I have a single domain and
(1) I log in as admin@abc.com, it is not accepted at all.
(2) If I log in as only admin, it is accepted.

When I have 2 domains and I configure
ldap.synchronization.userSearchBase=ou\=People,dc\=abc,dc\=com
ldap.synchronization.userSearchBase=ou\=People,dc\=xyz,dc\=com
then I have the same problem:
(1) it only accepts "admin" as the user, but not admin@abc.com or admin@xyz.com.

Thanks a lot for your attention.

Regards
PP

fstnboy
Champ on-the-rise
Hi PP,

I may not have explained it properly in my response. Have a look at example 2 of the Authentication Chain Configuration. It shows how to use two LDAP directories, but you can use it with one LDAP directory and 2 different domains. The configuration would be the same; the only difference would be ldap.synchronization.userSearchBase.

For the first one you would use:
ldap.synchronization.userSearchBase=ou\=People,dc\=abc,dc\=com

For the second one you would use:
ldap.synchronization.userSearchBase=ou\=People,dc\=xyz,dc\=com

So they wouldn't go in the same file.

Hope this clarifies it a bit more and helps you with it.

Regards,
Adei
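The two replies above describe one LDAP subsystem instance per domain, listed one after the other in the authentication chain, with only the search base (and the DN used for binding) differing between the instances. The script below is an added example for this thread, not Alfresco's own code: it renders one ldap-authentication.properties per domain from a template built from the keys posted above, builds the authentication.chain line, and sanity-checks each file for the mistakes that make an instance silently misbehave (ldap.synchronisation.* keys that Alfresco never reads, a filter with two top-level terms and no (&...), and a bind DN whose dc= components do not match the search base). The directory layout subsystems/Authentication/ldap/<instance>/, the instance names ldap-abc and ldap-xyz, the host name, and the sample file are constructed assumptions.

```python
"""Per-domain Alfresco LDAP subsystem configs plus a sanity check.

Added example, not Alfresco's code. Assumes one directory per chain
instance under <extension>/subsystems/Authentication/ldap/<instance>/
and the authentication.chain property in alfresco-global.properties.
"""
import re
import tempfile
from pathlib import Path

# Constructed template: the domain-dependent keys from the posted config,
# with the dc=... part of each DN left as a {base} placeholder.
TEMPLATE = {
    "ldap.authentication.active": "true",
    "ldap.authentication.userNameFormat": "uid=%s,ou=people,{base}",
    "ldap.authentication.java.naming.provider.url": "ldap://ldap.example.invalid:389",
    "ldap.synchronization.active": "true",
    "ldap.synchronization.userSearchBase": "ou=People,{base}",
    "ldap.synchronization.groupSearchBase": "{base}",
    "ldap.synchronization.personQuery":
        "(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled))",
    "ldap.synchronization.groupQuery":
        "(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled))",
}


def domain_to_base(domain):
    """abc.com -> dc=abc,dc=com"""
    return ",".join(f"dc={part}" for part in domain.split("."))


def instance_id(domain):
    """Constructed naming convention for chain instances: ldap-<first label>."""
    return "ldap-" + domain.split(".")[0]


def render_subsystem(domain):
    """Fill the template for one domain (str.replace leaves %s untouched)."""
    base = domain_to_base(domain)
    return {k: v.replace("{base}", base) for k, v in TEMPLATE.items()}


def authentication_chain(domains, fallback="alfrescoNtlm1:alfrescoNtlm"):
    """One ldap instance per domain, tried in order, then the built-in
    Alfresco authenticator so the local admin user can still log in."""
    ids = [f"{instance_id(d)}:ldap" for d in domains]
    return "authentication.chain=" + ",".join(ids + [fallback])


def write_subsystems(root, domains):
    """Write one ldap-authentication.properties per domain; return the paths."""
    paths = []
    for d in domains:
        p = (Path(root) / "subsystems" / "Authentication" / "ldap"
             / instance_id(d) / "ldap-authentication.properties")
        p.parent.mkdir(parents=True, exist_ok=True)
        # Java Properties splits a line at the first '=' only, so later '='
        # inside the value (uid=%s,...) needs no \= escaping.
        p.write_text("".join(f"{k}={v}\n" for k, v in render_subsystem(d).items()))
        paths.append(p)
    return paths


def parse_properties(text):
    """Minimal .properties reader: skips comments, unescapes backslash-equals."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\=", "=")
    return props


def top_level_components(filt):
    """Count top-level (...) groups of an LDAP filter; -1 if unbalanced."""
    depth = count = 0
    for ch in filt:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
    return count if depth == 0 else -1


def dc_components(dn):
    return [m.lower() for m in re.findall(r"dc=([^,]+)", dn, flags=re.I)]


def validate(props):
    """List problems that make a subsystem instance silently misbehave."""
    problems = []
    for key, value in props.items():
        if key.startswith("ldap.synchronisation."):
            problems.append(f"{key}: Alfresco reads ldap.synchronization.* only; key ignored")
        if key.endswith("Query"):
            n = top_level_components(value)
            if n < 0:
                problems.append(f"{key}: unbalanced parentheses in filter")
            elif n > 1:
                problems.append(f"{key}: {n} top-level terms; wrap them in (&...) or (|...)")
    fmt = props.get("ldap.authentication.userNameFormat", "")
    base = props.get("ldap.synchronization.userSearchBase", "")
    if fmt and "%s" not in fmt:
        problems.append("ldap.authentication.userNameFormat has no %s placeholder")
    if fmt and base and dc_components(fmt) != dc_components(base):
        problems.append("userNameFormat binds in a different dc= tree than userSearchBase; "
                        "each chain instance should cover exactly one domain")
    return problems


# Constructed sample reproducing the mistakes visible in the posted file.
BROKEN = r"""
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=xyz,dc=com
ldap.synchronization.userSearchBase=ou\=People,dc\=abc,dc\=com
ldap.synchronisation.groupQuery=(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled)
"""

if __name__ == "__main__":
    print(authentication_chain(["abc.com", "xyz.com"]))
    with tempfile.TemporaryDirectory() as tmp:
        for path in write_subsystems(tmp, ["abc.com", "xyz.com"]):
            print(path.relative_to(tmp), validate(parse_properties(path.read_text())))
    for problem in validate(parse_properties(BROKEN)):
        print("BROKEN:", problem)
```

The chain is ordered, so the first instance whose bind succeeds wins; keeping the built-in Alfresco authenticator last means a directory outage does not lock out the local admin. Run the validator against each generated file (and against the file you actually deploy) before restarting Alfresco, since a misspelled key or a malformed filter produces no startup error, only an instance that authenticates or synchronizes nothing.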

pp20218
Champ in-the-making
Hi Adei,

Thanks a lot for your reply.
As per the solution provided, when I configure 2 LDAPs, people from the 2 different domains can now log in.

But the problem is that it is still not compatible with a multi-tenancy environment.

I have created 2 tenants in Alfresco; consider abc.com and xyz.com. So the admins of these 2 domains log in to Alfresco with the usernames "admin@abc.com" and "admin@xyz.com".
When I configured LDAP, multi-tenancy stopped working. The people of the 2 domains are connected to only one Alfresco instance. There are no tenants at all.

This multi-tenancy feature works fine when no LDAP is configured. Can you please provide your input?

Thanks in advance.

Regards
PP

fstnboy
Champ on-the-rise
Hi PP,

I totally forgot about the multi-tenancy and focused on LDAP authentication.

Unfortunately, I don't have much experience with multi-tenancy, but checking the wiki page on Multi-tenancy, in the section Not Implemented, it seems that an LDAP solution is not supported/implemented/tested; the only authentication method supported/implemented/tested is "alfresco"…

I guess that you'll have to implement your own solution for that purpose.

Regards,
Adei

PD: If this post or the previous post was helpful, please click Yes on the Post Rating

pp20218
Champ in-the-making
Hi Adei,

Thanks for your reply. Can you provide some input on how to go ahead?

Regards
PP

fstnboy
Champ on-the-rise
Hi PP,

Now that you've got LDAP working, what is the username format? Is it username@domain?

pp20218
Champ in-the-making
Hi Adei,

user@domain is not working; you need to log in only as user.

Suppose I have LDAP1 with domain abc.com, where the users are L1, L2 and L3, and I have LDAP2 with domain xyz.com, where the users are M1, M2 and M3.
The users log in directly as L1, L2, M1, and so on.
If a user logs in as L1@abc.com, then it does not allow the user to log in.

fstnboy
Champ on-the-rise
Hi PP,

Can you post your LDAP config file?