12-11-2019 09:00 AM
Hi,
I see a strange behavior in my Active Directory integration (Alfresco 5.2com on CentOS 7).
Sometimes users must capitalize one or more letters to authenticate (e.g. if the username is "duck" they have to try with "Duck" and after that "DUck").
This happens with various browsers (IE11, Edge, Firefox, Chrome).
Can someone help me?
THX
Natale
12-11-2019 10:21 AM
I doubt that anyone can help just with that description. This is an extremely strange behaviour, one which I have never observed in ten years of working with Alfresco systems integrated with Active Directory. I can also not think of any reasonable cause / trigger for such a behaviour within Alfresco.
Did you only configure the LDAP-AD integration, or did you also configure Kerberos / passthru for authentication? What is the authentication chain configuration? Ideally, it helps in such situations if you can provide your full configuration (without passwords / sensitive info of course - but best replace them with xxx instead of not providing those properties).
12-13-2019 02:14 AM
Thanks
These are LDAP configurations
Global
### LDAP
authentication.chain=alfinst:alfrescoNtlm,ad1:ldap-ad,ad2:ldap-ad,ad-tu:ldap-ad,ad-te:ldap-ad,ad-sa:ldap-ad,ad-ra:ldap-ad,ad-is:ldap-ad,ad-in:ldap-ad,ad-en:ldap-ad,ad-bc:ldap-ad,ad-ap:ldap-ad
ntlm.authentication.sso.enabled=false
####
ad1 chain
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@bilancioaisi.local
ldap.authentication.java.naming.provider.url=ldap://172.28.112.15:389
ldap.authentication.defaultAdministratorUserNames=************
ldap.synchronization.java.naming.security=simple
ldap.synchronization.java.naming.security.principal=********@bilancioaisi.local
ldap.synchronization.java.naming.security.credentials=*********
ldap.synchronization.person.differential.query=(&=(ObjectClass)=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)((WhenChanged<\={0}))
ldap.synchronization.groupSearchBase=ou=Economia,dc=bilancioaisi,dc=local
ldap.synchronization.userSearchBase=ou=Economia,dc=bilancioaisi,dc=local
The other LDAP chains differ only in SearchBase
12-13-2019 12:01 PM
Leave only one sync/author subsystem for one AD. Write proper queries to find all users and groups in all dark corners of your AD. Replace IP address 172.28.112.15 with a DNS name.
12-16-2019 03:15 AM
@fedorow wrote:
1) Leave only one sync/author subsystem for one AD.
2) Write proper queries to find all users and groups in all dark corners of your AD.
3) Replace IP address 172.28.112.15 with a DNS name.
1) What do you mean by this?
2) I have more than 50,000 users and about 1000 OU entries in my AD and I need to select users of certain OUs (Economia, Territorio etc)
3) Done
12-16-2019 09:15 AM
My mistake. 1) and 2) are not about your case.