ldap-ad: allow login for users of specific security group

jahu
Champ on-the-rise

Hello,

I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to login to Alfresco, and deny any other login attempts.

Currently, I have synchronization working, and I can login to Alfresco with AD users. My problem is, is that any user can login that is in AD, not just the members of the AlfrescoUsers security group I created.

Does anyone have any insight into why all users in AD are allowed to login, and not just users of the AlfrescoUsers security group?

I have attached my alfresco-global.properties that I have all of my configuration in, and also the synchronization section of alfresco.log

Thank you,

-Jason

1 ACCEPTED ANSWER

mehe
Elite Collaborator

Hi Jason,

Your person LDAP query seems to be wrong:

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))

I think you want objectclass=user AND userAccountControl... AND memberOf..., but you put an OR "|" before the memberOf condition.

So

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))

should be ok (without having verified it in real life).

regards,

Martin
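As an added illustration (not code from the thread or from Alfresco), a small Python evaluator for the person filter above, run against constructed AD-style entries. It also shows that the filter's 512 bit test (NORMAL_ACCOUNT) alone does not exclude disabled accounts, so a stricter variant with an ACCOUNTDISABLE check is included; the entry data, names and helper functions are all assumptions.

```python
# Added example, not from the thread: a minimal evaluator for the AD person filter
# above. It handles only &, |, !, attr=value and the LDAP_MATCHING_RULE_BIT_AND
# extensible match (OID 1.2.840.113556.1.4.803), run on constructed entries.
BIT_AND = "1.2.840.113556.1.4.803"
GROUP = "cn=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net"

def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    i += 1                                  # skip the opening '('
    if s[i] in "&|!":                       # compound node: (op, [children])
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)                     # simple node: ("=", attr, value)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1

def matches(node, entry):
    # Evaluate a parsed filter against an entry whose attribute keys are lower-cased.
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    attr, value = node[1].lower(), node[2]
    if ":" in attr:                         # extensible match: attr:OID:=value
        attr, oid, _ = attr.split(":")
        if oid != BIT_AND:
            raise ValueError("unsupported matching rule " + oid)
        return int(entry.get(attr, ["0"])[0]) & int(value) == int(value)
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

# Constructed entries. userAccountControl 512 = NORMAL_ACCOUNT; 514 adds ACCOUNTDISABLE (0x2).
ENTRIES = {
    "alice": {"objectclass": ["user"], "useraccountcontrol": ["512"], "memberof": [GROUP]},
    "bob":   {"objectclass": ["user"], "useraccountcontrol": ["512"], "memberof": []},
    "carol": {"objectclass": ["user"], "useraccountcontrol": ["514"], "memberof": [GROUP]},
}
# Martin's corrected filter with the .properties backslash escapes removed (they are
# Java properties escaping, not LDAP syntax), plus a variant that also rejects disabled accounts.
PERSON_QUERY = "(&(objectclass=user)(userAccountControl:%s:=512)(memberOf=%s))" % (BIT_AND, GROUP)
STRICT_QUERY = ("(&(objectclass=user)(userAccountControl:%s:=512)"
                "(!(userAccountControl:%s:=2))(memberOf=%s))" % (BIT_AND, BIT_AND, GROUP))

def select(filter_text, entries=ENTRIES):
    # Return the sorted names of the entries the filter admits.
    node, _ = parse(filter_text)
    return sorted(n for n, e in entries.items() if matches(node, e))
```

With the thread's filter, the disabled member carol is still selected; only the stricter variant limits the result to alice.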


25 REPLIES

cesarista
World-Class Innovator

Yes, Martin's query will work for the users under the defined user base.

But maybe the differential query will not, because you deal with everything inside the AD group, so the timestamp of the user (whenChanged) is not touched when adding users to the AD group. A workaround for this is to define the user differential query equal to the user query, but then a full sync is done every day instead of a differential one.

Another way of selecting a group of users belonging to different levels in the AD is via custom extension attributes in AD (i.e. "alf") on users, so you have to include the extension attribute in the users query. This will respect the whenChanged parameter, because the user is modified (changing the timestamp) when applying the extension attribute.

Regards.

--C.

nlemus
Champ in-the-making

Hello friends,

When I sign in to Alfresco, under "admin portal > repository > user homes" all the synchronized LDAP users appear; this creates a folder for each LDAP user.

How can I make those folders not be created with the default synchronization?

I want them to be created only when the users are given permission in Alfresco to sign in.

jpotts
World-Class Innovator

Who do you want to show up in Alfresco? If the answer is "everyone in LDAP" while the answer to "Who do you want to be able to authenticate?" is "a subset of users as specified by this group" then the answer is that you have to create two LDAP configurations, one will be enabled for sync-only and will sync the entire LDAP directory. The other will be disabled for sync but enabled for authentication and it will specify the person query that points to the group you want to restrict to.

I should mention that this technique was first described to me by Axel Faust in the #alfresco IRC channel.

Hi Jeff,

In your reply you said that LDAP authentication can be done without enabling synchronization and you can restrict users through the person query, right? But I tried doing the same thing and it didn't work. Following are the properties that I configured on my Alfresco. I am running Alfresco v6.0.a (Docker based).

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://<my-ldap-server-ip>:<port>
ldap.authentication.userNameFormat=uid=%s,ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.active=false
ldap.synchronization.userSearchBase=ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.personQuery=(&(objectclass\=sambaSamAccount)(accountStatus=\active)(sambaBadPasswordCount\=0)(category\=DMS))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=sambaSamAccount)(accountStatus\=active)(sambaBadPasswordCount\=0)(category\=DMS)(!(modifyTimestamp<\={0})))

As you can see from the person query, I want only users whose accounts are active to be able to log in to Alfresco.

Now the problem is that all the users on my LDAP server are logging into Alfresco, even if their account on the LDAP server is deactivated. Moreover, I checked the logs on my LDAP server and found that my Alfresco is connected perfectly with the LDAP server, but my person query never reaches the LDAP server. There are no parameters of my person query in my LDAP server's logs.

Kindly help me to resolve this issue. Please look into the above-mentioned configured properties to see if I have missed something. Your help would be highly appreciated.

Thank you

EddieMay
World-Class Innovator

Hi @Syedjunaid,

As this thread has an approved solution, I would recommend starting a new thread - people often overlook solved posts.

HTH,

Digital Community Manager, Alfresco Software.

cesarista
World-Class Innovator

Hi Jason:

All users are allowed to authenticate via LDAP-AD in principle. By default, Alfresco creates and syncs accounts on login when they do not exist. But if you set the properties below, you would restrict the LDAP auth only to those synced users.

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

Regards.

--C.

mehe
Elite Collaborator

...the query I mentioned is exactly the one Jason has defined in his attached alfresco-global.properties. He just added the OR sign in the query, which should not be the case for his intentions.

He also defined the differential query in the right way (again, just the OR sign is too much).

Because the query will only import users which are members of ou=Alfresco, only those users will be able to login (allowDeletions=true, so users not in ou=Alfresco will be deleted - no login possible).

I would let synchronization.syncWhen... =true, so new users in ou Alfresco will be able to log in without having to wait for a scheduled LDAP Sync - what do you think Cesar?

Setting the two other values (create) to false should be fine.

Are you sure that a change in "memberOf" would not affect the whenChanged/modifiedTimestamp setting?

cesarista
World-Class Innovator

Hi Martin:

Regarding synchronization.syncWhen... =true, I'm not completely sure if this property depends on the other ones. By the way, with the new OOTB Support Tools addon, I think you can run the scheduled job on demand (I have not tested it yet). If it is not possible, it would be a nice feature for Support Tools in the Beecon hackathon (Axel Faust). This is a nice feature of the Support Tools in the EE edition.

If you only change the group object I will say no. Before, you may do a minor "tricky" user modification to change the timestamp, and it will work for this user.

Regards.

--C.