03-16-2017 11:25 AM
Hello,
I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to login to Alfresco, and deny any other login attempts.
Currently, I have synchronization working, and I can log in to Alfresco with AD users. My problem is that any user in AD can log in, not just the members of the AlfrescoUsers security group I created.
Does anyone have any insight into why all users in AD are allowed to log in, and not just users of the AlfrescoUsers security group?
I have attached my alfresco-global.properties, which holds all of my configuration, and also the synchronization section of alfresco.log.
Thank you,
-Jason
03-16-2017 12:47 PM
Hi Jason,
your person LDAP query seems to be wrong:
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))
I think you want objectclass=user AND userAccountControl... AND memberOf..., but you put an OR "|" before the memberOf condition.
So
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))
should be ok (without having verified it in real life).
regards,
Martin
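Added example (not code from Alfresco or from anyone in this thread): a small evaluator for the AD-style LDAP filter subset used in the person query, run over constructed user entries. It shows that the posted filter and the corrected one select the same users (a one-operand OR reduces to its operand), and that the 512 bit test alone still admits a disabled account (userAccountControl 514 = 512 + 2), which an extra "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" clause excludes. The filters are written without the properties-file backslash escaping, and the group DN and account names are made up.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND (AD extensible match)
_ITEM = re.compile(r"([^:=]+)(?::([\d.]+))?:?=(.*)", re.S)  # attr, optional rule OID, value

def parse(s, i=0):
    """Parse the RFC 4515 filter at s[i] (subset: &, |, !, attr=value, attr:oid:=value)."""
    assert s[i] == "(", "filter must start with '('"
    op = s[i + 1]
    if op in "&|!":
        i, kids = i + 2, []
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)  # a ')' inside a value would need RFC 4515 escaping
    attr, rule, val = _ITEM.fullmatch(s[i + 1:end]).groups()
    return ("item", attr.lower(), rule, val), end + 1

def matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, val = node
    values = entry.get(attr, [])
    if rule == BIT_AND:  # true when every bit of val is set in the attribute
        return any(int(v) & int(val) == int(val) for v in values)
    return any(v.lower() == val.lower() for v in values)  # caseIgnoreMatch

def select(filter_str, entries):
    """sAMAccountNames that a sync with this person query would import."""
    node, _ = parse(filter_str)
    return sorted(e["samaccountname"][0] for e in entries if matches(node, e))

GROUP = "CN=AlfrescoUsers,OU=Alfresco,OU=Groups,DC=domain,DC=net"
USER = ["top", "person", "user"]
DIRECTORY = [  # constructed sample entries, not real accounts; carol is disabled (514 = 512 | 2)
    {"samaccountname": ["alice"], "objectclass": USER, "useraccountcontrol": ["512"], "memberof": [GROUP]},
    {"samaccountname": ["bob"], "objectclass": USER, "useraccountcontrol": ["512"], "memberof": []},
    {"samaccountname": ["carol"], "objectclass": USER, "useraccountcontrol": ["514"], "memberof": [GROUP]},
    {"samaccountname": ["svc-pc$"], "objectclass": ["top", "computer"], "useraccountcontrol": ["4096"], "memberof": [GROUP]},
]
BASE = "(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)"
MEMBER = "(memberOf=cn=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)"
POSTED = "(&" + BASE + "(|" + MEMBER + "))"  # the query as posted, minus properties-file escaping
FIXED = "(&" + BASE + MEMBER + ")"  # the corrected query from the reply above
ENABLED_ONLY = "(&" + BASE + MEMBER + "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

Running select() with each of the three filters over DIRECTORY shows which accounts a sync would import; only the last form drops the disabled account.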
03-16-2017 03:14 PM
Yes, Martin's query will work for the users under defined user base.
But maybe the differential query will not, because everything is handled inside the AD group, so the timestamp of the user (whenChanged) is not touched when adding users to the AD group. A workaround for this is to define the user differential query equal to the user query, so a full sync is done every day instead of a differential one.
Another way of selecting a group of users belonging to different levels in the AD is via custom extension attributes in AD (e.g. "alf") on the users, so you have to include the extension attribute in the user query. This will respect the whenChanged parameter, because the user is modified (changing the timestamp) when applying the extension attribute.
Regards.
--C.
04-27-2020 03:03 PM
Hello friends,
When I sign in to Alfresco, under "admin portal > repository > user homes" all the synchronized LDAP users appear; this creates a folder for each LDAP user.
How can I make those folders not be created by the default synchronization?
I want them to be created only once the user has been given permission in Alfresco to sign in.
03-16-2017 02:00 PM
Who do you want to show up in Alfresco? If the answer is "everyone in LDAP" while the answer to "Who do you want to be able to authenticate?" is "a subset of users as specified by this group", then the answer is that you have to create two LDAP configurations: one will be enabled for sync only and will sync the entire LDAP directory; the other will be disabled for sync but enabled for authentication, and it will specify the person query that points to the group you want to restrict to.
I should mention that this technique was first described to me by Axel Faust in the #alfresco IRC channel.
05-14-2020 11:56 AM
Hi Jeff,
In your reply you said that LDAP authentication can be done without enabling synchronization and you can restrict users through the person query, right? But I tried doing the same thing and it didn't work. Following are the properties that I configured on my Alfresco. I am running Alfresco v6.0.a (Docker based).
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://<my-ldap-server-ip>:<port>
ldap.authentication.userNameFormat=uid=%s,ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.active=false
ldap.synchronization.userSearchBase=ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.personQuery=(&(objectclass\=sambaSamAccount)(accountStatus=\active)(sambaBadPasswordCount\=0)(category\=DMS))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=sambaSamAccount)(accountStatus\=active)(sambaBadPasswordCount\=0)(category\=DMS)(!(modifyTimestamp<\={0})))
As you can see from the person query, I want only the users whose account is active to be able to log in to Alfresco.
Now the problem is that all the users on my LDAP server are logging in to Alfresco even if their account on the LDAP server is deactivated. Moreover, I checked the logs on my LDAP server and found that my Alfresco is connected perfectly with the LDAP server, but my person query never reaches the LDAP server. There are no parameters of my person query in my LDAP server's logs.
Kindly help me to resolve this issue. Please look into the above configured properties to see if I have missed something. Your help would be highly appreciated.
Thank you
05-14-2020 12:59 PM
Hi @Syedjunaid,
As this thread has an approved solution, I would recommend starting a new thread - people often overlook solved posts.
HTH,
03-16-2017 03:27 PM
Hi Jason:
All users are allowed to authenticate via LDAP-AD in principle. By default, Alfresco creates and syncs accounts on login when they do not exist. But if you set the properties below, you restrict LDAP auth only to those synced users.
create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
Regards.
--C.
03-16-2017 04:04 PM
...the query I mentioned is exactly the one Jason has defined in his attached alfresco-global.properties. He just added the OR sign in the query, which should not be the case for his intentions.
He also defined the differential query in the right way (again, just the OR sign is too much).
Because the query will only import users which are members of ou=Alfresco, only those users will be able to log in (allowDeletions=true, so users not in ou=Alfresco will be deleted and no login is possible).
I would leave synchronization.syncWhen... =true, so new users in ou Alfresco will be able to log in without having to wait for a scheduled LDAP sync. What do you think, Cesar?
Setting the two other values (create) to false should be fine.
Are you sure that a change in "memberOf" would not affect the whenChanged/modifiedTimestamp setting?
03-17-2017 04:34 AM
Hi Martin:
Regarding synchronization.syncWhen... =true, I'm not completely sure if this property depends on the other ones. By the way, with the new OOTB Support Tools addon, I think you can run the scheduled job on demand (I have not tested it yet). If it is not possible, it would be a nice feature for Support Tools in the Beecon hackathon (Axel Faust). This is a nice feature of the Support Tools in the EE edition.
If you only change the group object, I would say no. Beforehand, you may do a minor "tricky" user modification to change the timestamp, and it will work for this user.
Regards.
--C.