06-19-2017 05:44 AM
I am using alfresco Community - 5.1.0 (r127059-b7)
Currently I am doing LDAP authentication from 1 domain with the following entry in the config:
ldap.authentication.userNameFormat=%s@x.y.z
Now I need additionally a second domain like:
ldap.authentication.userNameFormat=%s@a.b.c
How can I do LDAP authentication from 2 domains?
Is that somehow possible?
How would the entry in the config look?
Thanks for your help.
06-19-2017 07:29 AM
Hi,
never had to use this, but maybe a starting point:
Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation
Regards,
Martin
06-19-2017 07:34 AM
Hi:
Consider a more complex authentication chain composed of two ldap-ad subsystems in alfresco-global.properties:
authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad
And you have to create a structure under
$TOMCAT/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad
.
├── ldap1
│   └── ldap-ad-authentication.properties
└── ldap2
    └── ldap-ad-authentication.properties
for the corresponding properties, which now are not in alfresco-global.properties:
Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation
Regards.
--C.
06-19-2017 07:36 AM
You are faster Martin Ehe
--C.
06-19-2017 07:40 AM
...but your answer is more detailed (more quality takes more time)
06-19-2017 07:39 AM
By the way, regarding the example I would say that in recent Alfresco 5 versions, it is not possible to copy the authentication subsystem sample properties from WEB-INF. Now they are inside a jar.
Regards.
--C.
06-19-2017 09:13 AM
I tried that way already, but the users of the other domain will not be synced.
Our current domain is ldap2; group and users are from the same domain, z.b.c.
ldap1 is in the tree but is not the current domain; its group is in z.b.c, while the users come from a.b.c.
As you can see in the logfile, ldap2 is synced properly (group and users),
but for ldap1 only the group is synced, not the users.
Properties for ldap1:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=xxxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
Properties for ldap2:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
alfresco.log:
2017-06-19 15:00:00,222 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:00,238 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:03:34 from user registry 'ad1'
2017-06-19 15:00:00,643 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:18,053 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving all users from user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Commencing batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Processed 2 entries out of 2. 100% complete. 0 failures detected.
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Completed batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 0 user(s) and 1 group(s) processed
2017-06-19 15:00:32,405 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:32,421 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:00:50 from user registry 'ad2'
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. 0 failures detected.
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving users changed since 19.06.2017 12:04:51 from user registry 'ad2'
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 146 per second. 0 failures detected.
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Completed batch of 16 entries
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 16 user(s) and 1 group(s) processed
06-19-2017 10:46 AM
Just a question for understanding:
Is the LDAP source ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
the same in both configurations?
06-20-2017 04:02 AM
Yes, it's the same address.
06-20-2017 04:08 AM
Have you tried your queries with an LDAP tool (like Apache Directory Studio) to verify the results?
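The cross-check that suggestion implies, as an added example that is not from the thread or from Alfresco: it reads excerpts of the two ldap-ad-authentication.properties files posted above with a minimal Java .properties reader and reports where the domain components of userSearchBase, groupSearchBase, the memberOf DN in personQuery, the bind principal and userNameFormat disagree. The key names are the ones from the posted files; a finding is something to verify in an LDAP browser, not a confirmed cause of the missing users.

```python
import re

# Constructed excerpts of the two per-subsystem property files posted in the
# thread (only the keys the check needs); values keep Alfresco's '\=' escaping.
LDAP1 = """\
ldap.authentication.userNameFormat=%s@a.b.c
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.personQuery=(&(objectclass\\=user)(memberOf=CN\\=GP_A_ALFRESCO,OU\\=Groups,OU\\=TEST,OU\\=ME,DC\\=a,DC\\=b,DC\\=c))
ldap.synchronization.groupSearchBase=DC\\=a,DC\\=b,DC\\=c
ldap.synchronization.userSearchBase=DC\\=b,DC\\=c
"""
LDAP2 = """\
ldap.authentication.userNameFormat=%s@z.b.c
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.personQuery=(&(objectclass\\=user)(memberOf=CN\\=GP_B_ALFRESCO,OU\\=Groups,OU\\=NO,OU\\=WAY,DC\\=z,DC\\=b,DC\\=c))
ldap.synchronization.groupSearchBase=DC\\=z,DC\\=b,DC\\=c
ldap.synchronization.userSearchBase=DC\\=z,DC\\=b,DC\\=c
"""

def parse_properties(text):
    """Minimal Java .properties reader: skips comments, splits on the first
    '=' and removes the backslash escaping Alfresco requires before '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#!':
            continue
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip().replace('\\=', '=')
    return props

def domain_of_dn(dn):
    """'CN=x,OU=y,DC=a,DC=b,DC=c' -> 'a.b.c' (domain components only)."""
    parts = (p.split('=', 1) for p in dn.split(',') if '=' in p)
    return '.'.join(v.strip() for k, v in parts if k.strip().upper() == 'DC')

def check_subsystem(props):
    """Return findings where the domain implied by one setting disagrees with
    another; an empty list means every setting points at the same domain."""
    upn = props.get('ldap.authentication.userNameFormat', '').rpartition('@')[2]
    principal = props.get('ldap.synchronization.java.naming.security.principal', '').rpartition('@')[2]
    user_base = domain_of_dn(props.get('ldap.synchronization.userSearchBase', ''))
    group_base = domain_of_dn(props.get('ldap.synchronization.groupSearchBase', ''))
    m = re.search(r'memberOf=([^()]+)', props.get('ldap.synchronization.personQuery', ''))
    member_dom = domain_of_dn(m.group(1)) if m else ''
    findings = []
    if user_base != upn:
        findings.append(f'userSearchBase domain {user_base!r} differs from userNameFormat domain {upn!r}')
    if group_base != user_base:
        findings.append(f'groupSearchBase domain {group_base!r} differs from userSearchBase domain {user_base!r}')
    if member_dom and member_dom != user_base:
        findings.append(f'personQuery memberOf group is in {member_dom!r}, userSearchBase is {user_base!r}')
    if principal != upn:
        findings.append(f'bind principal domain {principal!r} differs from userNameFormat domain {upn!r}')
    return findings

if __name__ == '__main__':
    for name, text in (('ldap1', LDAP1), ('ldap2', LDAP2)):
        print(name, check_subsystem(parse_properties(text)) or 'consistent')
```

Run against the posted values it reports ldap2 as consistent and lists the three places where ldap1's search bases and the group DN name different domains than its userNameFormat, which is exactly the set of queries worth re-running in Apache Directory Studio.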