LDAP Authentication

mdubois
Confirmed Champ

Hi,

I need to set up LDAP authentication on my Alfresco Community.
In alfresco-global.properties I added some lines, but when I try to connect to Alfresco Share with my AD account it doesn't work. I added these lines:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap

ldap.authentication.java.naming.provider.url=ldap://IPAdressOfMyAD:389

ldap.synchronization.userSearchBase=uids=%s,ou=\Utilisateurs,dc=\DOMAIN,dc=\fr 

ldap.authentification.active=true

ldap.synchronization.active=false

Do I need to add other lines or edit other files?


fedorow
Elite Collaborator

You should give information about the synchronization user: name and password.

ldap.synchronization.java.naming.security.principal=alfresco@domain.com
ldap.synchronization.java.naming.security.credentials=secret

And add a format of user names for authentication.

ldap.authentication.userNameFormat=%s@domain.com

It would be nice to add an admin and guest policy:

ldap.authentication.allowGuestLogin=false
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

For more information look at the example:

http://docs.alfresco.com/community/tasks/auth-example-oneldap-ad.html

And the documentation:

http://docs.alfresco.com/community/concepts/auth-ldap-intro.html

mdubois
Confirmed Champ

Thanks a lot for your help!

About LDAP synchronization, do I need the name and password of my AD/DC or of my Alfresco server?

fedorow
Elite Collaborator

naming.security.principal is an AD user which should have read permissions on LDAP (AD).

defaultAdministratorUserNames can be comma-separated local Alfresco users and/or synchronized AD users.

mdubois
Confirmed Champ

Thanks a lot, that's the solution!

mdubois
Confirmed Champ

Just one more question: this line didn't work:

ldap.synchronization.groupSearchBase=ou=Groupes d'accès,dc=domain,dc=com

##Group from AD to Alfresco

fedorow
Elite Collaborator

It's the search base of your AD. It points to the place where your groups are stored.

You can check how it works with an LDAP browser, filter everything you need, and add your base and query to alfresco-global.properties.

The full query parameters are:

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=OU\=Unit,DC\=domain,DC\=com

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=OU\=Unit,DC\=domain,DC\=com
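The `\=` and `\:` in the lines above are escapes of the Java properties-file format, not part of the LDAP value. As an added example (not from this thread or from Alfresco), the following Python script decodes such lines to the values Alfresco actually sends, splits the search base into its RDNs, and sanity-checks the filters; the sample properties embedded in it are constructed, not a real site's values.

```python
import re
# Constructed sample in the escaped form alfresco-global.properties uses (not a real site's values)
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupSearchBase=OU\=Groupes d'accès,DC\=domain,DC\=com
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
"""
def unescape_java_value(raw):
    # java.util.Properties: a backslash escapes the next char, so '\=' -> '=' and '\:' -> ':'
    return re.sub(r"\\(.)", lambda m: {"t": "\t", "n": "\n"}.get(m.group(1), m.group(1)), raw)

def parse_properties(text):
    """Return {key: unescaped value}; comment lines (# or !) are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")  # keys on this page contain no escaped '='
            props[key.strip()] = unescape_java_value(value.strip())
    return props

def split_dn(dn):
    """Split an RFC 4514 DN into (ATTR, value) pairs, honouring backslash-escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def filter_is_balanced(ldap_filter):
    """Cheap RFC 4515 syntax check: parentheses must nest and balance."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")
```

One caveat worth checking in the decoded personQuery: the matching rule 1.2.840.113556.1.4.803 is a bitwise AND, so `:=512` (NORMAL_ACCOUNT) also matches disabled accounts (514), and excluding them needs an extra `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause.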

mdubois
Confirmed Champ

It didn't work; I think I don't really understand how to complete those lines:

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=OU\=Groupes d'accès,DC\=domain,DC\=com

fedorow
Elite Collaborator

Try

ldap.synchronization.groupSearchBase=ou=Groupes d'accès,ou=RAPIDO,ou=CCAR,ou=RAPIDO_VDL,dc=rapido53,dc=com

or

ldap.synchronization.groupSearchBase=OU\=Groupes d'accès,OU\=RAPIDO,OU\=CCAR,OU\=RAPIDO_VDL,DC\=rapido53,DC\=com

mdubois
Confirmed Champ

It didn't work...

I tried these 2 options and left this enabled:

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))

But when I connect with the admin account, go to admin tools, users and groups, and type a group of my AD, I get nothing. I don't know if this command responds to my need.

For example, I have a group named "Informatique" with 4 users. I want to import this group into Alfresco, and when I'm in Alfresco I want these 4 users imported and in a group named "Informatique", so that I can just add rights on this group for all the users in it.

Sorry, my English sounds French :)