Alfresco Community v6.2.0
I am connecting a test system to my test domain controller. In the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries'. My test system is configured as follows:
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com
Within both users and groups I have set up 2 OUs (alfresco & nonalfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the nonalfresco OUs too. Can anyone explain why this is?
I guess you've missed setting the "create.missing.people" flag.
https://docs.alfresco.com/community/concepts/auth-ldap-props.html
Add following configuration:
create.missing.people=false
Hi, thanks for your reply, I have added that configuration to the file and it has now prevented all users from logging in, even the built in admin/admin account
Check that you have also included both authentication systems:
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
And take a look at this video:
https://www.youtube.com/watch?v=pJNpqAOelmE
Hope that helps.
Hi, sorry about my last message... The reason I could not authenticate any users was because my VM had a network issue, so Alfresco could not contact the server. I have added in the create.missing.people=false setting and it will still allow users from another OU to log in, so this has seemingly not changed anything that I can notice.
To avoid auto-creation of users, we are currently using the following property:
synchronization.autoCreatePeopleOnLogin=false
We got this property by looking at default-synchronization.properties file. I think Alfresco should update the documentation about this.
I hope it solves your problem.
I've added that setting and it is still allowing users from the wrong OU in AD to log in. I'm using the Bitnami installer; would that make a difference? Something else worth pointing out too is that when I navigate to:
http://127.0.0.1:81/share/page/console/admin-console/users
I get an error 'Error loading items'
This error is a known bug in share 6.2.
Regarding ldap users, have you checked that these users from the wrong OU are not there from past wrong logins? The simplest way would be checking that these users can change their password from share UI. Ldap users can't change their password from share UI.
Also, afaik, there is no bitnami installer for Alfresco 6.2...
If I log in to my build and click the alfresco logo, it gives me the following detail:
Alfresco Share v6.2.0
The error loading items issue is a known Share 6.2 bug, as I stated in my last comment.
Regarding your ldap error, I think Alfresco is not synchronizing users correctly. Check your logs, and escape the equals signs in your usersSearchBase property value adding a backslash in front of them.
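An added check, not from the thread or from Alfresco's code, for the scoping question raised at the top and the search-base remark in the last reply: it parses DNs per RFC 4514 and tells whether an entry lies beneath a search base, and it flags a base value whose first RDN has no attribute type. The search bases are ldap.synchronization.* settings, so this models what synchronization would select, not what a bind formed from userNameFormat accepts. The user DNs are constructed from the OU layout described above.

```python
"""DN scope check for ldap.synchronization.userSearchBase (added example,
not Alfresco code). RFC 4514: an entry is under a search base only if its
DN ends with the base's RDN sequence. Sample DNs are constructed."""

import re

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attr, value), ...], attr lower-cased, value case-folded.
    Raises ValueError if an RDN lacks the 'attr=value' form."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if '=' not in rdn:
            raise ValueError(f"RDN without attribute type: {rdn!r}")
        attr, _, value = rdn.partition('=')
        rdns.append((attr.strip().lower(), value.strip().casefold()))
    return rdns


def in_scope(entry_dn: str, search_base: str) -> bool:
    """True when entry_dn is the search base itself or lies beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(search_base)
    return len(entry) >= len(base) and entry[-len(base):] == base


def base_is_valid(search_base: str) -> bool:
    """Sanity check for a search-base property value before deploying it."""
    try:
        parse_dn(search_base)
        return True
    except ValueError:
        return False


# Constructed sample data mirroring the two-OU layout described in the thread.
USER_BASE = "OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"
IN_OU = "CN=test1,OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"
OUT_OU = "CN=test2,OU=NonAlfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"
# The userSearchBase value exactly as it appears in the question above.
POSTED_BASE = "Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"

if __name__ == "__main__":
    print(in_scope(IN_OU, USER_BASE), in_scope(OUT_OU, USER_BASE))  # True False
    print(base_is_valid(POSTED_BASE))  # False: first RDN has no 'OU='
```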