Help configuring LDAP

ChrisAlker
Active Member II

Re: Help configuring LDAP

Sorry, I didn't notice your link for the fix, but I've updated the file now and I can now see users in the admin console, which makes life a lot easier for me; thanks for that!

Currently, without the synchronization.autoCreatePeopleOnLogin=false setting, when I delete all of the users and restart the services, they don't appear in the users section, but if I attempt to log in with any of the test users from either of the Alfresco/NonAlfresco groups, it allows me to log in and creates them as a user. If I apply that setting, it does not let me log in with the test users from either group. I seem to get the same reaction from the system if I edit that setting out and use create.missing.people=false instead, so neither seems to be doing what I require. I have tried changing the searchbase properties to what you suggested:

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=chris,DC\=com

This doesn't seem to have any effect.

I have had a look at the Tomcat errors (in alfrescotomcat-stdout.2020-04-15.log), but I'm not sure what error to look for to determine why Alfresco either allows no users to log in, or all of them.

narkuss
Established Member II

Re: Help configuring LDAP

Then it seems that Alfresco is not correctly synchronizing your LDAP users. Look at alfresco.log at startup time, or share your alfresco.log file here. It could be an authentication error against your LDAP, or maybe that Alfresco cannot reach your LDAP server.

ChrisAlker
Active Member II

Re: Help configuring LDAP

I'm not sure how to share my log file here; there doesn't seem to be any upload facility. I've checked the log file and found this error, though:

org.alfresco.repo.security.authentication.AuthenticationException: 03150018 Failed to authenticate, username or password is wrong. User name:Administrator Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

I originally had a user called Alfresco for authentication and found that error in the log file, so I changed the username to the administrator UN/PW that I use for the server, but I'm still getting the error for the Administrator account. I've set the settings in the following config:

ldap.synchronization.java.naming.security.principal=Alfresco
ldap.synchronization.java.naming.security.credentials=Pa55word

The previous error was the same:

org.alfresco.repo.security.authentication.AuthenticationException: 03150056 Failed to authenticate, username or password is wrong. User name:Alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]

narkuss
Established Member II

Re: Help configuring LDAP

OK, then the error is about LDAP authentication. Don't provide your server user to authenticate against your AD; there must be some user in the same AD application that grants you read access to it.

Also, you can try to connect from an external tool to check that you can connect properly, or ask whoever provided you these credentials to check their validity.

ChrisAlker
Active Member II

Re: Help configuring LDAP

Thanks a lot for your help. It turned out that the reason LDAP was not authenticating was that the username I was using did not contain @chris.com on the end of it; once I changed it to that, it worked, and I now only have the users I want in Alfresco. For anyone visiting this thread in the future, I will list my settings that are now working:

### LDAP - AUTHENTICATION ###

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ldap.authentication.active=true
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.allowGuestLogin=false

create.missing.people=false

### LDAP - SYNCHRONISATION ###

ldap.synchronization.active=true

ldap.synchronization.java.naming.security.principal=Administrator@chris.com
ldap.synchronization.java.naming.security.credentials=********

ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.groupQuery=(objectclass\=group)

ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=TechSupport,OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com))

synchronization.syncOnStartup=true
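As an added example (not from this thread and not Alfresco code), a small Python helper that classifies the "LDAP: error code 49" lines quoted above by their Active Directory sub-code and flags a synchronization bind principal that lacks the realm suffix, which is exactly the 52e failure that was resolved here. The sub-code table is the standard AD mapping, the sample log line is constructed, and check_sync_principal is a hypothetical helper, not an Alfresco API.

```python
import re
# Active Directory sub-codes that accompany "LDAP: error code 49" on a failed simple bind.
# 52e is the one in this thread: AD rejected the credentials, which also happens when the
# principal is a bare account name instead of a UPN (user@realm) or a full DN.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or principal not in a form AD accepts)",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password",
    "775": "account locked out",
}
LOG_RE = re.compile(
    r"User name:(?P<user>\S+) Reason \[LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: "
    r"LdapErr: DSID-[0-9A-Fa-f]+, comment: [^,]+, data (?P<data>[0-9A-Fa-f]+)"
)

def classify_bind_failure(log_line):
    """Return a dict describing an Alfresco LDAP bind failure, or None for other lines."""
    m = LOG_RE.search(log_line)
    if m is None:
        return None
    user = m.group("user")
    data = m.group("data").lower()
    return {
        "user": user,
        "ldap_code": int(m.group("code")),
        "ad_subcode": data,
        "reason": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
        # AD simple bind wants user@realm or a DN; a bare sAMAccountName yields 52e.
        "principal_has_realm": "@" in user or user.lower().startswith("cn="),
    }

def check_sync_principal(properties):
    """Hypothetical config check: warn when the sync principal is a bare account name."""
    principal = properties.get("ldap.synchronization.java.naming.security.principal", "")
    if not principal:
        return ["sync principal is not set"]
    if "@" in principal or "=" in principal:
        return []
    fmt = properties.get("ldap.authentication.userNameFormat", "%s")
    return ["principal %r has no realm; try %r" % (principal, fmt.replace("%s", principal))]

# Constructed sample log line modelled on the message quoted above, not the poster's real log.
SAMPLE_LINE = (
    "org.alfresco.repo.security.authentication.AuthenticationException: 03150056 "
    "Failed to authenticate, username or password is wrong. User name:Alfresco "
    "Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, "
    "comment: AcceptSecurityContext error, data 52e, v3839 ]"
)
```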