Help configuring LDAP

Active Member II

Alfresco Community v6.2.0

I am connecting a test system to my test domain controller, in the LDAP configuration properties page (https://docs.alfresco.com/5.0/concepts/auth-ldap-props.html) it has a section for group and user search bases. The advice given is 'The DN below which to run the group queries.'. My test system is configured as follows:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=xxxxxxxx
ldap.synchronization.java.naming.security.credentials=xxxxxxxx
ldap.synchronization.groupSearchBase=Alfresco,OU=Groups,OU=Blackburn,DC=Chris,DC=com
ldap.synchronization.userSearchBase=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com

Within both Users and Groups I have set up 2 OUs (Alfresco & NonAlfresco), then I have created a test user in each group. From the advice given, one would assume that only the users below the Alfresco OUs would be able to log in, but I can log in with the users in the NonAlfresco OUs too. Can anyone explain why this is?
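The following is an added example, not code from this thread or from Alfresco. It models the two separate things the ldap-ad subsystem does with an account: a subtree search under ldap.synchronization.userSearchBase (synchronization) and a simple bind as userNameFormat applied to the login name (authentication). The directory entries, passwords and the "fixed" search base with an OU= prefix on its first component are constructed assumptions modelled on the OU layout in the post; the bind and person-creation logic is a simplified model, not Alfresco's or Active Directory's real code. Note that the posted userSearchBase value starts with the bare component "Alfresco" rather than an attribute=value RDN, which the parser below rejects.

```python
"""Added example, not code from the thread or from Alfresco.

Models two things the LDAP-AD subsystem does with a user:
  1. synchronization: a subtree search under ldap.synchronization.userSearchBase
  2. authentication: a simple bind as userNameFormat % username (user@chris.com)

Assumptions (constructed test data): the DNs, account names and passwords
imitate the OU layout from the post; the bind model is a simplification of
Active Directory, not Alfresco's or AD's real code.
"""

DOMAIN = "chris.com"
USER_NAME_FORMAT = "%s@chris.com"  # ldap.authentication.userNameFormat

# Value exactly as posted: the first component has no attribute type.
POSTED_USER_BASE = "Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"
# Hypothetical corrected value (assumption: the OU really is named "Alfresco").
FIXED_USER_BASE = "OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com"

# Constructed directory: one account in each of the two OUs from the post.
DIRECTORY = {
    "alf.user": {"dn": "CN=alf.user,OU=Alfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
                 "password": "Alf-Pass-1"},
    "non.user": {"dn": "CN=non.user,OU=NonAlfresco,OU=Users,OU=Blackburn,DC=Chris,DC=com",
                 "password": "Non-Pass-1"},
}


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first.

    Handles backslash-escaped commas (enough for AD-style DNs) and lower-cases
    both parts, since AD matches attribute types and OU/DC names case-insensitively.
    Raises ValueError for a component with no '=' such as the posted 'Alfresco'.
    """
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"component {rdn.strip()!r} in {dn!r} has no attribute type")
        parsed.append((attr.strip().lower(), value.strip().lower()))
    return parsed


def search_base_problem(base):
    """Return why a search base cannot be parsed, or None if it parses cleanly."""
    try:
        parse_dn(base)
    except ValueError as exc:
        return str(exc)
    return None


def is_under_base(dn, base):
    """True if dn is at or below base, i.e. what a subtree-scoped search returns."""
    dn_rdns, base_rdns = parse_dn(dn), parse_dn(base)
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns


def synced_users(user_base):
    """Accounts the synchronization query would import from under user_base."""
    return sorted(name for name, entry in DIRECTORY.items()
                  if is_under_base(entry["dn"], user_base))


def simple_bind(principal, password):
    """Model of an AD simple bind: the server checks the UPN and password only.

    The search base is a client-side setting that is never sent with a bind,
    so an account anywhere in the domain can bind successfully.
    """
    name, sep, domain = principal.partition("@")
    if not sep or domain.lower() != DOMAIN:
        return False
    entry = DIRECTORY.get(name.lower())
    return entry is not None and entry["password"] == password


def login_allowed(username, password, user_base, auto_create_people_on_login):
    """Whether a login succeeds in this model.

    The bind decides authentication. A person record then exists either because
    the sync imported the account from under user_base, or because people are
    auto-created on login (synchronization.autoCreatePeopleOnLogin).
    """
    if not simple_bind(USER_NAME_FORMAT % username, password):
        return False
    if auto_create_people_on_login:
        return True
    return username in synced_users(user_base)


if __name__ == "__main__":
    print("posted base problem:", search_base_problem(POSTED_USER_BASE))
    print("synced under fixed base:", synced_users(FIXED_USER_BASE))
    for user, pw in (("alf.user", "Alf-Pass-1"), ("non.user", "Non-Pass-1")):
        for auto in (True, False):
            print(user, "autoCreatePeopleOnLogin=%s:" % auto,
                  login_allowed(user, pw, FIXED_USER_BASE, auto))
```

Run stand-alone, the script shows that the user in the NonAlfresco OU binds successfully regardless of the search base, and is only turned away when auto-creation of people on login is off and the sync (now scoped to a parseable base) has not imported the account.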

14 Replies

Alfresco Employee

Re: Help configuring LDAP

I guess you're missing the "create.missing.people" flag.

https://docs.alfresco.com/community/concepts/auth-ldap-props.html

Add following configuration:

create.missing.people=false
Software Engineer in Alfresco Search Team.
Active Member II

Re: Help configuring LDAP

Hi, thanks for your reply. I have added that configuration to the file, and it has now prevented all users from logging in, even the built-in admin/admin account.

Alfresco Employee

Re: Help configuring LDAP

Check that you have also included both authentication systems:

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

And take a look at this video:

https://www.youtube.com/watch?v=pJNpqAOelmE

Hope that helps.

Software Engineer in Alfresco Search Team.
Active Member II

Re: Help configuring LDAP

Hi, sorry about my last message... The reason I could not authenticate any users was that my VM had a network issue, so Alfresco could not contact the server. I have added the create.missing.people=false setting, and it still allows users from another OU to log in, so this has seemingly not changed anything that I can notice.

Established Member II

Re: Help configuring LDAP

To avoid auto-creation of users, we are currently using the following property:

synchronization.autoCreatePeopleOnLogin=false

We got this property by looking at default-synchronization.properties file. I think Alfresco should update the documentation about this.

I hope it solves your problem.

Active Member II

Re: Help configuring LDAP

I've added that setting, and it is still allowing users from the wrong OU in AD to log in. I'm using the Bitnami installer; would that make a difference? Something else worth pointing out, too, is that when I navigate to:

http://127.0.0.1:81/share/page/console/admin-console/users

I get an error 'Error loading items'

Established Member II

Re: Help configuring LDAP

This error is a known bug in Share 6.2.

Regarding LDAP users, have you checked that these users from the wrong OU are not there from past wrong logins? The simplest way would be checking whether these users can change their password from the Share UI. LDAP users can't change their password from the Share UI.

Also, afaik, there is no bitnami installer for Alfresco 6.2... 

Active Member II

Re: Help configuring LDAP

If I log in to my build and click the Alfresco logo, it gives me the following detail:

Alfresco Share v6.2.0

Established Member II

Re: Help configuring LDAP

The "Error loading items" issue is a known Share 6.2 bug, as I stated in my last comment.

Regarding your LDAP error, I think Alfresco is not synchronizing users correctly. Check your logs, and escape the equals signs in your userSearchBase property value by adding a backslash in front of them.