Sorry, I didn't notice your link for the fix, but I've updated the file now and I can see users in the admin console, which makes life a lot easier for me, thanks for that!
Currently, without the synchronization.autoCreatePeopleOnLogin=false setting, when I delete all of the users and restart the services, they don't appear in the users section, but if I attempt to log in with any of the test users from either the Alfresco or NonAlfresco group, it allows me to log in and creates them as a user. If I apply that setting, it does not let me log in with the test users from either group. I seem to get the same reaction from the system if I edit that setting out and use create.missing.people=false instead, so neither seems to be doing what I require. I have tried changing the searchbase properties to what you suggested:
ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=chris,DC\=com
This doesn't seem to have any effect.
I have had a look at the Tomcat errors (in alfrescotomcat-stdout.2020-04-15.log), but I'm not sure what error to look for to determine why Alfresco either allows no users to log in, or all of them.
Then it seems that Alfresco is not correctly synchronizing your ldap users. Look at alfresco.log at startup time, or share your alfresco.log file here. It could be an authentication error against your ldap, or maybe that Alfresco cannot reach your ldap server.
I'm not sure how to share my log file here, there doesn't seem to be any upload facility. I've checked the log file and found this error though:
org.alfresco.repo.security.authentication.AuthenticationException: 03150018 Failed to authenticate, username or password is wrong. User name:Administrator Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]
I originally had a user called Alfresco for authentication and found that error in the log file, so I changed the username to the administrator UN/PW that I use for the server, but I'm still getting the error for the Administrator account. I've set the settings in the following config:
ldap.synchronization.java.naming.security.principal=Alfresco
ldap.synchronization.java.naming.security.credentials=Pa55word
The previous error was the same:
org.alfresco.repo.security.authentication.AuthenticationException: 03150056 Failed to authenticate, username or password is wrong. User name:Alfresco Reason [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]
Ok, then the error is about LDAP authentication. Don't provide your server user to authenticate against your AD; there must be some user in the same AD application that grants you read access to it.
Also, you can try to connect from an external tool to check that you can connect properly, or ask whoever provided you these credentials to check their validity.
Thanks a lot for your help. It turned out that the reason LDAP was not authenticating was that the username I was using did not have @chris.com on the end of it; once I changed it to that, it worked, and I now only have the users I want in Alfresco. For anyone visiting this thread in the future, I will list my settings that are now working:
### LDAP - AUTHENTICATION ###
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.active=true
ldap.authentication.java.naming.provider.url=ldap://192.168.56.220:389
ldap.authentication.userNameFormat=%s@chris.com
ldap.authentication.allowGuestLogin=false
create.missing.people=false
### LDAP - SYNCRONISATION ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=Administrator@chris.com
ldap.synchronization.java.naming.security.credentials=********
ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.userSearchBase=OU\=Alfresco,OU\=Users,OU\=Blackburn,DC\=Chris,DC\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=TechSupport,OU\=Alfresco,OU\=Groups,OU\=Blackburn,DC\=Chris,DC\=com))
synchronization.syncOnStartup=true
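As an added example (not code from the thread or from Alfresco), the small Python helper below does the two checks this thread turned on: it pulls the AD sub-code out of an Alfresco "error code 49" log line (data 52e here, which AD returns for a bad password or a bind name it does not accept), and it reads an alfresco-global.properties fragment to flag a bare sync principal without the @domain suffix. The sub-code table and the sample inputs are constructed for the example.

```python
import re

# AD sub-codes reported after "LDAP: error code 49" (constructed lookup, common values only)
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: wrong password, or the bind name is not in a form AD accepts",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}
LOG_RE = re.compile(r"User name:(\S+).*?LDAP: error code (\d+).*?data ([0-9a-f]+)", re.S)

def classify_bind_error(log_line):
    """Pull user, LDAP result code and AD sub-code out of an Alfresco auth-failure line."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    user, code, data = m.groups()
    return {"user": user, "code": code, "data": data,
            "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code")}

def parse_properties(text):
    """Minimal alfresco-global.properties reader: skips ### comments, unescapes '\\='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\=", "=")
    return props

def check_ad_settings(props):
    """Findings about the sync bind principal and login name format for the ldap-ad subsystem."""
    findings = []
    principal = props.get("ldap.synchronization.java.naming.security.principal", "")
    if "@" not in principal and "=" not in principal:
        findings.append("sync principal is a bare account name; AD needs user@domain (UPN) or a full DN")
    fmt = props.get("ldap.authentication.userNameFormat", "")
    if fmt and "%s" not in fmt:
        findings.append("ldap.authentication.userNameFormat is set but has no %s placeholder")
    return findings

# Constructed inputs mirroring the thread: the failing log line and the before/after principal.
FAILING_LINE = ("org.alfresco.repo.security.authentication.AuthenticationException: 03150056 Failed to "
                "authenticate, username or password is wrong. User name:Alfresco Reason [LDAP: error code "
                "49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ]")
BEFORE = "ldap.synchronization.java.naming.security.principal=Alfresco\n"
AFTER = ("### LDAP - AUTHENTICATION ###\nldap.authentication.userNameFormat=%s@chris.com\n"
         "ldap.authentication.allowGuestLogin=false\n"
         "ldap.synchronization.java.naming.security.principal=Administrator@chris.com\n")
```

Running `check_ad_settings(parse_properties(BEFORE))` reports the bare principal, while the AFTER fragment comes back clean; `classify_bind_error(FAILING_LINE)` maps 52e to invalid credentials.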