ldap-ad: allow login for users of specific security group

cancel
Showing results for 
Search instead for 
Did you mean: 
mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Cesar,

thank you for clarifying the "memberOf" thing - I always wondered why some users weren't synced like expected, but a few days later they were in sync - probably of some change I didn't notice (bad password time...)

I also saw that whenChanged seem not to be propagated between multiple DCs, which has the effect that I had to use a distinct DC for syncing...

...and thanks to Axel Faust and the others who work(ed) on the OOTBee Support Tools Smiley Happy

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Maybe a modification of this script helps (for iterating between a defined array of users, and not for all users). Be careful with deletions.

Alfresco, massive delete of users | Programming and So 

Regards.

--C.

afaust
Master

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Even if you have the allowDeletions set to false you can still technically trigger a synchronisation that deletes users that should no longer exist. This can be done via the JavaScript Console tool and I have a Gist that shows how synchronisation can be triggered with a different setting than may be configured for synchronisation.

mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

...I should setup a knowledge base for things like these with a sophisticated solr/elasticsearch index Smiley Happy

Thanx again Axel

jahu
Active Member

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Ah, thank you. If you can't tell already, I'm extremely green with Alfresco! I didn't know it was as easy as removing the user in the admin console, I figured there would be more cleanup to do.

I am not worried about the users home directory, those can live on into eternity. If I do run into problems later on, I will find a way to remove them, most likely using Cesar's suggestion with modifying the mass user deletion script he linked to.

One more side question since it's been mentioned a few times: Is the only way to do a full sync is by setting the differential query the same as the full query, then restarting the Alfresco server? 

Thank you again everyone!

-Jason

afaust
Master

Re: ldap-ad: allow login for users of specific security group

Jump to solution

No - there are alternatives. See my response further up the chain. Using the JavaScript Console you can always trigger a full synchronisation.

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

No, you can also set:

synchronization.synchronizeChangesOnly=false

The default is true. But this only applies on cron syncs, not for the subsystem startup for example.

Regards.

--C.

mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Jason, no (see the other answers) but it is an easy way to force the full sync if you need it just now - without installing anything else. 

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Axel, I tried with JS Console with the mentioned script.

I run the script and I obtained this error in JS Console,

500 Internal Error
Stacktrace-Details:
org.springframework.extensions.webscripts.WebScriptException: 02170092 Wrapped Exception (with status template): A valid SecureContext was not provided in the RequestContext

.

.

Caused by: net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:481)

But the INFO logs in catalina.out seem correct and without errors.

2017-03-17 16:40:56,596 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronizing users and groups with user registry 'myldap'
2017-03-17 16:40:56,642 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Retrieving groups changed since 13-mar-2017 11:25:54 from user registry 'myldap'
2017-03-17 16:40:56,668 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 0 entries
2017-03-17 16:40:56,668 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 0 entries
2017-03-17 16:40:56,670 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Retrieving users changed since 13-mar-2017 11:21:34 from user registry 'myldap'
2017-03-17 16:40:56,674 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-03-17 16:40:56,752 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 205 per second. 0 failures detected.
2017-03-17 16:40:56,753 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Completed batch of 16 entries
2017-03-17 16:40:56,788 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] Finished synchronizing users and groups with user registry 'myldap'
2017-03-17 16:40:56,788 INFO [security.sync.ChainingUserRegistrySynchronizer] [http-apr-8080-exec-10] 16 usuarios y 0 grupos procesados

Does it have sense ?

Regards.

--C.

afaust
Master

Re: ldap-ad: allow login for users of specific security group

Jump to solution

You should not have any issues / errors executing that script. Are you executing it with a proper authentication (you can set other runAs contexts with JavaScript Console)?