Help

LDAP - allow login specific groups

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
jeorgen
Member II
‎24 Nov 2020 4:09 PM

LDAP - allow login specific groups

Hello, I have a Alfresco 6.2 through Docker. I want to be able login only few groups from AD.

I created two configuration files. In the first config. was loaded all users and groups and disabled authetification.

In the second config. is enabled authetification so people mapped in groups in personQuery are able to login.

Problem is that login can everyone. Also I have this error:

org.alfresco.error.AlfrescoRuntimeException: 10240018 Error during LDAP Search. Reason:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:

'DC=sp,DC=local'

]

I think i have a bad logic with this. Can someone please provide me some correct info? To allow login only for specific group, not for everyone.

First Config

ntlm.authentication.sso.enabled=false

synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true

ldap.synchronization.active=true
ldap.authentication.active=false
#KREDENC
ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port

ldap.synchronization.userEmailAttributeName=mail
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.personQuery=objectclass\=user

Second Config

ldap.authentication.active=true
ldap.synchronization.active=false


ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port


ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local


ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userType=user
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))

 

Labels
0 Kudos
Reply
1 Reply
heiko_robert
Senior Member
‎25 Nov 2020 0:04 PM

Re: LDAP - allow login specific groups

@jeorgen,

why should you need both configs? did you place your two configs in two independant subsystems? For my understanding the second one including the group memberOf filter should be fine for both (sync & login).

How does your authentication.chain look like?

Please check you have autoCreatePeopleOnLogin disabled to prevent user creating from any successfull ldap auth request ignoring your sync paths:

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=false

 

Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.