LDAP Authentication from 2 domains

booltrue
Member II

LDAP Authentication from 2 domains

I am using alfresco Community - 5.1.0 (r127059-b7)

Currently I am doing LDAP authentication from 1 domain with the following entry in the config:

ldap.authentication.userNameFormat=%s@x.y.z

Now I need additionally a second domain like:

ldap.authentication.userNameFormat=%s@a.b.c

How can I do LDAP authentication from 2 domains?

Is that somehow possible?

How would the entry in the config look?

Thanks for your help

33 Replies
mehe
Senior Member II

Re: LDAP Authentication from 2 domains

Hi,

never had to use this, but maybe a starting point:

Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation 

Regards,

Martin

cesarista
Customer

Re: LDAP Authentication from 2 domains

Hi:

Consider a more complex authentication chain composed of two ldap-ad subsystems in alfresco-global.properties:

authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad

And you have to create a structure under

$TOMCAT/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad

.
├── ldap1
│   └── ldap-ad-authentication.properties
└── ldap2
    └── ldap-ad-authentication.properties

for the corresponding properties, which are now not in alfresco-global.properties.

Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation 

Regards.

--C.

cesarista
Customer

Re: LDAP Authentication from 2 domains

You are faster, Martin Ehe :)

--C.

cesarista
Customer

Re: LDAP Authentication from 2 domains

By the way, regarding the example I would say that in recent Alfresco 5 versions, it is not possible to copy the authentication subsystem sample properties from WEB-INF. Now they are inside a jar.

Regards.

--C. 

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

...but your answer is more detailed :) (more quality takes more time)

booltrue
Member II

Re: LDAP Authentication from 2 domains

I tried that way already, but the users of the other domain will not be synced.

Our current domain is ldap2; group and users are from the same domain z.b.c.

ldap1 is in the tree but is not the current domain; the group is in z.b.c, the users come from a.b.c.

As you can see in the logfile, ldap2 will be synced properly (group + users),

but for ldap1 only the group will be synced, not the users.

properties for ldap1:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=xxxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

properties for ldap2:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco.log:

2017-06-19 15:00:00,222 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:00,222 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad1'
2017-06-19 15:00:00,222 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:00,238 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:03:34 from user registry 'ad1'
2017-06-19 15:00:00,643 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:00,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-19 15:00:00,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:18,053 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving all users from user registry 'ad1'
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Commencing batch of 2 entries
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Processed 2 entries out of 2. 100% complete. 0 failures detected.
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Completed batch of 2 entries
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:32,390 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 0 user(s) and 1 group(s) processed
2017-06-19 15:00:32,405 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,405 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad2'
2017-06-19 15:00:32,405 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:32,421 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:00:50 from user registry 'ad2'
2017-06-19 15:00:32,452 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:32,452 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. 0 failures detected.
2017-06-19 15:00:32,452 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:32,499 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving users changed since 19.06.2017 12:04:51 from user registry 'ad2'
2017-06-19 15:00:32,499 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-06-19 15:00:32,608 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 146 per second. 0 failures detected.
2017-06-19 15:00:32,608 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Completed batch of 16 entries
2017-06-19 15:00:32,624 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,624 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 16 user(s) and 1 group(s) processed
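
A small consistency checker, added here and not part of the thread, that reads constructed excerpts of the two ldap-ad-authentication.properties files posted above (only the DN-bearing keys) and reports every setting whose DN or UPN suffix names a different AD domain than the rest of that subsystem; for ldap1 it flags userSearchBase (DC=b,DC=c) against a.b.c everywhere else, which is the first thing to verify with an LDAP tool when a registry syncs its group but zero users.

```python
import re

# Constructed excerpts of the two properties files posted in the thread, reduced to
# the DN-bearing keys; Java properties files escape '=' inside a value as '\='.
LDAP1 = r"""
ldap.authentication.userNameFormat=%s@a.b.c
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
"""
LDAP2 = r"""
ldap.authentication.userNameFormat=%s@z.b.c
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
"""

def parse_properties(text):
    """Minimal Java .properties reader: split on the first unescaped '=' or ':'
    and resolve backslash escapes in the value (so 'DC\\=a' becomes 'DC=a')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in '#!':
            continue
        m = re.match(r'((?:\\.|[^=:\s])+)\s*[=:]\s*(.*)', line)
        if m:
            props[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return props

def domain_of_dn(dn):
    """'CN=x,OU=y,DC=a,DC=b,DC=c' -> 'a.b.c' (the AD domain the DN lives in)."""
    return '.'.join(re.findall(r'(?i)DC=([^,]+)', dn))

def domain_references(props):
    """Map every setting that names a domain (UPN suffix or DN) to that domain."""
    refs = {}
    for label, key in (('userNameFormat', 'ldap.authentication.userNameFormat'),
                       ('sync principal', 'ldap.synchronization.java.naming.security.principal')):
        if '@' in props.get(key, ''):
            refs[label] = props[key].split('@', 1)[1]
    for key in ('groupSearchBase', 'userSearchBase'):
        if props.get('ldap.synchronization.' + key):
            refs[key] = domain_of_dn(props['ldap.synchronization.' + key])
    m = re.search(r'memberOf=([^)]+)', props.get('ldap.synchronization.personQuery', ''))
    if m:
        refs['personQuery memberOf'] = domain_of_dn(m.group(1))
    return refs

def check_domains(text):
    """Return the settings whose domain disagrees with the subsystem's majority domain."""
    refs = domain_references(parse_properties(text))
    majority = max(set(refs.values()), key=list(refs.values()).count)
    return {label: dom for label, dom in refs.items() if dom != majority}
```

Run `check_domains(LDAP1)` and `check_domains(LDAP2)` against the real files once the excerpts are replaced with the full properties; an empty result means every DN and UPN suffix in that subsystem points at the same domain.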

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

just a question for understanding:

Is the LDAP source ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx the same in both configurations?

booltrue
Member II

Re: LDAP Authentication from 2 domains

Yes, it's the same address.

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

Have you tried your queries with an LDAP tool (like Apache Directory Studio) to verify the results?