LDAP Authentication from 2 domains

cancel
Showing results for 
Search instead for 
Did you mean: 
booltrue
Member II

Re: LDAP Authentication from 2 domains

Just tried and I didn't get the expected result.

I think the problem is, that I have no access to the parent domain.

The domain tree is like:

b.c.

     ----a.b.c

     ----c.b.c

     ----

     ----

     ----z.b.c


Our domain is z.b.c.

I have in my group of domain z.b.c a cross domain member from the domain a.b.c

So I used the user search base b.c.

But when I try to sync with 2 ldap systems under the path tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad

I get the result as you can see in the logfile.

When I dont use any subsystem under extension folder, just use the alfresco-global.properties I get the user from the domain a.b.c. synced to

the group of the domain z.b.c, but only if in the group a user of the domain z.b.c already exists, otherwise not. I really dont understand.

But I need that both domains can register in alfresco, like

ldap.authentication.userNameFormat=%s@a.b.c and ldap.authentication.userNameFormat=%s@z.b.c

so I have to sync from two ldap subsystems

alfresco-global.properties without 2 subsystems:

# LDAP
authentication.chain=alfrescoNtlm1:alfrescoNtlm,myldap:ldap-ad
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.authCreatePeopleOnLogin=false
synchronization.syncOnStartup=true
synchronization.import.cron=0 0/10 * ? * *

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xxx.xxx.xxx.xxx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO_DEV,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c)))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

alfresco.log without 2 subsystems:

2017-06-20 13:50:00,176 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronizing users and groups with user registry 'myldap'
2017-06-20 13:50:00,176 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Full synchronization with user registry 'myldap'
2017-06-20 13:50:00,176 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 13:50:00,207 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 13:50:00,394 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 13:50:00,410 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-20 13:50:00,410 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-20 13:50:39,349 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Retrieving users changed since 20.06.2017 01:52:04 from user registry 'myldap'
2017-06-20 13:51:12,734 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Commencing batch of 2 entries
2017-06-20 13:51:47,461 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Processed 2 entries out of 2. 100% complete. Rate: 0 per second. 0 failures detected.
2017-06-20 13:51:47,461 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Synchronization,Category=directory,id1=myldap,id2=6 User Creation and Association: Completed batch of 2 entries
2017-06-20 13:51:47,476 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] Finished synchronizing users and groups with user registry 'myldap'
2017-06-20 13:51:47,476 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-4] 2 user(s) and 1 group(s) processed
2017-06-20 14:00:00,323 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronizing users and groups with user registry 'myldap'
2017-06-20 14:00:00,323 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Full synchronization with user registry 'myldap'
2017-06-20 14:00:00,323 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-20 14:00:00,369 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Retrieving groups changed since 20.06.2017 13:22:20 from user registry 'myldap'
2017-06-20 14:00:00,557 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-20 14:00:00,572 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 66 per second. 0 failures detected.
2017-06-20 14:00:00,572 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-9] Synchronization,Category=directory,id1=myldap,id2=1 Group Analysis: Completed batch of 1 entries

booltrue
Member II

Re: LDAP Authentication from 2 domains

Is it possible to allow multiple domains in alfresco-global.properties,

without two ldap subsytems,i.e.:

ldap.authentication.userNameFormat=%s@z.b.c

ldap.authentication.userNameFormat=%s@a.b.c

How would be the format ?

ldap.authentication.userNameFormat=%s@?

using only %s is not working

booltrue
Member II

Re: LDAP Authentication from 2 domains

The right way for me to do was to bind two ldap-systems,

without any cross-domain members in any group (caused sync problems)

to be able to allow multiple domain sync.

Now I have the problem that users of the second domain are not be able to login.

Does anyone have an idea ?

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

iisn't

ldap.authentication.userNameFormat=%s@z.b.c

in the first config and 

ldap.authentication.userNameFormat=%s@a.b.c

in the second not working?

booltrue
Member II

Re: LDAP Authentication from 2 domains

b.c.

     ----a.b.c

     ----c.b.c

     ----

     ----

     ----z.b.c (our domain)

ldap.authentication.userNameFormat=%s@a.b.c

yes, here the login doesnt work, but sync works lika a charm

on our domain z.b.c login works same before with only one ldap system

heiko_robert
Senior Member

Re: LDAP Authentication from 2 domains

Multidomain synchronisation and authentication has only a very limited support in Alfresco. We tried this just some months ago. To summarize:

Limitations

  • CIFS/WebDAV Auth, SSO using Kerberos support only one directory. We extended the kerberos implementation to handle the whole user principle instead of only the username part (which we know will conflict with the multi tenancy support) but stopped since we didn't want to rewrite the whole group sync.

You can:

  • define many independent domains (in Alfresco managed in zones) for sync and web authentication having different domains. You need to put all ldap subsystem instances in the auth chain. They work all independent and in sequence on login. Be careful if you have rules for failed logins on AD/LDAP if you work with different configs against the same AD/LDAP.

You cannot:

  • use the same groups accross different zones. You will see unexpected behavior since the groups will switch on sync from zone to zone and only the users belonging to the active zone will be members in the Alfresco group after sync. The group membership sync logic asumes a user as deleted if a user is not returned as memberOf attribute from the group. If the memberOf user is not member of the zone he will be ignored or cause a softfail.

So you should go ahead if you don't share groups managed on ldap/AD but you will fail if you require to use shared groups. If you only need to authenticate in the browser you may try having only one sync config since you have only one directory server. User query may be e.g.

   (& (objectClass=user)(|(userPrincipalName=*@abc.com)(userPrincipalName=*@xyz.net)))

You could then add a second ldap subsystem config only having authentication active
ldap.synchronization.active=false

ldap.authentication.active=true

ldap.authentication.userNameFormat=%s@xyz.net

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

Just thinking: maybe a "ldap proxy" that gathers users and groups (with nlscd) in an alfresco compatible way could be a solution... but this would be a more than a "just try" job.

cesarista
Customer

Re: LDAP Authentication from 2 domains

booltrue booltrue A passthru based subsystem may be used or combined for authentication, using ldap-ad subsystem for syncing. Finally, completely agree with Heiko Robert‌ comments.

Regards.

--C.

booltrue
Member II

Re: LDAP Authentication from 2 domains

Thanks for detailed explanation, but I am a little confused what is the difference between your (‌) explanation and my attempt with two ldap subsytems, or maybe just I dont understand right.

I am syncing two different groups of two different child domains as you can see in the configs.

Maybe you can explain for me more clearer, due I dont understand.

What do I need to change, so that  both domains can authenticate.

Currently only members of our domain z.b.c can authenticte to the system,

the members of the other domain a.b.c can not do.

Syncing of both domains works properly.

mehe
Senior Member II

Re: LDAP Authentication from 2 domains

Maybe the problem is the authentication.chain

It seems to be defined in both subsystems and so only the secon one "wins". I think you have to move the authentication.chain into alfresco-global.properties (only), delete it from the subsystems and use both subsystems in the chain.