I am using alfresco Community - 5.1.0 (r127059-b7)
Currently I am doing LDAP authentication from 1 domain with the following entry in the config:
ldap.authentication.userNameFormat=%s@x.y.z
Now I need additionally a second domain like:
ldap.authentication.userNameFormat=%s@a.b.c
How can I do LDAP authentication from 2 domains?
Is that somehow possible?
What would the entry in the config be?
thx for your help
Hi,
never had to use this, but maybe a starting point:
Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation
Regards,
Martin
Hi:
Consider a more complex authentication chain composed of two ldap-ad subsystems in alfresco-global.properties:
authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad
And you have to create a structure under
$TOMCAT/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad
.
├── ldap1
│   └── ldap-ad-authentication.properties
└── ldap2
    └── ldap-ad-authentication.properties
for the corresponding properties, which are now no longer in alfresco-global.properties
Example: authentication and synchronization with two ldap-ad subsystems | Alfresco Documentation
Regards.
--C.
You are faster Martin Ehe
--C.
By the way, regarding the example I would say that in recent Alfresco 5 versions, it is not possible to copy the authentication subsystem sample properties from WEB-INF. Now they are inside a jar.
Regards.
--C.
...but your answer is more detailed (more quality takes more time)
I tried that way already, but the users of the other domain will not be synced.
Our current domain is ldap2, group and users are from the same domain z.b.c,
ldap1 is in the tree, but not the current domain; the group is in z.b.c, the users come from a.b.c
As you can see in the logfile, ldap2 will be synced properly, group+users
but ldap1 only the group will be synced, not the users.
properties for ldap1:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@a.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@a.b.c
ldap.synchronization.java.naming.security.credentials=xxxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_A_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_A_ALFRESCO,OU\=Groups,OU\=TEST,OU\=ME,DC\=a,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=a,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap properties for ldap2:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@z.b.c
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@z.b.c
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=GP_B_ALFRESCO))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=GP_B_ALFRESCO,OU\=Groups,OU\=NO,OU\=WAY,DC\=z,DC\=b,DC\=c))
ldap.synchronization.groupSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.userSearchBase=DC\=z,DC\=b,DC\=c
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
alfresco.log:
2017-06-19 15:00:00,222 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad1'
2017-06-19 15:00:00,222 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:00,238 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:03:34 from user registry 'ad1'
2017-06-19 15:00:00,643 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.
2017-06-19 15:00:00,659 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:18,053 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving all users from user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Commencing batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Processed 2 entries out of 2. 100% complete. 0 failures detected.
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad1,id2=5 User Association: Completed batch of 2 entries
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad1'
2017-06-19 15:00:32,390 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 0 user(s) and 1 group(s) processed
2017-06-19 15:00:32,405 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Full synchronization with user registry 'ad2'
2017-06-19 15:00:32,405 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Some users and groups previously created by synchronization with this user registry may be removed.
2017-06-19 15:00:32,421 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving groups changed since 19.06.2017 14:00:50 from user registry 'ad2'
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Commencing batch of 1 entries
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. 0 failures detected.
2017-06-19 15:00:32,452 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=1 Group Analysis: Completed batch of 1 entries
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Retrieving users changed since 19.06.2017 12:04:51 from user registry 'ad2'
2017-06-19 15:00:32,499 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Commencing batch of 16 entries
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Processed 16 entries out of 16. 100% complete. Rate: 146 per second. 0 failures detected.
2017-06-19 15:00:32,608 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: Completed batch of 16 entries
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Finished synchronizing users and groups with user registry 'ad2'
2017-06-19 15:00:32,624 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] 16 user(s) and 1 group(s) processed
just a question for understanding:
Is the LDAP Source ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx
the same in both configurations?
yes, it's the same address
have you tried your queries with an LDAP tool (like Apache Directory Studio) to verify the results?
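An added example, not part of the thread and not Alfresco code: a small Python parser for the ChainingUserRegistrySynchronizer lines shown in the alfresco.log excerpt above. It reports, per user registry, how many users and groups were processed and flags registries where the group query matched but no users were synced. The sample lines are constructed in the format of that log, and the function names are hypothetical.

```python
import re

START = re.compile(r"Synchronizing users and groups with user registry '([^']+)'")
TOTAL = re.compile(r"\] (\d+) user\(s\) and (\d+) group\(s\) processed")
FAILS = re.compile(r"id1=([^,]+),id2=\d+ .*?(\d+) failures detected")

# Constructed sample lines, following the format of the alfresco.log in the thread.
P = ("2017-06-19 15:00:00,000 INFO [org.alfresco.repo.security.sync."
     "ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] ")
SAMPLE_LOG = "\n".join(P + msg for msg in [
    "Synchronizing users and groups with user registry 'ad1'",
    "Synchronization,Category=directory,id1=ad1,id2=1 Group Analysis: "
    "Processed 1 entries out of 1. 100% complete. Rate: 62 per second. 0 failures detected.",
    "Finished synchronizing users and groups with user registry 'ad1'",
    "0 user(s) and 1 group(s) processed",
    "Synchronizing users and groups with user registry 'ad2'",
    "Synchronization,Category=directory,id1=ad2,id2=6 User Creation and Association: "
    "Processed 16 entries out of 16. 100% complete. Rate: 146 per second. 0 failures detected.",
    "Finished synchronizing users and groups with user registry 'ad2'",
    "16 user(s) and 1 group(s) processed",
])

def summarize_sync(log_text):
    """Return {registry: {"users": n, "groups": n, "failures": n}} for each sync run."""
    summary, current = {}, None
    for line in log_text.splitlines():
        if "ChainingUserRegistrySynchronizer" not in line:
            continue                      # ignore unrelated loggers
        m = START.search(line)            # case-sensitive: skips "Finished synchronizing"
        if m:
            current = m.group(1)
            summary[current] = {"users": 0, "groups": 0, "failures": 0}
            continue
        m = FAILS.search(line)
        if m and m.group(1) in summary:   # batch progress line carries the registry id
            summary[m.group(1)]["failures"] += int(m.group(2))
            continue
        m = TOTAL.search(line)
        if m and current:                 # totals line belongs to the run just finished
            summary[current]["users"] = int(m.group(1))
            summary[current]["groups"] = int(m.group(2))
            current = None
    return summary

def registries_without_users(summary):
    """Registries whose group query matched but whose person query returned nothing."""
    return sorted(r for r, s in summary.items() if s["groups"] > 0 and s["users"] == 0)

if __name__ == "__main__":
    result = summarize_sync(SAMPLE_LOG)
    print(result, registries_without_users(result))
```

A registry flagged here is the one whose personQuery and userSearchBase are worth running by hand in an LDAP browser with the same bind account.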