OpenLDAP authentication, if username already existed, both authentications are valid after sync

skushnerenko
Active Member II

We have to provide authentication with OpenLDAP so that, after synchronization with OpenLDAP, usernames from OpenLDAP which already existed for alfrescoNtlm authentication would keep all access to their owned documents.

That is, we had user John with alfrescoNtlm authentication, who had a long working history in the repository with owned documents. The same user John is in OpenLDAP, but with a different password.

After synchronization with OpenLDAP, I have found that both user types with the same username are valid, so user John can log in with both passwords, the alfrescoNtlm one and the OpenLDAP one.

It could even be fine, but what is discouraging is that in the admin tools only the one old user John is displayed.

If we disable it, the OpenLDAP user can still log in.

The Lucene search

TYPE:"{http://www.alfresco.org/model/content/1.0}person"

also displays only one user John, not two of them.

Is this a normal situation, or should we have deleted the old user John before synchronization with OpenLDAP? And what about access to the documents of user John in that case?

Below is alfresco-global.properties:

authentication.protection.enabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Admin

#
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356


ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua


ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)(CN\=someGroup))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(CN\=someGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine

synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1

# sync every 15 minutes
#synchronization.import.cron=0 0/15 * * * ?

Another question: is it possible not to provide the parameters ldap.synchronization.java.naming.security.principal and ldap.synchronization.java.naming.security.credentials, as OpenLDAP is accessible without them?

If I simply turn them off, there is an error during synchronization with OpenLDAP:

2019-02-13 10:33:24,550 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Failed initial synchronize with user registries org.alfresco.repo.security.authentication.AuthenticationException: 01130001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]

Alfresco Community (Build: 201612)

1 Reply
skushnerenko
Active Member II

Re: OpenLDAP authentication, if username already existed, both authentications are valid after sync

Using SQL queries I have found the difference between a user created with NATIVE Alfresco authentication and a user with the same username imported from LDAP.

So, the NATIVE user is stored in the database table alf_node with the types user and person.

The mixed user also has both types.

The LDAP user has only the type person.

Besides, with the db objects in alf_child_assoc it was found that the NATIVE person object is owned by the AUTH.ALF object, while the LDAP person object is owned by the AUTH.EXT.ldap1 object.

The mixed person object is owned by both the AUTH.ALF and the AUTH.EXT.ldap1 objects.

ACLs are made by the db object alf_authority, where the username is stored as a String.

So I hope that an ACL made by a native user will be effective for both the LDAP and the mixed user with the same name.

The same may be true for access to documents owned by a NATIVE user - I suppose access to these documents will be effective for the LDAP and the mixed user with the same username.

The only problem is that the field authority in alf_authority is case sensitive, while the username is case insensitive.

So if the LDAP username and the NATIVE username have different case, there may be a problem with access of the LDAP user to the documents of the NATIVE user.
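As an added example (not from either post and not Alfresco's own tooling), two read-only audit queries that surface the two conditions the reply describes for the setup in the question: person nodes sitting in both the AUTH.ALF and AUTH.EXT.ldap1 zones (the "mixed" users who can still log in with either password), and alf_authority entries that differ from a person's userName only by case. Table and column names follow the Alfresco Community schema as I know it (alf_node, alf_qname, alf_child_assoc, alf_node_properties, alf_authority) and the query assumes the zone node's own name is stored as qname_localname on the association from the zones container; verify both against your database before relying on the output.

```sql
-- Query 1: "mixed" persons, i.e. person nodes linked (cm:inZone) to BOTH zone nodes.
-- Each zone node is itself a child of the zones container, and that association's
-- qname_localname carries the zone name ('AUTH.ALF', 'AUTH.EXT.ldap1').
SELECT p.id            AS person_node_id,
       up.string_value AS user_name
FROM alf_node p
JOIN alf_qname ptype        ON ptype.id = p.type_qname_id
                           AND ptype.local_name = 'person'
JOIN alf_node_properties up ON up.node_id = p.id
JOIN alf_qname upq          ON upq.id = up.qname_id
                           AND upq.local_name = 'userName'
WHERE EXISTS (SELECT 1
              FROM alf_child_assoc inz
              JOIN alf_child_assoc z ON z.child_node_id = inz.parent_node_id
              WHERE inz.child_node_id = p.id
                AND z.qname_localname = 'AUTH.ALF')
  AND EXISTS (SELECT 1
              FROM alf_child_assoc inz
              JOIN alf_child_assoc z ON z.child_node_id = inz.parent_node_id
              WHERE inz.child_node_id = p.id
                AND z.qname_localname = 'AUTH.EXT.ldap1');

-- Query 2: ACL authorities whose spelling differs from a person's userName only by case.
-- alf_authority.authority is compared exactly by the permission service, so these
-- rows are the ones where an LDAP-synced user may not inherit the native user's access.
SELECT a.id            AS authority_id,
       a.authority     AS acl_authority,
       up.string_value AS person_user_name
FROM alf_authority a
JOIN alf_node_properties up ON LOWER(up.string_value) = LOWER(a.authority)
                           AND up.string_value <> a.authority
JOIN alf_qname upq          ON upq.id = up.qname_id
                           AND upq.local_name = 'userName'
JOIN alf_node p             ON p.id = up.node_id
JOIN alf_qname ptype        ON ptype.id = p.type_qname_id
                           AND ptype.local_name = 'person';
```

Query 2 lower-cases every string property once, so run it off-hours on a large repository, or restrict alf_node_properties to the person node ids returned by Query 1 first.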