Weird thing with LDAP

Active Member II

Hi everyone!

I'm pretty new to Alfresco and I decided to use this solution for my internal needs. Since all my co-workers need it, I added LDAP authentication. Here is the configuration I use:


###############################
## Common Alfresco Properties #
###############################

dir.root=C:/ALFRES~1/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=[username]
db.password=[pwd]
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# Note: your database must also be able to accept at least this many connections.  Please see your database documentation for instructions on how to configure this.
db.pool.max=275
db.pool.validate.query=SELECT 1

# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN

### FTP Server Configuration ###
ftp.port=21

### RMI registry port for JMX ###
alfresco.rmi.services.port=50500

### External executable locations ###
ooo.exe=C:/ALFRES~1/LIBREO~1/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=C:\\alfresco-community\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}
img.exe=${img.root}\\convert.exe
alfresco-pdf-renderer.root=C:\\alfresco-community\\alfresco-pdf-renderer
alfresco-pdf-renderer.exe=${alfresco-pdf-renderer.root}\\alfresco-pdf-renderer.exe

jodconverter.enabled=false
jodconverter.officeHome=C:/ALFRES~1/LIBREO~1/App/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=9982df41980eb3559570ece9f97a8896

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=C:/ALFRES~1

### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=8443

### Allow extended ResultSet processing
security.anyDenyDenies=false

### Smart Folders Config Properties ###
smart.folders.enabled=false

### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true

ldap.authentication.userNameFormat=%s@solicia.fr
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://[ip]:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=[username]

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=[username]@solicia.fr
ldap.synchronization.java.naming.security.credentials=[pwd]
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)(memberOf=ou=solicia,dc=solicia,dc=fr)))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)(memberOf=ou=solicia,dc=solicia,dc=fr))(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou\=solicia,dc\=solicia,dc\=fr

ldap.synchronization.userSearchBase=dc\=solicia,dc\=fr

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

Authentication by LDAP is working fine (see the logs below), but there is something strange that I wanted to know if it's possible to change. For example, if I get into Alfresco as user Admin and then want to give group1 rights to read and write a directory, I can't until everyone I want to give those rights to has logged in. Why? This is because I can only find users if they have logged in at least once.

When I check the logs, I see that Alfresco can find groups but no users in my LDAP.

2018-01-17 15:17:02,149 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap-ad1'
2018-01-17 15:17:02,493 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all groups from user registry 'ldap-ad1'
2018-01-17 15:17:03,571 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Commencing batch of 39 entries
2018-01-17 15:17:03,665 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Processed 39 entries out of 39. 100 % complete. Rate: 414 per second. 0 failures detected.
2018-01-17 15:17:03,665 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Completed batch of 39 entries
2018-01-17 15:17:03,696 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Commencing batch of 39 entries
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Processed 39 entries out of 39. 100 % complete. Rate: 12 per second. 0 failures detected.
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Completed batch of 39 entries
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all users from user registry 'ldap-ad1'
2018-01-17 15:17:07,389 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2018-01-17 15:17:07,471 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2018-01-17 15:17:07,471 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Commencing batch of 2 entries
2018-01-17 15:17:07,612 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Processed 2 entries out of 2. 100 % complete. Rate: 14 per second. 0 failures detected.
2018-01-17 15:17:07,612 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Completed batch of 2 entries
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Commencing batch of 102 entries
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 100 entries out of 102. 98 % complete. 0 failures detected.
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 102 entries out of 102. 100 % complete. 0 failures detected.
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Completed batch of 102 entries
2018-01-17 15:17:07,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap-ad1'
2018-01-17 15:17:07,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 39 group(s) processed

I would be thankful if you could help me,

Have a nice day!

MACEK William.

7 Replies
Advanced II

Re: Weird thing with LDAP

Have you tried your user queries against your LDAP server to check if it is returning the users?

If the query is not ok, there is no way Alfresco will be able to get the users to you.

You can use a tool like Apache Directory Studio to execute the tests.

Welcome to Apache Directory Studio — Apache Directory 

Active Member II

Re: Weird thing with LDAP

Thanks Douglas for the quick answer once again :)

You got it, I downloaded Apache Directory Studio but it doesn't work on Server 2012, so I used JXplorer to do the queries and ... the path is the problem. I don't know why, but I really think the path is good since the user zip is in the OU named Users that is in the DC solicia in DC fr. Can the port be the issue here? Because I don't know if my LDAP uses the default port (389) or not.

Advanced II

Re: Weird thing with LDAP

I didn't get that.

Can you share a screenshot of the structure?

I don't know about JXplorer, but using Apache Directory Studio you can copy the right path and simply paste it into alfresco-global.properties.

About the port, I believe it is OK, or you would be seeing other kinds of errors in the log file, as Alfresco would not be able to connect to the LDAP server.

Active Member II

Re: Weird thing with LDAP

I made a mistake with the Admin and user groups, that's why it didn't work; now it finds every user I've put in those groups.

The thing is that I've put only 9 users in the groups, and I figured out that all users from my LDAP can log in (in the Alfresco logs it tells me that 9 users and 2 groups have been found), so I don't understand this.

Advanced II

Re: Weird thing with LDAP

OK, so you have more than 9 users in LDAP, but Alfresco is synchronizing just 9, is that right?

In this case, probably the thing is that other users are in a different place, not reached by Alfresco when querying for the users and groups.

Maybe a different OU or structure.

Active Member II

Re: Weird thing with LDAP

No, I meant that in my LDAP I have more than 70 users. I only want the 9 of them that are in ou=personnel,ou=exploitation,ou=informatique,ou=Solicia,dc=solicia,dc=fr to have the right to log in to Alfresco. The thing is that everyone, even if they are not in this OU, can log in to Alfresco...

Advanced II

Re: Weird thing with LDAP

All you have to do is to put the right query to the person queries, like:

ldap.synchronization.personQuery=(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))
ldap.synchronization.personDifferentialQuery=(&(&(objectCategory\=user)(objectClass\=user)(memberOf\=CN\=[correct path]))(!(modifyTimestamp<\={0})))

Can you share your current configuration?

That will make it easier to help you.

More on the topic can be found in several threads here in the community:
Active Directory authentication: allow just group of users 

Alfresco user only from specific AD group member
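The earlier reply suggested testing the person queries against the directory before putting them in alfresco-global.properties. The script below is an added example (not code from this thread, from Alfresco, or from the posters) that lets you do that offline: it undoes the Java properties escaping (`\=`, `\:`) that the file needs, parses the RFC 4515 filter, and evaluates it against a constructed directory of 70 accounts, ten of which are members of a hypothetical group CN=Alfresco-Users,OU=groups,DC=solicia,DC=fr. The group DN, account names and timestamps are made up. It shows two things the thread touches on: the original query's `memberOf=ou=solicia,...` clause can never match, because memberOf holds group DNs rather than container DNs; and the `userAccountControl:1.2.840.113556.1.4.803:=512` test from the posted config also matches disabled accounts (514 still has the 512 bit set), so excluding them needs a separate `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"   # AD LDAP_MATCHING_RULE_BIT_AND, as used in the thread's queries
UF_ACCOUNTDISABLE = 2                # userAccountControl flag bits
UF_NORMAL_ACCOUNT = 512


def unescape_properties(raw):
    """Undo Java .properties escaping ("\\=" -> "=", "\\:" -> ":") so the filter
    reads the way Alfresco sees it after loading alfresco-global.properties."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_filter(text):
    """Parse an RFC 4515 search filter into a small AST.
    Assumes attribute values contain no ')' (true for the DNs in this thread)."""
    text = text.strip()
    if not text.startswith("("):      # Alfresco also accepts a bare "objectclass=group"
        text = "(" + text + ")"
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data: {text[pos:]!r}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, children = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op!r} filter at offset {i}")
        return i + 1, (op, children)
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(?::([\d.]+):)?(<=|>=|=)(.*)", s[i:j], re.S)
    if not m:
        raise ValueError(f"bad filter item {s[i:j]!r}")
    attr, rule, op, value = m.groups()
    return j + 1, ("item", attr.lower(), rule, op, value)


def matches(node, entry):
    """Evaluate an AST against one entry given as {attribute_lowercase: [values]}."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, op, value = node
    values = [str(v) for v in entry.get(attr, [])]
    if rule == BIT_AND:               # true when every bit of the mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    if op == "=":
        if value == "*":
            return bool(values)
        return any(v.lower() == value.lower() for v in values)   # AD compares DNs case-insensitively
    # <= / >= on equal-length generalized-time strings: lexical order is chronological
    return any((v <= value) if op == "<=" else (v >= value) for v in values)


def search(entries, filter_text):
    """Return the sAMAccountNames matched by a filter written in properties-file syntax."""
    node = parse_filter(unescape_properties(filter_text))
    return [e["samaccountname"][0] for e in entries if matches(node, e)]


# Constructed sample directory (made-up data): 70 accounts, ten of them members of a
# hypothetical group; member user10 is disabled (512 | 2 = 514).
GROUP_DN = "CN=Alfresco-Users,OU=groups,DC=solicia,DC=fr"   # hypothetical group DN


def make_user(n, member_of=(), disabled=False):
    return {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["user"],   # real AD stores the schema DN and resolves the short name
        "samaccountname": [f"user{n:02d}"],
        "useraccountcontrol": [UF_NORMAL_ACCOUNT | (UF_ACCOUNTDISABLE if disabled else 0)],
        "memberof": list(member_of),
        "modifytimestamp": ["20180117150000.0Z"],
    }


DIRECTORY = ([make_user(n, [GROUP_DN], disabled=(n == 10)) for n in range(1, 11)]
             + [make_user(n) for n in range(11, 71)])

# personQuery from the posted config: the second memberOf names an OU, which no account
# is a "member of", and the first names a group nobody in this sample belongs to.
ORIGINAL_QUERY = (r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
                  r"(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)"
                  r"(memberOf=ou=solicia,dc=solicia,dc=fr)))")

# The shape suggested in the last reply, with the hypothetical group DN filled in.
GROUP_QUERY = (r"(&(objectCategory\=user)(objectClass\=user)"
               r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
               r"(memberOf\=" + GROUP_DN + "))")

# ":=512" only checks that the NORMAL_ACCOUNT bit is set, so a disabled account (514)
# still passes; excluding it needs an explicit negated test on bit 2.
HARDENED_QUERY = (r"(&(objectCategory\=user)(objectClass\=user)"
                  r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
                  r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))"
                  r"(memberOf\=" + GROUP_DN + "))")


def demo():
    return {
        "original": len(search(DIRECTORY, ORIGINAL_QUERY)),            # 0
        "group": len(search(DIRECTORY, GROUP_QUERY)),                  # 10, disabled user10 included
        "group_enabled_only": len(search(DIRECTORY, HARDENED_QUERY)),  # 9
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:<20} {count} matching account(s)")
```

One caveat that the thread's question about "everyone can log in" turns on: in Alfresco the person query only decides which accounts get synchronized. The ldap-ad authentication step is a simple bind as `%s@solicia.fr`, so any AD account with a valid password still authenticates, and with synchronization.syncWhenMissingPeopleLogIn=true the missing person record is created at first login. Restricting login to the group therefore means pairing the narrower sync filter with synchronization.syncWhenMissingPeopleLogIn=false and synchronization.autoCreatePeopleOnLogin=false, so accounts outside the filter never get a person record; ldap.authentication.allowGuestLogin=true in the posted config is also worth revisiting for the same reason.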