Thank you, Axel. Yes, running as admin (in the third tab).
Regards.
--C.
Hello,
I am running Alfresco Community Edition and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to authenticate against our Active Directory, but only allow users of a specific group (Alfresco; my Alfresco group belongs to the Users group) to log in to Alfresco, and deny any other login attempts.
My problem is that any user in AD can log in, not just the members of the Alfresco group I created.
Does anyone have any insight into why all users in AD are allowed to log in, and not just users of the Alfresco group? I read every answer to this question, but I didn't find a solution.
This is my LDAP AD configuration:
#########################
#LDAP CONFIGURATION#
#########################
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.allowGuestLogin=false
# Disable guest logins
ntlm.authentication.mapUnknownUserToGuest=false
# Disable guest logins
ntlm.authentication.sso.enabled=false
# Disable SSO logins
ldap.synchronization.userSearchBase=dc=domain,dc=net
# Domain search base
#########################
#LDAP AUTHENTICATION   #
#########################
ldap.authentication.active=true
#when true enables use of this LDAP subsystem for authentication
ldap.authentication.allowGuestLogin=false
# Disable guest logins
ldap.authentication.userNameFormat=%s@domain.net
#In Active Directory, this can either be the user principal name (UPN) or DN.
ldap.authentication.java.naming.security.authentication=simple
#simple - The basic LDAP authentication mechanism, requiring the user name and password to be passed over the wire unencrypted.
ldap.authentication.java.naming.read.timeout=30000
#If Alfresco Content Services cannot get a LDAP response within that period, it aborts the read attempt.
ldap.authentication.java.naming.provider.url=ldap://XXXXXXX:389
#AD server address
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.defaultAdministratorUserNames=Administrator
# Admin users logins
########################
#LDAP SYNCHRONISATION #
########################
ldap.synchronization.active=true
synchronization.syncWhenMissingPeopleLogIn=true
# Tries to find the user in the allowed AD group
#####################
#LDAP PERSON QUERY #
#####################
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=cn\=Alfresco,cn\=Users,dc\=domain,dc\=net)(userAccountControl:1.2.840.113556.1.4.803:=512))
# Query to grab all users in the Alfresco group, with full path
Thank you,
-Jelena
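To see exactly which directory entries the personQuery above selects, here is an added Python example (not Alfresco's code and not part of the original post): a small parser for the LDAP filter subset the query uses, evaluated against constructed AD-style entries. The alice/bob/carol accounts, the simplified parser (no escaped parentheses or substring filters) and the properties-unescaping rule are assumptions for illustration. It also shows a caveat: the bitwise-AND rule 1.2.840.113556.1.4.803 with 512 (NORMAL_ACCOUNT) is still true for a disabled account (userAccountControl 514 = 512 + 2), so excluding disabled accounts needs a negated test of the ACCOUNTDISABLE bit instead.

```python
# Constructed AD-style entries (not real accounts). userAccountControl flags:
# 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, so 514 is a normal but disabled user.
GROUP = "CN=Alfresco,CN=Users,DC=domain,DC=net"
ENTRIES = {
    "alice": {"objectClass": ["user"], "memberOf": [GROUP], "userAccountControl": ["512"]},
    "bob":   {"objectClass": ["user"], "memberOf": ["CN=Domain Users,CN=Users,DC=domain,DC=net"],
              "userAccountControl": ["512"]},
    "carol": {"objectClass": ["user"], "memberOf": [GROUP], "userAccountControl": ["514"]},
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
# The personQuery as written in the properties file, and a variant that negates ACCOUNTDISABLE.
PERSON_QUERY = (r"(&(objectclass\=user)(memberOf\=cn\=Alfresco,cn\=Users,dc\=domain,"
                r"dc\=net)(userAccountControl:1.2.840.113556.1.4.803:=512))")
ENABLED_ONLY_QUERY = (r"(&(objectclass\=user)(memberOf\=cn\=Alfresco,cn\=Users,"
                      r"dc\=domain,dc\=net)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def unescape_properties(value):
    # Undo the Java-properties escaping (\= -> =); enough here, no \\ or \uXXXX occur.
    return value.replace("\\", "")

def parse(s, i=0):
    """Parse the RFC 4515 subset these queries use: &, !, equality and the
    attr:OID:=value extensible match. Assumes no escaped parentheses in values."""
    if s[i + 1] in "&!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, val = s[i + 1:end].split("=", 1)
    return ("eq", attr, val), end + 1

def lookup(entry, attr):  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def matches(node, entry):
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, val = node
    if attr.endswith(":"):  # extensible match: attr:ruleOID:=value
        attr, rule = attr[:-1].split(":")
        if rule != BIT_AND: raise ValueError("unsupported matching rule " + rule)
        return any(int(v) & int(val) == int(val) for v in lookup(entry, attr))
    return any(v.lower() == val.lower() for v in lookup(entry, attr))  # DN/class compare

def sync_users(person_query, entries=ENTRIES):
    """Account names the LDAP sync would import for this personQuery."""
    tree, _ = parse(unescape_properties(person_query))
    return sorted(name for name, e in entries.items() if matches(tree, e))
```

Running sync_users(PERSON_QUERY) yields alice and the disabled carol, while ENABLED_ONLY_QUERY yields alice alone; bob is excluded by both because he is not in the Alfresco group.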
Hello friends,
I sign in to Alfresco, and in the repository under User Homes all the synchronized LDAP users appear; it creates a folder for each LDAP user.
How can I make those folders not be created?
I want them to be created only once they have been given permission in Alfresco to sign in.
Hello friends,
I sign in to Alfresco ("admin portal > repository > user homes") and all the synchronized LDAP users appear; this creates a folder for each LDAP user.
How can I make those folders not be created by the default synchronization?
I want them to be created only once they have been given permission in Alfresco to sign in.
Hi Jeff,
In your reply you said that LDAP authentication can be done without enabling synchronization and that you can restrict users through the person query, right? But I tried doing the same thing and it didn't work. Following are the properties that I configured on my Alfresco. I am running Alfresco v6.0.a (Docker based).
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://<my-ldap-server-ip>:<port>
ldap.authentication.userNameFormat=uid=%s,ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.active=false
ldap.synchronization.userSearchBase=ou=<myldap's-ou>,dc=<myldap's-dc>,dc=<myldap's-dc>
ldap.synchronization.personQuery=(&(objectclass\=sambaSamAccount)(accountStatus\=active)(sambaBadPasswordCount\=0)(category\=DMS))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=sambaSamAccount)(accountStatus\=active)(sambaBadPasswordCount\=0)(category\=DMS)(!(modifyTimestamp<\={0})))
As you can see from the person query, I want only users whose accounts are active to be able to log in to Alfresco.
Now the problem is that all the users on my LDAP server are logging in to Alfresco, even if their account on the LDAP server is deactivated. Moreover, I checked the logs on my LDAP server and found that my Alfresco connects perfectly to the LDAP server, but my person query never reaches it: there are no parameters of my person query in my LDAP logs.
Kindly help me to resolve this issue. Please look at the configured properties above in case I have missed something. Your help would be highly appreciated.
Thank you
Hi @Syedjunaid,
As this thread has an approved solution, I would recommend starting a new thread - people often overlook solved posts.
HTH,