ldap-ad: allow login for users of specific security group

cancel
Showing results for 
Search instead for 
Did you mean: 
jahu
Active Member

ldap-ad: allow login for users of specific security group

Jump to solution

Hello,

I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to login to Alfresco, and deny any other login attempts.

Currently, I have synchronization working, and I can login to Alfresco with AD users. My problem is, is that any user can login that is in AD, not just the members of the AlfrescoUsers security group I created.

Does anyone have any insight into why all users in AD are allowed to login, and not just users of the AlfrescoUsers security group?

I have attached my alfresco-global.properties that I have all of my configuration in, and also the synchronization section of alfresco.log

Thank you,

-Jason

1 Solution

Accepted Solutions
mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Jason,

your person LDAP query seems to be wrong:

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))

i think you want objectclass=user AND userAcountControl... AND memberOf... but you put an OR "|" before memberOf condition.

So

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))

should be ok (without having verified it in real life).

regards,

Martin

View solution in original post

25 Replies
mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Jason,

your person LDAP query seems to be wrong:

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))

i think you want objectclass=user AND userAcountControl... AND memberOf... but you put an OR "|" before memberOf condition.

So

(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))

should be ok (without having verified it in real life).

regards,

Martin

jpotts
Professional

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Who do you want to show up in Alfresco? If the answer is "everyone in LDAP" while the answer to "Who do you want to be able to authenticate?" is "a subset of users as specified by this group" then the answer is that you have to create two LDAP configurations, one will be enabled for sync-only and will sync the entire LDAP directory. The other will be disabled for sync but enabled for authentication and it will specify the person query that points to the group you want to restrict to.

I should mention that this technique was first described to me by Axel Faust in the #alfresco IRC channel.

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Yes, Martin's query will work for the users under defined user base. 

But maybe the differential query will not, because you deal everything inside the AD group, so the timestamp of the user is not touched when adding users to the AD group (whenChanged). A walkaround for this is to define user differential query equal to user query, but full sync is done everyday instead of differential.

Another way of selecting a group of users belonging to different levels in the AD, is via custom extension attributes in AD (i.e: "alf") users, so you have to include the extension attribute in the users query. This will respect whenChanged parameter, because the user is modified (changing the timestamp) when applying the extension attribute.

Regards.

--C.

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Jason:

All users are allowed to authenticate via LDAP-AD in principle. By default Alfresco, create and sync accounts on login when they does not exist. But if you set the properties below, you would restrict the ldap auth only to those synced users.

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

Regards.

--C.

mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

...the query I mentioned is exact the one Jason has defined in his attached alfresco-global.properties. He just added the OR sign in the query, which should not be the case for his intentions.

He also defined the differential query in then right way (again, just the OR sign is too much)

Because the query will only import Users which are members of ou=Alfresco, only those user will be able to login (allowDeletions=true, so the user not in ou=Alfresco will be deleted - no login possible).

I would let synchronization.syncWhen... =true, so new users in ou Alfresco will be able to log in without having to wait for a scheduled LDAP Sync - what do you think Cesar?

Setting the two other values (create) to false should be fine.

Are you sure that a change in "memberOf" would not affect the whenChanged/modifiedTimestamp setting?

jahu
Active Member

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Thank you all for your help and suggestions. I have applied all of the changes/additions that you have suggested, and I believe it is working for me now. These are the changes/additions I've made to the alfresco-global.properties configuration file:

Added:

create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false

 

I also changed my person queries as well:

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=com))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=groups,dc=domain,dc=com))(!(modifyTimestamp<\={0})))

(basically just change OR to AND).

One more question: Because I was syncing all users before, any users that were synced before I made the configuration change are still able to login. Is there a way to clear Alfresco's user/authentication cache, or (this may be an entirely different subject) is there a way to make Alfresco sync directly from AD, instead of caching users?

Thank you all again, I appreciate it!

-Jason

cesarista
Customer

Re: ldap-ad: allow login for users of specific security group

Jump to solution

Hi Martin:

Regarding synchronization.syncWhen... =true, I'm not completely sure if this property depends on the other ones. By the way, with the new OOTB Support Tools addon, I think you can run the scheduled job on demand (I did not tested yet). If it is not possible it would be a nice feature for Support Tools in Beecon hackathon (Axel Faust‌). This is a nice feature of the Support Tools in EE edition.

If you only change the group object I will say no. Before, you may do a minor "tricky" user modification to change the timestamp, and it will work for this user.

Regards.

--C.

afaust
Master

Re: ldap-ad: allow login for users of specific security group

Jump to solution

"Scheduled Jobs" tool is already included in OOTBee Support Tools. What might be of added value in the future might be to provide a tool for configuring LDAP at runtime so your test cycles can be shorter.

mehe
Senior Member II

Re: ldap-ad: allow login for users of specific security group

Jump to solution

I don't think the users are cached but not deleted by now. You can see this in the user administration (admin console). Because your ...allowDeletions flag is true, all you need is a full-sync.

Your can force this by temporarily setting the differential query to the same value as the full query like Cesar Capillas mentioned above, and restart alfresco.

But alfresco has already created a user home for each of your users. These home directories will not be deleted (this is normally a good thing, because you don't want to have user-data deleted when you accidentally misconfigured the sync).

Make sure the value of synchronization.allowDeletions is really true, because if set to false, all your unwanted-synced users will only be untagged and converted to local users (uahhh). But this is explained in the docs http://docs.alfresco.com/5.2/concepts/sync-delete.html

I fear you'd have to write a script to delete the home-folders of the non-existing/allowed users. Maybe someone in the community has done that already.

...or you just don't care about the unused folders Smiley Happy - but they can behave bad, when you sync a formerly not allowed user. Then a second home folder with a number added to the username will be created.