LDAP Auth issue
Hi, I'm having an issue with LDAP on a new install.
I am copying my ldap auth file to see if I can get some help
# User name format ..
ldap.authentication.active=true
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=usswhitebuffalo,dc=org,
# IP address or name of your LDAP server - (port 389 is the default for LDAP)
ldap.authentication.java.naming.provider.url=ldap://myip:389
# Enable synchronisation ..
ldap.synchronization.active=true
# Security ..
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=usswhitebuffalo,dc\=org
ldap.synchronization.java.naming.security.credentials=***********
# Object class names, OUs ..
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou\=groups,dc\=usswhitebuffalo,dc\=org
ldap.synchronization.userSearchBase=ou\=users,dc\=usswhitebuffalo,dc\=org
# The attribute name on people objects to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=cn
# The group type
ldap.synchronization.groupType=groupOfNames
# The person type
ldap.synchronization.personType=inetOrgPerson
# The attribute on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=share
It doesn't seem to want to connect to the server, and I need it to connect but only sync to the share group, not other groups on the LDAP server.
Hello,
Please refer to the following configurations.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@example.foo
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://example.foo:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=administrator@example.foo
ldap.synchronization.java.naming.security.credentials=Alfr3sc0
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoAdmins,ou=alfresco,dc=example,dc=foo)(memberOf=cn\=AlfrescoUsers,ou=alfresco,dc=example,dc=foo)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoAdmins,ou=alfresco,dc=example,dc=foo)(memberOf=cn\=AlfrescoUsers,ou=alfresco,dc=example,dc=foo))(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=alfresco,dc\=example,dc\=foo
ldap.synchronization.userSearchBase=dc\=example,dc\=foo
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
Thanks
Amit
Hello,
Please try the following configuration:
ldap-authentication.properties:
ldap.authentication.active=true
# Base DN containing users
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=usswhitebuffalo,dc=org
# The URL to connect to the LDAP server
# The authentication mechanism to use
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=usswhitebuffalo,dc\=org
# The query to select all objects that represent the groups to import.
# The query to select all objects that represent the users to import.
# The query to select objects that represent the users to import that have changed since a certain time.
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
# The name of the operational attribute recording the last update time for a group or user.
# The timestamp format. Unfortunately, this varies between directory servers.
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
# The attribute on person objects in LDAP to map to the first name property in Alfresco
# The attribute on person objects in LDAP to map to the last name property in Alfresco
# The attribute on person objects in LDAP to map to the email property in Alfresco
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
# The default home folder provider to use for people created via LDAP import
# The attribute on LDAP group objects to map to the gid property in Alfresco
# The group type in LDAP
# The person type in LDAP
# The attribute in LDAP on group objects that defines the DN for its members
alfresco-global.properties:
ldap.enabled=true
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
Regards,
Pradip patel
Hello Pradip, after copying your settings but setting the correct IP and password, I am getting the following error:
2017-12-21 23:43:55,157 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-12-21 23:43:55,306 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all groups from user registry 'ldap1'
2017-12-21 23:46:02,699 ERROR [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 11210018 Failed to communicate with ldap://openldap.domain.com:389. Reason javax.naming.CommunicationException, openldap.domain.com:389, java.net.ConnectException, Connection timed out (Connection timed out)
It's like it's not even trying to connect on the correct IP, and just defaulting to ldap://openldap.domain.com:389. I have double checked and I have the correct IP address and password set.
OK, what I ended up having to do was put the config in my alfresco-global.properties file, and now users can authenticate using LDAP. However, users who are not part of the Share group are also able to log in, and I need it so that only users who are part of the share group should be able to log in.
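Added example, not part of any post in this thread: one way to limit both synchronisation and login to a single group, written as alfresco-global.properties overrides in the style of the configurations above. The group DN cn=share,ou=groups,dc=usswhitebuffalo,dc=org and the availability of the memberOf and modifyTimestamp attributes on the directory are assumptions.

```properties
# Added example. cn=share,ou=groups,... is an assumed DN for the "share" group,
# built from the groupSearchBase in the question.

# Before (from the question): the member attribute was set to the group's name.
#   ldap.synchronization.groupMemberAttributeName=share
# After: groupOfNames entries list their members' DNs in the "member" attribute.
ldap.synchronization.groupMemberAttributeName=member

# Import only the share group. The differential query carries the same filter
# so that change-only syncs do not pull in other groups.
ldap.synchronization.groupQuery=(&(objectclass\=groupOfNames)(cn\=share))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(cn\=share)(!(modifyTimestamp<\={0})))

# Import only people who are members of that group.
# Assumption: the directory exposes memberOf on person entries
# (on OpenLDAP this requires the memberof overlay).
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberOf\=cn\=share,ou\=groups,dc\=usswhitebuffalo,dc\=org))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(memberOf\=cn\=share,ou\=groups,dc\=usswhitebuffalo,dc\=org)(!(modifyTimestamp<\={0})))

# Do not create an Alfresco person for a user who authenticates against LDAP
# but was not imported by the sync; such users are then refused at login.
synchronization.autoCreatePeopleOnLogin=false

# A simple bind over ldap:// sends the bind password unencrypted. With LDAPS the
# JVM running Alfresco must trust the directory server's certificate.
#   ldap.authentication.java.naming.provider.url=ldaps://myip:636
```

The person filter only restricts who is imported; it is synchronization.autoCreatePeopleOnLogin=false that stops users outside the group from logging in, because the userNameFormat bind on its own succeeds for any valid directory account.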