AnsweredAssumed Answered

LDAP: Ignoring non-existent member

Question asked by bostaxola on Sep 29, 2014
Latest reply on Oct 1, 2014 by bostaxola
This is s side by side schema:


I want to filter the access to only members of "cn=TIT,ou=subjects,ou=groups,dc=domain,dc=com", inside this group members DN is stored in "member" attribute (http://i62.tinypic.com/29ekqp1.png). I've trying since Friday, but I can't sync the members attributes like, mail, name… just the uid. If I try log in with a group non-member user I can't. I have take a look at Active Directory authentication: allow just group of users and other post, but I can't seem to find the right configuration. I hope you can lend me a hand, thank you.


The catalina.out can be found in http://pastebin.com/0et0DVmU (Full sync part is at the end highlighted)

ldap-authentication.properties (/opt/alfresco-5.0.a/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties)


ldap.authentication.active=true

ldap.authentication.allowGuestLogin=false

ldap.authentication.defaultAdministratorUserNames=admin

ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

#ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldaps://ldap.domain.com:636
ldap.authentication.java.naming.security.authentication=simple

ldap.authentication.userNameFormat=uid\=%s,ou\=people,dc\=domain,dc\=com

ldap.synchronization.active=true

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

ldap.synchronization.enableProgressEstimation=true

ldap.synchronization.groupDifferentialQuery=(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.groupQuery=(objectclass=groupOfNames)
ldap.synchronization.groupSearchBase=cn\=TIT,ou\=subjects,ou\=groups,dc\=domain,dc\=com
ldap.synchronization.groupType=groupOfNames

ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.credentials=******** [real password changed for *]
ldap.synchronization.java.naming.security.principal=uid\=admin,ou\=system,dc\=domain,dc\=com

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

ldap.synchronization.personDifferentialQuery=(&(cn\=TIT)(objectClass\=GroupOfNames)(uid\=%s,ou\=people,dc\=domain,dc\=com))!(modifyTimestamp<={0})))
ldap.synchronization.personQuery=(&(cn\=TIT)(objectClass\=GroupOfNames)(uid\=%s,ou\=people,dc\=domain,dc\=com))
ldap.synchronization.personType=inetOrgPerson

#ldap.synchronization.queryBatchSize=1000

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userLastNameAttributeName=schacSn1
ldap.synchronization.userOrganizationalIdAttributeName=eduPersonAffiliation
ldap.synchronization.userSearchBase=ou\=people,dc\=domain,dc\=com


alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

#Sync Settings
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
# Full sync every minute to check only
synchronization.import.cron=0 0/1 * * * ?


Outcomes