
Authentication problem.

Question asked by statira on Oct 31, 2014
Latest reply on Nov 5, 2014 by statira
Hi guys! I encountered a strange problem with my Alfresco. The thing is I have two accounts for each user, one in the format name - John Doe, username - jdoe; and another in the format name - jdoe, username - jdoe@company.com. Users can log in only with the account in the jdoe@company.com format, which is fine until they want to give others access rights for some document, because they're looking for the user by his name John Doe, which gives them the wrong account jdoe, and, of course, the rights given to this account have no effect as he actually uses another account, jdoe@company.com! How can I get rid of these double accounts? Why is this even happening?
I'm running version 5.0.a on Ubuntu 14.04. Users access it from their Windows machines. I guess I misconfigured LDAP authentication, but the current configuration is the only one working; everything else I've tried resulted in other errors.
And another funny thing: if I use
ldap.authentication.userNameFormat=%s@company.com
instead of
ldap.authentication.userNameFormat=%s
the search stops working! Not entirely, advanced search still works fine, but if I just type something in the search box it results in a blank page. But I have one and only one account for each user.))

Here is my config:
### LDAP ###
authentication.chain=passthru1:passthru,ldap1:ldap

### Passthru Config ###
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=10.1.1.1
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=admin@company.com
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false

### LDAP-AD Auth ###
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.1.1.1:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=admin@company.com

### LDAP-AD Synch ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=admin@company.com
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc=diasoft,dc=ru
ldap.synchronization.userSearchBase=dc=diasoft,dc=ru
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
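The practical risk in the situation described above is that permissions end up on an identity nobody authenticates as, so the grant silently does nothing. The script below is an added example (not from the post, and not Alfresco code): it takes a list of person usernames, groups the ones that differ only by the `@company.com` suffix, and lists ACL entries granted to a variant that has no recorded login. The person list, the login set and the ACL entries are constructed sample data; the domain to strip is passed in as a parameter.

```python
"""Audit for duplicate user identities in a mixed authentication chain.

Added example (not from the forum post). Input data is constructed:
"jdoe" stands for the person created by LDAP synchronisation from
sAMAccountName, "jdoe@company.com" for the one created when the user
first authenticated with the UPN-style name.
"""
from collections import defaultdict

# Constructed: usernames of all person entries known to the repository
PERSONS = [
    "admin@company.com",
    "jdoe", "jdoe@company.com",
    "asmith", "asmith@company.com",
    "bjones",
]

# Constructed: usernames that have actually authenticated (e.g. from login audit records)
ACTIVE_LOGINS = {"admin@company.com", "jdoe@company.com", "asmith@company.com"}

# Constructed ACL entries: (node path, authority, permission)
ACL = [
    ("/Sites/finance/budget.xlsx", "jdoe", "Collaborator"),
    ("/Sites/finance/budget.xlsx", "asmith@company.com", "Consumer"),
    ("/Sites/hr/handbook.pdf", "bjones", "Editor"),
]


def canonical(username: str, domain: str) -> str:
    """Map both identifier formats of one directory user to a single key:
    lower-case, whitespace trimmed, and the '@domain' suffix removed."""
    name = username.strip().lower()
    suffix = "@" + domain.lower()
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return name


def find_duplicates(persons, domain):
    """Return {canonical_name: [variants...]} for users that exist under
    more than one username."""
    groups = defaultdict(list)
    for person in persons:
        groups[canonical(person, domain)].append(person)
    return {key: sorted(variants) for key, variants in groups.items() if len(variants) > 1}


def orphaned_permissions(acl, duplicates, active_logins):
    """ACL entries granted to a duplicate variant that never authenticates.
    These grants have no effect for the real user and should be moved or
    the extra account removed."""
    variants = {v for vs in duplicates.values() for v in vs}
    return [entry for entry in acl if entry[1] in variants and entry[1] not in active_logins]


if __name__ == "__main__":
    dups = find_duplicates(PERSONS, "company.com")
    for key, variants in sorted(dups.items()):
        print(f"{key}: {', '.join(variants)}")
    for node, authority, perm in orphaned_permissions(ACL, dups, ACTIVE_LOGINS):
        print(f"ineffective grant: {perm} on {node} to {authority} (never logs in)")
```

Run against a real export of usernames and ACLs, the first loop tells you how many users are affected by the split, and the second gives the list of grants to repair before deleting the unused accounts.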
