
Weird thing with LDAP

Question asked by willi78400 on Jan 17, 2018
Latest reply on Jan 19, 2018 by douglascrp

Hi everyone!

I'm pretty new to Alfresco and I decided to use this solution for my internal needs. Since all my co-workers need it, I added LDAP authentication. Here is the configuration I use:

###############################
## Common Alfresco Properties #
###############################

dir.root=C:/ALFRES~1/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=[username]
db.password=[pwd]
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# Note: your database must also be able to accept at least this many connections.  Please see your database documentation for instructions on how to configure this.
db.pool.max=275
db.pool.validate.query=SELECT 1

# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN

### FTP Server Configuration ###
ftp.port=21

### RMI registry port for JMX ###
alfresco.rmi.services.port=50500

### External executable locations ###
ooo.exe=C:/ALFRES~1/LIBREO~1/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=C:\\alfresco-community\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}
img.exe=${img.root}\\convert.exe
alfresco-pdf-renderer.root=C:\\alfresco-community\\alfresco-pdf-renderer
alfresco-pdf-renderer.exe=${alfresco-pdf-renderer.root}\\alfresco-pdf-renderer.exe

jodconverter.enabled=false
jodconverter.officeHome=C:/ALFRES~1/LIBREO~1/App/libreoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=9982df41980eb3559570ece9f97a8896

### E-mail site invitation setting ###
notification.email.siteinvite=false

### License location ###
dir.license.external=C:/ALFRES~1

### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=8443

### Allow extended ResultSet processing
security.anyDenyDenies=false

### Smart Folders Config Properties ###
smart.folders.enabled=false

### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false

### LDAP / Active Directory authentication ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@solicia.fr
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://[ip]:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=[username]

### LDAP synchronization ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=[username]@solicia.fr
ldap.synchronization.java.naming.security.credentials=[pwd]
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)(memberOf=ou=solicia,dc=solicia,dc=fr)))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)(memberOf=ou=solicia,dc=solicia,dc=fr))(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=ou\=solicia,dc\=solicia,dc\=fr
ldap.synchronization.userSearchBase=dc\=solicia,dc\=fr

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

The authentication by LDAP is working fine (see the logs below), but there is something strange that I wanted to know if it's possible to change. For example, if I get into Alfresco with user Admin and then want to give rights to group1 to read and write a directory, I can't until everyone I want to give those rights to has logged in. Why? This is because I can only find users if they have logged in at least once.

When I check the logs, I see that Alfresco can find groups but no users in my LDAP.

2018-01-17 15:17:02,149 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap-ad1'
2018-01-17 15:17:02,493 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all groups from user registry 'ldap-ad1'
2018-01-17 15:17:03,571 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Commencing batch of 39 entries
2018-01-17 15:17:03,665 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Processed 39 entries out of 39. 100 % complete. Rate: 414 per second. 0 failures detected.
2018-01-17 15:17:03,665 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Completed batch of 39 entries
2018-01-17 15:17:03,696 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Commencing batch of 39 entries
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Processed 39 entries out of 39. 100 % complete. Rate: 12 per second. 0 failures detected.
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Completed batch of 39 entries
2018-01-17 15:17:06,827 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving all users from user registry 'ldap-ad1'
2018-01-17 15:17:07,389 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Commencing batch of 0 entries
2018-01-17 15:17:07,471 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Completed batch of 0 entries
2018-01-17 15:17:07,471 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Commencing batch of 2 entries
2018-01-17 15:17:07,612 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Processed 2 entries out of 2. 100 % complete. Rate: 14 per second. 0 failures detected.
2018-01-17 15:17:07,612 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=4 Group Association Creation: Completed batch of 2 entries
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Commencing batch of 102 entries
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 100 entries out of 102. 98 % complete. 0 failures detected.
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 102 entries out of 102. 100 % complete. 0 failures detected.
2018-01-17 15:17:07,628 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Completed batch of 102 entries
2018-01-17 15:17:07,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap-ad1'
2018-01-17 15:17:07,659 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 39 group(s) processed

I would be thankful if you could help me,

Have a nice day!

MACEK William.
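The log above shows the group stages succeeding and the user stage receiving zero entries, which means the server returned nothing for ldap.synchronization.personQuery. The quickest way to reason about such a filter is to evaluate it offline against a few representative directory entries. The following is an added example written for this page, not code from the original post or from Alfresco: it strips the Java .properties escaping from the posted personQuery value, parses the resulting RFC 4515 filter (AND/OR/NOT, equality and the Active Directory bitwise matching rule 1.2.840.113556.1.4.803), and evaluates it against constructed sample entries. The entries, the account names in them, the function names and the tighter STRICT_PERSON_QUERY variant are all assumptions made for the illustration.

```python
import re
from typing import Dict, List

Entry = Dict[str, List[str]]

# Value copied from the posted configuration. The backslashes are Java
# .properties escapes; they are removed before the filter reaches the server.
RAW_PERSON_QUERY = (
    r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
    r"(|(memberOf=cn\=Administrateur,ou=users,dc=solicia,dc=fr)"
    r"(memberOf=ou=solicia,dc=solicia,dc=fr)))"
)
BIT_AND = "1.2.840.113556.1.4.803"  # AD rule: every bit of the value must be set


def unescape_properties_value(value: str) -> str:
    """Undo Java .properties escaping ('\\=' -> '=', '\\:' -> ':', '\\\\' -> '\\')."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_filter(text: str):
    """Parse an RFC 4515 filter (AND/OR/NOT, equality, AD bitwise match) into a tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if text[pos:pos + 1] != ")" or (op == "!" and len(children) != 1):
                raise ValueError(f"malformed {op!r} filter at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if attr.endswith(":"):                  # extensible match: attr:rule:=value
            attr, _, rule = attr[:-1].partition(":")
            return ("ext", attr.lower(), rule, value)
        return ("eq", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _norm(value: str) -> str:
    """Case-insensitive compare; DN-valued strings also ignore spaces around commas."""
    return ",".join(p.strip() for p in value.split(",")).lower()


def matches(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry; attribute names are case-insensitive."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
    if kind == "eq":
        return any(_norm(v) == _norm(node[2]) for v in values)
    if node[2] != BIT_AND:
        raise ValueError(f"unsupported matching rule {node[2]}")
    mask = int(node[3])
    return any(int(v) & mask == mask for v in values)


def select(properties_value: str, entries: List[Entry]) -> List[str]:
    """sAMAccountName of every entry the (still escaped) personQuery value selects."""
    tree = parse_filter(unescape_properties_value(properties_value))
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]


# Constructed entries standing in for what the domain controller would return.
# memberOf is the back-link of group 'member' attributes, so it only ever holds
# group DNs; an OU never appears there.
SAMPLE_ENTRIES: List[Entry] = [
    {"sAMAccountName": ["alice"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"],
     "memberOf": ["CN=Administrateur,OU=users,DC=solicia,DC=fr"]},
    {"sAMAccountName": ["bob"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"],
     "memberOf": ["CN=group1,OU=solicia,DC=solicia,DC=fr"]},
    {"sAMAccountName": ["carol"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["514"],       # 512 | 2: normal account, disabled
     "memberOf": ["CN=Administrateur,OU=users,DC=solicia,DC=fr"]},
    {"sAMAccountName": ["svc-backup"], "objectClass": ["top", "person", "user"],
     "userAccountControl": ["512"]},      # no group memberships at all
]

# Hypothetical tighter filter for comparison (an assumption, not Alfresco's
# default): reject disabled accounts explicitly and select by one group.
STRICT_PERSON_QUERY = (
    r"(&(objectclass\=user)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))"
    r"(memberOf\=cn\=Administrateur,ou\=users,dc\=solicia,dc\=fr))"
)

if __name__ == "__main__":
    print("effective filter:", unescape_properties_value(RAW_PERSON_QUERY))
    print("posted query    :", select(RAW_PERSON_QUERY, SAMPLE_ENTRIES))
    print("strict query    :", select(STRICT_PERSON_QUERY, SAMPLE_ENTRIES))
```

Two things the run makes visible. First, a memberOf clause only matches group DNs, so the `(memberOf=ou=solicia,...)` branch of the posted filter selects no entry in the sample set; only accounts in the Administrateur group are selected. Second, `userAccountControl:1.2.840.113556.1.4.803:=512` is a bitwise AND, so the disabled sample account (514 = 512 | 2) still passes it; excluding disabled accounts needs a separate `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause, as in the hypothetical strict variant. Unrelated to the query itself: the posted configuration binds with `simple` authentication over `ldap://`, so the synchronization account's password crosses the network in cleartext on every sync; `ldaps://` or StartTLS is the usual fix.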
