
LDAP/AD disabled, but alfresco user still enabled

Question asked by xarope on Jan 18, 2018

I'm running Alfresco 5.2 CE (201702).  I have set up a test environment with synchronization to two Active Directory servers, and also authentication against these same two AD servers, as well as internal Alfresco users.


This is working in terms of synchronization of users (e.g. users added daily), as well as authentication (users can log in; those who are disabled in AD cannot).


However, what is not working is that users who are newly disabled in AD are NOT disabled in Alfresco.  I can see the synchronization subsystem running each night, and it is picking up changes, e.g.

 2018-01-16 00:01:40,038  WARN  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Full synchronization with user registry 'ldap2'
 2018-01-16 00:01:40,038  WARN  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Some users and groups previously created by synchronization with this user registry may be removed.
 2018-01-16 00:01:40,054  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Retrieving groups changed since 12 Jan, 2018 5:08:45 PM from user registry 'ldap2'
 2018-01-16 00:01:40,604  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=1 Group Analysis: Commencing batch of 4 entries
 2018-01-16 00:01:40,604  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=1 Group Analysis: Processed 4 entries out of 4. 100% complete. Rate: 22 per second. 0 failures detected.
 2018-01-16 00:01:40,604  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=1 Group Analysis: Completed batch of 4 entries
 2018-01-16 00:01:43,763  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Retrieving users changed since 14 Jan, 2018 10:46:45 PM from user registry 'ldap2'
 2018-01-16 00:01:43,984  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=6 User Creation and Association: Commencing batch of 32 entries
 2018-01-16 00:01:44,289  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=6 User Creation and Association: Processed 32 entries out of 32. 100% complete. Rate: 104 per second. 0 failures detected.
 2018-01-16 00:01:44,289  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Synchronization,Category=directory,id1=ldap2,id2=6 User Creation and Association: Completed batch of 32 entries
 2018-01-16 00:01:45,175  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] Finished synchronizing users and groups with user registry 'ldap2'
 2018-01-16 00:01:45,175  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-1] 32 user(s) and 0 group(s) processed

But the users continue to remain "enabled".


Has anybody else encountered this situation, and can help check what I've done wrong?  My configuration as follows:


alfresco-global.properties (just showing the relevant bits):

authentication.chain=passthru1:passthru,alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad,ldap2:ldap-ad
ntlm.authentication.sso.enabled=false
passthru.authentication.servers=domain1\\10.1.0.1,domain2\\10.2.0.1
synchronization.authCreatePeopleOnLogin=false
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1,ldap2


/opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystem/Authentication/ldap-ad/ldap1 (and similarly ldap2), the full file:

ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.1.0.1:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=readonlyuser@domain1.local
ldap.synchronization.java.naming.security.credentials=<thepasswordforreadonlyuser>
ldap.synchronization.queryBatchSize=100
ldap.synchronization.attributeBatchSize=100
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=domain1,dc\=local,dc\=alfrescogroups
ldap.synchronization.userSearchBase=dc\=domain1,dc\=local,dc\=alfrescousers
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
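The posted personQuery and personDifferentialQuery rely on the AD extensible match rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND), which matches when every bit of the given mask is set in userAccountControl. The example below is added here and is not code from the post or from Alfresco: a small evaluator for the subset of LDAP filter syntax those two queries use, run over constructed sample directory entries, so you can see exactly which accounts each filter returns and therefore which accounts the synchronizer still considers present. The sample users, their whenChanged values, the "since" timestamp and the third filter (the posted query with an extra clause rejecting the ACCOUNTDISABLE bit) are all assumptions made for the demonstration; the userAccountControl bit values are the documented AD flags. The filters are written unescaped because the backslashes in the .properties file are Java properties escapes, not part of the LDAP filter.

```python
"""Evaluate the posted AD LDAP filters against constructed sample entries.

Added example, not from the forum post or from Alfresco. Supports AND, OR,
NOT, equality, <=, >= and the AD bitwise-AND extensible match rule.
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Documented userAccountControl flag bits (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",          # 512, the mask used in the posted query
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}

# Filters as in the posted ldap1/ldap2 file, with properties escaping removed.
# {0} is the placeholder Alfresco fills with the last successful sync time.
POSTED_PERSON_QUERY = "(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))"
POSTED_DIFF_QUERY = ("(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)"
                     "(!(whenChanged<={0})))")
# Assumed variant for comparison (not from the post): also reject bit 2.
ENABLED_ONLY_QUERY = ("(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)"
                      "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Constructed sample entries. Attribute names are lower-cased because LDAP
# attribute names are case-insensitive; whenChanged uses the posted
# timestampFormat yyyyMMddHHmmss'.0Z'.
SAMPLE_USERS = [
    {"samaccountname": "alice", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": 512, "whenchanged": "20180115093000.0Z"},
    {"samaccountname": "bob", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": 514, "whenchanged": "20180115113000.0Z"},    # disabled
    {"samaccountname": "carol", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": 66048, "whenchanged": "20180110120000.0Z"},  # pw never expires
    {"samaccountname": "svc-backup", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": 66050, "whenchanged": "20180112080000.0Z"},  # disabled + never expires
]

_ITEM = re.compile(r"^([^:<>=]+)(?::([\d.]+))?(:=|<=|>=|=)(.*)$")


def parse_filter(text):
    """Parse an RFC 4515-style filter string into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated %s at offset %d" % (op, pos))
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        m = _ITEM.match(text[pos:end])
        if not m:
            raise ValueError("bad filter item: " + text[pos:end])
        pos = end + 1
        attr, rule, cmp_op, value = m.groups()
        return ("item", attr.lower(), rule, cmp_op, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> value or list)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, rule, cmp_op, value = tree
    if attr not in entry:
        return False                      # absent attribute never matches
    values = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
    if rule == BIT_AND_RULE:              # every bit of the mask must be set
        mask = int(value)
        return any((int(v) & mask) == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if cmp_op == "=":
        return any(str(v).lower() == value.lower() for v in values)
    if cmp_op == "<=":                    # same-format generalizedTime compares as text
        return any(str(v) <= value for v in values)
    return any(str(v) >= value for v in values)


def select(filter_text, entries, since=None):
    """Return the sAMAccountNames an LDAP filter would return from `entries`."""
    if since is not None:
        filter_text = filter_text.replace("{0}", since)
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"] for e in entries if matches(tree, e))


def decode_uac(value):
    """Name the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


if __name__ == "__main__":
    print("posted personQuery:", select(POSTED_PERSON_QUERY, SAMPLE_USERS))
    print("posted differential query since 2018-01-14 22:46:45:",
          select(POSTED_DIFF_QUERY, SAMPLE_USERS, "20180114224645.0Z"))
    print("with ACCOUNTDISABLE rejected:", select(ENABLED_ONLY_QUERY, SAMPLE_USERS))
    for u in SAMPLE_USERS:
        print(u["samaccountname"], decode_uac(u["useraccountcontrol"]))
```

Running it shows that the bitwise-AND test against 512 is satisfied by 514 and 66050 just as well as by 512, because the NORMAL_ACCOUNT bit stays set when an account is disabled; only the variant that also negates a bitwise-AND against 2 drops the disabled entries. The `since` value used for the differential query is constructed to mirror the "Retrieving users changed since 14 Jan, 2018 10:46:45 PM" line in the log and assumes that timestamp is UTC.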
