
OpenLDAP authentication: if a username already existed, both authentications are valid after sync

Question asked by skushnerenko on Feb 13, 2019

We have to provide authentication with OpenLDAP so that, after synchronization with OpenLDAP, usernames from OpenLDAP which already existed for alfrescoNtlm authentication would keep all their access to their owned documents.

That is, we had a user John with alfrescoNtlm authentication, who had a long working history in the repository with owned documents. The same user John is in OpenLDAP, but with a different password.

After synchronization with OpenLDAP, I have found that both user types with the same username are valid, so user John can log in with both passwords, alfrescoNtlm and OpenLDAP.

It could even be fine, but what is discouraging is that in the admin tools only the one old user John is displayed.

If we disable it, the OpenLDAP user can still log in.

The Lucene search

TYPE:"{http://www.alfresco.org/model/content/1.0}person"

also displays only one user John, not two of them.

Is this a normal situation, or should we have deleted the old user John before synchronization with OpenLDAP? And what about access to user John's documents in that case?

Below is our alfresco-global.properties:

authentication.protection.enabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=Users,dc=some,dc=ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Admin

#
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356


ldap.synchronization.groupSearchBase=ou\=Users,dc\=some,dc\=ua
ldap.synchronization.userSearchBase=ou\=Users,dc\=some,dc\=ua


ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)(CN\=someGroup))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(CN\=someGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName

ldap.synchronization.userLastNameAttributeName=sn

ldap.synchronization.userEmailAttributeName=mail

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn

ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.enableProgressEstimation=true

ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine

synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1

# sync every 15 minutes
#synchronization.import.cron=0 0/15 * * * ?

Another question: is it possible not to provide the parameters ldap.synchronization.java.naming.security.principal and ldap.synchronization.java.naming.security.credentials, as OpenLDAP is accessible without them?

If I simply turn them off, there is an error during synchronization with OpenLDAP:

2019-02-13 10:33:24,550 WARN [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Failed initial synchronize with user registries org.alfresco.repo.security.authentication.AuthenticationException: 01130001 Failed to authenticate, username or password is wrong. User name:cn=Manager,dc=company,dc=com Reason [LDAP: error code 49 - Invalid Credentials]

Alfresco Community (Build: 201612)
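As an added example (not part of the post above and not Alfresco's own code), the following Python script parses an alfresco-global.properties fragment and reports the configuration points behind the behaviour described in the question. With authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap, Alfresco tries each subsystem in chain order and accepts the first one that validates the credentials, so a user who has a local alfrescoNtlm password and also exists in LDAP can log in with either password. synchronization.externalUserControl=true hands account enable/disable control to the subsystem named in externalUserControlSubsystemName (ldap1 here), which is why disabling the account in the admin console does not stop the LDAP login. With ldap.synchronization.java.naming.security.authentication=simple and the principal commented out, the subsystem falls back to its default bind DN, which is the cn=Manager,dc=company,dc=com visible in the error above; an anonymous bind needs that authentication setting changed to none. The sample properties are constructed from the posted file (the group name in the differential query is deliberately spelled differently from the full query so that the mismatch check fires), and the finding codes are this script's own.

```python
"""Lint the LDAP/authentication part of an alfresco-global.properties file.
Added example for this thread; not Alfresco code. The finding codes are this
script's own, and SAMPLE is constructed from the posted configuration."""
import re

# Constructed sample based on the posted file. The group name in the
# differential query deliberately differs from the full query to exercise the check.
SAMPLE = r"""
# authentication
authentication.protection.enabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldap://10.0.1.15:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid\=someUser,ou\=users,dc\=some,dc\=ua
ldap.synchronization.java.naming.security.credentials=12356
ldap.synchronization.groupQuery=(&(objectclass\=posixGroup)(CN\=someGroup))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(CN\=someGoup)(!(modifyTimestamp<\={0})))
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value pairs,
    and backslash escapes such as '\\=' inside values (keys contain no '=')."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def lint(props):
    """Return (code, message) findings for the settings discussed in the thread."""
    findings = []
    # Each chain member is tried in order; any member that accepts the password wins.
    chain = [e.split(":", 1)[-1] for e in props.get("authentication.chain", "").split(",") if e]
    if "alfrescoNtlm" in chain and "ldap" in chain:
        findings.append(("DUPLICATE_CREDENTIAL_PATH",
                         "chain %s: a user present both locally and in LDAP is accepted with either "
                         "password; drop alfrescoNtlm from the chain once LDAP owns the account" % chain))
    if props.get("authentication.protection.enabled", "true").lower() == "false":
        findings.append(("BRUTE_FORCE_PROTECTION_OFF",
                         "authentication.protection.enabled=false: failed-login lockout is disabled"))
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth = props.get("ldap.authentication.java.naming.security.authentication", "simple")
    if url.startswith("ldap://") and auth == "simple":
        findings.append(("CLEARTEXT_BIND",
                         "simple bind over %s sends user passwords unencrypted; use ldaps://" % url))
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append(("SECRET_IN_PROPERTIES",
                         "synchronization bind password is stored in cleartext in the properties file"))
    sync_auth = props.get("ldap.synchronization.java.naming.security.authentication", "simple")
    if sync_auth == "simple" and not props.get("ldap.synchronization.java.naming.security.principal"):
        findings.append(("DEFAULT_BIND_PRINCIPAL",
                         "simple authentication with no principal: the subsystem default bind DN is "
                         "used; set ...security.authentication=none for an anonymous bind"))
    # The differential query must select the same groups as the full query.
    full = props.get("ldap.synchronization.groupQuery", "")
    diff = props.get("ldap.synchronization.groupDifferentialQuery", "")
    cn_filter = re.compile(r"\(cn=([^)]*)\)", re.IGNORECASE)
    if full and diff and set(cn_filter.findall(full)) != set(cn_filter.findall(diff)):
        findings.append(("GROUP_QUERY_MISMATCH",
                         "groupQuery selects %s but groupDifferentialQuery selects %s: differential "
                         "syncs will miss the group" % (cn_filter.findall(full), cn_filter.findall(diff))))
    if props.get("ldap.synchronization.userAccountStatusProperty") == "ds-pwp-account-disabled":
        findings.append(("STATUS_ATTRIBUTE_CHECK",
                         "ds-pwp-account-disabled is a Sun DSEE/OpenDJ attribute; confirm the OpenLDAP "
                         "schema provides it, otherwise no synced account is ever treated as disabled"))
    return findings


def lint_codes(text):
    """Convenience wrapper: the set of finding codes for a properties text."""
    return {code for code, _ in lint(parse_properties(text))}


if __name__ == "__main__":
    for code, message in lint(parse_properties(SAMPLE)):
        print("%-26s %s" % (code, message))
```

Run it against the real file (replace SAMPLE with open("alfresco-global.properties").read()) before and after changing the chain; the DUPLICATE_CREDENTIAL_PATH finding disappears only when alfrescoNtlm is no longer in the chain, which is the change that stops the old local password from working.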
