AnsweredAssumed Answered

Synchronizing user account status with Kerberos SSO

Question asked by fedorow on May 16, 2019
Latest reply on May 28, 2019 by fedorow

Hi!

I have a problem synchronizing user account status. It worked fine with ldap authentication before I add kerberos to authentication chain.

 

Configurations:

alfresco-global.properties

 ### The authentication chain

authentication.chain=kerberos1:kerberos,ldap1:ldap-ad,alfinst:alfrescoNtlm
ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false

### Kerberos
kerberos.authentication.realm=AD.DOMAIN.UA
kerberos.authentication.sso.enabled=true
kerberos.authentication.browser.ticketLogons=true
kerberos.authentication.sso.fallback.enabled=true
kerberos.authentication.authenticateCIFS=false
kerberos.authentication.user.configEntryName=Alfresco
kerberos.authentication.defaultAdministratorUserNames=admin
kerberos.authentication.cifs.configEntryName=AlfrescoCIFS
kerberos.authentication.cifs.password=password
kerberos.authentication.http.configEntryName=AlfrescoHTTP
kerberos.authentication.http.password=password
kerberos.authentication.stripUsernameSuffix=true

### LDAP Synchronization settings. Active Directory (LDAP-AD).
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
synchronization.syncOnStartup=true
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.allowDeletions=true
synchronization.import.cron=0 0/20 8-20 * * ?

 

ldap-ad-authentication-context.xml

...

<import resource="../../common-ldap-context.xml" />

<bean id="ldapadUserAccountStatusInterpreter" class="org.alfresco.repo.security.sync.ldap_ad.LDAPADUserAccountStatusInterpreter">
</bean>

...

ldap-ad-authentication.properties

ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@ad.domain.ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ad.domain.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator,admin
ldap.authentication.authenticateFTP=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=syncuser@ad.domain.ua
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(!(cn\=prn*)))
ldap.synchronization.groupDifferentialQuery=(&(&(objectclass\=group)(!(cn\=prn*)))(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=ou\=OrganisationName,dc\=ad,dc\=domain,dc\=ua
ldap.synchronization.userSearchBase=ou\=OrganisationName,dc\=ad,dc\=domain,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=sn
ldap.synchronization.userLastNameAttributeName=givenName
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=departmentNumber
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userSizeQuota=10000
ldap.synchronization.userAvatarAttributeName=thumbnailPhoto
ldap.synchronization.userAvatarDefaultMimetype=image/jpeg
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=extensionName
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
ldap.authentication.java.naming.referral=follow
ldap.synchronization.com.sun.jndi.ldap.connect.pool=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.authentication=none simple
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=fine
ldap.pooling.com.sun.jndi.ldap.connect.pool.initsize=1
ldap.pooling.com.sun.jndi.ldap.connect.pool.maxsize=
ldap.pooling.com.sun.jndi.ldap.connect.pool.prefsize=
ldap.pooling.com.sun.jndi.ldap.connect.pool.protocol=plain
ldap.pooling.com.sun.jndi.ldap.connect.pool.timeout=
ldap.pooling.com.sun.jndi.ldap.connect.timeout=
ldap.synchronization.userAccountStatusProperty=userAccountControl
ldap.synchronization.userAccountStatusInterpreter=ldapadUserAccountStatusInterpreter

 

Plus common-ldap-context.xml contain correspondence of AD and Alfresco fields.

 

All users are synchronized. But all users are enabled.

With another AD server and ldap authorization I can change enable/disable in AD and sync it on Alfresco.

The similar configuration with kerberos sso don't react on userAccountControl parameter.

Outcomes