Hi everyone,
I'm running the newest Alfresco Community Edition using the alfresco-docker-installer. I have modified the alfresco-global.properties file to add support for LDAP synchronization and authentication. I wanted only users in the 'alfresco-users' group to be able to log in, and create other LDAP groups to limit access to sites. Right now we've managed to make Alfresco only allow users in the group to log in. However, when I go to Admin Tools -> Groups, I can see all the LDAP groups, but they're all empty - Alfresco syncs the groups but fails to populate them with users. I'm using FreeIPA LDAP and Alfresco CE 7.4. Below is my alfresco-global.properties file.
sample.site.disabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,cn=users,cn=accounts,dc=domain,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://freeipa.domain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=administrator
create.missing.people=false
synchronization.synchronizeChangesOnly=false
ldap.synchronization.active=true
ldap.synchronization.allowDeletions=true
ldap.synchronization.autoCreatePeopleOnLogin=false
ldap.synchronization.syncWhenMissingPeopleLogin=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=read-access-user,cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.java.naming.security.credentials=<secret>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=groupofnames)
ldap.synchronization.personQuery=(&(objectclass\=inetorgperson)(memberOf\=cn=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupofnames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetorgperson)(memberOf\=cn\=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn=groups,cn=accounts,dc=domain,dc=com
ldap.synchronization.userSearchBase=cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupMemberAttributeName=memberOf
synchronization.import.cron=0 * * * * ?
Thanks for the help.
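The following is an added example, not code from the original post or from Alfresco. It simulates the part of Alfresco's LDAP group sync that matters here: Alfresco reads the attribute named by ldap.synchronization.groupMemberAttributeName from each group entry and expects it to contain member DNs. In FreeIPA a group is a groupOfNames whose membership is stored in its member attribute, while memberOf is a back-link that only appears on user entries. The in-memory directory and the properties excerpt are constructed stand-ins; the check in diagnose() is what you would run against the real directory before touching the queries.

```python
"""Added example: simulate Alfresco's LDAP group-membership resolution to
show why groups can sync but stay empty. The directory and properties
below are constructed stand-ins for a FreeIPA tree and the posted config."""

import re

# Constructed excerpt of the posted properties (Java-style escaped '=' kept).
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupQuery=(objectclass\=groupofnames)
ldap.synchronization.groupSearchBase=cn=groups,cn=accounts,dc=domain,dc=com
ldap.synchronization.userSearchBase=cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=memberOf
ldap.synchronization.userIdAttributeName=uid
"""

BASE = "dc=domain,dc=com"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS = f"cn=groups,cn=accounts,{BASE}"

# Constructed directory shaped like FreeIPA entries: `memberOf` lives on the
# users, `member` (full DNs) lives on the groupOfNames group.
DIRECTORY = {
    f"uid=alice,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
                           "memberOf": [f"cn=alfresco-users,{GROUPS}"]},
    f"uid=bob,{USERS}": {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
                         "memberOf": [f"cn=alfresco-users,{GROUPS}"]},
    f"cn=alfresco-users,{GROUPS}": {"objectClass": ["groupOfNames"],
                                    "cn": ["alfresco-users"],
                                    "member": [f"uid=alice,{USERS}", f"uid=bob,{USERS}"]},
}


def parse_properties(text):
    """Minimal .properties reader: first unescaped '=' splits key and value,
    and backslash escapes in the value are collapsed (so '\\=' becomes '=')."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^((?:[^=\\]|\\.)+?)\s*=\s*(.*)$", line)
        if m:
            props[m.group(1).strip()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props


def get_attr(entry, name):
    """LDAP attribute names are case-insensitive; look up accordingly."""
    return next((list(v) for k, v in entry.items() if k.lower() == name.lower()), [])


def in_subtree(dn, base):
    return dn.lower().endswith(base.lower())


def resolve_group_members(props, directory):
    """Mimic the sync: select group entries under the group search base whose
    objectClass matches the groupQuery, read the configured member attribute
    from each group entry, and map the member DNs to user ids."""
    member_attr = props["ldap.synchronization.groupMemberAttributeName"]
    oc = re.search(r"objectclass=([^)]+)", props["ldap.synchronization.groupQuery"], re.I)
    wanted_oc = oc.group(1).lower() if oc else None
    result = {}
    for dn, entry in directory.items():
        if not in_subtree(dn, props["ldap.synchronization.groupSearchBase"]):
            continue
        if wanted_oc and wanted_oc not in [c.lower() for c in get_attr(entry, "objectClass")]:
            continue
        group_id = get_attr(entry, props["ldap.synchronization.groupIdAttributeName"])[0]
        members = []
        for member_dn in get_attr(entry, member_attr):  # empty if attr absent
            user = directory.get(member_dn)
            if user and in_subtree(member_dn, props["ldap.synchronization.userSearchBase"]):
                members.append(get_attr(user, props["ldap.synchronization.userIdAttributeName"])[0])
        result[group_id] = sorted(members)
    return result


def diagnose(props, directory):
    """Defender's check: list the group entries that do not carry the attribute
    configured as the member attribute, plus the attributes groups really expose."""
    member_attr = props["ldap.synchronization.groupMemberAttributeName"]
    base = props["ldap.synchronization.groupSearchBase"]
    seen, missing = set(), []
    for dn, entry in directory.items():
        if in_subtree(dn, base):
            seen.update(k.lower() for k in entry)
            if not get_attr(entry, member_attr):
                missing.append(dn)
    return {"configured": member_attr, "group_attrs": sorted(seen), "groups_without_it": missing}


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("as posted   :", resolve_group_members(props, DIRECTORY))
    print("diagnosis   :", diagnose(props, DIRECTORY))
    # Hypothetical variant: point the member attribute at the group-side `member`.
    variant = dict(props, **{"ldap.synchronization.groupMemberAttributeName": "member"})
    print("with member :", resolve_group_members(variant, DIRECTORY))
```

The same check against a live directory is one search on the group entry itself, e.g. `ldapsearch -x -H ldap://freeipa.domain.com:389 -D "<read-access bind DN>" -W -b "cn=groups,cn=accounts,dc=domain,dc=com" "(cn=alfresco-users)" member memberOf`: whatever attribute actually comes back on the group entry is the one groupMemberAttributeName has to name, and its values must be DNs under userSearchBase for the sync to attach users to the group.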
You should try to change the ldap.synchronization.groupQuery in a similar way:
ldap.synchronization.groupQuery=(&(objectclass=groupOfNames)(|(CN=alfresco-users))
Consider that I think that the objectclass, if I'm not wrong, it should be case sensitive.
Hope this helps.