Hello, I have Alfresco 6.2 running through Docker. I want only a few groups from AD to be able to log in.
I created two configuration files. In the first config, all users and groups were loaded and authentication was disabled.
In the second config, authentication is enabled, so people mapped to the groups in personQuery are able to log in.
The problem is that everyone can log in. I also get this error:
org.alfresco.error.AlfrescoRuntimeException: 10240018 Error during LDAP Search. Reason:[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=sp,DC=local'
]
I think I have bad logic here. Can someone please provide me with the correct info to allow login only for a specific group, not for everyone?
First config:
ntlm.authentication.sso.enabled=false
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
ldap.synchronization.active=true
ldap.authentication.active=false
# Credentials
ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port
ldap.synchronization.userEmailAttributeName=mail
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local
ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.personQuery=objectclass\=user
Second config:
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.principal=login
ldap.synchronization.java.naming.security.credentials=password
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.provider.url=ldap://ip:port
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.groupSearchBase=ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,cn\=cp,dc\=kl,dc\=local
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userType=user
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=cn\=GROUP1,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(memberOf=cn\=GROUP2,ou\=DMS_1,ou\=DMS,ou\=Security Groups,ou\=mp,dc\=sp,dc\=local)(userAccountControl:1.2.840.113556.1.4.803:=512))
Why would you need both configs? Did you place your two configs in two independent subsystems? To my understanding, the second one, including the group memberOf filter, should be fine for both (sync & login).
What does your authentication.chain look like?
Please check that you have autoCreatePeopleOnLogin disabled, to prevent users being created from any successful LDAP auth request, ignoring your sync paths:
# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=false
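As an added example (my own code, not from this thread or from Alfresco), the small evaluator below applies the posted personQuery filter to constructed AD-style entries, using the group DNs from the thread: it shows that the two memberOf clauses, being AND-ed, admit only users who are in both groups, and that the bitwise rule with mask 512 also matches a disabled account (514). The EITHER variant is my own assumption of what a per-group filter would look like, not something the thread states.

```python
# Added example, not from the thread: minimal RFC 4515 filter evaluator for personQuery.

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index after it)."""
    if f[i + 1] in "&|!":                       # compound: (&..), (|..), (!..)
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1                # step over the closing ')'
    j = f.index(")", i)                         # simple item: (attr=value)
    attr, val = f[i + 1:j].split("=", 1)
    return ("eq", attr, val), j + 1

def values(entry, attr):
    """Case-insensitive lookup; AD attribute names are not case-sensitive."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])

def matches(node, entry):
    """Evaluate a parsed filter against an entry shaped {attr: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    if ":1.2.840.113556.1.4.803:" in attr:      # AD bitwise-AND matching rule
        bits = int(val)
        return any(int(v) & bits == bits for v in values(entry, attr.split(":")[0]))
    return val.lower() in (v.lower() for v in values(entry, attr))

def admitted(query, entry):
    """Apply a personQuery as written in alfresco-global.properties (\\= unescaped)."""
    node, _ = parse(query.replace("\\=", "="))
    return matches(node, entry)

G1 = "cn=GROUP1,ou=DMS_1,ou=DMS,ou=Security Groups,ou=mp,dc=sp,dc=local"
G2 = "cn=GROUP2,ou=DMS_1,ou=DMS,ou=Security Groups,ou=mp,dc=sp,dc=local"
RULE = "userAccountControl:1.2.840.113556.1.4.803:"
# As posted: memberOf clauses are AND-ed (user must be in BOTH); mask 512 also matches 514.
POSTED = "(&(objectclass\\=user)(memberOf=" + G1 + ")(memberOf=" + G2 + ")(" + RULE + "=512))"
# Assumed alternative: either group, and the ACCOUNTDISABLE bit (2) explicitly excluded.
EITHER = "(&(objectclass\\=user)(|(memberOf=" + G1 + ")(memberOf=" + G2 + "))(!(" + RULE + "=2)))"
# Constructed sample entries, not real directory data.
ONLY_G1 = {"objectClass": ["top", "user"], "memberOf": [G1], "userAccountControl": ["512"]}
BOTH = {"objectClass": ["top", "user"], "memberOf": [G1, G2], "userAccountControl": ["512"]}
DISABLED = {"objectClass": ["top", "user"], "memberOf": [G1, G2], "userAccountControl": ["514"]}
```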