Hello everyone,
I have alfresco community 6.2 with docker already working with Active Directory authentication.
But I'm facing the issue that everybody inside the AD is able to log in to Alfresco, including service accounts, which is not the best situation. I thought I had reduced it to the LDAP path inside the AD for the alfresco OU which I created for this. In this OU there are only two groups configured, which contain the users who need to log in to Alfresco. But this did not work.
My goal is to allow only users who are inside the alfresco group in the AD. Is there any possibility to make this work?
Here is my config:
alfresco.authentication.allowGuestLogin=false
ntlm.authentication.mapUnknownUserToGuest=false
create.missing.people=false

### LDAP authentication ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.tld
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://domain.tld:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator

### LDAP synchronization ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=service_acc@domain.tld
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
# duplicate key: in a Java properties file the last value wins, so this overrides the "false" set above
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
# the inner (&(memberOf=...)(memberOf=...)) only matches users that are members of BOTH groups
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld))(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=alfresco,ou\=USEDOU,ou\=USEDOU,dc\=domain,dc\=tld
ldap.synchronization.userSearchBase=ou\=alfresco,ou\=USEDOU,ou\=USEDOU,dc\=domain,dc\=tld
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# attribute mapping
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
I also tried a change on the person and group query with:
# the inner (|(memberOf=...)(memberOf=...)) matches users that are members of EITHER group
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=alfresco-admin,ou=alfresco,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld)(memberOf=cn\=alfresco-user,ou=USEDOU,ou=USEDOU,ou=USEDOU,dc=domain,dc=tld))(!(modifyTimestamp<\={0})))
Also the same.
I already tried to add the following:
create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
But with this config, no new user is able to log in, because the user will not be created inside Alfresco. So this is also not a real solution to provide new users with access to Alfresco.
So is there any chance to get LDAP authentication for users inside a group to work without allowing anybody to log in?
Many thanks in advance for your help.
Best regards
Unless you expand your person query to cover any (child) group in which a user is a member who should be allowed to log in, it will be impossible to achieve this hard distinction between "being allowed to log in" and "not synchronise every user". What I generally recommend my customers do in this situation is to create a new group in AD specifically to collect all the users who should be allowed to log into Alfresco, and not rely on any (transient) member of (sub-)group shenanigans.
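Added illustration, not code from the thread or from Alfresco: the three person-query variants discussed above, modelled as Python predicates over a constructed set of AD-like entries, so the difference between the posted `(&(memberOf…)(memberOf…))`, the `(|…)` retry, and the single dedicated group the answer recommends is visible. Group DNs, account names and attribute values are made up; the `memberOf` and bit-AND matching-rule semantics are standard AD behaviour.

```python
# Constructed group DNs (placeholders, not the thread's real directory).
USER_GROUP = "CN=alfresco-user,OU=alfresco,DC=domain,DC=tld"
ADMIN_GROUP = "CN=alfresco-admin,OU=alfresco,DC=domain,DC=tld"

NORMAL_ACCOUNT = 0x0200   # userAccountControl bit 512
ACCOUNT_DISABLE = 0x0002  # userAccountControl bit 2

# Constructed sample of what the user search base might return.
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512, "memberOf": [USER_GROUP]},
    {"sAMAccountName": "bob", "userAccountControl": 512, "memberOf": [USER_GROUP, ADMIN_GROUP]},
    {"sAMAccountName": "carol", "userAccountControl": 514, "memberOf": [USER_GROUP]},  # disabled
    {"sAMAccountName": "svc-backup", "userAccountControl": 512, "memberOf": []},       # service acct
]


def bit_and_rule(entry, attr, bits):
    """Matching rule 1.2.840.113556.1.4.803: true when every bit in `bits` is set."""
    return entry[attr] & bits == bits


def member_of(entry, group_dn):
    """memberOf lists DIRECT group membership only (DN comparison is case-insensitive)."""
    return group_dn.lower() in (dn.lower() for dn in entry["memberOf"])


def posted_and_filter(e):
    """The posted query: normal account AND in admin group AND in user group."""
    return (bit_and_rule(e, "userAccountControl", NORMAL_ACCOUNT)
            and member_of(e, ADMIN_GROUP) and member_of(e, USER_GROUP))


def posted_or_filter(e):
    """The retry with (|...): normal account AND in either group."""
    return (bit_and_rule(e, "userAccountControl", NORMAL_ACCOUNT)
            and (member_of(e, ADMIN_GROUP) or member_of(e, USER_GROUP)))


def single_group_filter(e, group_dn=USER_GROUP):
    """One dedicated group, as the answer suggests. Note that ...:803:=512 also
    matches a disabled account (514 = 512 | 2), so disabled accounts are excluded
    explicitly with the equivalent of (!(userAccountControl:1.2.840.113556.1.4.803:=2))."""
    return member_of(e, group_dn) and not bit_and_rule(e, "userAccountControl", ACCOUNT_DISABLE)


def sync_candidates(filter_fn, entries=ENTRIES):
    """Names the sync job would create as Alfresco persons under a given filter."""
    return [e["sAMAccountName"] for e in entries if filter_fn(e)]
```

Run `sync_candidates` with each predicate to see that the posted AND form admits only users in both groups, the OR form also sweeps in the disabled account, and the single-group form admits exactly the intended enabled members.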