Alfresco 5 / LDAP / Can't limit logins to certain group membership.

[Devin Acosta]

I have installed a fresh installation of Alfresco 5.1, even tried 5.2 this morning onto a Linux instance. I then configured Alfresco to talk to an LDAP server and then tried to limit logins into the instance based upon the user being part of a group, however it appears that it doesn't work. I have tested the filter in Apache Directory Studio and it appears to only return users in my group, however Alfresco lets anyone login whether in the group or not. I tried to add the (memberOf) to the personQuery but that filter didn't seem to limit the login in Alfresco even though I believe it should.

I put inside alfresco-global.properties

ldap.authentication.active=true

ldap.authentication.allowGuestLogin=false

ldap.authentication.java.naming.security.authentication=simple

ldap.authentication.userNameFormat=uid=%s,cn=users,cn=accounts,dc=lxi,dc=int

ldap.authentication.java.naming.provider.url=ldap://10.20.20.16:389

ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,admin

ldap.synchronization.java.naming.security.principal=uid=admin,cn=users,cn=accounts,dc=lxi,dc=int

ldap.synchronization.java.naming.security.credentials=password123

ldap.synchronization.groupSearchBase=cn=groups,cn=accounts,dc=lxi,dc=int

ldap.synchronization.userSearchBase=ou=users,cn=accounts,dc=lxi,dc=int

# The query to select all objects that represent the groups to import.

ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

# The query to select objects that represent the groups to import that have changed since a certain time.

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.

ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberOf\=cn\=alfresco-demo,cn\=groups,cn\=accounts,dc\=lxi,dc=\int))

# The query to select objects that represent the users to import that have changed since a certain time.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(memberOf\=cn\=alfresco-demo,cn\=groups,cn\=accounts,dc\=lxi,dc=\int)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.

ldap.synchronization.groupSearchBase=cn\=groups,cn\=accounts,dc\=lxi,dc\=int

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.

ldap.synchronization.userSearchBase=cn\=users,cn\=accounts,dc\=lxi,dc\=int

# The name of the operational attribute recording the last update time for a group or user.

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco

ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco

ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco

ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco

#ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco

ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfrecso

ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP

ldap.synchronization.groupType=groupOfNames

# The person type in LDAP

ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members

ldap.synchronization.groupMemberAttributeName=member

Any help would be appreciated!!

[Igor Blanco]

Take a look at "synchronization.autoCreatePeopleOnLogin": http://docs.alfresco.com/community5.1/concepts/sync-props.html

Is true by default so any non existing user will be created on login. If you set it to false the user won't be able to access unless a synchronizatio process creates the account in Alfresco.

In order to test it you will have to delete the already created user in Alfresco because otherwise I suspect that it will take the already created account and allow access.

Bye and good luck.

--
You received this message because you are subscribed to the Google Groups "Alfresco Technical Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to alfresco-technical-discussion+unsub...@googlegroups.com.
To post to this group, send email to alfresco-technical-discussion@googlegroups.com.
Visit this group at https://groups.google.com/group/alfresco-technical-discussion.
For more options, visit https://groups.google.com/d/optout.

--

Igor Blanco González
Binovo IT Human Project
e-mail: ibl...@binovo.es
Telf. :   943493611
Dirección:
                         Astigarraga Bidea 2
                          Planta 6. - Ofi. 3-2 
                    20180 Oiartzun ( Gipuzkoa )