I have installed the latest version of Alfresco Community Edition, and I have configured it to use multiple LDAP servers. I am successfully able to authenticate into Alfresco if a user exists in either LDAP. However, the problem, and what I am trying to accomplish, is that we need to limit access to Alfresco based on the user being in a particular LDAP group. I can't seem to get the right configuration for this type of functionality to work; it seems like this should be very straightforward. We are using FreeIPA 4.2 for our LDAP server. Right now I am really only concerned with getting the first LDAP server to limit by groups.
In my configuration file: /opt/alfresco-community/tomcat/shared/classes/alfresco-global.properties
# LDAP Enabled Alfresco
authentication.chain=ldap2:ldap,ldap1:ldap,alfinst:alfrescoNtlm
ldap.synchronization.active=true
# Then for LDAP 2 configuration
/opt/alfresco-community/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap2/ldap-authentication.properties
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=uid\=%s,cn\=users,cn\=accounts,dc\=domain,dc\=lan
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.xx:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,admin
ldap.synchronization.java.naming.security.principal=uid\=admin,cn\=users,cn\=accounts,dc\=domain,dc\=lan
ldap.synchronization.java.naming.security.credentials=secure123
ldap.synchronization.groupSearchBase=cn\=alfresco-demo,cn\=groups,cn\=accounts,dc\=domain,dc\=lan
ldap.synchronization.userSearchBase=cn\=users,cn\=accounts,dc\=domain,dc\=lan
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(memberOf\=CN\=alfresco-demo,CN\=groups,CN\=accounts,DC\=domain,DC\=lan))
# FreeIPA user entries carry the inetOrgPerson class (matching personType below); the AD-only 'user' class would match nothing here
ldap.synchronization.personDifferentialQuery=(&(memberof\=CN\=alfresco-demo,CN\=groups,CN\=accounts,DC\=domain,DC\=lan)(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=groupofnames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
The logs of alfresco booting up look like:
2016-12-20 16:06:27,611 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap2]
2016-12-20 16:06:27,744 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap2] complete
2016-12-20 16:06:27,744 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
2016-12-20 16:06:28,803 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete
2016-12-20 16:06:28,803 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Authentication' subsystem, ID: [Authentication, managed, alfinst]
2016-12-20 16:06:29,034 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, alfinst] complete
2016-12-20 16:06:30,429 INFO [repo.tenant.MultiTAdminServiceImpl] [localhost-startStop-1] Alfresco Multi-Tenant startup - 1 enabled tenants, 0 disabled tenants
2016-12-20 16:06:30,430 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'thirdparty' subsystem, ID: [thirdparty, default]
2016-12-20 16:06:30,648 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'thirdparty' subsystem, ID: [thirdparty, default] complete
2016-12-20 16:06:30,648 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'OOoDirect' subsystem, ID: [OOoDirect, default]
2016-12-20 16:06:30,917 WARN [alfresco.util.OpenOfficeConnectionTester] [localhost-startStop-1] An initial OpenOffice connection could not be established.
2016-12-20 16:06:30,919 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'OOoDirect' subsystem, ID: [OOoDirect, default] complete
2016-12-20 16:06:30,935 INFO [repo.admin.ConfigurationChecker] [localhost-startStop-1] The Alfresco root data directory ('dir.root') is: /opt/alfresco-community/alf_data
2016-12-20 16:06:30,935 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Search' subsystem, ID: [Search, managed, solr4]
2016-12-20 16:06:31,286 INFO [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Search' subsystem, ID: [Search, managed, solr4] complete
2016-12-20 16:06:31,325 INFO [admin.patch.PatchExecuter] [localhost-startStop-1] Checking for patches to apply ...
2016-12-20 16:06:32,300 INFO [admin.patch.PatchExecuter] [localhost-startStop-1] No patches were required.
2016-12-20 16:06:32,332 INFO [repo.module.ModuleServiceImpl] [localhost-startStop-1] Found 4 module package(s).
Any help would be appreciated. I'm just down to needing to limit access by a group, and then I'm finished with this project for now :) Please help!!
Devin Acosta
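A small checker for the kind of configuration posted above, added here as an example and not part of the original post or of Alfresco itself. It parses a Java `.properties` fragment the way Alfresco's subsystem loader would (dropping the backslash of `\=` escapes), then validates the four `ldap.synchronization.*Query` filters for balanced parentheses, well-formed filter items and the `{0}` timestamp placeholder. The embedded sample is a constructed copy of the sync lines from the post, with its `personQuery` left as posted; the check reports that filter's unclosed parenthesis. Function names and the `SAMPLE` text are this example's own.

```python
"""Sanity-check LDAP sync filters in an Alfresco ldap-authentication.properties fragment."""
import re

# Constructed sample: the synchronization lines as posted (personQuery kept as-is).
SAMPLE = r"""
ldap.synchronization.groupSearchBase=cn=\alfresco-demo,cn\=groups,cn=\accounts,dc\=domain,dc\=lan
ldap.synchronization.userSearchBase=cn\=users,cn\=accounts,dc\=domain,dc\=lan
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(memberOf\=CN\=alfresco-demo,CN\=groups,CN\=accounts,DC\=domain,DC\=lan)
ldap.synchronization.personDifferentialQuery=(&(memberof\=CN\=alfresco-demo,CN\=groups,CN\=accounts,DC\=domain,DC\=lan)(objectclass\=user)(!(modifyTimestamp<\={0})))
"""

SYNC_QUERY_KEYS = (
    "ldap.synchronization.groupQuery",
    "ldap.synchronization.groupDifferentialQuery",
    "ldap.synchronization.personQuery",
    "ldap.synchronization.personDifferentialQuery",
)


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value, backslash escapes in values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # The key ends at the first unescaped '=', ':' or whitespace.
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        # Java drops the backslash of an unknown escape, so '\=' -> '=' and '\a' -> 'a'.
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


def check_filter(f):
    """Return a list of problems in an RFC 4515 search filter (empty list means it looks valid)."""
    problems = []
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                problems.append("unexpected ')' at offset %d" % i)
            else:
                depth -= 1
    if depth:
        problems.append("%d unclosed '('" % depth)
    if not (f.startswith("(") and f.endswith(")")):
        problems.append("filter is not enclosed in parentheses")
    # Every simple item must be attr<op>value with op in =, >=, <=, ~= (and/or/not nodes are skipped).
    for item in re.findall(r"\(([^()&|!][^()]*)\)", f):
        if not re.match(r"^[A-Za-z0-9.;-]+(?::[A-Za-z0-9.:]+)?(?:=|>=|<=|~=)", item):
            problems.append("malformed filter item '(%s)'" % item)
    return problems


def check_sync_config(props):
    """Run check_filter over the Alfresco sync queries; returns {property: [problems]}."""
    report = {}
    for key in SYNC_QUERY_KEYS:
        f = props.get(key)
        if f is None:
            report[key] = ["missing"]
            continue
        probs = check_filter(f)
        # Differential queries are templated with the last sync timestamp at {0}.
        if key.endswith("DifferentialQuery") and "{0}" not in f:
            probs.append("differential query lacks the {0} timestamp placeholder")
        report[key] = probs
    return report


if __name__ == "__main__":
    for key, probs in check_sync_config(parse_properties(SAMPLE)).items():
        print(key, "OK" if not probs else "; ".join(probs))
```

Run it against your own file by replacing `SAMPLE` with `open(path).read()`; a filter that fails here is silently rejected by the LDAP server, so the sync imports nobody and the group restriction never takes effect.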