MNT-18209

AD ldap.authentication.active-directory.* configuration properties cause auth failure

    Details

    • Bug Priority: Category 2
    • ACT Numbers: 00565824
    • Sprint: Sprint1, Docs Sprint 18, Sprint2, Sprint3, Sprint 24 Apr - 28 Apr, Sprint 1 May - 5 May, Sprint 8 May - 12 May
    • Work Funnel End: 2017-03

      Description

      Summary

      The documentation indicates you need to use additional parameters for AD authentication.

      ...need to be set:
      ldap.authentication.active-directory.enabled=true
      ldap.authentication.active-directory.domain=alfresco.com
      
      The first property enables Active Directory support. The second one is the domain that needs to be added to the user ID (i.e. userId@domain) to sign in using Active Directory.
      
      In case the domain does not match the rootDn, it is possible to set it explicitly:
      
      ldap.authentication.active-directory.rootDn=DC=somethingElse,DC=com
      
      Also, the filter that is used (which defaults to a userPrincipalName comparison) can be changed:
      
      ldap.authentication.active-directory.searchFilter=(&(objectClass=user)(userPrincipalName={0}))
      

      I could never figure out how to get any of these properties to work; instead I stripped it down to basics and removed all active-directory properties, and it works. It was never the synchronization that was at issue, but authentication did not work otherwise.

      Can we clear this up in the documentation, or make sure it is properly vetted whether those parameters are needed, and for which scenarios in enterprise AD environments?

      I could only get a generic vanilla AD with all users defined under "CN=Users,DC=mydomain,DC=foo" to work. If users were defined elsewhere, it failed to authenticate them and in some cases to synchronize them in.

      Steps to Replicate

      • Install AD 2012
      • Create a domain, e.g. jps-ad.foo
      • Create users under the default "CN=Users,DC=jps-ad,DC=foo",
        e.g. sn=JailBird, givenName=Inmate1, sAMAccountName=inmate1, userPrincipalName=inmate1.jailbird@jps-ad.foo
      • Create a group under the default container, "CN=ActUsers,CN=Users,DC=jps-ad,DC=foo" (and also "CN=ActAdmin,CN=Users,DC=jps-ad,DC=foo")
      • Add users as members of the ActUsers and ActAdmin groups (note: I created inmate1-20; inmate1 and inmate2 are admins)
      • Configure the AD properties to synchronize in users and administrators

      For the login to be the sAMAccountName, I set:

      • ldap.synchronization.userIdAttributeName=sAMAccountName

      See the config here:

      # --------------------------
      # LDAP AUTHENTICATION CONFIG
      # --------------------------
      ldap.authentication.enabled=true
      ldap.authentication.casesensitive=false
      
      # ----------------------------
      # LDAP SYNCHRONIZATION CONFIG
      # ----------------------------
      ldap.synchronization.full.enabled=true
      ldap.synchronization.full.cronExpression=0 0 0 * * ?
      ldap.synchronization.differential.enabled=true
      ldap.synchronization.differential.cronExpression=0 0 */4 * * ?
      
      # ----------------------
      # LDAP CONNECTION CONFIG
      # ----------------------
      ldap.authentication.java.naming.provider.url=ldap://172.16.190.173:389
      ldap.synchronization.java.naming.security.principal=CN=AlfAdmin,CN=Users,DC=jps-ad,DC=foo
      ldap.synchronization.java.naming.security.credentials=p@ssw0rd
      ldap.synchronization.java.naming.security.authentication=simple
      ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      
      # -----------
      # USER CONFIG
      # -----------
      
      ldap.synchronization.userSearchBase=DC=jps-ad,DC=foo
      #or use ldap.synchronization.userSearchBase=CN=Users,DC=jps-ad,DC=foo
      
      # The query to select all objects that represent the users to import.
      ldap.synchronization.personQuery=(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=ActAdmin,CN=Users,DC=jps-ad,DC=foo)(memberOf=CN=ActUsers,CN=Users,DC=jps-ad,DC=foo)))
      
      # The query to select objects that represent the users to import that have changed since a certain time.
      ldap.synchronization.personDifferentialQuery=(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=ActAdmin,CN=Users,DC=jps-ad,DC=foo)(memberOf=CN=ActUsers,CN=Users,DC=jps-ad,DC=foo))(whenChanged<={0}))
      
      ldap.synchronization.userIdAttributeName=sAMAccountName
      ldap.synchronization.userFirstNameAttributeName=givenName
      ldap.synchronization.userLastNameAttributeName=sn
      ldap.synchronization.userEmailAttributeName=mail
      ldap.synchronization.userType=user
      
      # Set the dn of the people that need to be admin
      ldap.synchronization.tenantAdminDn=CN=Inmate1 JailBird,CN=Users,DC=jps-ad,DC=foo;CN=Inmate2 JailBird,CN=Users,DC=jps-ad,DC=foo;CN=Inmate3 JailBird,OU=Alfresco Users,OU=Alfresco Foo,DC=jps-ad,DC=foo
      
      # ------------
      # GROUP CONFIG
      # ------------
      ldap.synchronization.groupSearchBase=DC=jps-ad,DC=foo
      ldap.synchronization.groupQuery=(&(objectClass=group)(|(CN=ActUsers)(CN=ActAdmin)))
      ldap.synchronization.groupDifferentialQuery=(&(objectClass=group)(|(CN=ActUsers)(CN=ActAdmin))(!(whenChanged<={0})))
      ldap.synchronization.groupIdAttributeName=cn
      ldap.synchronization.groupMemberAttributeName=member
      ldap.synchronization.groupType=group
      
      # ------------------------
      # GENERIC ATTRIBUTE CONFIG
      # ------------------------
      ldap.synchronization.distinguishedNameAttributeName=dn
      ldap.synchronization.modifyTimestampAttributeName=whenChanged
      ldap.synchronization.createTimestampAttributeName=whenCreated
      ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
      ldap.synchronization.timestampFormat.locale.language=en
      ldap.synchronization.timestampFormat.locale.country=US
      ldap.synchronization.timestampFormat.timezone=GMT
      
      

      If users were created anywhere else in the domain besides "CN=Users", it would never authenticate. This can be problematic, as enterprise AD will not always have all the users created under "CN=Users,DC=...,DC=..."; they may exist elsewhere in the domain.

      Regardless, if the requirement is to have all users created under the "Users" CN, then we need to explicitly indicate so. Also, I am not sure what the active-directory properties do, if anything. If I set them it broke, even if I set only these 'needed' properties:

      • ldap.authentication.active-directory.enabled=true
      • ldap.authentication.active-directory.domain=alfresco.com
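      The filters quoted in this report can be dry-run offline before they reach a directory. The following is an added example, not code from the issue or from Alfresco: a small evaluator for the RFC 4515 filter subset these properties use (and, or, not, equality, the <= and >= ordering matches, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803), applied to sample entries constructed from the "Steps to Replicate" above. The {0} placeholder is filled by a plain replace with RFC 4515 escaping of the bound value; that binding is an assumption of this example, not Alfresco's actual mechanism, and the escaping is what keeps a login value such as a)(cn=* from changing the filter's structure. Against the constructed entries, the personQuery selects the enabled group members regardless of container (the user under the OU is included), the personDifferentialQuery as written selects entries whose whenChanged is at or before the bound timestamp, and the documentation's default searchFilter bound to inmate1@jps-ad.foo does not match an entry whose userPrincipalName is inmate1.jailbird@jps-ad.foo.

```python
"""Dry-run evaluator for the LDAP filters quoted in this issue (added example, not Alfresco code):
and/or/not, equality, <= / >= ordering, the AD bitwise-AND rule (attr:1.2.840.113556.1.4.803:=N)
and {0} placeholders, which is the RFC 4515 subset the properties above use."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
_ITEM = re.compile(r"([A-Za-z][\w\-]*)(?::([\d.]+):)?(<=|>=|=)(.*)")  # attr[:rule:]comparator value

PERSON_QUERY = ("(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf=CN=ActAdmin,CN=Users,"
                "DC=jps-ad,DC=foo)(memberOf=CN=ActUsers,CN=Users,DC=jps-ad,DC=foo)))")
PERSON_DIFF_QUERY = PERSON_QUERY[:-1] + "(whenChanged<={0}))"  # exactly as on the page, no negation
AD_SEARCH_FILTER = "(&(objectClass=user)(userPrincipalName={0}))"  # filters copied from the issue

def _user(cn, container, sam, uac, groups, changed):
    """Constructed AD user entry modelled on the 'Steps to Replicate' (sample data, not real)."""
    return {"dn": f"CN={cn},{container},DC=jps-ad,DC=foo",
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": sam, "userPrincipalName": f"{sam}.jailbird@jps-ad.foo",
            "userAccountControl": str(uac),  # 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE
            "memberOf": [f"CN={g},CN=Users,DC=jps-ad,DC=foo" for g in groups], "whenChanged": changed}
AD_ENTRIES = [
    _user("Inmate1 JailBird", "CN=Users", "inmate1", 512, ["ActUsers", "ActAdmin"], "20170301120000.0Z"),
    _user("Inmate2 JailBird", "CN=Users", "inmate2", 514, ["ActUsers", "ActAdmin"], "20170302120000.0Z"),
    _user("Inmate3 JailBird", "OU=Alfresco Users,OU=Alfresco Foo", "inmate3", 512, ["ActUsers"],
          "20170401090000.0Z"),
]

def _escape(value):
    """RFC 4515 escaping, so a bound value cannot alter the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def bind(filter_text, *args):
    """Fill {0}, {1}, ... with escaped values (assumed binding, not Alfresco's own)."""
    for i, arg in enumerate(args):
        filter_text = filter_text.replace("{%d}" % i, _escape(arg))
    return filter_text

def _expect(text, pos, ch):
    if text[pos:pos + 1] != ch:
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 1

def _parse(text, pos):
    pos = _expect(text, pos, "(")
    op = text[pos:pos + 1]
    if op in ("&", "|"):
        pos, children = pos + 1, []
        while text[pos:pos + 1] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), _expect(text, pos, ")")
    if op == "!":
        child, pos = _parse(text, pos + 1)
        return ("!", child), _expect(text, pos, ")")
    end = text.index(")", pos)  # bound values are escaped, so ')' always ends the item
    m = _ITEM.fullmatch(text[pos:end])
    if not m:
        raise ValueError(f"unsupported filter item {text[pos:end]!r}")
    attr, rule, comparator, value = m.groups()
    value = re.sub(r"\\([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), value)  # undo _escape
    return ("item", attr, rule, comparator, value), end + 1

def parse_filter(text):
    """Tree of ('&'|'|', [children]), ('!', child) or ('item', attr, rule, comparator, value)."""
    tree, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("unbalanced filter")
    return tree

def _values(entry, attr):
    """Case-insensitive attribute lookup, as in LDAP; always returns a list."""
    return next((v if isinstance(v, list) else [v]
                 for k, v in entry.items() if k.lower() == attr.lower()), [])

def evaluate(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, comparator, value = node
    values = _values(entry, attr)
    if rule == BIT_AND_RULE:  # true when every bit of the mask is set in the attribute value
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    if comparator == "=":  # caseIgnore equality, as AD matches its string and DN attributes
        return any(v.lower() == value.lower() for v in values)
    # Ordering compares as strings, correct for fixed-width generalizedTime such as whenChanged.
    return any(v <= value if comparator == "<=" else v >= value for v in values)

def select_persons(entries, filter_text=PERSON_QUERY):
    """sAMAccountName of every entry the (already bound) filter selects."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if evaluate(tree, e)]

def ad_login_matches(entry, user_id, domain, filter_text=AD_SEARCH_FILTER):
    """Does the active-directory searchFilter, bound to userId@domain, select this entry?"""
    return evaluate(parse_filter(bind(filter_text, f"{user_id}@{domain}")), entry)
```

      select_persons and ad_login_matches return plain Python values, so the same calls can sit in a unit test that runs whenever the properties file changes. Only the bitwise-AND extensible rule is implemented; any other matching rule raises rather than silently degrading to an equality match.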

              People

              • Assignee: closedissues Closed Issues
              • Reporter: jsoria Jennie Soria