Type: Service Pack Request
Status: Closed (View Workflow)
Resolution: Cannot Reproduce
Affects Version/s: Alfresco Activiti 1.3.3
Fix Version/s: None
Sprint:Sprint1, Docs Sprint 18, Sprint2, Sprint3, Sprint 24 Apr - 28 Apr, Sprint 1 May - 5 May, Sprint 8 May - 12 May
Work Funnel End:2017-03
The documentation indicates you need to use additional parameters for AD authentication.
I could never figure out how to get any of these properties to work, instead I stripped it down to basics and removed all activiti-directory properties and it works. It was never the synchronization that was of issue but authentication did not work otherwise.
Can we clear up this in the documentation or make sure it is properly vetted if those parameters are needed and for what case scenarios in enterprise AD environments?
I could only get a generic vanilla AD with users all defined under "CN=Users, DC=mydomain, DC=foo" to work. If users were else were defined it failed to authenticate them and in some case synchronize them in.
Steps to Replicate
- Install AD 2012
- create domain ex. jps-ad.foo
- create users under the default "CN=Users,DC=jps-ad,DC=foo"
- create group under the default "CN=ActUsers,CN=Users,DC=jps-ad,DC=foo" (also a "CN=ActAdmin, CN=Users,DC=jps-ad,DC=foo")
- add users as members to ActUsers and ActAdmin groups (note i created inmates1-20 inmate1,inmate2 are admins)
- configuration AD properties to synchronize in users and administrator
For the login to be the sAMAccountName, I set the:
see config here:
If Users were anywhere created elsewhere in the domain besides the "CN=Users" it would never authenticate. This can be problematic as enterprise AD will not always have all the users created under "CN=Users, DC=...,DC=..." they may exists else where in the domain.
Regardless if the requisite is to have all users created under "Users" cn then we need to explicitly indicate so. Also not sure what the active-directory properties do if anything? if I set them it broke, even if I just set these 'needed' properties: