Alfresco : ldap sync after user login authentication - alfresco

After referring to so many forums, I am able to authenticate and sync Active Directory users to Alfresco. The problem is we have more than 25,000 users and right now we are planning to open Alfresco only for selected users. Whenever someone searches for people they will find all 25,000 users, who are not even using Alfresco. My IT team is not willing to create a separate group for these selected members. Is it possible to sync only users who are logged in?
I am using the Alfresco 4.2e binary installation on Windows 7 64-bit.

The easiest way would be to restrict the users to sync via an LDAP query.
You could find this link useful.

This scenario should do it:
enable LDAP authentication
configure the authentication chain to include Alfresco and LDAP. This will ensure that it tries to authenticate against both systems, e.g.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
disable sync
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=false
If you start Alfresco for the very first time there is no user in Alfresco. Depending on your strategy for controlling user creation you could either:
create users manually
If you're running on Linux the easiest way would be to use the alfresco-shell-tools; otherwise you could use the CSV import feature in the user admin. The trick is to use the same username so Alfresco will try to authenticate against both systems before it fails.
create users on first login
Another way is to enable implicit user creation on first login. This isn't my recommendation since you will get trouble later because the user has no email address configured / no user info is synced. (This way is not tested - if this doesn't work you may define a sync query which doesn't return users, to enable sync.)
synchronization.autoCreatePeopleOnLogin=true
You will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync.

You also need to add/change these lines in ldap-authentication.properties:
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.synchronization.autoCreatePeopleOnLogin=false
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
and add to alfresco-global.properties:
create.missing.people=false

Related

Alfresco - How to make admin unable to delete user from Active Directory

Is there a way to make admin unable to delete users from Active Directory? I need to disable this feature somehow in the global properties or elsewhere. I want admin only to create users, edit them and disable them, but not delete them. The version of Alfresco is Community 5.2. Thanks in advance.
I guess you mean the other way around:
Is there a way to prevent admin from deleting users which have been created by ldap sync?
or do you mean:
Is there a way to revoke permission to delete any user?
Do you understand the difference between a user which has been created by ldap sync and a user manually created in the Alfresco admin UI?
There is no (easy and supported) way I know of to restrict the permissions of admin or of a member of the group ALFRESCO_ADMINISTRATORS. ROLE_ADMINISTRATOR always has every permission.
There may be a way to achieve what you expect in a customization module implementing a new behaviour which disallows user deletion in a specific zone, or by creating your own permissionGroups/permissions in customPermissionDefinitions and setting the newly introduced permissions on the user zones for specific groups, but that kind of customization would be hard to maintain on later updates/upgrades.
EDIT:
What is your use case for allowing (end) users to create new users inside Alfresco although you have a user directory (AD) in place?
If your aim is to support external users managed by specific internal user groups, you may add another directory like Samba4 in which your internal users may get permissions to create/delete users (that's what we actually do from/through our CRM system), or if you prefer integrations with OAuth2 providers such as Google, Facebook or GitHub you may take a look at the Spring Cloud Gateway for the Alfresco platform project.

How to restrict users from deleting entities in LDAP

I am new to working on OpenLDAP.
We have an application that restricts users from deleting entities from LDAP.
But if the user connects using the Python ldap module from the console then there is no way of restricting this.
Is it possible to restrict the users from executing "ldapdelete" directly?
We are using a common username (manager account) and password for all the users to connect to LDAP. It is not possible to maintain different user accounts as there are 30000+ users and it is not possible to create separate accounts for all of them.
Please let me know how to go about this situation.
Thanks in advance.
Yes, it's possible. You need to write an access control rule in the OpenLDAP configuration that, for example, restricts deletion to admins. Building this sort of thing into an application is a waste of time while other applications and command lines exist. It must be configured at the server.
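The kind of server-side rule the answer above refers to, written out as an added example (this is not configuration from the thread): a cn=config LDIF for slapd in which only a delegated admin group can add or delete entries under ou=people, while the application's bind DN can still modify attributes. The database DN, suffix, group DN and account DNs are assumptions; adjust them to the directory in question.

```ldif
# Added example: slapd ACL that reserves entry deletion for an admin group.
# All DNs below are assumptions for illustration.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: passwords are never readable; the owner may change them,
# anonymous binds may only use them to authenticate.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule 1: in OpenLDAP, "delete" (and "add") need write access to the
# "entry" pseudo-attribute of the entry and "children" of its parent.
# Only the admin group gets that; the application account and users
# get read, so ldapdelete from any client fails with "Insufficient access".
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com" attrs=entry,children
  by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
  by dn.exact="cn=appuser,ou=services,dc=example,dc=com" read
  by users read
  by * none
# Rule 2: ordinary attributes under ou=people are writable by the admin
# group, the application account and the entry's owner. Because rule 1
# withholds write on "entry"/"children", this does not allow deletion.
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com"
  by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
  by dn.exact="cn=appuser,ou=services,dc=example,dc=com" write
  by self write
  by users read
  by * none
# Rule 3: everything else is readable by authenticated binds only.
olcAccess: {3}to *
  by users read
  by * none
```

Two caveats matter for the situation in the question. First, `replace: olcAccess` discards the existing rules for that database, so merge rather than paste. Second, ACLs are evaluated against the bind DN, and the database's rootdn (olcRootDN) bypasses them entirely: if the shared "manager" account is the rootdn, no ACL will ever stop it, and if every person binds with the same non-root DN the server cannot tell them apart either. The application should bind as its own DN (cn=appuser above) and individual people, or at least an admin group, need their own credentials for the rule to have any effect. After loading the LDIF (for example with `ldapmodify -Y EXTERNAL -H ldapi:///` on the server), confirm the policy by attempting an `ldapdelete` as the application DN and checking that the server rejects it.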

How to import a set of users into CQ/AEM without asking them to login for the first time into CQ

I have a requirement where users (with company username and password) should be available in CQ. We have configured LDAP to authenticate the user on the CQ instance based on his company username and password. But currently, by default, that user is not present in the list of users we see in CQ. Only after he logs in to the CQ instance for the first time is his user profile added to the list of users. Is there a way to create/import the whole list of users that we have in the company into CQ without asking them to log in? Basically, I should be able to see the whole list of users that we have in the company without asking them to log in to the CQ instance. Which means we should be able to import them.
Or is the scenario above invalid, since users are being added as and when they log in to the CQ instance? I am a bit unclear about this scenario, so any help is appreciated.
CQ provides different ways to achieve this:
Manual synchronization of users using the Felix console.
Using curl.
Creating a JMX client that uses the LDAP MBean.
I am putting down the first way to achieve this; you may refer to the link for the detailed answer:
Manual synchronization of users using the Felix console.
Open the Felix JMX console and log in as admin at http://:/system/console/jmx
Click on the domain com.adobe.granite.ldap and it displays the list of attributes and operations that can be performed.
Click on an operation and a small window pops up to supply parameters (if required). E.g. for the syncUser operation, supply the DN of the single user (cn=user001,ou=users,dc=day,dc=com) to be synchronized.
Click Invoke to transfer the appropriate details from the LDAP directory server to CRX.

facebook SDK roles management

Is there a way to get the list of currently listed developers on a Facebook Connect application? I want to use this to validate whether a user is authorized to submit new content and create events through the Connect website, or do I need to couple this with a forms authorization account to handle permissions?
Or is there a better way overall to handle this?
To check if a user is a developer of some specific app you can run this FQL:
select application_id from developer where developer_id=me() and application_id=<APP_ID>
To check if a user has granted your app some specific permission you can use this FQL (not sure if this would be helpful in your case though):
select uid from permissions where uid=me() and <PERMISSION_NAME>=1
where <PERMISSION_NAME> is one of these.

asp.net membership users with passwords and those without

I am trying to find a way to handle two types of users for an intranet system. There are users who log in and there are those who do not. I need to store both types of users in the membership DB. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the OS name along with a few other attributes from AD in our membership DB. The OS name gets captured using Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked. In addition to those users, there are users who actually log into the system. I was hoping to store both types of users in the membership DB, so that when an event is retrieved, the user details will get retrieved from the membership DB as well.
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then wants more access, he can log on to the site with a special username/password.
A membership DB would typically restrict access to a set of users for a particular application on an intranet site. Only those who are in Active Directory as network users would even see the intranet in the first place. And only the subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)