I've got an Alfresco install setup (on Windows) to use the LDAP-AD authentication model. When users login with just their username, it properly creates the account and allows access. However, if they login by e-mail address it logs them into a "broken" account. None of their stuff is accessible and it doesn't even show as a real account.
I'd be OK with either the e-mail address login redirecting to the plain username login, or with completely denying e-mail address logins.
It appears that if we never had to add any more users that I could do a synchronization.autoCreatePeopleOnLogin = false in the configuration to prevent these e-mail partial accounts. However, our environment has new people needing to auto-add on frequent intervals (enough so that tweaking the configs and resetting the service each time would get old real fast) and the LDAP-AD configuration requires auto creation (manual account creation options are grayed out).
Other ideas?
edit – adding config since it sounds like something I did caused this rather than lacking something…
### Active Directory Integration ###
authentication.chain=passthru1:passthru,ldap1:ldap-ad
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=domain.com
passthru.authentication.domain=DOMAIN
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=specialadminaccount
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://domain.com:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal= DOMAIN\\specialadminaccount
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=domain,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=domain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss’.0Z’
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=false
Best Answer
Also look at the post at https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/configuration/ldap-authentication-ad-email#comment-155600 to see whats is going on.
The issue is alfresco does a dn look up and it does not search for an object and then try to login with password.
In that kind of scenario you have to be extra careful how your dn looks in ldap.
Please look at the screenshot to see that even though all the other attributes are same the identification of dn has made a difference and I could only login via hello@liferay.com but other login did not work.
the properties changes are as below