topic Re: Use Alfresco to Manage users, AD for Authentication in Alfresco Archive

Use Alfresco to Manage users, AD for Authentication

hsturner — Thu, 22 Sep 2016 15:08:27 GMT

We are currently using Activity Directory to synchronize and authenticate users to Alfresco. We keep having random synchronization issues when adding new users, sometimes takes up to 2 weeks for them to show up, but others added afterwards show up on our 20 minute synch schedule as expected. New gro

Re: Use Alfresco to Manage users, AD for Authentication

afaust — Mon, 26 Sep 2016 14:33:28 GMT

Yes, you can authenticate against Active Directory but manage the users locally in Alfresco. The only relevant constraint is on the user name which must obviously be identical.

Re: Use Alfresco to Manage users, AD for Authentication

hsturner — Mon, 26 Sep 2016 14:45:57 GMT

How do I setup this up? Do I just need to turn off synchronization in the ldap-ad-authentication.properties files? Do I need to set up Kerberos?

Re: Use Alfresco to Manage users, AD for Authentication

afaust — Mon, 26 Sep 2016 14:51:45 GMT

You just disable synchronization and make sure you have alfrescoNtlm in your authentication chain after LDAP-AD. alfrescoNtlm is needed to allow you to create local users and the order in the chain guarantees that LDAP-AD has a chance to authenticate a user first before a locally stored (dummy) password is checked. Unfortunately you must assigne a password to locally created users even in your case.

Re: Use Alfresco to Manage users, AD for Authentication

hsturner — Mon, 26 Sep 2016 15:02:03 GMT

Thanks Alex,

That helps a lot.

A couple of related question.

1. Does the password for the local alfresco user have to be the same as the password that is in AD or can I use a generic password?

I am guessing that if for some reason the AD server is down, that alfresco with authenticate the user using the password in local profile. I know this is a security issue and I will make our corporate security team aware of that so they can decide if we are going to use this authentication model.

2. Do you know if we keep the same user names for the users for the local profile that is in the ad profile that they will retain ownership of their current documents, or do I have to figure out some script to change owners of the documents to their local profile?

Re: Use Alfresco to Manage users, AD for Authentication

afaust — Mon, 26 Sep 2016 15:07:29 GMT

1) Correct, if AD is down Alfresco will fall back to the local password. If it is not the same then login will oviously fail - also, if the user enters the incorrect AD password then Alfresco can still authenticate. So by setting a different password you effectively have two "valid" ones.

2) As long as user names stay the same they will retain ownership and permissions. Even if you temporarily delete users and re-create them with identical names will this be the case, as deleting ownership and permissions would be such an expensive operation that deleting a user could take hours or days on larger systems - so it isn't actually done at all until a user operation starts to edit those.

Re: Use Alfresco to Manage users, AD for Authentication

pratu9 — Fri, 06 Oct 2017 07:15:36 GMT

Hello Axel,

I am facing issue with user synchronization. Before we created users in the AD and added to Alfresco group for login. But now we are facing issue related to user login. If we create a new user on the AD it will not able to log in on Alfresco. We want to create users locally on Alfresco but new user option in Admin console is disabled. Could you please help with this?

Thanks,

Pratiksha

Re: Use Alfresco to Manage users, AD for Authentication

afaust — Fri, 06 Oct 2017 17:40:16 GMT

As long as you have alfrescoNtlm enabled in the authentication chain, you should be able to create any user as a local user. That button is only grayed out if alfrescoNtlm is not enabled.