Allow CIFS access to synced users only
01-29-2014 08:12 AM
Hello:
I have configured Alfresco authentication using Kerberos and LDAP-AD as chained subsystems. Kerberos is used to authenticate HTTP and CIFS access, and LDAP-AD to sync user data (retrieved from AD).
I have disabled SSO too, so if you try to log in (Share) using an unsynced user, it is not recognized and can't be authenticated. That is just what I want (only users who belong to a specific group in AD are allowed to log in).
But despite this config, I can access Alfresco CIFS from that user's workstation. I only have to use this UNC:
\\alfresco-server\alfresco
to view its contents (username and password are not required). I can do nothing because access is very restricted (like guest), but after that, and here is the problem, I can log in to Share using his username and password. Even his user home is automatically created in Alfresco. Remember: this user exists in AD but he hasn't been synced yet (he is outside the group mentioned before).
So my question is: is it possible to restrict Alfresco CIFS access to AD-synced users only? I would like to avoid automatic user creation.
I have tried to get it by editing the file:
default-synchronization.properties
And changing these options:
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
More information here.
But it seems it is not effective with CIFS authentication.
Thanks.
01-29-2014 08:33 AM
Directory sync is a separate process from authentication. Therefore syncing user properties has no effect upon who can or can't log in.
There may be authentication settings you can use. So the first thing to look at and understand is your authentication chain, and any other authentication settings.
I suspect you may want to turn off authentication via ldap-ad.
01-29-2014 09:47 AM
Ok, thanks. I really suspected that. But I'm still looking for an option to avoid what I said.
The configured authentication chain is:
authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad
And the relevant options are:
ldap.authentication.active=false
ldap.synchronization.active=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.sso.enabled=false
These options are set in files under the extension directory.
I think the rest of the settings (domain, realm, users synced and so on) are working fine. I can log in and sync user data from AD without problems.
If I understand you correctly, these options:
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
are only important if you use LDAP-AD to authenticate and not only to synchronize.
But then all domain users (synced and not synced) could log in to Share, and that's not what I get now. If I try to log in directly with an unsynced user, it is rejected. Anyhow, I will test it more thoroughly to check whether I'm wrong.
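As an added example (not code from the thread or from Alfresco), the Python below takes the chain and properties exactly as posted in this thread and reports which chain members authenticate, which of them authenticate CIFS, whether SSO is enabled, and whether the synchronization properties would auto-create a person for an unknown user. The KEY_PREFIX entries other than kerberos and ldap, and the rule that a subsystem without an `.authentication.active` key authenticates whenever it is in the chain, are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample mirroring the thread's settings (files under extension/).
CHAIN = "kerberos1:kerberos,ldap-ad1:ldap-ad"
SUBSYSTEM_PROPS = {
    "kerberos1": {"kerberos.authentication.authenticateCIFS": "true",
                  "kerberos.authentication.sso.enabled": "false"},
    "ldap-ad1": {"ldap.authentication.active": "false",
                 "ldap.synchronization.active": "true"},
}
SYNC_PROPS = {"synchronization.syncWhenMissingPeopleLogIn": "false",
              "synchronization.autoCreatePeopleOnLogin": "false"}
# Property-key prefix per subsystem type: kerberos and ldap-ad come from the thread, the rest are assumed.
KEY_PREFIX = {"kerberos": "kerberos", "ldap-ad": "ldap", "ldap": "ldap", "alfrescoNtlm": "alfresco"}

def parse_chain(chain: str) -> List[Tuple[str, str]]:
    """'id:type,id:type' -> [(id, type), ...] in chain order; rejects malformed entries."""
    out = []
    for entry in chain.split(","):
        entry = entry.strip()
        if not entry:
            continue
        inst, sep, typ = entry.partition(":")
        if not sep or not typ.strip():
            raise ValueError(f"malformed chain entry: {entry!r}")
        out.append((inst.strip(), typ.strip()))
    return out

def is_true(props: Dict[str, str], key: str, default: str = "false") -> bool:
    return props.get(key, default).strip().lower() == "true"

def audit(chain: str, subsystem_props: Dict[str, Dict[str, str]], sync_props: Dict[str, str]) -> Dict[str, object]:
    """Summarise who authenticates (HTTP/CIFS/SSO) and whether unknown users get auto-created."""
    report: Dict[str, object] = {"authenticators": [], "cifs": [], "sso": []}
    for inst, typ in parse_chain(chain):
        props = subsystem_props.get(inst, {})
        p = KEY_PREFIX.get(typ, typ)
        # Assumption: no '<prefix>.authentication.active' key (e.g. kerberos) means the member authenticates.
        if is_true(props, f"{p}.authentication.active", "true"):
            report["authenticators"].append(inst)
        if is_true(props, f"{p}.authentication.authenticateCIFS"):
            report["cifs"].append(inst)
        if is_true(props, f"{p}.authentication.sso.enabled"):
            report["sso"].append(inst)
    report["auto_create"] = is_true(sync_props, "synchronization.autoCreatePeopleOnLogin")
    report["sync_on_unknown"] = is_true(sync_props, "synchronization.syncWhenMissingPeopleLogIn")
    return report

if __name__ == "__main__":
    print(audit(CHAIN, SUBSYSTEM_PROPS, SYNC_PROPS))
```

For the thread's settings the report shows kerberos1 as the only authenticating member and the only CIFS authenticator, which is why the ldap-ad authentication flags have no bearing on CIFS logins here.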
