Allow CIFS access to synced users only

davidyg
Champ in-the-making
Hello:

I have configured Alfresco authentication using Kerberos and LDAP-AD as chained subsystems. Kerberos is used to authenticate HTTP and CIFS access, and LDAP-AD to sync user data (retrieved from AD).

I have disabled SSO too, so if you try to log in (Share) using a non-synced user, it is not recognized and can't be authenticated. That is just what I want (only users who belong to a specific group in AD are allowed to log in).

But despite this config, I can access Alfresco CIFS from that user's workstation. I only have to use this UNC path:

\\alfresco-server\alfresco

to view its contents (username and password are not required). I can do nothing because access is very restricted (like guest), but after that, and here is the problem, I can log in to Share using his username and password. Even his user home is automatically created in Alfresco. Remember: this user exists in AD but he hasn't been synced yet (he is outside the group mentioned before).

So my question is: is it possible to restrict Alfresco CIFS access to AD-synced users only? I would like to avoid automatic user creation.

I have tried to achieve this by editing the file:

default-synchronization.properties

And changing these options:

synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false

More information here.

But it seems it is not effective with CIFS authentication.

Thanks.

mrogers
Star Contributor
Directory sync is a separate process from authentication. Therefore syncing user properties has no effect upon who can or can't log in.

There may be authentication settings you can use. So the first thing to look at and understand is your authentication chain, and any other authentication settings.

I suspect you may want to turn off authentication via ldap-ad.

davidyg
Champ in-the-making
Ok, thanks. I really suspected that. But I'm still looking for an option to avoid what I said.

Configured authentication chain is:

authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad

And the relevant options are:

ldap.authentication.active=false
ldap.synchronization.active=true

kerberos.authentication.authenticateCIFS=true
kerberos.authentication.sso.enabled=false

These options are set in files under the extension directory.

I think the rest of the settings (domain, realm, users synced and so on) are working fine. I can log in and sync user data from AD without problems.

If I understand you correctly, these options:

synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false

are only important if you use LDAP-AD to authenticate and not only to synchronize.

But then all domain users (synced and not synced) could log in to Share. And that's not what I get now. If I try to log in directly with a non-synced user, it is rejected. Anyhow, I will test it more thoroughly to check if I'm wrong.
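The thread leaves two things unverified: which chain member is actually answering CIFS logins under the posted settings, and whether the unprompted UNC connection is really anonymous. A Windows SMB client silently negotiates Kerberos (or NTLM) with the logged-on user's domain credentials, so "no username and password required" does not mean the session is unauthenticated; a deliberately anonymous probe from another host is the only way to tell. The script below is an added example, not code from the thread or from Alfresco: it audits the posted authentication chain and exposes the two checks a practitioner would run next. It assumes the property names exactly as posted, that Alfresco's ldap/ldap-ad subsystems never authenticate CIFS (only kerberos, alfrescoNtlm and passthru can, per the Alfresco docs), that Samba's `smbclient` is installed, and that the classic people web script `GET /alfresco/service/api/people/<user>` answers 200 when the person node exists and 404 when it does not; verify all of these against your own version. Real deployments spread these properties over per-instance subsystem directories under `extension/`, so point it at the file that is actually in effect.

```python
"""Audit an Alfresco authentication chain and probe CIFS access.

Added example, not from the forum thread or from Alfresco. Assumptions:
property names as posted in the thread; LDAP subsystems never authenticate
CIFS; `smbclient` (Samba) is installed; GET /alfresco/service/api/people/<user>
returns 200 if the person exists and 404 if not.
"""
import base64
import subprocess
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample: the settings posted in the thread, merged into one file.
SAMPLE_PROPERTIES = """\
authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad
ldap.authentication.active=false
ldap.synchronization.active=true
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.sso.enabled=false
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.autoCreatePeopleOnLogin=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_chain(chain):
    """'kerberos1:kerberos,ldap-ad1:ldap-ad' -> [('kerberos1', 'kerberos'), ...]."""
    instances = []
    for entry in filter(None, (e.strip() for e in chain.split(","))):
        name, sep, subsystem_type = entry.partition(":")
        if not sep:
            raise ValueError("chain entry must be <id>:<type>: %r" % entry)
        instances.append((name.strip(), subsystem_type.strip()))
    return instances


def _flag(props, key, default):
    return props.get(key, default).strip().lower() == "true"


def summarize(props):
    """Which chain members can authenticate HTTP and CIFS logins, plus the sync flags."""
    http_auth, cifs_auth, not_modelled = [], [], []
    for name, subsystem_type in parse_chain(props.get("authentication.chain", "")):
        if subsystem_type == "kerberos":
            # Kerberos always authenticates HTTP; CIFS only when the flag is on.
            http_auth.append(name)
            if _flag(props, "kerberos.authentication.authenticateCIFS", "false"):
                cifs_auth.append(name)
        elif subsystem_type in ("ldap", "ldap-ad"):
            # Authenticates only when ldap.authentication.active=true (Alfresco's
            # default; the thread sets it false, i.e. sync only). LDAP subsystems
            # never authenticate CIFS (assumption, see module docstring).
            if _flag(props, "ldap.authentication.active", "true"):
                http_auth.append(name)
        else:
            not_modelled.append(name)  # alfrescoNtlm, passthru, external: check by hand
    return {
        "http_authenticators": http_auth,
        "cifs_authenticators": cifs_auth,
        "not_modelled": not_modelled,
        # Alfresco defaults both sync flags to true.
        "sync_on_missing_login": _flag(props, "synchronization.syncWhenMissingPeopleLogIn", "true"),
        "auto_create_on_login": _flag(props, "synchronization.autoCreatePeopleOnLogin", "true"),
    }


def cifs_listing(host, share, user=None, password=None, timeout=20):
    """List a share with smbclient. user=None forces an anonymous session (-N);
    otherwise pass 'DOMAIN\\user'. Returns (success, combined output)."""
    cmd = ["smbclient", "//%s/%s" % (host, share), "-c", "ls"]
    cmd += ["-N"] if user is None else ["-U", "%s%%%s" % (user, password or "")]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.returncode == 0, proc.stdout + proc.stderr


def person_exists(base_url, admin_user, admin_password, user_name, timeout=20):
    """True if Alfresco already holds a person node for user_name (admin creds needed)."""
    url = base_url.rstrip("/") + "/alfresco/service/api/people/" + urllib.parse.quote(user_name)
    req = urllib.request.Request(url)
    token = base64.b64encode(("%s:%s" % (admin_user, admin_password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROPERTIES
    for key, value in summarize(parse_properties(text)).items():
        print("%-24s %s" % (key, value))
    # Online reproduction (fill in your own values): record whether the person
    # exists, connect anonymously, then with the unsynced user's credentials,
    # and check again to see which connection created the person node.
    # before = person_exists("http://alfresco-server:8080", "admin", "pw", "unsynced.user")
    # print(cifs_listing("alfresco-server", "alfresco"))                         # anonymous
    # print(cifs_listing("alfresco-server", "alfresco", r"DOMAIN\unsynced.user", "pw"))
    # after = person_exists("http://alfresco-server:8080", "admin", "pw", "unsynced.user")
```

Run it from a non-domain Linux host so that `smbclient -N` is genuinely anonymous; if the anonymous listing fails with an NT_STATUS error but the credentialed one succeeds and `person_exists` flips from False to True, the workstation was never connecting as guest: the Kerberos subsystem authenticated the domain user over CIFS and Alfresco created the person on that first successful login, which is the behaviour the thread describes.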