
Kerberos bug or configuration bug?

paulweb
Champ in-the-making
OS: centos52
Alfresco: last version
Authentication: Kerberos (automatic)

We ran the following test.
I have an account in MY-DOMAIN.RU and an account in NKH.MY-DOMAIN.RU (p.web@MY-DOMAIN.RU and p.web@NKH.MY-DOMAIN.RU).
When I log in to Alfresco in MY-DOMAIN.RU, Alfresco creates user p.web and folder p.web. When I open my folder (CIFS) through Windows Explorer, Alfresco creates user p.web@MY-DOMAIN.RU and folder p.web@MY-DOMAIN.RU, but opens folder p.web.
Then, for testing, we changed the password of my account in NKH.MY-DOMAIN.RU and logged in to Alfresco in NKH.MY-DOMAIN.RU: Alfresco opens folder p.web.
When I open my folder (CIFS) through Windows Explorer in NKH.MY-DOMAIN.RU, Alfresco creates user p.web@NKH.MY-DOMAIN.RU and folder p.web@NKH.MY-DOMAIN.RU, but opens folder p.web.

Conclusion:

If I create a user in NKH.MY-DOMAIN.RU with the same account name as in MY-DOMAIN.RU, then I get access to the folder of the user who has the account in MY-DOMAIN.RU.

paulweb
Champ in-the-making
I have rewritten BaseKerberosAuthenticationFilter.java and everything works normally, but I have understood that, because you cut the user names, in the browser the following link file://…/p.web@my-domain.ru does not open, while in Windows Explorer it opens normally.
Look at this code in BaseKerberosAuthenticationFilter.java, line 547:

SessionUser user = createUserEnvironment( httpSess, krbDetails.getUserName());

KrbDetails.java:

public final String getUserName() {

    String userName = m_krbSource;

    if (m_krbSource != null) {
        // Keep only the part before '@'; the realm (domain) is dropped
        int pos = m_krbSource.indexOf('@');
        if (pos != -1) {
            userName = m_krbSource.substring(0, pos);
        }
    }

    return userName;
}

and Alfresco creates user p.web.
If this is changed in BaseKerberosAuthenticationFilter.java to

SessionUser user = createUserEnvironment( httpSess, krbDetails.getSourceName());

Alfresco creates user and folder p.web@my-domain.ru.
Also, there are no collisions with the affiliated domain, because when I log in to Alfresco in NKH.MY-DOMAIN.RU, Alfresco creates user and folder p.web@NKH.MY-DOMAIN.RU.

😎
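
The collision described in the posts above, as an added example that is not part of the thread or of Alfresco's code: it keys a toy account store first by the realm-stripped name (the `getUserName()` behaviour quoted above) and then by the full principal. The class, the method names `shortName`, `qualifiedName` and `login`, and the lower-casing of the key are assumptions of this example.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class PrincipalMappingDemo {

    // Same logic as getUserName() quoted above: everything from '@' on is dropped.
    static String shortName(String principal) {
        int pos = principal.indexOf('@');
        return pos == -1 ? principal : principal.substring(0, pos);
    }

    // Realm-qualified key. Lower-casing is an assumption of this example so that
    // p.web@MY-DOMAIN.RU and p.web@my-domain.ru resolve to one account.
    static String qualifiedName(String principal) {
        int pos = principal.lastIndexOf('@');
        if (pos <= 0 || pos == principal.length() - 1) {
            throw new IllegalArgumentException("principal has no user or realm part: " + principal);
        }
        return principal.toLowerCase(Locale.ROOT);
    }

    // Hypothetical stand-in for provisioning: the first login under a key creates the home folder,
    // every later login under the same key is handed the existing one.
    static String login(Map<String, String> homes, String key, String principal) {
        return homes.computeIfAbsent(key, k -> "home folder created for " + principal);
    }

    public static void main(String[] args) {
        // Constructed sample principals, using the two domains from the thread.
        String parent = "p.web@MY-DOMAIN.RU";
        String child = "p.web@NKH.MY-DOMAIN.RU";

        // Keyed by short name: the child-domain user lands on the parent-domain user's account.
        Map<String, String> byShortName = new LinkedHashMap<>();
        login(byShortName, shortName(parent), parent);
        System.out.println(child + " -> " + login(byShortName, shortName(child), child));

        // Keyed by full principal: each realm gets its own account and folder.
        Map<String, String> byQualifiedName = new LinkedHashMap<>();
        login(byQualifiedName, qualifiedName(parent), parent);
        System.out.println(child + " -> " + login(byQualifiedName, qualifiedName(child), child));
        System.out.println("accounts: " + byQualifiedName.keySet());
    }
}
```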

paulweb
Champ in-the-making
One more solution: create a root folder of type "User homes" for the users of each domain.
A way to correct it without changes to the program code may also exist.

https://issues.alfresco.com/jira/browse/ALFCOM-3363

paulweb
Champ in-the-making
How?
In web-client-config.xml we have the following:
<default-home-space-path>/app:company_home/app:user_homes</default-home-space-path>
How can it be brought to the following format?
<default-home-space-path>/{MY-DOMAIN.RU}/app:user_homes</default-home-space-path>
And maybe, for an affiliated domain, for example NKH.MY-DOMAIN.RU:
<default-home-space-path>/{MY-DOMAIN.RU}/{NKH}/app:user_homes</default-home-space-path>

paulweb
Champ in-the-making
https://issues.alfresco.com/jira/browse/ALFCOM-3363
David Ward added a comment - 03-Sep-09 07:33 PM
It looks like there has been inconsistent use made of KerberosDetails.getSourceName() (includes the @ symbol) and KerberosDetails.getUserName().
Note we don't support multiple Kerberos domains at the same time, but we should at least resolve the username consistently on CIFS and Web log in.

And not only with Kerberos! Or will everything work if a different authentication chain is set up?
I will implement support for multiple domains all the same.
The scheme should be as follows.
We have the following organisation of domains with users:
FOREST
  MY-DOMAIN.RU
         p.web
         a.shum
  NKH.MY-DOMAIN.RU
         a.shum
         k.nett
Authentication: automatic, using Kerberos, with synchronisation with AD and filtering of users (for example, auditors who come for a check do not need access to Alfresco).

Users should have a complete name, that is:
p.web@my-domain.ru
a.shum@nkh.my-domain.ru
Alternatively, the truncated variant can be kept, but then it is necessary to add a hash (name+pass) to separate users with an identical name but different passwords.

In Alfresco there will be the following folder structure (created either at the user's first visit or, possibly, as specified in the configuration):
ROOTFOLDER (COMPANY NAME)
    MY-DOMAIN.RU
            p.web
            a.shum
    NKH.MY-DOMAIN.RU
            a.shum
            k.nett
That is, when a user logs in to Alfresco, the suffix determines where the user's personal folder is located.

That is the scheme.

If anyone has a proposal for supporting multiple domains in Alfresco, write, and if there is an implementation, share it with the community.

paulweb
Champ in-the-making
I have made it (we are testing it now).

paulweb
Champ in-the-making
Alfresco supports multiple Kerberos domains with my patch 😎

lutz_horn
Champ in-the-making
Hi Paul, can you please share your patch? What did you change to allow login with subdomains?