System PERSON - System USER

bashmaq
Champ in-the-making
Can anybody tell me about the difference between the system person object and the system user object in Alfresco?
Well, maybe a more correct question: are users created manually in Alfresco and users imported from Active Directory (and authenticated through NTLM) equal (do they have the same properties)? Or are there some differences between them?

bashmaq
Champ in-the-making
Hmmm… Doesn't anybody know it? Or maybe my question is not correct? OK, I'll try to describe the situation.
I am not a programmer, but a sysadmin. The programmer works on a full Alfresco 3Labs (Windows XP) installation with an embedded DB and native Alfresco users. When he makes changes, adds functionality etc., he tests it on his installation. After that he gives me the war package, which I deploy in the testing environment (Alfresco 3Final war, CentOS 5.2, PostgreSQL 8.3, NTLM authentication, LDAP synchronisation of users' info from AD). And now the story begins…
I can successfully log in to Alfresco Explorer with an AD account, and I can successfully log in to Share with the same username. But when I try to open a specific site made by the programmer, some functions don't work and errors like "no such person" are displayed.
I did the following: I removed this user from Alfresco, and before the LDAP synchronisation occurred, I tried to create that user manually from the Alfresco UI. The error "Not implemented" was displayed, but something was created - I saw this user in the System users list. After an LDAP sync this user's profile was refreshed, and now I can log in to Share and successfully browse sites, with all functions working correctly.
Does anybody know what should be done in this situation? I don't want to create a hundred accounts manually (I'm a sooo lazy sysadmin 😃)

And another thing, by the way - user login name CaSE SEnsiTIvIty. The same login in a different case creates a new user in Alfresco. I read in the forum that the cause of this in MySQL is a collation property. Could it be the same in Postgres?

asianirish
Champ in-the-making
If it can help you… There is a cm:person class in the basic content model (defined in contentModel.xml), inherited from sys:base, that has userName, firstName etc. properties, but there isn't anything like "cm:user".

rogier_oudshoor
Champ in-the-making
When you hook up Alfresco to an SSO solution (such as AD), Alfresco simply trusts the SSO provider that the user is who he says he is. This means that only the storage side of the Person (name, email address, etc.) is stored in Alfresco, whilst his authentication side (password!) is not. Your programmer probably checked against the authentications where he should have checked against persons.

bashmaq
Champ in-the-making
> If it can help you… There is a cm:person class in the basic content model (defined in contentModel.xml), inherited from sys:base, that has userName, firstName etc. properties, but there isn't anything like "cm:user".

Hmm… Is there any way to look up an object and its properties in the Alfresco repository, just to find out which properties manually created and imported users have?

> When you hook up Alfresco to an SSO solution (such as AD), Alfresco simply trusts the SSO provider that the user is who he says he is. This means that only the storage side of the Person (name, email address, etc.) is stored in Alfresco, whilst his authentication side (password!) is not.

I think so too, but I don't understand why everything works fine after I tried to create that user in the Alfresco UI. Although this function is not implemented with NTLM enabled… something was created.

rogier_oudshoor
Champ in-the-making
> Hmm… Is there any way to look up an object and its properties in the Alfresco repository, just to find out which properties manually created and imported users have?

In the node browser, you can find the persons in the SpacesStore (store) / System / People path.

> I think so too, but I don't understand why everything works fine after I tried to create that user in the Alfresco UI. Although this function is not implemented with NTLM enabled… something was created.

If you create the person using the Alfresco UI, Alfresco will create both the properties node and the authentication node. The default AD tooling will overwrite the properties node, leaving the authentication node present - when you log on using SSO, the system simply ignores the authentication node. If your custom code checks for the presence of the authentication node, it will find it only for those users that were created using the Alfresco UI.

bashmaq
Champ in-the-making
> In the node browser, you can find the persons in the SpacesStore (store) / System / People path.

Silly me… How could I forget about this tool. As I see, there are properties nodes there. Can I find the authentication nodes, or are they hidden for security purposes?

> If you create the person using the Alfresco UI, Alfresco will create both the properties node and the authentication node. The default AD tooling will overwrite the properties node, leaving the authentication node present - when you log on using SSO, the system simply ignores the authentication node. If your custom code checks for the presence of the authentication node, it will find it only for those users that were created using the Alfresco UI.

Thanks for your explanation, it's always good to know how these things work :D

rogier_oudshoor
Champ in-the-making
> Can I find the authentication nodes, or are they hidden for security purposes?

Authentication nodes are stored under the alfrescoUserStore (store) / system / people path. It only stores authentication details. Note that the passwords are encrypted ;)

bashmaq
Champ in-the-making
All right, after some investigation the cause of my trouble was revealed. A user created with the native Alfresco dialog has got all of the properties in the repository (they could be empty if some of the fields weren't specified). But if an account is imported from LDAP, it has only the system properties and those specified in ldap-synchronisation-context.xml.
In my case the programmer uses the Organization property, which isn't created with the default ldap-synchronisation-context.xml. So after adding the corresponding key and binding in ldap-synchronisation-context.xml the problem is gone.
Thanks to everyone who responded to the call :D
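
An added example, not part of the thread and not Alfresco code: a small audit over exported person records that flags the two conditions described above, namely properties that were never written for LDAP-synced users and login names that differ only by case. The record shape, the `REQUIRED` list and the sample users are assumptions constructed for illustration.

```javascript
// Constructed sample: one UI-created user with a blank field, one UI-created
// user with a value, and two LDAP-synced users whose sync mapping omits "organization".
const samplePeople = [
  { userName: "jsmith", firstName: "John", email: "jsmith@example.test", organization: "" },
  { userName: "JSmith", firstName: "John", email: "jsmith@example.test" },
  { userName: "akhan", firstName: "Aisha", email: "akhan@example.test" },
  { userName: "mlee", firstName: "Min", email: "mlee@example.test", organization: "Ops" },
];

// Properties the custom site code reads (assumed list; adjust to your own code).
const REQUIRED = ["firstName", "email", "organization"];

// An empty string means the property exists on the node (UI-created user, blank
// field). A key that is absent was never written, e.g. not mapped by the LDAP sync.
function missingProperties(person, required) {
  return required.filter(
    (prop) => !Object.prototype.hasOwnProperty.call(person, prop)
  );
}

// Group login names that collide when compared case-insensitively.
function caseVariantGroups(people) {
  const groups = new Map();
  for (const { userName } of people) {
    const key = userName.toLowerCase();
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(userName);
  }
  return [...groups.values()]
    .filter((names) => names.size > 1)
    .map((names) => [...names]);
}

// Build one report covering both checks.
function auditPeople(people, required = REQUIRED) {
  const incomplete = {};
  for (const person of people) {
    const missing = missingProperties(person, required);
    if (missing.length > 0) incomplete[person.userName] = missing;
  }
  return { incomplete, caseVariants: caseVariantGroups(people) };
}

console.log(JSON.stringify(auditPeople(samplePeople), null, 2));
```

Users listed under `incomplete` are the ones custom code will fail on until the missing property is mapped in the sync configuration; entries under `caseVariants` are separate person records for what is probably one directory account.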