
Use Alfresco to Manage users, AD for Authentication

hsturner
Champ on-the-rise

We are currently using Active Directory to synchronize and authenticate users to Alfresco. We keep having random synchronization issues when adding new users: sometimes it takes up to 2 weeks for them to show up, but others added afterwards show up on our 20 minute sync schedule as expected. New groups always show up but are sometimes missing some users. I think part of the problem is that the missing users were using generic logins and have not yet logged in with their individual profile, so the domain may see them as inactive.

I have been asked if it is possible to add the users directly to alfresco, and use Active Directory to authenticate the users. Is this possible?

I realize that I will also need to add the groups and maintain them in Alfresco as well. I will also likely need to write a script to update the document owners with the new user profiles. Any help with that as well would be appreciated.

1 ACCEPTED ANSWER

afaust
Legendary Innovator

You just disable synchronization and make sure you have alfrescoNtlm in your authentication chain after LDAP-AD. alfrescoNtlm is needed to allow you to create local users, and the order in the chain guarantees that LDAP-AD has a chance to authenticate a user first before a locally stored (dummy) password is checked. Unfortunately you must assign a password to locally created users even in your case.

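The setup the accepted answer describes, written out as an added example (not part of the original post): the relevant entries in alfresco-global.properties with the LDAP-AD subsystem first in the chain, synchronization switched off, and alfrescoNtlm second so that locally created users can exist. The instance names ldap-ad1 and alfrescoNtlm1, the AD host and the domain suffix are assumed placeholders.

```properties
# alfresco-global.properties (added example; host, domain and instance names are assumed)

# Authentication chain: AD is tried first, the local Alfresco password only afterwards.
# "ldap-ad1" and "alfrescoNtlm1" are instance names chosen for this example.
authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

# LDAP-AD subsystem: authenticate only, never synchronize.
ldap.authentication.active=true
ldap.synchronization.active=false
ldap.authentication.java.naming.provider.url=ldap://ad.example.internal:389
ldap.authentication.userNameFormat=%s@example.internal

# Synchronization subsystem: stop the scheduled import and the on-demand sync
# that would otherwise run when a user unknown to Alfresco logs in.
# (the old 20 minute import schedule, synchronization.import.cron, is no longer needed)
synchronization.syncOnStartup=false
synchronization.syncWhenMissingPeopleLogIn=false
# Keep user creation manual: do not create a person node automatically on first AD login.
synchronization.autoCreatePeopleOnLogin=false

# alfrescoNtlm subsystem: local accounts only, no NTLM SSO on the login page.
ntlm.authentication.sso.enabled=false
```

Because alfrescoNtlm stays in the chain, the password set on each local user remains a second valid credential (as noted later in the thread), so treat it with the same care as the AD password.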

7 REPLIES

afaust
Legendary Innovator

Yes, you can authenticate against Active Directory but manage the users locally in Alfresco. The only relevant constraint is on the user name which must obviously be identical.

hsturner
Champ on-the-rise

How do I set this up? Do I just need to turn off synchronization in the ldap-ad-authentication.properties file? Do I need to set up Kerberos?


hsturner
Champ on-the-rise

Thanks Axel,

That helps a lot.

A couple of related questions.

1. Does the password for the local Alfresco user have to be the same as the password that is in AD, or can I use a generic password?

I am guessing that if for some reason the AD server is down, Alfresco will authenticate the user using the password in the local profile. I know this is a security issue and I will make our corporate security team aware of that so they can decide if we are going to use this authentication model.

2. Do you know whether, if we keep the same user names for the local profiles as in the AD profiles, the users will retain ownership of their current documents, or do I have to figure out some script to change the owners of the documents to their local profile?

afaust
Legendary Innovator

1) Correct, if AD is down Alfresco will fall back to the local password. If it is not the same then login will obviously fail. Also, if the user enters the incorrect AD password then Alfresco can still authenticate. So by setting a different password you effectively have two "valid" ones.

2) As long as user names stay the same they will retain ownership and permissions. Even if you temporarily delete users and re-create them with identical names, this will be the case, as deleting ownership and permissions would be such an expensive operation that deleting a user could take hours or days on larger systems. So it isn't actually done at all until a user operation starts to edit those.

pratu9
Champ on-the-rise

Hello Axel,

I am facing an issue with user synchronization. Previously we created users in AD and added them to an Alfresco group for login. But now we are facing an issue related to user login: if we create a new user in AD, it is not able to log in to Alfresco. We want to create users locally in Alfresco, but the new user option in the Admin Console is disabled. Could you please help with this?

Thanks,

Pratiksha

afaust
Legendary Innovator

As long as you have alfrescoNtlm enabled in the authentication chain, you should be able to create any user as a local user. That button is only grayed out if alfrescoNtlm is not enabled.