
User changes domains help

jriker1
Champ in-the-making
I have a bunch of users that are in Active Directory groups and being added automatically to Alfresco.  The way it works:

DomainA group with username jriker DISABLED
DomainB group with username jriker ACTIVE

Both DomainA and DomainB have the same-named AD groups, and they are all stored in another meta group that I directly reference.  The problem I'm having now is that when people are moved to DomainB they are still able to log in, but none of their data is associated with them.  How do I tell Alfresco these are the same users, or is the problem that the system has not resync'd yet?

Thanks.

JR

jriker1
Champ in-the-making
Thought I would revive this as I can't imagine an enterprise application would not be able to accommodate someone switching domains in an organization.  Even if it was manually editing the database and updating some UUID or something.  Anyone?

Thanks.

JR

afaust
Legendary Innovator
Hello,

it all depends on how your authentication subsystem is set up with regards to the synchronization, and how you manage the identities in your LDAP/AD. We have a customer whose LDAP simply contains all trees of their domains and we have set up one authentication subsystem against this aggregated LDAP - when users change domains and their active flag is updated, the currently active account is considered for synchronisation with Alfresco. As long as the identifying property has the same value, the user is unaltered in Alfresco.

But when you have two or more subsystems configured (one for each domain) you actually cause Alfresco to delete and recreate users when they move, as two users from different subsystems are not considered to be the same individual as long as both subsystems are active.

So:
- ensure users move only between the domains covered by a single subsystem
- ensure user moves are atomic operations (if one account is deactivated and the new one will only be available two days later, you run the risk of the user being deleted in the meantime depending on your synchronisation interval / triggers)
- ensure the identifying property remains exactly the same (although case is probably irrelevant at least for 3.4 and lower)

Regards
Axel
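The single-subsystem setup Axel describes, written out as an alfresco-global.properties fragment. This is an added example, not configuration from the original thread or from Alfresco's own documentation: the hostname, base DNs and service account are placeholders, the authentication chain is assumed to have a single ldap-ad entry covering both domain trees, and synchronization.allowDeletions is assumed to be available only in 4.1 and later (verify against your version).

```properties
# Added example (not from the original thread): one ldap-ad subsystem that
# covers both domain trees, so a user moving from DomainA to DomainB keeps the
# same Alfresco person. Hostnames, DNs and credentials are placeholders.

# One authentication subsystem for the whole directory, not one per domain.
# Two LDAP entries here (e.g. ldapA:ldap-ad,ldapB:ldap-ad) is exactly what makes
# Alfresco treat the DomainA and DomainB accounts as different people.
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

ldap.authentication.active=true
# Placeholder: a global catalog / aggregated directory that contains both trees
ldap.authentication.java.naming.provider.url=ldap://gc.example.org:3268
ldap.authentication.userNameFormat=%s@example.org

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=svc-alfresco@example.org
ldap.synchronization.java.naming.security.credentials=changeme

# The identifying property: it must stay exactly the same across the move,
# since this value becomes the Alfresco username the content is owned by.
ldap.synchronization.userIdAttributeName=sAMAccountName

# Search bases that span both domains (placeholders)
ldap.synchronization.userSearchBase=dc=example,dc=org
ldap.synchronization.groupSearchBase=dc=example,dc=org

# Only enabled accounts are synchronised: the bitwise matching-rule filter
# excludes ACCOUNTDISABLE (0x2), so the disabled DomainA entry is never seen
# and the enabled DomainB entry with the same sAMAccountName updates the
# existing Alfresco person instead of creating a second one.
ldap.synchronization.personQuery=(&(objectclass\=user)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(whenChanged<\={0})))

# Sync timing: the gap between "old account disabled" and "new account enabled"
# must be shorter than this interval, or a full sync in between can remove the
# person because no enabled entry matches the query at that moment.
synchronization.import.cron=0 0 2 * * ?
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
# Assumed to exist only in 4.1 and later: with false, a full sync no longer
# deletes people that are absent from the query result.
synchronization.allowDeletions=false
```

Before moving a user, it is worth checking the directory itself: with this filter, exactly one enabled entry per sAMAccountName must exist under the search base at any time. If both the DomainA and the DomainB account are enabled during the move, the two entries collide on the identifying property; if both are disabled for longer than the sync interval, the person is treated as departed.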