
We can't disable user accounts previously synchronized from LDAP

ofnavarro
Champ in-the-making
Hi,

we have disconnected Alfresco from LDAP and the user accounts are going to be managed with another system.

Trying to disable user accounts previously synchronized with LDAP via webscript we get a "Not found user". However, the enable action goes well.


http://serverName:portNumber/alfresco/service/api/people/userName

json:
{
   "disableAccount": true
}


We think that it's related to the property isMutable=false that these user accounts have.

Is there some way to change this property? How can we find this property in the Alfresco database?

Thanks in advance.

afaust
Legendary Innovator
Hello,

you can't disable the user account, because no user account exists in Alfresco for users synchronized from LDAP. Alfresco has two concepts - a "user account" for local users and a "person" object for all users (local and from external directories). The user account is not required for synchronized users as all data about their credentials and activation state is kept in those directories. If you disable LDAP synchronization you are left with "person" objects that will no longer be able to login if you also deactivate LDAP authentication.

In order to be able to manage those accounts in Alfresco, you'd have to do a couple of things:
1) Move the "person" objects of the affected users from "AUTH.EXT.XXXX" authority zone into "AUTH.ALF" zone (AuthorityService)
2) Create a real user account for every affected user via MutableAuthenticationService.createAuthentication() (take care to use the EXACT same user name as listed for the "person" object)

This is unfortunately not something that can be done with just configuration. You'll need at least some coding in JavaScript or Java.

Regards
Axel

ofnavarro
Champ in-the-making
Hi Axel,

thank you for your clear explanation.

Actually, we are migrating from LDAP authentication to SiteMinder authentication (external), via "proxyHeader".

We have developed the provisioning of user accounts from IdentityMinder and the new user accounts can be disabled/enabled without problems.

We would like to re-use the user accounts created by the LDAP sync.  We can update all user data except enable/disable account.

Can we follow your instructions to change the person authority into "AUTH.ALF" zone and create the real user account?

What is your recommendation for these cases?

Thanks in advance.

Regards,
Oscar.

afaust
Legendary Innovator
Okay, for SiteMinder authentication, using the external authentication is fine - we have done this for a customer a few years back.

"We have developed the provisioning of user accounts from IdentityMinder and the new user accounts can be disabled/enabled without problems."

How do I have to think of this? Are user accounts in Alfresco created as the result of administration in IdentityMinder? E.g. is some component in IdentityMinder calling Alfresco to create these user accounts and enable/disable them? How are passwords handled? I mean, if the user accounts are created in Alfresco, then there would be (almost) no need for SiteMinder since Alfresco can authenticate locally (only reason left: SSO / meta identity authentication).

If that is the case, then moving those person objects to AUTH.ALF is the right thing to do.

ofnavarro
Champ in-the-making
We have understood your magnificent explanation.

Could you help us with the best way to move those person objects to AUTH.ALF? (Database script, javascript/java API,…)

With this solution we think that our problem will be solved.

Thanks in advance.

afaust
Legendary Innovator
Hello,

use the Java API to do this.

1.) AuthorityService.getAllAuthoritiesInZone(String zoneName, AuthorityType type) to get all the users - use zoneName = Your LDAP zone name (lookup via NodeBrowser in /sys:system/cm:zones) and type = AuthorityType.USER to restrict to only users
2.) for each user, do AuthorityService.removeAuthorityFromZone(String userName, Set<String> zones) to remove it from the old zone - use zones = Collections.singleton(zoneName) to wrap the single zone into a set
3.) for each user, do AuthorityService.addAuthorityToZones(String userName, Set<String> zones) to add it to the new zone - use zones = Collections.singleton(AuthorityService.ZONE_AUTH_ALFRESCO) to wrap the single zone into a set
4.) for each user, do MutableAuthenticationService.createAuthentication(String userName, char[] password) to create the Alfresco user account

Afterwards, you can disable/enable the account as required.

Regards
Axel
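The four steps above, written out as an added Java example (not code from the thread or from Alfresco itself). It assumes the caller runs it inside a repository transaction with both services injected, and the zone name "AUTH.EXT.ldap1" is a placeholder for whatever your NodeBrowser shows under /sys:system/cm:zones; the class and method names are the example's own.

```java
import java.security.SecureRandom;
import java.util.Collections;
import java.util.Set;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.MutableAuthenticationService;

// Moves person objects from the old LDAP zone into AUTH.ALF and creates a local
// account for each, i.e. the four steps above. Assumed to run inside a repository
// transaction with both services injected (Spring bean or Java console).
public class LdapZoneMigration {
    // Placeholder zone name; read the real one from /sys:system/cm:zones in the NodeBrowser.
    private static final String LDAP_ZONE = "AUTH.EXT.ldap1";
    private final AuthorityService authorityService;
    private final MutableAuthenticationService authenticationService;
    public LdapZoneMigration(AuthorityService as, MutableAuthenticationService mas) {
        this.authorityService = as;
        this.authenticationService = mas;
    }
    // Returns the number of users moved; users that already have a local account keep it.
    public int migrate() {
        return AuthenticationUtil.runAsSystem(() -> {
            // Step 1: all USER authorities still listed in the LDAP zone
            Set<String> users = authorityService.getAllAuthoritiesInZone(LDAP_ZONE, AuthorityType.USER);
            for (String userName : users) {
                // Steps 2 and 3: swap zone membership (one-element sets, as in the post)
                authorityService.removeAuthorityFromZone(userName, Collections.singleton(LDAP_ZONE));
                authorityService.addAuthorityToZones(userName,
                        Collections.singleton(AuthorityService.ZONE_AUTH_ALFRESCO));
                // Step 4: local account under the EXACT same user name, with an unguessable
                // throwaway password (logins arrive via the SiteMinder proxy header, so
                // nobody needs to know it and no shared default must exist)
                if (!authenticationService.authenticationExists(userName)) {
                    authenticationService.createAuthentication(userName, randomPassword(32));
                }
            }
            return users.size();
        });
    }
    private static char[] randomPassword(int length) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        SecureRandom rnd = new SecureRandom();
        char[] out = new char[length];
        for (int i = 0; i < length; i++) out[i] = alphabet.charAt(rnd.nextInt(alphabet.length()));
        return out;
    }
}
```

After migrate() returns, MutableAuthenticationService.setAuthenticationEnabled(userName, false) and the people webscript's disableAccount flag both work, because a real account now backs each person.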

ofnavarro
Champ in-the-making
We have followed your instructions and it works fine.

This is a very important thread for those admin users with external authentication systems in Alfresco.

Regards
Oscar