cancel
Showing results for 
Search instead for 
Did you mean: 

Switch from AD LDAP authentication to local authentication keeping current users and history

adautofernandes
Champ on-the-rise
Champ on-the-rise

I'm going to migrate my Alfresco to the cloud and I have the task of removing authentication via AD LDAP for authentication.

I was looking for a way to do this in the database, but the Alfresco tables are quite complex. I still haven't been able to identify a way to perform this operation in the database. I saw that users and groups are in the database.

Is there a way to convert these users as if they were local users?

Is there any documentation on the tables and fields in the Alfresco database?

Thank you very much in advance!

13 REPLIES 13

afaust
Legendary Innovator
Legendary Innovator

You should rarely have to delve into the Alfresco database tables directly to do things like this. As such, there is no (public) documentation on the tables to not encourage people to try and modify these internals, and break their systems by doing so.

This this particular case, the users you have in Alfresco are already pretty much ready to go as regular users when LDAP-AD is disabled. The only thing you absolutely would have to do is assign each user a password. Theoretically, you should be able to deactivate/remove the LDAP-AD configuration (simplest way: remove it from authentication.chain property in alfresco-global.properties) and after a restart should be allowed to set new passwords for these users in the Share UI. If that does not work or you have a lot of users, you can use tools like the JavaScript Console to script the password allocation by using JavaScript-Java interoperability to access the call the createAuthentication operation on the MutableAuthenticationService interface.

I tried to use your tips, unfortunately I couldn't. Explaining everything I've done.

In this new installation I did I disabled LDAP-AD authentication. When I checked the users, all accounts were disabled.
In the Share UI the password fields and the checkbox to activate the account are disabled even using the admin user.

I have no knowledge to use the JavaScript Console or Alfresco API. I tried to research more but I didn't see any practical example of how to use it.

Could you help me with some study material? Or without abusing too much what you should do.

Thanks in advance

Hi @adautofernandes,

Was your Share instance customised as part of LDAP integration? Look in <web-extension>\share-config-custom.xml to see if there are any modifications in this file. Also check the documentation on Form Customisation.

HTH,

Digital Community Manager, Alfresco Software.
Problem solved? Click Accept as Solution!

The only thing I customized in that file:

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
  <properties>
    <token>Alfresco-CSRFToken</token>
    <!-- Use the pipe | in the regex as OR operator: URL1|URL2|... -->
    <referer>https://alfresco.mydomain.com.br/.*</referer>
    <origin>https://alfresco.mydomain.com.br</origin>
  </properties>
</config>

I believe that it is not that.

I forgot to inform the version I am using. It's the Alfresco Community 201707 (v5.2).

Today I tried to "steal" on the user's edit form. Enabling the password fields and the user account activation checkbox by editing the generated HTML using the browser inspect element.

image

image

Just remove the Disabled="True" to enable, but Alfresco's security is good. I underestimate Alfresco's security Smiley LOL

When I try to save I get the following error message:

image

There had to be an easier way to activate these users.

Hi @afaust,

I left some extra information. Do you have any light to help me?

Hello, @adautofernandes - did you ever get this to work for you? I'm migrating an ACS 4.6.2 instance over to a new data center and would like to do so without the current LDAP authentication.

Hi @pauldavidmena,

So I couldn't migrate to the other server by disabling authentication with my Microsoft Active Directory/LDAP.
The solution I found was to install OpenLDAP + LAM (LDAP Account Manager) on Alfresco's server to manage users.

What's annoying about Alfresco is that it's difficult to maintain.
In the coming months I will have to plan the update. Hope to have a little headache.

@adautofernandesyou have your answer on @afaust' post:

Theoretically, you should be able to deactivate/remove the LDAP-AD configuration 
(simplest way: remove it from authentication.chain property in alfresco-global.properties)
and after a restart should be allowed to set new passwords for these users in the Share UI.

Don't go directly into the database. Go though alfresco-global.properties and keep only ntlm authenticator on that line.

Cheers,

Cristina.

--
VenziaIT: helping companies since 2005! Our ECM products: AQuA & Seidoc