Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Who can crate new unexpected internal users?

fedorow
Elite Collaborator
Elite Collaborator

‎10-30-2019 06:53 AM

Hi,

Alfresco Community 6.1 with AD sync and kerberos sso periodicaly generate internal users with names of <hostname>$. The client computer host name do not present in user AD information at all. It's not corelated in time with syncronization service. New users appears not for all AD users. It have some corelation with user activities in the system, but we can't catch witch activity. Deleted ghost users arise again.

Labels:
0 Kudos
5 REPLIES 5

fedorow
Elite Collaborator
Elite Collaborator

‎10-30-2019 11:21 AM

It's an interesting point, this ghosts has logged into system when their parent users (the owners of hosts) was logged on, but dose not make any activities.

Thanks for any advice.

image

0 Kudos

jljwoznica
Star Collaborator
Star Collaborator
In response to fedorow

‎10-30-2019 03:57 PM

Can you check this property?

LDAP authentication properties

Note:The create.missing.people property in the Alfresco global properties file is set to true by default in Alfresco. This can have the affect of creating users unexpectedly. To avoid this you can override the default setting by changing the property to be create.missing.people property=false. You can also deselect Auto Create People on Login in the Alfresco Admin Console. To do this navigate to Synchronization Settings > Auto Create People on Login.
 
Full source for this page is here: https://docs.alfresco.com/community/concepts/auth-ldap-props.html

fedorow
Elite Collaborator
Elite Collaborator
In response to jljwoznica

‎10-31-2019 03:54 AM

Thanks a lot! I'll try create.missing.people=false tonight.

What the differances betwin two properties

synchronization.autoCreatePeopleOnLogin

and

create.missing.people ?

0 Kudos

afaust
Legendary Innovator
Legendary Innovator
In response to fedorow

‎10-31-2019 03:57 AM

create.missing.people is more general and governs the internal API of PersonService.getPerson(String) - when you ask for a person by name and that person does not exist, it will create that persion if create.missing.people is set to true

synchronization.autoCreatePeopleOnLogin is more specific and only creates non-existing people if they actually login but cannot be synchronised on-demand

heiko_robert
Star Collaborator
Star Collaborator
In response to afaust

‎10-31-2019 09:55 AM

Our best practices is to set both mentioned parameters to false.

Depending on your user base and sync ldap config your system may sync all the time since every time the ldap auth subsystem recognizes a failed auth in the chain a new sync will be spawned.

# Should we auto create a missing person on log in?
# Bad idea if running with a large user base
synchronization.syncWhenMissingPeopleLogIn=false
#  Should we auto create a missing person on log in?
# Never ever enable this option since Alfresco doesn't 
# sync the user and additional doesn't respect ldap filters
synchronization.autoCreatePeopleOnLogin=false
Getting started

Explore our Alfresco products with the links below. Use labels to filter content by product module.

Copyright © 2024 Khoros, LLC