
Who can create new unexpected internal users?

fedorow
Elite Collaborator

Hi,

Alfresco Community 6.1 with AD sync and Kerberos SSO periodically generates internal users with names of <hostname>$. The client computer host name is not present in the user AD information at all. It's not correlated in time with the synchronization service. New users do not appear for all AD users. It has some correlation with user activities in the system, but we can't catch which activity. Deleted ghost users arise again.

5 REPLIES

fedorow
Elite Collaborator

It's an interesting point: these ghosts have logged into the system when their parent users (the owners of the hosts) were logged on, but do not perform any activities.

Thanks for any advice.


Can you check this property?

LDAP authentication properties

Note: The create.missing.people property in the Alfresco global properties file is set to true by default in Alfresco. This can have the effect of creating users unexpectedly. To avoid this you can override the default setting by changing the property to be create.missing.people property=false. You can also deselect Auto Create People on Login in the Alfresco Admin Console. To do this navigate to Synchronization Settings > Auto Create People on Login.
 

fedorow
Elite Collaborator

Thanks a lot! I'll try create.missing.people=false tonight.

What are the differences between the two properties

synchronization.autoCreatePeopleOnLogin

and

create.missing.people ?

afaust
Legendary Innovator

create.missing.people is more general and governs the internal API of PersonService.getPerson(String) - when you ask for a person by name and that person does not exist, it will create that person if create.missing.people is set to true

synchronization.autoCreatePeopleOnLogin is more specific and only creates non-existing people if they actually login but cannot be synchronised on-demand

Our best practice is to set both mentioned parameters to false.

Depending on your user base and sync LDAP config, your system may sync all the time, since every time the LDAP auth subsystem recognizes a failed auth in the chain a new sync will be spawned.

# Should we auto create a missing person on log in?
# Bad idea if running with a large user base
synchronization.syncWhenMissingPeopleLogIn=false
# Should we auto create a missing person on log in?
# Never ever enable this option since Alfresco doesn't
# sync the user and additionally doesn't respect ldap filters
synchronization.autoCreatePeopleOnLogin=false
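
Added example, not part of the thread and not Alfresco code: a small audit that checks whether the three properties named above are explicitly set to false in a properties file and lists user names matching the <hostname>$ pattern from the original question. The sample file contents and user list are constructed, the function names are hypothetical, and the parser assumes simple one-line key=value entries without line continuations.

```python
import re

# Properties the thread recommends setting to false.
AUTO_CREATE_PROPS = (
    "create.missing.people",
    "synchronization.autoCreatePeopleOnLogin",
    "synchronization.syncWhenMissingPeopleLogIn",
)

def parse_properties(text):
    """Parse simple key=value / key:value lines; the last definition wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_auto_create(text):
    """Return {property: status}; only an explicit 'false' counts as disabled."""
    props = parse_properties(text)
    report = {}
    for key in AUTO_CREATE_PROPS:
        if key not in props:
            report[key] = "unset (product default applies)"
        elif props[key].lower() == "false":
            report[key] = "disabled"
        else:
            report[key] = "ENABLED"
    return report

def machine_account_names(usernames):
    """Names ending in '$', the <hostname>$ pattern described in the thread."""
    return sorted(u for u in usernames if u.endswith("$"))

# Constructed sample input, not taken from a real system.
SAMPLE_PROPERTIES = """\
# alfresco-global.properties (constructed)
create.missing.people=false
synchronization.autoCreatePeopleOnLogin = true
"""
SAMPLE_USERS = ["admin", "jsmith", "WS-0142$", "mbrown", "LAPTOP-7$"]

if __name__ == "__main__":
    for key, status in audit_auto_create(SAMPLE_PROPERTIES).items():
        print(f"{key}: {status}")
    print("machine-style accounts:", machine_account_names(SAMPLE_USERS))
```

An unset property is reported separately from a disabled one because, as the quoted note says for create.missing.people, the default may be true.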