User Keeps disappearing

hsturner
Champ on-the-rise
Hi,

I have a combination Alfresco / Active Directory problem that is affecting only 1 user currently.  This is the issue.  The user has multiple AD accounts on different domains. Up until last week he had no problem logging into Alfresco and getting authenticated, but starting this week he was unable to log into Alfresco.  After 3 days of investigation we have not been able to determine why this is happening, as no changes were made to our AD system or to the LDAP authentication within Alfresco. Our AD logs do show the failed login attempts, but return no domain, so we don't know which domain is causing the failure. We have Alfresco pointed at the base AD authentication server, the "one AD domain to rule them all" type of thing. 

We were able to get the user logged on using a fully qualified user (username@subdomain.domain), but that created another set of problems:
1. It creates a new user with the fully qualified username. The user has to take ownership of all his previous documents with the new user.
2. The new user is not automatically added to the Active Directory groups we have created to control access to sites. We have to manually add the user to the groups.
3. Whenever Alfresco re-syncs with AD the fully qualified user gets dropped from the groups and we have to re-add him again.  Alfresco currently re-syncs with Active Directory every 15 minutes.

Here is our LDAP and Authentication from alfresco-global.properties

<blockquote>
### NTLM Passthru ###

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad1:ldap-ad

passthru.authentication.useLocalServer=false

passthru.authentication.servers=DOMAIN\\##.##.##.##,DOMAIN\\##.##.##.##


ntlm.authentication.sso.enabled=false

alfresco.authentication.allowGuestLogin=false

ntlm.authentication.mapUnknownUserToGuest=false

passthru.authentication.authenticateCIFS=true

passthru.authentication.authenticateFTP=false

passthru.authentication.guestAccess=false

passthru.authentication.defaultAdministratorUserNames=#####,######,########,########

passthru.authentication.offlineCheckInterval=300



### LDAP-AD ###

#

# LDAP Sync

#

# This flag enables use of this LDAP subsystem for authentication. It may be

# that this subsytem should only be used for synchronization, in which case

# this flag should be set to false.

ldap.authentication.active=false

ldap.authentication.java.naming.security.authentication=simple



# This flag enables use of this LDAP subsystem for user and group

# synchronization. It may be that this subsytem should only be used for

# authentication, in which case this flag should be set to false.

ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s

ldap.authentication.allowGuestLogin=false

ldap.authentication.java.naming.provider.url=ldap://10.1.1.2:3268



#

synchronization.import.cron=0 0/10 * ? * *



# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN

ldap.synchronization.java.naming.security.principal=CN\=LDAPQuery,CN\=Users,DC\=XXXX,DC\=XX



# The password for the default principal (only used for LDAP sync)

ldap.synchronization.java.naming.security.credentials=9\@NnI\#cuDE\!6



# If positive, this property indicates that RFC 2696 paged results should be

# used to split query results into batches of the specified size. This

# overcomes any size limits imposed by the LDAP server.

ldap.synchronization.queryBatchSize=1000



# The query to select all objects that represent the groups to import.



ldap.synchronization.groupQuery=(&(objectclass\=group)(memberOf=cn\=ERP_Alfresco,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX))



# The query to select objects that represent the groups to import that have changed since a certain time.

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(memberOf=cn\=ERP_Alfresco,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX))



# The query to select all objects that represent the users to import.

ldap.synchronization.personQuery=(&(objectclass\=user)(|(memberOf=cn\=Alfresco_ITI,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ITS,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_TAD,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Managers,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Supervisors,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Techs,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_Admin,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_User,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_Collaborator,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_MSG,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))



# The query to select objects that represent the users to import that have changed since a certain time.

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(|(memberOf=cn\=Alfresco_ITI,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ITS,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_TAD,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Managers,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Supervisors,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_Lab_Techs,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_Admin,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_User,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_ERP_Project_Collaborator,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX)(memberOf=cn\=Alfresco_MSG,ou\=Alfresco Groups,ou\=Security Groups,dc\=XXXX,dc\=XX))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))



# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.

ldap.synchronization.groupSearchBase=dc\=XXXX,dc\=XXa



# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.

ldap.synchronization.userSearchBase=dc\=XXXX,dc\=XX



# The name of the operational attribute recording the last update time for a group or user.

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp



# The timestamp format. Unfortunately, this varies between directory servers.

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'



# The attribute name on people objects found in LDAP to use as the uid in Alfresco

ldap.synchronization.userIdAttributeName=sAMAccountName



# The attribute on person objects in LDAP to map to the first name property in Alfresco

ldap.synchronization.userFirstNameAttributeName=givenName



# The attribute on person objects in LDAP to map to the last name property in Alfresco

ldap.synchronization.userLastNameAttributeName=sn



# The attribute on person objects in LDAP to map to the email property in Alfresco

ldap.synchronization.userEmailAttributeName=mail



# The default home folder provider to use for people created via LDAP import

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider



# The attribute on LDAP group objects to map to the gid property in Alfrecso

ldap.synchronization.groupIdAttributeName=cn



# The group type in LDAP

ldap.synchronization.groupType=group



# The person type in LDAP

ldap.synchronization.personType=user



# The attribute in LDAP on group objects that defines the DN for its members

ldap.synchronization.groupMemberAttributeName=member



ldap.synchronization.synchronizeChangesOnly=false



# enable user access auditing

audit.enabled=true

audit.alfresco-access.enabled=true


</blockquote>
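Two things in the posted configuration are worth checking before anything else, because the user in question has accounts in more than one domain. First, the sync reads the global catalog (port 3268) over the whole forest but keys Alfresco users on sAMAccountName, which AD only guarantees unique within a single domain, so one sAMAccountName can map to two DNs. Second, the userAccountControl clause `(userAccountControl:1.2.840.113556.1.4.803:=512)` is a bitwise AND test for the NORMAL_ACCOUNT bit only; a disabled account (512 + 2 = 514) still satisfies it, so disabling one of the accounts does not by itself remove it from the query. The script below is an added, offline model of those two checks plus the group reconciliation that drops the hand-added `username@domain` user; it is not Alfresco's code and does not claim to identify the cause. The directory records, domain names and group DNs in it are constructed for the example (the posted config masks them), and `ldapsearch_command()` only builds the command for the live check with the posted bind DN and search base. One caveat for that live check: the global catalog carries the member attribute of universal groups only, so memberOf seen over 3268 can be incomplete for global and domain local groups.

```python
"""Offline model of the Alfresco LDAP-AD sync decisions discussed above.
All directory records below are constructed for the example; nothing here
talks to a live domain controller."""
from collections import defaultdict

# userAccountControl flag bits as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200  # 512, the value used in the posted personQuery

# Group DNs modelled on the posted personQuery; the domain components are assumed.
ITS_GROUP = "CN=Alfresco_ITS,OU=Alfresco Groups,OU=Security Groups,DC=corp,DC=example"
LAB_TECHS_GROUP = "CN=Alfresco_Lab_Techs,OU=Alfresco Groups,OU=Security Groups,DC=corp,DC=example"
ALFRESCO_GROUPS = {ITS_GROUP, LAB_TECHS_GROUP}

# Constructed global-catalog (port 3268) results for two domains of one forest.
# The same sAMAccountName exists in both; a GC search does nothing to prevent that.
GC_ENTRIES = [
    {"dn": "CN=jdoe,CN=Users,DC=corp,DC=example",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example",
     "userAccountControl": 512, "memberOf": [ITS_GROUP]},
    {"dn": "CN=jdoe,CN=Users,DC=lab,DC=corp,DC=example",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@lab.corp.example",
     "userAccountControl": 514, "memberOf": [ITS_GROUP]},   # 512 | 2: disabled
    {"dn": "CN=asmith,CN=Users,DC=corp,DC=example",
     "sAMAccountName": "asmith", "userPrincipalName": "asmith@corp.example",
     "userAccountControl": 512, "memberOf": [LAB_TECHS_GROUP]},
]


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803):
    true when every bit of `mask` is set in `value`."""
    return value & mask == mask


def posted_person_filter(entry: dict) -> bool:
    """The posted personQuery without the objectclass=user term (every entry
    here is a user): member of an Alfresco group AND (uac:...803:=512).
    512 is only the NORMAL_ACCOUNT bit, so a disabled account (514) passes."""
    in_group = any(g in ALFRESCO_GROUPS for g in entry["memberOf"])
    return in_group and bit_and_match(entry["userAccountControl"], UAC_NORMAL_ACCOUNT)


def hardened_person_filter(entry: dict) -> bool:
    """Same filter with the extra clause
    (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to reject disabled accounts."""
    return posted_person_filter(entry) and not bit_and_match(
        entry["userAccountControl"], UAC_ACCOUNTDISABLE)


def uid_collisions(entries, id_attr="sAMAccountName"):
    """Map each would-be Alfresco uid (ldap.synchronization.userIdAttributeName)
    to the DNs that produce it; more than one DN means the uid is ambiguous."""
    by_uid = defaultdict(list)
    for entry in entries:
        by_uid[entry[id_attr]].append(entry["dn"])
    return {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}


def synced_group_members(entries, group_dn, person_filter):
    """Uids Alfresco would derive for one AD group from the persons that pass the filter."""
    return sorted(e["sAMAccountName"] for e in entries
                  if person_filter(e) and group_dn in e["memberOf"])


def reconcile(current_members, ad_members):
    """Model of a full sync (synchronizeChangesOnly=false): membership of an
    AD-sourced group becomes exactly what AD lists, so a uid added by hand in
    Alfresco that AD does not list is removed again."""
    return {"kept": sorted(set(current_members) & set(ad_members)),
            "dropped": sorted(set(current_members) - set(ad_members))}


def ldapsearch_command(uid, host="10.1.1.2",
                       bind_dn="CN=LDAPQuery,CN=Users,DC=XXXX,DC=XX",
                       base="DC=XXXX,DC=XX"):
    """The live check: ask the global catalog how many objects share this
    sAMAccountName across the forest, and in what state each one is."""
    return (f'ldapsearch -H ldap://{host}:3268 -x -D "{bind_dn}" -W -b "{base}" '
            f'"(sAMAccountName={uid})" dn userPrincipalName userAccountControl memberOf')


if __name__ == "__main__":
    posted = [e for e in GC_ENTRIES if posted_person_filter(e)]
    hardened = [e for e in GC_ENTRIES if hardened_person_filter(e)]
    print("ambiguous uids with the posted filter:", uid_collisions(posted))
    print("ambiguous uids with the disabled-account clause:", uid_collisions(hardened))
    ad_members = synced_group_members(GC_ENTRIES, ITS_GROUP, hardened_person_filter)
    print("after sync:", reconcile(["jdoe@lab.corp.example", "jdoe"], ad_members))
    print(ldapsearch_command("jdoe"))
```

Run the printed ldapsearch against your own catalog with the real uid: two or more DNs coming back, or a DN with userAccountControl 514 (or 66050, which also has the disable bit set), is the first thing to reconcile before touching the Alfresco side.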

eswbitto
Confirmed Champ
A couple of things that you might consider.

Have you disabled alfresco's create missing person functionality?

/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/<b>authentication-services-context.xml</b>

Where you change the following:

<value>${server.transaction.allow-writes}</value>

to

<value>false</value>



Also, could you do a process of elimination and maybe disable 2 out of the 3 accounts at a time to test after they have synced? You know your setup better than anyone, so this may be out of the question, but I thought I would ask.

hsturner
Champ on-the-rise
We tried disabling the accounts and still cannot get that one single user to appear in Alfresco.  If we have them log in using <em>username@domain</em> they can log in with their credentials, but Alfresco creates a new user for them and does not retrieve the user details.  If we add them to the AD group in Alfresco, they get dropped out of the group when Alfresco re-syncs with AD, so we had to create a local Alfresco group with the same permissions as the AD group that is synced to Alfresco.

I have not tried to disable Alfresco's create missing person functionality yet, as I can't find any documentation on how that will affect us adding new users to an AD group and having it sync with Alfresco.