  1. Alfresco One Platform
  2. ACE-4960

allow mapping of authenticated username to repository username (example: maiden name to married name changes)

    Details

    • Type: Feature
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 4.2, 5.0
    • Fix Version/s: None
    • Component/s: Repository
    • Labels:
    • Environment:
      any with ldap or ldap-ad
    • ACT Numbers:

      00130235, 00119749 Premier, 00262595, 00303085, 00502054 Premier, 00511848 Premier, 00584610, 00588049 Premier

      Description

      It is a long-standing enhancement request to have the possibility to change a username in Alfresco; see ENH-1144, ENH-1074, ENH-1155, ALF-5016, ALF-5887.

      The latest Jira is interesting, especially the comment

      https://issues.alfresco.com/jira/browse/ALF-5887?focusedCommentId=95497&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-95497

      where Andy mentions three possible solutions. Could we please implement at least one of those solutions, as many customers want this?

      How to reproduce and use case?
      ==============================
      1) Install an ldap-ad system with LDAP sync.

      ldap.synchronization.userIdAttributeName=sAMAccountName

      2) Try to log in with NTLM SSO with a user:
      NTLM passthru (sso.enabled=true)

      DOMAIN1\username1

      With the default parameters, this will create a user in Alfresco with username "username1"

      (Same thing with Kerberos, with the option to have username1@domain1 as username; see ALF-13687.)

      3) Now the user gets married and, as "username1" was a user name based on her maiden name, admins in AD change her sAMAccountName from "username1" to "marriedusername1".

      Result:
      =======
      When that user logs into Alfresco, a new user is created.
      This results in the user losing her rights on all folders and ownership of documents she created.

      Expected result/Enhancement request:
      ====================================
      Could we please implement Andy's suggestion assuming that the Directory contains an attribute that never changes.

      Example:

      sAMAccountName=username1
      EmployeeId=1234

      is changed into:

      sAMAccountName=marriedusername1
      EmployeeId=1234

      that is, the EmployeeId attribute is an invariant.

      Notes:
      ======
      It seems to me that, from the configuration point of view, that mapping could be achieved with just one extra parameter (call it ldap.synchronization.authUserIdAttributeName for instance)
      and then setting the four key parameters to:

      synchronization.autoCreatePeopleOnLogin=false
      synchronization.syncWhenMissingPeopleLogIn=true
      ldap.synchronization.userIdAttributeName=EmployeeId
      ldap.synchronization.authUserIdAttributeName=sAMAccountName

      People

      • Assignee: Repository Team (repositoryteam)
      • Reporter: Alex Madon (amadon) [X] (Inactive)
      • Votes: 9
      • Watchers: 22

      Time Tracking

      • Original Estimate: 0 minutes
      • Remaining Estimate: 0 minutes
      • Time Spent: 30 minutes
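
A simplified model of the mapping proposed in the Notes, added here as an illustration; it is not Alfresco code and not part of the original issue. `Directory`, `Repository` and `rename_scenario` are hypothetical names, the directory entry and document name are constructed, and `auth_user_id_attr` plays the role of the proposed `ldap.synchronization.authUserIdAttributeName`.

```python
# Added illustration: constructed data, hypothetical names; not Alfresco code.
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for AD: one entry with a mutable login and an invariant id."""
    entries: list = field(default_factory=lambda: [
        {"sAMAccountName": "username1", "EmployeeId": "1234"}])

    def lookup(self, attr, value):
        matches = [e for e in self.entries if e[attr] == value]
        if len(matches) != 1:  # fail closed on a missing or ambiguous entry
            raise LookupError(f"{attr}={value!r} matched {len(matches)} entries")
        return matches[0]

@dataclass
class Repository:
    user_id_attr: str       # role of ldap.synchronization.userIdAttributeName
    auth_user_id_attr: str  # role of the proposed authUserIdAttributeName
    owners: dict = field(default_factory=dict)  # repository username -> owned documents

    def login(self, directory, authenticated_name):
        """Map the authenticated name to the repository username via the directory."""
        entry = directory.lookup(self.auth_user_id_attr, authenticated_name)
        repo_user = entry[self.user_id_attr]
        # Sync-on-missing: a person is created only from a directory entry.
        self.owners.setdefault(repo_user, set())
        return repo_user

def rename_scenario(user_id_attr):
    """Create a document, rename the account in the directory, then log in again."""
    directory = Directory()
    repo = Repository(user_id_attr, "sAMAccountName")
    before = repo.login(directory, "username1")
    repo.owners[before].add("contract.pdf")
    directory.entries[0]["sAMAccountName"] = "marriedusername1"  # step 3 of the report
    after = repo.login(directory, "marriedusername1")
    return before, after, sorted(repo.owners[after])

if __name__ == "__main__":
    print(rename_scenario("sAMAccountName"))  # repository keyed on the mutable login
    print(rename_scenario("EmployeeId"))      # repository keyed on the invariant
```

Keyed on `sAMAccountName`, the second login resolves to a fresh repository user with no documents; keyed on `EmployeeId`, both logins resolve to the same repository user and ownership is preserved.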