Enterprise 3.x / ETHREEOH-2101

when using NTLM non SSO, new users are created depending on the login entered - multiple (triplicate) users

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a bug
    • Affects Version/s: 3.2
    • Fix Version/s: 3.3
    • Component/s: Authentication
    • Security Level: external (External user)
    • Labels:
      None
    • Environment:
      customer: 3.1+redhat+oracle+jboss
      support: 3.1+debian+mysql+tomcat

      Description

      when using NTLM non SSO, new users are created depending on the login entered

      How to reproduce this?
      ==================
      1) configure a 3.1 NTLM system
      You do not need to modify the web.xml file to use the NTLM filter as this has been reproduced with or without the filter
      2) assume you have an Active Directory with a user "user1"
      whose DN (Distinguished Name) is:
      CN=user1,CN=Users,DC=example,DC=foo
      and its UPN (User Principal Name) is
      user1@example.foo

      then log into the Alfresco web UI (Explorer) using the three different strings:
      a) user1
      b) user1@example
      c) user1@example.foo

      Result:
      ======
      The three authentications above create three different users (see attached screenshot 'user_multi.png')

      Expected result:
      ==============
      As the three strings correspond to one unique user in AD (Active Directory), one would expect that this maps to just one unique user in Alfresco.

      As no easy solution/workaround was found by support, raising this as a bug.
      Attachments:
      • auth_config.txt (1 kB, Alfresco QA Team)
      • user_multi.png (153 kB)

        Activity

        dward added a comment -
        We could build in @* suffix stripping to NTLMAuthenticationComponentImpl but that would rule out a multi-tenant enabled solution where the UPN suffix actually varies between tenants.

        This particular problem could be worked around by including ldap-ad in the authentication chain and then setting the following to disable LDAP-based authentication and to disable automatic creation of people who have not been resolved by the LDAP import. LDAP sync will still be triggered when a user successfully authenticates who does not have an Alfresco person, but they will be rejected if there is no corresponding person in Alfresco after the sync.

        authentication.chain=passthru1:passthru,ldap1:ldap-ad
        ldap.authentication.active=false
        synchronization.autoCreatePeopleOnLogin=true
        Steve Rigby added a comment -
        for retest in b241 or later
        Alfresco QA Team added a comment -
        This doesn't help.
        Reopened in Alfresco 3.2 EE build 290 using Windows 2008 SP1 x64, Tomcat 6.0.18, Mysql 5.1.34, JDK 6u16 x64.
        We see sync running, can login, but duplicate users are created.

        Our config is attached
        dward added a comment -
        Sorry, that should have been

        synchronization.autoCreatePeopleOnLogin=false
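The comments above describe two things: why blind "@*" suffix stripping is unsafe (it would merge users from different tenants whose UPN suffixes differ), and the workaround of resolving logins against the ldap-ad sync and rejecting anything unresolved (synchronization.autoCreatePeopleOnLogin=false) rather than creating a fresh person. The following is an added example, not Alfresco code and not from any commenter, that simulates that resolution in plain Python: the three login spellings from the report are mapped to one canonical identity by looking them up in a constructed directory snapshot, an unknown login is rejected instead of auto-created, and the naive stripping approach is shown collapsing two tenants. The directory entries, the default-domain parameter and all function names are assumptions made for the example.

```python
"""
Constructed example (not Alfresco code): resolve NTLM login spellings to one
canonical identity via a synced directory snapshot, and reject unresolved
logins instead of auto-creating a person (the effect of
synchronization.autoCreatePeopleOnLogin=false). All names and data are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DirectoryEntry:
    """One AD account as an ldap-ad sync would import it (constructed)."""
    netbios_domain: str  # NTLM domain name, e.g. "EXAMPLE"
    sam_account: str     # sAMAccountName, what a bare NTLM login carries
    upn: str             # userPrincipalName, unique across the forest


class UnresolvedLogin(Exception):
    """No synced person matched: the login is rejected, not auto-created."""


# Constructed snapshot: two tenants each have a 'user1' with a different UPN.
SYNCED_PEOPLE = (
    DirectoryEntry("EXAMPLE", "user1", "user1@example.foo"),
    DirectoryEntry("TENANTB", "user1", "user1@tenantb.net"),
)


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'name@suffix' into (name, suffix); suffix is None for a bare name."""
    name, sep, suffix = login.strip().lower().partition("@")
    if not name or (sep and not suffix):
        raise UnresolvedLogin(f"malformed login {login!r}")
    return name, (suffix if sep else None)


def naive_strip_suffix(login: str) -> str:
    """The '@*' stripping idea from the comment: merges tenants, so avoid it."""
    return login.lower().partition("@")[0]


def resolve(login: str, default_domain: str,
            people: Tuple[DirectoryEntry, ...] = SYNCED_PEOPLE) -> str:
    """Return the canonical identity (UPN) for a login, or raise UnresolvedLogin.

    A bare name is looked up in the configured default NTLM domain; 'name@x'
    matches either the full UPN or the NetBIOS domain form 'name@DOMAIN'.
    Nothing is created when no synced person matches.
    """
    name, suffix = split_login(login)
    for p in people:
        same_sam = p.sam_account.lower() == name
        if suffix is None:
            if same_sam and p.netbios_domain.lower() == default_domain.lower():
                return p.upn
        elif p.upn.lower() == f"{name}@{suffix}":
            return p.upn
        elif same_sam and p.netbios_domain.lower() == suffix:
            return p.upn
    raise UnresolvedLogin(f"no synced person for {login!r}")


def distinct_identities(logins, default_domain: str) -> int:
    """How many Alfresco people the given logins would map to (1 is the goal)."""
    return len({resolve(login, default_domain) for login in logins})


if __name__ == "__main__":
    report_logins = ("user1", "user1@example", "user1@example.foo")
    print(distinct_identities(report_logins, "EXAMPLE"))  # 1, not 3
    # Suffix stripping cannot tell the two tenants' user1 apart:
    print(naive_strip_suffix("user1@tenantb") == naive_strip_suffix("user1@example.foo"))  # True
```

The point of returning the UPN rather than the bare sAMAccountName is that it stays unique across tenants, which is exactly what the "@*" stripping loses; and raising UnresolvedLogin where Alfresco would otherwise create a person is what stops the triplicate accounts from appearing.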

          People

          • Assignee: Closed Issues
          • Reporter: Alex Madon
          • Votes: 0
          • Watchers: 0