Enterprise 3.x: ETHREEOH-2101

when using NTLM non SSO, new users are created depending on the login entered - multiple (triplicate) users

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a bug
    • Affects Version/s: 3.2
    • Fix Version/s: 3.3
    • Component/s: Authentication
    • Security Level: external (External user)
    • Labels:
      None
    • Environment:
      customer: 3.1+redhat+oracle+jboss
      support: 3.1+debian+mysql+tomcat

      Description

      when using NTLM non SSO, new users are created depending on the login entered


      How to reproduce this?
      ==================
      1) configure a 3.1 NTLM system
You do not need to modify the web.xml file to use the NTLM filter as this has been reproduced with or without the filter
2) assume you have an Active Directory with a user "user1"
whose DN (Distinguished Name) is:
CN=user1,CN=Users,DC=example,DC=foo
      and its UPN (User Principal Name) is
      user1@example.foo

      then log into alfresco web ui (explorer) using the three different strings:
      a) user1
      b) user1@example
      c) user1@example.foo

      Result:
      ======
The three authentications above create three different users (see attached screen shot 'user_multi.png')

      Expected result:
      ==============
      As the three strings correspond to one unique user in AD (Active Directory) one would expect that this maps into just one unique user in Alfresco.


As no easy solution/workaround was found by support, raising this as a bug.

        Attachments

          Activity

          dward Dave Ward [X] (Inactive) added a comment -
          We could build in @* suffix stripping to NTLMAuthenticationComponentImpl but that would rule out a multi-tenant enabled solution where the UPN suffix actually varies between tenants.

          This particular problem could be worked around by including ldap-ad in the authentication chain and then setting the following to disable LDAP-based authentication and to disable automatic creation of people who have not been resolved by the LDAP import. LDAP sync will still be triggered when a user successfully authenticates who does not have an Alfresco person, but they will be rejected if there is no corresponding person in Alfresco after the sync.

          authentication.chain=passthru1:passthru,ldap1:ldap-ad
          ldap.authentication.active=false
          synchronization.autoCreatePeopleOnLogin=true
          srigby Steve Rigby added a comment -
          for retest in b241 or later
          alfrescoqa Alfresco QA Team added a comment -
          This doesn't help.
          Reopened in Alfresco 3.2 EE build 290 using Windows 2008 SP1 x64, Tomcat 6.0.18, Mysql 5.1.34, JDK 6u16 x64.
We see sync running, can login, but duplicate users are created.

          Our config is attached
          dward Dave Ward [X] (Inactive) added a comment -
          Sorry, that should have been

          synchronization.autoCreatePeopleOnLogin=false
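The behaviour described in Dave Ward's two comments above, as an added Python model that is not Alfresco's own code: a pass-through (NTLM) authenticator that takes the typed login string as the person id creates one person per spelling, the corrected setting synchronization.autoCreatePeopleOnLogin=false instead rejects logins that do not match a synced person, and the "@*" suffix stripping idea collapses same-named accounts from tenants with different UPN suffixes. The directory entries, the second tenant, and keying synced people by sAMAccountName are constructed assumptions, not data from this issue.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    """One Active Directory account (constructed sample data)."""
    sam_account_name: str
    upn: str
    dn: str


# The account from the issue, plus an assumed second tenant whose UPN suffix
# differs, to show the multi-tenant objection to blanket suffix stripping.
SINGLE_TENANT = [
    DirectoryUser("user1", "user1@example.foo", "CN=user1,CN=Users,DC=example,DC=foo"),
]
MULTI_TENANT = SINGLE_TENANT + [
    DirectoryUser("user1", "user1@tenant2.bar", "CN=user1,CN=Users,DC=tenant2,DC=bar"),
]

# The three login strings from the reproduction steps.
LOGINS_FROM_ISSUE = ["user1", "user1@example", "user1@example.foo"]


def naive_person_name(login):
    """Pass-through behaviour: the typed login string becomes the person id."""
    return login.strip().lower()


def strip_suffix(login):
    """The '@*' stripping the first comment rejects: everything after '@' is dropped."""
    return login.split("@", 1)[0].strip().lower()


def synced_people(directory):
    """Person ids an LDAP sync would create: one per account, keyed by
    sAMAccountName (assumed user id attribute)."""
    return {u.sam_account_name.lower() for u in directory}


def simulate_logins(logins, directory, auto_create_on_login, ldap_synced=True):
    """Replay logins against a person store.

    auto_create_on_login=True models autoCreatePeopleOnLogin=true: an
    authenticated login string with no person record becomes a new person.
    auto_create_on_login=False models the corrected setting: the login is
    rejected unless a synced person with that id already exists.
    """
    persons = set(synced_people(directory)) if ldap_synced else set()
    created, accepted, rejected = [], [], []
    for login in logins:
        pid = naive_person_name(login)
        if pid in persons:
            accepted.append(login)
        elif auto_create_on_login:
            persons.add(pid)
            created.append(pid)
            accepted.append(login)
        else:
            rejected.append(login)
    return {
        "persons": sorted(persons),
        "created": created,
        "accepted": accepted,
        "rejected": rejected,
    }


def tenant_collisions(directory):
    """Person ids that '@*' stripping would assign to more than one account."""
    seen = {}
    for u in directory:
        seen.setdefault(strip_suffix(u.upn), []).append(u.upn)
    return {pid: upns for pid, upns in seen.items() if len(upns) > 1}


if __name__ == "__main__":
    print("bug as reported:", simulate_logins(LOGINS_FROM_ISSUE, SINGLE_TENANT, True, ldap_synced=False))
    print("workaround:", simulate_logins(LOGINS_FROM_ISSUE, SINGLE_TENANT, False))
    print("suffix stripping across tenants:", tenant_collisions(MULTI_TENANT))
```

With the original settings all three spellings end up as separate person records; with the workaround only the spelling that matches the synced sAMAccountName is accepted and the other two are rejected, which is the "rejected if there is no corresponding person" behaviour the comment describes. The collision check shows why stripping the suffix globally is not a safe substitute: two tenants' "user1" accounts would share one person id.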

            People

            • Assignee:
              closedissues Closed Issues
              Reporter:
              amadon Alex Madon
• Votes:
  0
  Watchers:
  0
