I configured sso kerberos autentization and AD synchronization. The problem is that any existing user can log in to the platform and I only need to allow users from the ldap-ad configuration (according user/group synchronization query).
I tried to disable guest access, because at one point it was possible to log in to users who did not exist at all. But it didn't solve the problem, when I log in using SSO kerberos to a user who is not in alfresco (not synchronized from AD), the user is automatically created.
I'd like to allow only users who are synchronizing from AD to sign in.