Permanently disabled users after disabling LDAP

cancel
Showing results for 
Search instead for 
Did you mean: 
RansomRonny
Member II

Permanently disabled users after disabling LDAP

Hi.

I have a situation similar to that from https://hub.alfresco.com/t5/alfresco-content-services-forum/switch-from-ad-ldap-authentication-to-lo... thread. Unfortunately I don't see a solution there.

I "inherited" some 5.2 installation which was, honestly speaking, unmaintained and kept only as an archive of sorts.

The configuration was as far as I remember and understand the contents to authenticate users using Kerberos against AD and use LDAP to query/synchronize users' group membership.

I needed to migrate the server into another site because the whole domain is being decommisioned so I had to disable Kerberos and LDAP in ACS config. It seems to have gone well.

The problem is that all accounts that were created before and used Kerberos/LDAP still exist but are shown as disabled and the user edit dialog doesn't let me to re-enable the user (the checkbox "disable user" is ticked and greyed out) or set the password for user.

If I create a new test user, he's getting properly created locally and I can freely edit his properties.

I trimmed my authentication.chain so it contains only "alfrescoNtlm1:alfrescoNtlm" now.

I already disabled Kerberos completely in share-config-custom.xml because otherwise the tomcat app would not start properly without KDC access. I disabled all LDAP mentions in tomcat/shared/classes/alfresco/extension...

What else can I do?

I'd like to avoid having to remove users and recreate them by hand.

5 Replies
angelborroy
Alfresco Employee

Re: Permanently disabled users after disabling LDAP

Users are associated to a Zone in Alfresco. If you want to move to default Authentication (NTLM), you need to re-create every user (you can use the REST API for that). If you want to use a new LDAP, you may try synchronizing them again.

Hyland Developer Evangelist
RansomRonny
Member II

Re: Permanently disabled users after disabling LDAP

If I delete/recreate each user I'll obviously lose all access rights assignment, right?

Is there no way around it? To be honest, I thought about directly updating the database if needed but unfortunately, the database structure is a bit over-complicated for quick understanding without additional docs.

Also, will it not lose user action history?

fedorow
Senior Member II

Re: Permanently disabled users after disabling LDAP


@RansomRonny wrote:

If I delete/recreate each user I'll obviously lose all access rights assignment, right?


Yes, new user is new user.

 


@RansomRonny wrote:

Also, will it not lose user action history?


Yes, you'll have got new users.

 

@RansomRonny wrote:

What else can I do?

Connect system to LDAP with same users ID's. It can use any LDAP autentication technology, not necessarily Kerberos.

 

4535992
Senior Member

Re: Permanently disabled users after disabling LDAP

Did you find some solution about it ?

Like update the database or something similar ?

4535992
Senior Member

Re: Permanently disabled users after disabling LDAP

Hi @angelborroy  i have a question.

I noticed that the old LDAP users stay in their own AUTH.ZONE_2 while the LOCAL users stay in their AUTH.ZONE_1.

If I remove the AUTH.ZONE_2 from the users coming from the LDAP and add them to the AUTH.ZONE_1 they become local users ?

If yes is there any way to do this with java code ?