Hi.
I have a situation similar to that from https://hub.alfresco.com/t5/alfresco-content-services-forum/switch-from-ad-ldap-authentication-to-lo... thread. Unfortunately I don't see a solution there.
I "inherited" some 5.2 installation which was, honestly speaking, unmaintained and kept only as an archive of sorts.
The configuration was, as far as I remember and understand the contents, to authenticate users using Kerberos against AD and use LDAP to query/synchronize users' group membership.
I needed to migrate the server into another site because the whole domain is being decommissioned, so I had to disable Kerberos and LDAP in ACS config. It seems to have gone well.
The problem is that all accounts that were created before and used Kerberos/LDAP still exist but are shown as disabled, and the user edit dialog doesn't let me re-enable the user (the checkbox "disable user" is ticked and greyed out) or set the password for the user.
If I create a new test user, he's getting properly created locally and I can freely edit his properties.
I trimmed my authentication.chain so it contains only "alfrescoNtlm1:alfrescoNtlm" now.
I already disabled Kerberos completely in share-config-custom.xml because otherwise the tomcat app would not start properly without KDC access. I disabled all LDAP mentions in tomcat/shared/classes/alfresco/extension...
What else can I do?
I'd like to avoid having to remove users and recreate them by hand.
Users are associated with a Zone in Alfresco. If you want to move to default Authentication (NTLM), you need to re-create every user (you can use the REST API for that). If you want to use a new LDAP, you may try synchronizing them again.
If I delete/recreate each user I'll obviously lose all access rights assignment, right?
Is there no way around it? To be honest, I thought about directly updating the database if needed but unfortunately, the database structure is a bit over-complicated for quick understanding without additional docs.
Also, will it not lose user action history?
@RansomRonny wrote: If I delete/recreate each user I'll obviously lose all access rights assignment, right?
Yes, a new user is a new user.
@RansomRonny wrote: Also, will it not lose user action history?
Yes, you'll have got new users.
@RansomRonny wrote: What else can I do?
Connect the system to LDAP with the same user IDs. It can use any LDAP authentication technology, not necessarily Kerberos.
Did you find some solution for it?
Like updating the database or something similar?
Hi @angelborroy, I have a question.
I noticed that the old LDAP users stay in their own AUTH.ZONE_2 while the LOCAL users stay in their AUTH.ZONE_1.
If I remove the AUTH.ZONE_2 from the users coming from the LDAP and add them to the AUTH.ZONE_1, do they become local users?
If yes, is there any way to do this with Java code?