AnsweredAssumed Answered

LDAP and NTLM Chain - username clash

Question asked by bcoulson on Mar 30, 2011
All

I noticed some surprising behavior from Alfresco when chaining the default authentication subsystem, NTLM, with my LDAP subsystem. So within my LDAP configuration file (ldap-ad-authentication.properties), I specify the following:

ldap.authentication.defaultAdministratorUserNames=admin

to indicate that the user with name "admin" in my LDAP system should have administrative privileges for Alfresco.

However, the default administrator user for Alfresco is also "admin".
So everything works as documented - Alfresco walks the chain of subsystems, and uses the first match it finds. So if I have my authentication chain configured as follows:

authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

then it will use the admin user in my LDAP subsystem. Whereas if I setup a chain like this:

authentication.chain=alfrescoNtlm1:alfrescoNtlm, ldap1:ldap-ad

it will use the default Alfresco admin user.

Both admin users have administrative privileges so that works as expected. However, what is disconcerting is basically I have two users both with the name "admin" who can login to Alfresco with different passwords successfully!

Is this the expected behavior?

Outcomes