topic Re: Active directory user import in Alfresco Archive

Active directory user import

ruera — Thu, 14 Aug 2008 13:07:32 GMT

Hi,I'm new with Alfresco.After a correct installation, now I' would like to understand: "how to: import and synchronize users from Active directory-LDAP".I red may post but i didn't find a sort of procedue "Step by Step".Question: can someone explain to me the complete process to get users and group

Re: Active directory user import

meansartin14 — Fri, 31 Oct 2008 13:54:13 GMT

I am interested in this topic also.

Anyone?

Re: Active directory user import

ofrxnz — Wed, 12 Nov 2008 15:34:02 GMT

So the process is two step Hopefully this should get you on track

First configure LDAP authentication after this step is done, AD user accounts will work in alfresco

This requires you rename ldap-authentication-context.xml.sample to ldap-authentication-context.xml
and then configure ldap-authentication.properties to match your environment

There are a couple of tricks. Here are some of the key lines

ldap.authentication.java.naming.provider.url=ldap://yourADserverDomainNameOrIPAddress:389

ldap.authentication.java.naming.security.authentication=SIMPLE

This next one is tricky because AD does not follow standards so you will need to create an "alfresco" user in AD. Because AD is not standards compliant, the Windows user name is not an LDAP user name. so you need to look at the folder name(and path). The below example is for a user with the first name "alfresco" and last name "ldap" and a user name of "alfresco.ldap". I used the Apache directory studio http://directory.apache.org/studio/ to find this value. When you navigate to the user this string will be at the top of the user attribute frame

ldap.authentication.java.naming.security.principal=CN=alfresco ldap,CN=Users,dc=COMPANY,dc=com

ldap.authentication.java.naming.security.credentials=TheAboveUsersPasswordInPlainText

The second part is to rename ldap-synchronization-context.xml.sample to ldap-synchronization-context.xml you will have to play with this some but the directory suite helps

then configure the following to sync users

ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)

In the previous one "objectclass=inetOrgPerson" is an attribute the only exists in user accounts and when alfresco sees it and it knows it is a user.

set the base folder in AD for users
ldap.synchronisation.personSearchBase=dc=company,dc=com

windows usernames attribute
ldap.synchronisation.userIdAttributeName=sAMAccountName

configure the following for groups

ldap.synchronisation.groupQuery=(objectclass=group)
again that is one that alfresco knows to look at as groups

ldap.synchronisation.groupSearchBase=BaseGroupFolder

Re: Active directory user import

marctsg — Wed, 12 Nov 2008 16:01:25 GMT

I was going to make a new topic about this but it seems to make more sense in here. I noticed that the LDAP sync should be configured not to destroy groups before doing a group sync or users will lose all their site roles and the sites become orphaned. The sites create their own groups when you set them up and those are gone for good when you do the clear, unfortunately.

So in spite of what the note says in ldap-synchronization.properties, it's probably not safe to set clearGRoups=true if you plan on using Share.