topic Re: [LDAP] User sync at connection in Alfresco Archive

[LDAP] User sync at connection

piski — Wed, 13 Jan 2010 14:33:22 GMT

Hi everybody,I've installed a test environment (WebClient+Share) with these features :- Authentification passthru, SSO- CIFS, FTP, WebdavSSO authentification don't give me automatically fields of my Active Directory (lastname, firstname, mail …), I've installed LDAP-AD sync (not authentification). A

Re: [LDAP] User sync at connection

dward — Wed, 13 Jan 2010 15:00:00 GMT

I would recommend these settings.

synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false

The sync triggered on startup is a 'differential sync'. This means that it runs a query that queries for all users changed since the last differential sync. That will mean that the first startup will be slow if you have thousands of users, but after that, it will be very fast and only pull over those users changed since the last sync.

The sync triggered on login again is differential and is only triggered when someone is successfully authenticated but still unknown to Alfresco. So again, that should only pull in only those users added since the last sync.

If you set

synchronization.autoCreatePeopleOnLogin=true

you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync query, which I don't think is what you want. Users auto-created in this way will not have their attributes such as last name, email, etc. pulled in from the LDAP server. If you need this setting, it probably means you haven't configured the sync correctly. It looks like your userSearchBase is wrong. It should not contain any %s placeholders and should look something like:

synchronization.userSearchBase=OU\=my,DC\=organization,DC\=infos,DC\=com

To work out what it should be, browse to a user, get their DN and use the suffix.

If you are finding the sync is bringing in more users than you want, just tighten the queries so that they don't include as many users, e.g. they only include those users in a certain group or with a certain attribute.

Re: [LDAP] User sync at connection

piski — Wed, 13 Jan 2010 15:44:14 GMT

Thanks for your reply !

I think I understand solution you recommend ; working with differential provides the single user creation because it's the only thing that is changed.

For information, the parameter like %s in my userSearchBase was only a test, not the correct configuration.

I'll try to be clearest … My users authenticate using passthru which provides me SSO feature.

By default & at "first" Alfresco launch, there is no user into the repository.
I don't want to create my AD users into Alfresco using LDAP sync (howerer I test this feature and it's working).

I only want new users (first time sign in and then unknown users in Alfresco) to be created.
LDAP sync just provides me informations from AD such as lastname, mail … which are putting in user profile in Alfresco.

To resume :
- Alfresco based on passthru auth - SSO
- No LDAP sync on first time startup
- No user defined in Alfresco
-> A user sign in -> LDAP sync only for this user -> user created in Alfresco with his AD informations

It's more clear ? It's possible ?

By the way, Many thanks for your help !

Re: [LDAP] User sync at connection

dward — Wed, 13 Jan 2010 17:21:58 GMT

No it's not currently possible. LDAP sync pulls all your users into Alfresco in advance of you using them. If you turn sync off and auto create person on, then you will get the behaviour you want, but you will not get user details pulled from LDAP.

ldap.synchronization.active=false
synchronization.autoCreatePeopleOnLogin=true

Re: [LDAP] User sync at connection

piski — Thu, 14 Jan 2010 09:26:39 GMT

My purpose, with LDAP sync activation, is to pull AD users details on Alfresco profile.

User is automatically created, if not exists, by passthru authentification, so I don't need to activate any LDAP features.

I though it was possible to cheat by using a kind of parameter such as synchronization.userSearchBase or synchronization.personQuery to indicate to Alfresco to search only the user trying to connect.

Any chance to implement in the future ?
Thanks

Re: [LDAP] User sync at connection

jasondalycan — Sun, 18 Apr 2010 19:04:55 GMT

I agree with this feature suggestion – I am actually facing an identical scenario.

An excellent addition would be something of the form:

ldap.synchronization.autoSyncMissingUser=<true|false>‍

If enabled, such a parameter would pull in the authenticated users' attributes from the central LDAP server upon each successful login – thus keeping the user's attributes consistent with the central company directory (housed with LDAP).

Note: This functionality should be tenant-aware, i.e. the user store bases should be appropriate for the authenticated user's tenant domain. Currently LDAP sync attempts to place all user attributes in the root content store, thus causing a 'Node not found' error to be thrown.

-JASON

Re: [LDAP] User sync at connection

mjjn — Mon, 07 Feb 2011 13:48:57 GMT

I'd like to see this feature too, but for different reason.
The LDAP server in my organization terminates replies longer than 500 entries, and paging
doesn't trick it. So synchronizing in "full" or "differential with deletions" modes doesn't work.