https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258694#M211824 <HTML><HEAD></HEAD><BODY><SPAN>Ok we found a way to avoid creating everything, but we still struggle with the queries in order to try to get info from groups.</SPAN><BR /><BR /><SPAN>The idea is to have a group called Applications-&gt;Alfresco-&gt;DNP</SPAN><BR /><SPAN>In this one we have three groups: DNP-Admin, DNP-Manager, DNP-Read</SPAN><BR /><SPAN>We have set persons in each group.</SPAN><BR /><SPAN>When Alfresco syncs, it sees the three groups but says that the users don't have the right distinguished names.</SPAN><BR /><SPAN>It has the correct name, so this means that it correctly sees who is in which group, but still it doesn't use it.</SPAN><BR /><SPAN>Here is the error</SPAN><BR /><SPAN>Failed to resolve member of group 'GG-DNP-Admin' with distinguished name: CN=Jordi,OU=DSIC,OU=VILLE-GE,DC=activedir,DC=ville-geneve,DC=ch </SPAN><BR /><BR /><SPAN>Our queries are as follows:</SPAN><BR /><SPAN>ldap.synchronization.groupQuery=(objectclass\=group)</SPAN><BR /><SPAN>ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=group)(!(modifyTimeStamp&lt;\={0})))</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))</SPAN><BR /><SPAN>ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimeStamp&lt;\={0})))</SPAN><BR /><SPAN>ldap.synchronization.groupSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch</SPAN><BR /><SPAN>ldap.synchronization.userSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch</SPAN><BR /><SPAN>ldap.synchronization.modifyTimestampAttributeName=modifyTimeStamp</SPAN><BR /><BR /><BR /><SPAN>Any idea? </SPAN><BR /><SPAN>Thanks for your help.</SPAN><BR /><SPAN>Steve</SPAN></BODY></HTML> Mon, 13 Aug 2012 12:27:08 GMT sjordi 2012-08-13T12:27:08Z https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258692#M211822 HI,We're currently integrating our Alfresco with LDAP through an active directory.The problem we face is that once synchronized, it actually creates the 4,000+ account at once.Then everybody can connect.Is there a way to avoid this?We'd like to allow only specific persons, defined in groups, to conn Mon, 25 Jun 2012 08:30:22 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258692#M211822 sjordi 2012-06-25T08:30:22Z https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258693#M211823 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>depending on your layout within the LDAP (AD) and your ability to express the conditions in an LDAP query, you can select the people that are being synchronized by configuring the ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery (</SPAN><A href="http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2</A><SPAN>).</SPAN><BR /><BR /><SPAN>Regards</SPAN><BR /><SPAN>Axel</SPAN></BODY></HTML> Fri, 10 Aug 2012 20:36:00 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258693#M211823 afaust 2012-08-10T20:36:00Z https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258694#M211824 <HTML><HEAD></HEAD><BODY><SPAN>Ok we found a way to avoid creating everything, but we still struggle with the queries in order to try to get info from groups.</SPAN><BR /><BR /><SPAN>The idea is to have a group called Applications-&gt;Alfresco-&gt;DNP</SPAN><BR /><SPAN>In this one we have three groups: DNP-Admin, DNP-Manager, DNP-Read</SPAN><BR /><SPAN>We have set persons in each group.</SPAN><BR /><SPAN>When Alfresco syncs, it sees the three groups but says that the users don't have the right distinguished names.</SPAN><BR /><SPAN>It has the correct name, so this means that it correctly sees who is in which group, but still it doesn't use it.</SPAN><BR /><SPAN>Here is the error</SPAN><BR /><SPAN>Failed to resolve member of group 'GG-DNP-Admin' with distinguished name: CN=Jordi,OU=DSIC,OU=VILLE-GE,DC=activedir,DC=ville-geneve,DC=ch </SPAN><BR /><BR /><SPAN>Our queries are as follows:</SPAN><BR /><SPAN>ldap.synchronization.groupQuery=(objectclass\=group)</SPAN><BR /><SPAN>ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=group)(!(modifyTimeStamp&lt;\={0})))</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))</SPAN><BR /><SPAN>ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimeStamp&lt;\={0})))</SPAN><BR /><SPAN>ldap.synchronization.groupSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch</SPAN><BR /><SPAN>ldap.synchronization.userSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch</SPAN><BR /><SPAN>ldap.synchronization.modifyTimestampAttributeName=modifyTimeStamp</SPAN><BR /><BR /><BR /><SPAN>Any idea? </SPAN><BR /><SPAN>Thanks for your help.</SPAN><BR /><SPAN>Steve</SPAN></BODY></HTML> Mon, 13 Aug 2012 12:27:08 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-ad-account-inheritance-question/m-p/258694#M211824 sjordi 2012-08-13T12:27:08Z