topic Selective synchronization of users according to groups (LDAP-AD) in Alfresco Archive

Selective synchronization of users according to groups (LDAP-AD)

fux — Wed, 09 Nov 2016 23:09:18 GMT

Hi all!I'm greenhorn in the Alfresco. At the moment I am trying to resolve connection to AD, but for some reason I have not succeeded with the synchronization.Groups is synchronized correctly, users is associated into a correct groups, but during synchronization is created a lot of other accounts (a

Re: Selective synchronization of users according to groups (LDAP-AD)

cesarista — Thu, 10 Nov 2016 06:53:37 GMT

Hi Vladimir:

One aprox. is to use extension attributes in LDAP to flag or distinguish Alfresco users. Then, you only have to configure the default user LDAP sync queries according to this attribute. If you flag extensionAttribute3=alf to Adam and John, you should sync only the corresponding users with:

ldap.synchronization.personQuery=(&(objectclass\=user)(extensionAttribute3\=alf)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(extensionAttribute3\=alf)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

Take into consideration that you should disable authentication for not synced users, and "clean" already synced users.

Hope this helps.

--C.

Re: Selective synchronization of users according to groups (LDAP-AD)

cesarista — Thu, 10 Nov 2016 07:10:54 GMT

Hi again:

Another aprox is related to define a big group in your AD, under (OU) Others > (OU) Alfresco :

ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN=Alfresco_Users,OU=Alfresco,OU=Others,DN=domain,DN=tld)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN=Alfresco_Users,OU=Alfresco,OU=Others,DN=domain,DN=tld)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<={0})))

This is simpler for LDAP admins.

Regards.

--C.

Re: Selective synchronization of users according to groups (LDAP-AD)

fux — Thu, 10 Nov 2016 08:54:47 GMT

Hi Cesar,

thank You for response.

I also thought of this solution (Your message from 10.11.2016 7:53) and tried out it. It works. It brings only a little extra work for the AD administrator.

I believed that alfresco it should be possible to configure such way to synchronize only those users, who are registered in groups, which is obtained from the AD.

Something like: ldap.synchronization.magicSwitchForVladimir=true

The second method, which You suggest in message from 10.11.2016 8:10 is unacceptable for me, because the group membership in my case have a crucial meaning for correct function of workflows.

Thank You for Your effort and assistance.

Vladimir