Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

jcgrayjr — Thu, 17 Jul 2014 14:42:34 GMT

Hello everyone!I am sorry if this subject has been touched in the past. I have been working on it for about a week now and searching the forums, as well as the internet. But I have not found anything that addresses my specific requirement.Here is what I am trying to do:I have successfully integrat

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

jcgrayjr — Thu, 17 Jul 2014 20:37:07 GMT

Ok, after some more research and a few AH HA! moments, I finally figured out how to do this.

I was correct in my thinking that I could not limit the OU sync in the ldap.synchronization.personQuery configuration. The correct place to do it is in the ldap.synchronization.userSearchBase configuration, but I was incorrectly trying to do it in one line by combining the the OUs. Instead, I saw a post where someone mentioned configuring Alfresco to use multiple subsystems (Alfresco Authentication Subsystems).

So this is how I did it. What I had to do was treat each Sub-OU as its own subsystem. In my alfresco-global.properites file, I added the following lines of code:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad,,ldap2:ldap-ad,ldap3:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=<DOMAIN1>\\<host-IP> <—IP of my Domain Controller‍‍‍‍‍‍‍

I then made three new folders on my desktop called ldap1, ldap2, and ldap3. These three folder names have to match the names I put in the authentication.chain configuration. Here are the folder names highlighted in my configuration, authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap1:ldap-ad,,ldap2:ldap-ad,ldap3:ldap-ad.

I then copied the ldap-ad-authentication.properties file located at ..\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad\ and put a copy into each of the ldap1, ldap2, and ldap3 folders.

In each of the files in the three folders, you need to change the code to match your AD configuration. The guide Alfresco Documentation suggests the following be the most common things you need to change:

ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldap://domaincontroller.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=alfresco@domain.com
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.groupSearchBase=ou\=ad1,ou\=Alfresco,dc\=domain,dc\=com
ldap.synchronization.userSearchBase=ou\=ad1,ou\=Alfresco,dc\=domain,dc\=com‍‍‍‍‍‍‍

Every file in the three folders should be configured the same (or at least they are on my setup), except for the very last line. The ldap.synchronization.userSearchBase configuration will be different for each properties file in each of the folders. It is where we will be calling in each of the sub-OUs we want.

So, in the ldap-ad-authentication.properties file in the ldap1 folder, I change the ldap.synchronization.userSearchBase configuration to the following:

ldap.synchronization.userSearchBase=ou\=Business,ou\=Division1,dc\=DOMAIN,dc\=LOCAL‍

In the ldap-ad-authentication.properties file in the ldap2 folder, I change the ldap.synchronization.userSearchBase configuration to the following:

ldap.synchronization.userSearchBase=ou\=HR,ou\=Division1,dc\=DOMAIN,dc\=LOCAL‍

In the ldap-ad-authentication.properties file in the ldap3 folder, I change the ldap.synchronization.userSearchBase configuration to the following:

ldap.synchronization.userSearchBase=ou\=Finance,ou\=Division1,dc\=DOMAIN,dc\=LOCAL‍

I think created the following folders in my Alfresco installation:

C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad‍

I had to do this because they did not already exist in my installation. Some installations will already have them depending on their configuration and modification.

Finally, I copied all three folders (ldap1, ldap2, and ldap3) in the ldap-ad folder I created in the above step.

I started up my Alfresco Tomcat server and saw only the users I wanted in the system.

I hope this helps others.

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

whowlett — Fri, 08 Aug 2014 13:09:49 GMT

jcgrayjr,

I would be interested in knowing your original SearchBase, since you say you were able to pull ALL of your users. Were you able to start from the "root" domain of your AD tree? That is exactly what I an "trying" to do, but I can't get the correct format for the SearchBase to start at the main domain level.

Regards,
Wayne

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

rken — Fri, 09 Feb 2018 09:56:44 GMT

Hi,

I have run through your how to and I am having an issue finding ldap-ad-authentication.properties

I am using the latest version of alfresco, I can into ..tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\

But from there, theres nothing

‌ Did you ever resolve your issue? I am wanting to be able to search users in multiple sub OUs

Eg. I have an OU containing an OU per department, like accounts and 1st line and 2nd line, which all contain users which I want to sync into alfresco

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

abbask01 — Tue, 18 Dec 2018 08:49:53 GMT

what about the groups? does synchronization with different OU also creates a separate group for each OU in alfresco?

topic Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED] in Alfresco Archive

Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

Re: Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]