https://connect.hyland.com/t5/alfresco-archive/ad-ldap-sync-behaviour/m-p/299394#M252524 <HTML><HEAD></HEAD><BODY><SPAN>We have an odd issue with AD LDAP sync.</SPAN><BR /><BR /><SPAN>I have setup differential sync, a person query to pull users from a specific user group, and all is working well.</SPAN><BR /><BR /><SPAN>Users already pulled in get updated etc etc.</SPAN><BR /><BR /><SPAN>HOWEVER, adding a new users to the user group in AD, they are not pulled in, and removing a user as a member of the AD user group, they are not then removed from Alfresco.</SPAN><BR /><BR /><SPAN>Is this because differential sync only syncs the differences in user objects that it already has?</SPAN><BR /><BR /><SPAN>If we say wanted to add a user into the AD user group and then have them appear a short time later, do we need to have a FULL sync happening on a regular basis?</SPAN><BR /><BR /><SPAN>These are my settings:-</SPAN><BR /><BR /><SPAN>Global Properties</SPAN><BR /><SPAN>synchronization.syncWhenMissingPeopleLogIn=true</SPAN><BR /><SPAN>synchronization.syncOnStartup=false</SPAN><BR /><SPAN>synchronization.synchronizeChangesOnly=true</SPAN><BR /><SPAN>synchronization.import.cron=0 0/60 * * * ?</SPAN><BR /><SPAN>synchronization.allowDeletions=true</SPAN><BR /><SPAN>synchronization.autoCreatePeopleOnLogin=false</SPAN><BR /><BR /><BR /><SPAN>ldap-ad-authentication.properties file in correct extension location:-</SPAN><BR /><BR /><SPAN>ldap.synchronization.active=true</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.principal=alfresco</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.credentials=password</SPAN><BR /><SPAN>ldap.synchronization.groupSearchBase=OU\=ourdomain</SPAN><BR /><SPAN>ldap.synchronization.userSearchBase=OU\=ourdoman</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(memberOf\=cn\=alfresco_users,OU\=ourdomain,DC\=ad,DC\=ourdomain))</SPAN><BR /><BR /><SPAN>ldap.synchronization.userJobTitleAttributeName=title</SPAN><BR /><SPAN>ldap.synchronization.userTelephoneNumberAttributeName=telephoneNumber</SPAN><BR /><SPAN>ldap.synchronization.userLocationAttributeName=physicalDeliveryOfficeName</SPAN><BR /><SPAN>ldap.synchronization.userOrganizationalIdAttributeName=department</SPAN><BR /><BR /><SPAN>Certain information removed from the above of course!</SPAN><BR /><BR /><SPAN>If anyone can tell me whats going on I my blood pressure would decrease significantly.</SPAN><BR /><BR /><SPAN>Basically when we remove people from the Ad users group, we want them removed from Alfresco, and vice versa, so when an existing user is added to the AD user group, they are then populated in Alfresco.</SPAN><BR /><BR /><SPAN>This only seems to work with FULL syncronisations, is this correct behaviour?</SPAN><BR /><BR /><SPAN>Thanks/Danke/Merci!!</SPAN><BR /><BR /><BR /><SPAN>EDIT:- Could it be because by default Alfresco is using the ldap.synchronization.modifyTimestampAttributeName=whenChanged property?</SPAN><BR /><BR /><SPAN>Ive read this link:- </SPAN><BR /><BR /><A href="http://social.technet.microsoft.com/wiki/contents/articles/28222.active-directory-generalized-time-attributes.aspx#The_quot_TimeStamp_quot_Attributes_versus_the_quot_when_quot_Attributes" rel="nofollow noopener noreferrer">http://social.technet.microsoft.com/wiki/contents/articles/28222.active-directory-generalized-time-attributes.aspx#The_quot_TimeStamp_quot_Attributes_versus_the_quot_when_quot_Attributes</A><BR /><BR /><SPAN>And it appears the whenChanged attribute can vary wildly between domain controllers, and is not a replicated property…</SPAN><BR /><BR /><SPAN>Would I be better off using :- ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp instead?!</SPAN><BR /><BR /><SPAN>Basically I want a differential sync to happen every hour, and pick up users added or deleted to/from the AD group reliably.</SPAN><BR /><BR /><BR /></BODY></HTML> Wed, 04 Mar 2015 21:49:42 GMT t16 2015-03-04T21:49:42Z https://connect.hyland.com/t5/alfresco-archive/ad-ldap-sync-behaviour/m-p/299394#M252524 We have an odd issue with AD LDAP sync.I have setup differential sync, a person query to pull users from a specific user group, and all is working well.Users already pulled in get updated etc etc.HOWEVER, adding a new users to the user group in AD, they are not pulled in, and removing a user as a me Wed, 04 Mar 2015 21:49:42 GMT https://connect.hyland.com/t5/alfresco-archive/ad-ldap-sync-behaviour/m-p/299394#M252524 t16 2015-03-04T21:49:42Z https://connect.hyland.com/t5/alfresco-archive/ad-ldap-sync-behaviour/m-p/299395#M252525 <HTML><HEAD></HEAD><BODY><SPAN>OK this is getting frustrating!</SPAN><BR /><BR /><SPAN>I amended the Differential Person Query to match the normal person query… Removing the person from the ecms_users group results in them being removed from Alfresco. Great… BUT, when re-adding that user back into the ecms_users group in AD, on the next differential sync, I get </SPAN><BR /><BR /><SPAN>Ignoring non-existent member 'xxxx' in groups {'ecms_users'}</SPAN><BR /><BR /><SPAN>Why is it not re-adding this user back into Alfresco? It knows its part of the correct group, but wont create the user again?</SPAN><BR /><BR /><SPAN>Can anyone tell me whats going on and how we can successfully control user creation and deletion from an AD security group properly?</SPAN><BR /><BR /><BR /><BR /></BODY></HTML> Thu, 05 Mar 2015 18:11:24 GMT https://connect.hyland.com/t5/alfresco-archive/ad-ldap-sync-behaviour/m-p/299395#M252525 t16 2015-03-05T18:11:24Z