https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29462#M12559 <HTML><HEAD></HEAD><BODY><P>Hi Angel:</P><P></P><P>Ldap synchronization user queries (configured in&nbsp;ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery parameters)&nbsp;should not include disabled users. Check the corresponding queries with Apache Directory Studio tool. Anyway, if users are ** really ** disabled in your LDAP, you won't be able to login in Alfresco.</P><P></P><P>Regards.</P><P>--C.</P></BODY></HTML> Tue, 01 Aug 2017 08:30:12 GMT cesarista 2017-08-01T08:30:12Z https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29461#M12558 I need to sync LDAP users accounts on alfresco.On LDAP you can see "userAccountControl" = Account disabled... but in Alfresco appears with the account active...Any idea?Sorry for my english. Mon, 31 Jul 2017 11:52:55 GMT https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29461#M12558 angelmartinboni 2017-07-31T11:52:55Z https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29462#M12559 <HTML><HEAD></HEAD><BODY><P>Hi Angel:</P><P></P><P>Ldap synchronization user queries (configured in&nbsp;ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery parameters)&nbsp;should not include disabled users. Check the corresponding queries with Apache Directory Studio tool. Anyway, if users are ** really ** disabled in your LDAP, you won't be able to login in Alfresco.</P><P></P><P>Regards.</P><P>--C.</P></BODY></HTML> Tue, 01 Aug 2017 08:30:12 GMT https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29462#M12559 cesarista 2017-08-01T08:30:12Z https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29463#M12560 <HTML><HEAD></HEAD><BODY><P><B>Cesar Capillas</B>‌: The default settings do not exclude&nbsp;disabled users. The default LDAP/AD query</P><PRE class="language-none line-numbers"><CODE>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))<SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE><P>only specifies that the account must be a "regular user account". In order to exclude a disabled user you need to explicitly disallow synchronisation of any user with that flag.:</P><PRE class="language-none line-numbers"><CODE>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))<SPAN class="line-numbers-rows"><SPAN>‍</SPAN></SPAN></CODE></PRE><P>(a similar change needs to be made to the personDifferentialQuery)</P><P></P><P>The regular LDAP subsystem does not even have a notion of disabled users in its default queries and thus will not filter anything out.</P><P></P><P>The default is sensible in the way that it does not immediately delete a user (and their preferences, site memberships etc.) just because they may have been disabled temporarily (i.e. maternity leave, sabbatical, extended medical leave).&nbsp;Changes to the queries need to be based on the corporate user management principles and reflect the best approach for the specific processes in use for the organisation...</P></BODY></HTML> Tue, 01 Aug 2017 09:53:56 GMT https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29463#M12560 afaust 2017-08-01T09:53:56Z https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29464#M12561 <HTML><HEAD></HEAD><BODY><P>Creo que no os he entendido. He probado con estas sentencias en el</P><P>alfresco-global.properties:</P><P></P><P>ldap.synchronization.userAccountControl=true</P><P>ldap.synchronization.userAccountStatusProperty=userAccountControl</P><P>#ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled</P><P>#ldap.synchronization.disabledAccountPropertyValue=true</P><P>#ldap.synchronization.externalUserControl=true</P><P>#ldap.synchronization.externalUserControlSubsystemName=ldap-ad1</P><P>#ldap.synchronization.allowDeletions=true</P><P></P><P>Pero en Alfresco la cuenta de los usuarios en cuestión sigue sin salir</P><P>desactivada.</P><P></P><P>el campo de userAccountControl tiene</P><P>"[ AccountDisabled\, NoPasswordRequired\, NormalAccount ]"</P><P>Qué sentencia en el alfresco-global.properties debería poner para que</P><P>aparezca desactivada?</P><P></P><P>Gracias.</P><P></P><P>2017-08-01 11:54 GMT+02:00 afaust &lt;kristen.gastaldo@alfresco.com&gt;:</P><P></P><BLOCKQUOTE level="1"><P>Alfresco Community</P><P>&lt;https://community.alfresco.com/?et=watches.email.thread&gt;</P><P>Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?</P><P></P><P>reply from Axel Faust</P><P>&lt;https://community.alfresco.com/people/afaust?et=watches.email.thread&gt; in *Alfresco</P><P>Content Services (ECM)* - View the full discussion</P><P>&lt;https://community.alfresco.com/message/819076-re-how-can-i-sync-ldap-user-accounts-in-alfresco-34?commentID=819076&amp;et=watches.email.thread#comment-819076&gt;</P></BLOCKQUOTE><P></P></BODY></HTML> Mon, 07 Aug 2017 08:31:25 GMT https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29464#M12561 angelmartinboni 2017-08-07T08:31:25Z https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29465#M12562 <HTML><HEAD></HEAD><BODY><P>I think I don´t understand you. I tried with these sentences in the</P><P>alfresco-global.properties:</P><P></P><P>Ldap.synchronization.userAccountControl = true</P><P>Ldap.synchronization.userAccountStatusProperty = userAccountControl</P><OL><LI level="1" type="ol"><P>Ldap.synchronization.userAccountStatusProperty = ds-pwp-account-disabled</P></LI><LI level="1" type="ol"><P>Ldap.synchronization.disabledAccountPropertyValue = true</P></LI><LI level="1" type="ol"><P>Ldap.synchronization.externalUserControl = true</P></LI><LI level="1" type="ol"><P>Ldap.synchronization.externalUserControlSubsystemName = ldap-ad1</P></LI><LI level="1" type="ol"><P>Ldap.synchronization.allowDeletions = true</P></LI></OL><P></P><P>But in Alfresco the account of the users in question is still not enabled.</P><P></P><P>TheAccountControl user field has</P><P>"[AccountDisabled \, NoPasswordRequired \, NormalAccount]" from LDAP</P><P>records...</P><P></P><P>What sentence in the alfresco-global.properties should you put to appear</P><P>disabled?</P><P></P><P>Thank you.</P><P></P><P>2017-08-01 11:54 GMT+02:00 afaust &lt;kristen.gastaldo@alfresco.com&gt;:</P><P></P><BLOCKQUOTE level="1"><P>Alfresco Community</P><P>&lt;https://community.alfresco.com/?et=watches.email.thread&gt;</P><P>Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?</P><P></P><P>reply from Axel Faust</P><P>&lt;https://community.alfresco.com/people/afaust?et=watches.email.thread&gt; in *Alfresco</P><P>Content Services (ECM)* - View the full discussion</P><P>&lt;https://community.alfresco.com/message/819076-re-how-can-i-sync-ldap-user-accounts-in-alfresco-34?commentID=819076&amp;et=watches.email.thread#comment-819076&gt;</P></BLOCKQUOTE><P></P></BODY></HTML> Tue, 08 Aug 2017 11:19:45 GMT https://connect.hyland.com/t5/alfresco-forum/how-can-i-sync-ldap-user-accounts-in-alfresco-3-4/m-p/29465#M12562 angelmartinboni 2017-08-08T11:19:45Z