
AD-LDAP Sync behaviour

t16
Champ in-the-making
We have an odd issue with AD LDAP sync.

I have set up differential sync, with a person query to pull users from a specific user group, and all is working well.

Users already pulled in get updated, etc.

HOWEVER, when adding a new user to the user group in AD, they are not pulled in, and when removing a user as a member of the AD user group, they are not then removed from Alfresco.

Is this because differential sync only syncs the differences in user objects that it already has?

If we, say, wanted to add a user into the AD user group and then have them appear a short time later, do we need to have a FULL sync happening on a regular basis?

These are my settings:-

Global Properties
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=false
synchronization.synchronizeChangesOnly=true
synchronization.import.cron=0 0/60 * * * ?
synchronization.allowDeletions=true
synchronization.autoCreatePeopleOnLogin=false


ldap-ad-authentication.properties file in correct extension location:-

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=alfresco
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=OU\=ourdomain
ldap.synchronization.userSearchBase=OU\=ourdomain
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=cn\=alfresco_users,OU\=ourdomain,DC\=ad,DC\=ourdomain))

ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userTelephoneNumberAttributeName=telephoneNumber
ldap.synchronization.userLocationAttributeName=physicalDeliveryOfficeName
ldap.synchronization.userOrganizationalIdAttributeName=department

Certain information removed from the above of course!

If anyone can tell me what's going on, my blood pressure would decrease significantly.

Basically, when we remove people from the AD users group, we want them removed from Alfresco, and vice versa: when an existing user is added to the AD user group, they are then populated in Alfresco.

This only seems to work with FULL synchronisations; is this correct behaviour?

Thanks/Danke/Merci!!


EDIT:- Could it be because by default Alfresco is using the ldap.synchronization.modifyTimestampAttributeName=whenChanged property?

I've read this link:-

http://social.technet.microsoft.com/wiki/contents/articles/28222.active-directory-generalized-time-a...

And it appears the whenChanged attribute can vary wildly between domain controllers, and is not a replicated property…

Would I be better off using :- ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp instead?!

Basically I want a differential sync to happen every hour, and pick up users added or deleted to/from the AD group reliably.


1 REPLY

t16
Champ in-the-making
OK this is getting frustrating!

I amended the Differential Person Query to match the normal person query. Removing the person from the ecms_users group results in them being removed from Alfresco. Great... BUT, when re-adding that user back into the ecms_users group in AD, on the next differential sync I get

Ignoring non-existent member 'xxxx' in groups {'ecms_users'}

Why is it not re-adding this user back into Alfresco? It knows it's part of the correct group, but won't create the user again?

Can anyone tell me what's going on and how we can successfully control user creation and deletion from an AD security group properly?
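An added example, not from the poster or from Alfresco, that models the AD side of the behaviour described in this thread. It uses a constructed miniature directory (the group and user names mirror the configuration above, but the entries, DNs and timestamps are made up) and assumes that a differential person query appends a clause of the form `(!(modifyTimestamp<={last sync}))` to the normal person query. What it shows is that adding or removing a group member changes the modifyTimestamp of the group object, not of the user object (memberOf on a user is a back-link computed from the group's member values), so a differential query filtered on the user's timestamp does not see membership changes unless the user object itself was also modified, while the unfiltered query does.

```python
from datetime import datetime, timedelta, timezone

# Constructed DNs in the style of the poster's configuration; not real data.
BASE = "OU=ourdomain,DC=ad,DC=ourdomain"
GROUP_DN = f"CN=alfresco_users,{BASE}"
T0 = datetime(2014, 1, 1, 9, 0, tzinfo=timezone.utc)


def user_dn(sam):
    return f"CN={sam},{BASE}"


def make_directory():
    """Return a {dn: entry} map. Only the group stores 'member'; a user's
    memberOf is derived from group membership, as AD's back-link is."""
    return {
        GROUP_DN: {"objectClass": "group",
                   "member": [user_dn("alice"), user_dn("bob")],
                   "modifyTimestamp": T0},
        user_dn("alice"): {"objectClass": "user", "sAMAccountName": "alice",
                           "title": "Engineer", "modifyTimestamp": T0},
        user_dn("bob"): {"objectClass": "user", "sAMAccountName": "bob",
                         "title": "Engineer", "modifyTimestamp": T0},
        user_dn("carol"): {"objectClass": "user", "sAMAccountName": "carol",
                           "title": "Analyst", "modifyTimestamp": T0},
    }


def member_of(directory, dn):
    """Back-link: groups whose 'member' attribute lists this DN."""
    return [g for g, e in directory.items()
            if e["objectClass"] == "group" and dn in e["member"]]


def add_member(directory, group_dn, dn, now):
    """Adding a member modifies the GROUP object; the user object is untouched."""
    group = directory[group_dn]
    if dn not in group["member"]:
        group["member"].append(dn)
        group["modifyTimestamp"] = now


def remove_member(directory, group_dn, dn, now):
    group = directory[group_dn]
    if dn in group["member"]:
        group["member"].remove(dn)
        group["modifyTimestamp"] = now


def set_attribute(directory, dn, attr, value, now):
    """A change to the user object itself does move the user's timestamp."""
    directory[dn][attr] = value
    directory[dn]["modifyTimestamp"] = now


def person_query(directory, group_dn, since=None):
    """Model of (&(objectclass=user)(memberOf=<group>)); with `since` set it
    also applies the assumed differential clause (!(modifyTimestamp<=since)).
    Returns the matching sAMAccountNames, sorted."""
    hits = []
    for dn, entry in directory.items():
        if entry["objectClass"] != "user":
            continue
        if group_dn not in member_of(directory, dn):
            continue
        if since is not None and entry["modifyTimestamp"] <= since:
            continue
        hits.append(entry["sAMAccountName"])
    return sorted(hits)


def demo():
    """One sync interval: carol joins the group, bob leaves it, alice's title
    changes. Compare what a full and a differential query each return."""
    d = make_directory()
    last_sync = T0 + timedelta(minutes=30)
    now = last_sync + timedelta(minutes=10)
    add_member(d, GROUP_DN, user_dn("carol"), now)
    remove_member(d, GROUP_DN, user_dn("bob"), now)
    set_attribute(d, user_dn("alice"), "title", "Lead Engineer", now)
    return {
        "full": person_query(d, GROUP_DN),
        "differential": person_query(d, GROUP_DN, since=last_sync),
        "group_changed_since_sync": d[GROUP_DN]["modifyTimestamp"] > last_sync,
        "carol_changed_since_sync": d[user_dn("carol")]["modifyTimestamp"] > last_sync,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The full query returns alice and carol (the current membership), while the differential query returns only alice, because only her user object changed after the last sync; carol's object still carries its old timestamp even though the group that now lists her was modified. Swapping whenChanged for modifyTimestamp does not change this picture, since both describe the user object, not the group.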