Alfresco AD sync of Users in Multiple Sub-OUs [SOLVED]

jcgrayjr
Champ on-the-rise
Hello everyone!

I am sorry if this subject has been touched in the past.  I have been working on it for about a week now and searching the forums, as well as the internet.  But I have not found anything that addresses my specific requirement.

Here is what I am trying to do:
I have successfully integrated Alfresco Community with our Active Directory server and I was able to sync ALL user accounts in our domain.  I did this initially to test and make sure I can get it to connect and work.  Now, what I would like to do is only pull users from three distinct sub-OUs.  Here is a generic example of what our AD hierarchy looks like (I did not design or implement our AD structure BTW):

DOMAIN.LOCAL
    |
    +-- Division1
    |       |
    |       +-- HR
    |       |
    |       +-- Business
    |       |
    |       +-- Finance
    |       |
    |       +-- Misc
    |
    +-- Division2
            |
            +-- Developers
            |
            +-- Testers

I want Alfresco to sync all of the user accounts from the HR, Business, & Finance OUs under Division1, but I do not want to pull in the users from the Misc OU or any user from Division2 or its sub-OUs.

From what I have read, and I could be wrong, I can't limit the OU search for users in the ldap.synchronization.personQuery.  I have to do this in the ldap.synchronization.userSearchBase, which restricts the user search base to a sub-section of the tree.  What I am having problems with is how to restrict it to multiple sub-OUs.  Is this even possible?

I know I could remedy this by simply creating an AlfrescoUsers group and then importing the users through the ldap.synchronization.groupSearchBase, but I am limited to what I can do in our AD.

Thanks in advance for the help.

jcgrayjr
Champ on-the-rise
Ok, after some more research and a few AH HA! moments, I finally figured out how to do this.

I was correct in my thinking that I could not limit the OU sync in the ldap.synchronization.personQuery configuration.  The correct place to do it is in the ldap.synchronization.userSearchBase configuration, but I was incorrectly trying to do it in one line by combining the OUs.  Instead, I saw a post where someone mentioned configuring Alfresco to use multiple subsystems (Alfresco Authentication Subsystems).

So this is how I did it.  What I had to do was treat each sub-OU as its own subsystem.  In my alfresco-global.properties file, I added the following lines:
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad,ldap2:ldap-ad,ldap3:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=<DOMAIN1>\\<host-IP>    (host-IP is the IP of my Domain Controller)

I then made three new folders on my desktop called ldap1, ldap2, and ldap3.  These three folder names have to match the names I put in the authentication.chain configuration.  Here are the folder names as they appear in my configuration: authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad,ldap2:ldap-ad,ldap3:ldap-ad.

I then copied the ldap-ad-authentication.properties file located at ..\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad\ and put a copy into each of the ldap1, ldap2, and ldap3 folders.

In each of the files in the three folders, you need to change the settings to match your AD configuration.  The Alfresco Documentation guide suggests the following are the most common things you need to change:
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldap://domaincontroller.domain.com:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco
ldap.synchronization.java.naming.security.principal=alfresco@domain.com
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.groupSearchBase=ou\=ad1,ou\=Alfresco,dc\=domain,dc\=com
ldap.synchronization.userSearchBase=ou\=ad1,ou\=Alfresco,dc\=domain,dc\=com

Every file in the three folders should be configured the same (or at least they are on my setup), except for the very last line.  The ldap.synchronization.userSearchBase configuration will be different for each properties file in each of the folders.  It is where we will be calling in each of the sub-OUs we want.

So, in the ldap-ad-authentication.properties file in the ldap1 folder, I change the ldap.synchronization.userSearchBase configuration to the following:
ldap.synchronization.userSearchBase=ou\=Business,ou\=Division1,dc\=DOMAIN,dc\=LOCAL

In the ldap-ad-authentication.properties file in the ldap2 folder, I change the ldap.synchronization.userSearchBase configuration to the following:
ldap.synchronization.userSearchBase=ou\=HR,ou\=Division1,dc\=DOMAIN,dc\=LOCAL

In the ldap-ad-authentication.properties file in the ldap3 folder, I change the ldap.synchronization.userSearchBase configuration to the following:
ldap.synchronization.userSearchBase=ou\=Finance,ou\=Division1,dc\=DOMAIN,dc\=LOCAL

I then created the following folders in my Alfresco installation:
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad

I had to do this because they did not already exist in my installation.  Some installations will already have them depending on their configuration and modification.

Finally, I copied all three folders (ldap1, ldap2, and ldap3) into the ldap-ad folder I created in the above step.

I started up my Alfresco Tomcat server and saw only the users I wanted in the system.

I hope this helps others.
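The procedure above hinges on three things lining up by hand: every ldapN name in authentication.chain must have a matching folder under subsystems/Authentication/ldap-ad, each folder's ldap-ad-authentication.properties must carry its own ldap.synchronization.userSearchBase, and none of those bases may drift into an OU you meant to exclude (Misc, Division2). The following script is an added example written for this thread, not code from the post or from Alfresco; it builds the same folder layout in a temporary directory (constructed sample data), parses the chain and the properties files, and reports mismatches. The helper names (parse_chain, check_subsystems, run_check) and the checks themselves are this example's own assumptions about what is worth verifying before a sync runs.

```python
"""Consistency check for an Alfresco authentication chain made of several
ldap-ad subsystem instances, one per sub-OU.  Hypothetical helper, not
part of Alfresco."""
import os
import tempfile

# Constructed sample: the chain from the post (without the doubled comma).
CHAIN_OK = ("alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,"
            "ldap1:ldap-ad,ldap2:ldap-ad,ldap3:ldap-ad")
ALLOWED_PARENT = "ou=Division1,dc=DOMAIN,dc=LOCAL"
EXCLUDED = ["ou=Misc,ou=Division1,dc=DOMAIN,dc=LOCAL",
            "ou=Division2,dc=DOMAIN,dc=LOCAL"]


def parse_chain(chain):
    """Split authentication.chain into (instance, type) pairs; flag empty or
    typeless entries such as the ',,' that sneaks in easily."""
    entries, problems = [], []
    for pos, item in enumerate(chain.split(",")):
        if not item:
            problems.append(f"empty chain entry at position {pos} (doubled comma?)")
        elif ":" not in item:
            problems.append(f"chain entry {item!r} has no ':type'")
        else:
            name, typ = item.split(":", 1)
            entries.append((name, typ))
    return entries, problems


def parse_properties(path):
    """Minimal .properties reader; un-escapes the '\\=' used inside DNs."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip().replace("\\=", "=")
    return props


def dn_is_under(dn, parent):
    """True if dn equals parent or lies below it (case-insensitive RDNs)."""
    d = [c.strip().lower() for c in dn.split(",")]
    p = [c.strip().lower() for c in parent.split(",")]
    return len(d) >= len(p) and d[-len(p):] == p


def check_subsystems(extension_root, chain, allowed_parent, excluded):
    """For every ldap-ad instance in the chain: folder present, search base
    set, inside allowed_parent, outside excluded OUs, and not duplicated.
    Returns ({instance: search_base}, [problem strings])."""
    entries, problems = parse_chain(chain)
    bases = {}
    for name, typ in entries:
        if typ != "ldap-ad":
            continue
        folder = os.path.join(extension_root, "subsystems", "Authentication", "ldap-ad", name)
        prop_file = os.path.join(folder, "ldap-ad-authentication.properties")
        if not os.path.isfile(prop_file):
            problems.append(f"{name}: missing {prop_file}")
            continue
        base = parse_properties(prop_file).get("ldap.synchronization.userSearchBase")
        if not base:
            problems.append(f"{name}: no ldap.synchronization.userSearchBase")
            continue
        if not dn_is_under(base, allowed_parent):
            problems.append(f"{name}: {base} is outside {allowed_parent}")
        for ex in excluded:
            if dn_is_under(base, ex):
                problems.append(f"{name}: {base} is inside excluded OU {ex}")
        if base in bases.values():
            problems.append(f"{name}: duplicate search base {base}")
        bases[name] = base
    return bases, problems


def build_extension(root, bases):
    """Write the per-instance folders and properties files (constructed)."""
    for name, base in bases.items():
        folder = os.path.join(root, "subsystems", "Authentication", "ldap-ad", name)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "ldap-ad-authentication.properties"),
                  "w", encoding="utf-8") as fh:
            fh.write("ldap.authentication.userNameFormat=%s@domain.com\n")
            fh.write("ldap.synchronization.userSearchBase="
                     + base.replace("=", "\\=") + "\n")


def run_check(bases, chain=CHAIN_OK):
    """Build the layout in a temp dir and check it; returns (bases, problems)."""
    with tempfile.TemporaryDirectory() as root:
        build_extension(root, bases)
        return check_subsystems(root, chain, ALLOWED_PARENT, EXCLUDED)


GOOD_BASES = {"ldap1": "ou=Business,ou=Division1,dc=DOMAIN,dc=LOCAL",
              "ldap2": "ou=HR,ou=Division1,dc=DOMAIN,dc=LOCAL",
              "ldap3": "ou=Finance,ou=Division1,dc=DOMAIN,dc=LOCAL"}

if __name__ == "__main__":
    for problem in run_check(GOOD_BASES)[1]:
        print(problem)
```

Run it against the real extension directory by pointing check_subsystems at tomcat\shared\classes\alfresco\extension and passing the chain line from alfresco-global.properties. Since the three properties files each repeat ldap.synchronization.java.naming.security.credentials, the sync account's password now lives in three places; keep those files readable only by the Tomcat service account.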

whowlett
Champ in-the-making
jcgrayjr,

I would be interested in knowing your original SearchBase, since you say you were able to pull ALL of your users. Were you able to start from the "root" domain of your AD tree? That is exactly what I am "trying" to do, but I can't get the correct format for the SearchBase to start at the main domain level.

Regards,
Wayne

abbask01
Star Collaborator

What about the groups? Does synchronization with different OUs also create a separate group for each OU in Alfresco?

Regards,
Abbas

rken
Champ in-the-making

Hi,

I have run through your how-to and I am having an issue finding ldap-ad-authentication.properties.

I am using the latest version of Alfresco. I went into ..tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\

But from there, there's nothing.

Did you ever resolve your issue? I am wanting to be able to search users in multiple sub-OUs.

E.g. I have an OU containing an OU per department, like accounts and 1st line and 2nd line, which all contain users that I want to sync into Alfresco.