
allow subset users from to login

kossel
Champ in-the-making
Hi

I'm using Alfresco 4.0.e with Active Directory.
I have an AD structure like this:

DC
—Departments
——Management
——HR
——Engineering
—Machines
—System Users
——ldap_admin
——dns_admin
—Users
——Alfresco Users

Since I just want people under ou=departments to use Alfresco, I created a "security group" in AD called Alfresco Users, which has as members all the people inside ou=departments.

My config for sync is:

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectClass\=user)(memberOf\=CN=Alfresco Users,CN\=Users,DC\=domain,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectClass\=user)(memberOf\=CN\=Alfresco Users,CN\=Users,DC\=domain,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=CN\=users,DC\=domain,DC\=com
ldap.synchronization.userSearchBase=ou\=Departments,DC\=domain,DC\=com

But I don't know what I am missing, because I can still log in with user: dns_admin pass: pass_of_dns_admin or ldap_admin,
and if I remove someone inside ou=Departments from the Alfresco Users group, he can still log in to Alfresco 😕

I also used LDAP tools (ldp.exe) and the personQuery indeed returns the list of users who I wanted to have Alfresco access 😕

Please advise.
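
Added example, not part of the original post and not Alfresco code: a small Python evaluator for the personQuery and userSearchBase quoted above, run over constructed directory entries to show which accounts a sync with that filter would select. The entry names, their OUs and the extra STRICT_QUERY clause are assumptions; note that the bit-AND test against 512 also matches a disabled account (514).

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
GROUP = "CN=Alfresco Users,CN=Users,DC=domain,DC=com"
USER_BASE = "ou=Departments,DC=domain,DC=com"
# personQuery from the post, with the .properties backslash escapes removed
PERSON_QUERY = f"(&(objectClass=user)(memberOf={GROUP})(userAccountControl:{BIT_AND}:=512))"
# Assumption, not from the post: extra clause rejecting the ACCOUNTDISABLE bit (2)
STRICT_QUERY = PERSON_QUERY[:-1] + f"(!(userAccountControl:{BIT_AND}:=2)))"

def parse(f, i=0):
    """Parse the filter that starts at f[i]; return (node, index after it)."""
    if f[i + 1] in "&!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ")"
    end = f.index(")", i)
    attr, rule, want = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i + 1:end]).groups()
    return ("match", attr.lower(), rule, want), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, want = node
    values = entry.get(attr, [])
    if rule == BIT_AND:  # true only when every bit of `want` is set in the value
        return any(int(v) & int(want) == int(want) for v in values)
    return any(v.lower() == want.lower() for v in values)

def synced_users(entries, query, base=USER_BASE):
    tree, _ = parse(query)
    return [e["cn"] for e in entries
            if e["dn"].lower().endswith("," + base.lower()) and matches(tree, e)]

def user(cn, ou_path, uac, groups=()):
    return {"cn": cn, "dn": f"CN={cn},{ou_path},DC=domain,DC=com", "objectclass": ["user"],
            "memberof": list(groups), "useraccountcontrol": [str(uac)]}

ENTRIES = [  # constructed sample entries; names and OUs are illustrative
    user("alice", "OU=HR,OU=Departments", 512, [GROUP]),   # enabled group member
    user("bob", "OU=Engineering,OU=Departments", 512),     # removed from the group
    user("carol", "OU=HR,OU=Departments", 514, [GROUP]),   # disabled member (512 | 2)
    user("dns_admin", "OU=System Users", 512),             # outside userSearchBase
]
print(synced_users(ENTRIES, PERSON_QUERY), synced_users(ENTRIES, STRICT_QUERY))
```
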

kossel
Champ in-the-making
Update:

I came back to the office today, and everything seems OK… those users I removed from the Alfresco Users group can no longer log in, and neither can those system users. It seems the scheduled sync did the job.

Now I'm wondering if it's possible to make "remove from groups" take effect sooner and not wait for the full sync at night?