
Groups over Groups synchronization

borisstankov
Champ in-the-making
Hello guys,

I have a very interesting problem.

Here is the situation:
Alfresco Community 5.0.c with Active Directory authentication located in Windows Server 2012 R2 Domain Functionality level.

All my users are synchronized from the AD to the Alfresco. They are located in this OU - ou=USERS,ou=Office,dc=domain,dc=com
But the groups that I need to use, according to the network admins, are here in this OU: ou=Alfresco,ou=GROUPS,ou=Office,dc=domain,dc=com
Let's say that in this OU I have a group called "Alfresco-Dev", and this group has as a member a generic group from a different OU (ou=Originals,ou=GROUPS,ou=Inter,dc=domain,dc=com). All users are deployed in the generic group, and the point is for every Alfresco group (such as "Alfresco-Dev") to inherit all users from the generic groups.

When I deploy the synchronization properties in the global alfresco file:

#Sync all Alfresco groups
ldap.synchronization.groupSearchBase=ou=Alfresco,ou=GROUPS,ou=Inter,dc=domain,dc=com
#Sync all users
ldap.synchronization.userSearchBase=ou=USERS,ou=Inter,dc=domain,dc=com

I can still see all the users and all groups that I need, but the groups are not populated with all users that should be inherited from the generic groups.

What should I do so all groups can inherit the users from their member groups?

Regards!

afaust
Legendary Innovator
Hello,

unfortunately, the synchronization logic that Alfresco supports out of the box does not support transitive group memberships when the intermediary groups are not synched. Alfresco will only process one layer of memberships at a time, i.e. from a valid group to a group in the other OU, and if the target of the membership relation (the group from the other OU) is not synched at all, Alfresco won't process it and thus not process its members.
The only thing to be done here is either synchronize all groups or implement a custom directory synchronisation logic.

Regards
Axel

borisstankov
Champ in-the-making
Thanks for the reply. Now it makes more sense why I can't configure it like I wanted to.

I also did try to put two entries for the Alfresco and for the Generic groups, so that both can be in Alfresco and hopefully I have the results I wanted, but now I do not see any groups, which could mean that Alfresco does not support such configurations in the properties file:

ldap.synchronization.groupSearchBase=ou=Alfresco,ou=GROUPS,ou=Inter,dc=domain,dc=com
ldap.synchronization.groupSearchBase=ou=Originals,ou=GROUPS,ou=Inter,dc=domain,dc=com

Am I right, or do I have a different problem here?

afaust
Legendary Innovator
Hello,

the properties files are simply key-value configuration files which do not support multiple values for the same key. The last one is the one that should win and the first one is moot. Typically in such a case you'd generalize the search base to ou=Groups (at the risk of getting more groups than you bargained for). Alternatively, you could set up two distinct LDAP synchronization configurations (Authentication subsystem allows multiple LDAP connections - may also be to the same LDAP) which use your distinct search bases. But the latter can't be done via the alfresco-global.properties file which is just a convenient way to perform simple configuration - see Authentication subsystem configuration (http://docs.alfresco.com/5.0/concepts/auth-config-examples.html) for more…

Regards
Axel
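
An added example, not part of the original posts and not Alfresco code: a simplified Python model of the behaviour described in the two replies above, showing why a group search base limited to the Alfresco OU leaves Alfresco-Dev empty and which extra groups a widened search base pulls in. The directory contents (Dev-Generic, Payroll, alice, bob) and all function names are constructed for illustration.

```python
# Simplified model of the sync behaviour described in this thread (assumption, not Alfresco code).
# All DNs below are constructed sample data.
SUFFIX = "ou=Inter,dc=domain,dc=com"
USERS = f"ou=USERS,{SUFFIX}"
GROUPS = f"ou=GROUPS,{SUFFIX}"

# group DN -> DNs of its direct members (users or other groups)
DIRECTORY = {
    f"cn=Alfresco-Dev,ou=Alfresco,{GROUPS}": [f"cn=Dev-Generic,ou=Originals,{GROUPS}"],
    f"cn=Dev-Generic,ou=Originals,{GROUPS}": [f"cn=alice,{USERS}", f"cn=bob,{USERS}"],
    f"cn=Payroll,ou=Originals,{GROUPS}": [f"cn=bob,{USERS}"],
}

def under(dn, base):
    """True if dn lies below the search base (case-insensitive suffix match)."""
    return dn.lower().endswith("," + base.lower())

def cn(dn):
    """Value of the leading RDN, e.g. 'Alfresco-Dev'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def sync(group_base, user_base=USERS):
    """Return {group name: set of user names} as seen after a sync."""
    synced = {g for g in DIRECTORY if under(g, group_base)}

    def users_of(group, seen):
        found = set()
        for member in DIRECTORY[group]:
            if member in synced and member not in seen:
                found |= users_of(member, seen | {member})  # nested group that was synced
            elif member not in DIRECTORY and under(member, user_base):
                found.add(cn(member))                        # directly assigned user
            # anything else (e.g. a group outside group_base) is dropped with its members
        return found

    return {cn(g): users_of(g, {g}) for g in synced}

def unintended(group_base, wanted_base):
    """Groups a wider base pulls in that are neither wanted nor needed as intermediaries."""
    needed = {g for g in DIRECTORY if under(g, wanted_base)}
    todo = list(needed)
    while todo:
        for m in DIRECTORY[todo.pop()]:
            if m in DIRECTORY and m not in needed:
                needed.add(m)
                todo.append(m)
    return {cn(g) for g in DIRECTORY if under(g, group_base) and g not in needed}
```

Groups reported by `unintended()` are the ones to review before widening the search base, since any permissions later granted to them inside Alfresco follow directory membership that the Alfresco administrators do not control.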

borisstankov
Champ in-the-making
Hello,

Thanks for the reply. Now it's more clear about the situation.
I'll keep in mind your workaround.

Regards!