LDAP (AD) Account inheritance question

sjordi
Champ in-the-making
Hi,
We're currently integrating our Alfresco with LDAP through an Active Directory.
The problem we face is that once synchronized, it actually creates the 4,000+ accounts at once.
Then everybody can connect.

Is there a way to avoid this?
We'd like to allow only specific persons, defined in groups, to connect to Alfresco.
Mainly two sets of persons, defined in two groups.

Any way to have only those persons synchronized and related accounts created in Alfresco?
If yes, how can we do this?
Thanks for any help.

afaust
Legendary Innovator
Hello,

Depending on your layout within the LDAP (AD) and your ability to express the conditions in an LDAP query, you can select the people that are being synchronized by configuring ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery (http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2).

Regards
Axel

sjordi
Champ in-the-making
OK, we found a way to avoid creating everything, but we still struggle with the queries in order to try to get info from groups.

The idea is to have a group called Applications->Alfresco->DNP
In this one we have three groups: DNP-Admin, DNP-Manager, DNP-Read
We have set persons in each group.
When Alfresco syncs, it sees the three groups but says that the users don't have the right distinguished names.
It has the correct name, so this means that it correctly sees who is in which group, but still it doesn't use it.
Here is the error:
Failed to resolve member of group 'GG-DNP-Admin' with distinguished name: CN=Jordi,OU=DSIC,OU=VILLE-GE,DC=activedir,DC=ville-geneve,DC=ch

Our queries are as follows:
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimeStamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimeStamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch
ldap.synchronization.userSearchBase=ou\=Alfresco,ou\=Applications,dc\=activedir,dc\=ville-geneve,dc\=ch
ldap.synchronization.modifyTimestampAttributeName=modifyTimeStamp

Any idea?
Thanks for your help.
Steve
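An added diagnostic (not Alfresco's own code and not part of this thread) for the error quoted above: it checks whether each DN found in a group's member attribute lies under the ldap.synchronization.userSearchBase / groupSearchBase from the posted configuration, using the DN from the error message and one constructed member DN. It models only that search-base containment check, which is an assumption about how the sync resolves members, not Alfresco's full resolution logic.

```python
# Added diagnostic (not Alfresco's code). USER_BASE and GROUP_BASE are the
# values posted in the thread; the member list is constructed for the example,
# with the first DN taken from the quoted error message.
from typing import List, Tuple

USER_BASE = "ou=Alfresco,ou=Applications,dc=activedir,dc=ville-geneve,dc=ch"
GROUP_BASE = "ou=Alfresco,ou=Applications,dc=activedir,dc=ville-geneve,dc=ch"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (type, value) RDN pairs.

    Backslash-escaped characters (e.g. "\\," inside a CN) are unescaped;
    types are lower-cased and values case-folded, since AD compares DNs
    case-insensitively. Multi-valued RDNs ("+") are kept as one value.
    """
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        out.append((typ.strip().lower(), val.strip().casefold()))
    return out


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere beneath it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


def unresolvable_members(members: List[str],
                         bases=(USER_BASE, GROUP_BASE)) -> List[str]:
    """Member DNs that fall under none of the configured search bases."""
    return [dn for dn in members if not any(is_under(dn, b) for b in bases)]


if __name__ == "__main__":
    members = [  # constructed sample; first entry is from the error above
        "CN=Jordi,OU=DSIC,OU=VILLE-GE,DC=activedir,DC=ville-geneve,DC=ch",
        "CN=Example\\, User,OU=DNP,OU=Alfresco,OU=Applications,DC=activedir,DC=ville-geneve,DC=ch",
    ]
    for dn in unresolvable_members(members):
        print("outside configured search bases:", dn)
```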