
[LDAP] User sync at connection

piski
Champ on-the-rise
Hi everybody,

I've installed a test environment (WebClient+Share) with these features:
- Authentication passthru, SSO
- CIFS, FTP, WebDAV

SSO authentication doesn't automatically give me the fields of my Active Directory (last name, first name, mail …), so I've installed LDAP-AD sync (not authentication). All works fine.

After several tests, the sync launches itself at Alfresco startup. So I found and set:
synchronization.syncOnStartup=false

As I want a new user (unknown to Alfresco) to be created automatically, with information from AD, I also set:

# Should we trigger a differential sync when missing people log in?
synchronization.syncWhenMissingPeopleLogIn=false

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=true


My problem: when an unknown user tries to connect, the sync runs over my whole AD (as configured in synchronization.groupSearchBase & synchronization.userSearchBase).

I don't want to sync all my AD users (I only want new unknown users who try to connect at least once).
I want to create only this user and pick up his AD information at his connection.

I've tried (unsuccessfully):
synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(sAMAccountName\=%s))
or
synchronization.userSearchBase=DC\=my,DC\=organization,DC\=infos,DC\=com,sAMAccountName\=%s

If it is possible, how?

Any help would be welcomed

dward
Champ on-the-rise
I would recommend these settings.

synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false

The sync triggered on startup is a 'differential sync'. This means that it runs a query for all users changed since the last differential sync. That will mean that the first startup will be slow if you have thousands of users, but after that, it will be very fast and only pull over those users changed since the last sync.

The sync triggered on login is again differential and is only triggered when someone is successfully authenticated but still unknown to Alfresco. So again, that should pull in only those users added since the last sync.

If you set

synchronization.autoCreatePeopleOnLogin=true

you will get the auto-creation of people who were successfully authenticated but weren't brought in by the sync query, which I don't think is what you want. Users auto-created in this way will not have their attributes such as last name, email, etc. pulled in from the LDAP server. If you need this setting, it probably means you haven't configured the sync correctly. It looks like your userSearchBase is wrong. It should not contain any %s placeholders and should look something like:

synchronization.userSearchBase=OU\=my,DC\=organization,DC\=infos,DC\=com

To work out what it should be, browse to a user, get their DN and use the suffix.

If you are finding the sync is bringing in more users than you want, just tighten the queries so that they don't include as many users, e.g. they only include those users in a certain group or with a certain attribute.
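As an added example (not part of the thread, and not Alfresco's shipped configuration), here is what the settings recommended above look like in alfresco-global.properties when the person queries are tightened to one AD group, as suggested. It assumes the ldap-ad authentication subsystem, whose sync properties carry the ldap. prefix; the search bases and the group DN CN=alfresco-users,OU=Groups,... are placeholders to be replaced with the suffix of a real user DN from your directory.

```properties
# alfresco-global.properties (added example; every DN below is a placeholder)

# Authentication chain: passthru answers the SSO challenge, the ldap-ad
# subsystem is only used for synchronization.
authentication.chain=passthru1:passthru,ldap1:ldap-ad
ldap.authentication.active=false
ldap.synchronization.active=true

# Differential sync at startup and when an authenticated-but-unknown user
# logs in; do not auto-create people, so profiles always come from AD.
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false

# Search bases: the DN suffix shared by the users/groups to import, no %s.
ldap.synchronization.userSearchBase=OU\=Users,DC\=my,DC\=organization,DC\=infos,DC\=com
ldap.synchronization.groupSearchBase=OU\=Groups,DC\=my,DC\=organization,DC\=infos,DC\=com

# Person queries restricted to normal accounts (userAccountControl bit 512 set)
# that are NOT disabled (bit 2 clear) and that are members of one AD group.
# The 1.2.840.113556.1.4.803 rule is AD's bitwise-AND match; a plain
# (userAccountControl=512) filter would also match disabled accounts (514).
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(memberOf\=CN\=alfresco-users,OU\=Groups,DC\=my,DC\=organization,DC\=infos,DC\=com))

# Differential variant: same filter plus "changed since the last sync".
# {0} is replaced by Alfresco with the timestamp of the previous sync.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(memberOf\=CN\=alfresco-users,OU\=Groups,DC\=my,DC\=organization,DC\=infos,DC\=com)(!(whenChanged<\={0})))

# AD's change timestamp attribute and the format Alfresco uses to render {0}.
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
```

The backslashes before `=` and `:` are Java .properties escaping, as in the thread; the filter Alfresco sends to AD contains none of them. Before putting a filter here, run it once with a directory tool such as ldapsearch against the same search base and count the entries returned: that count is what the first (full) sync will import. A group restriction via memberOf only sees direct members, not nested groups, and the group-side queries (ldap.synchronization.groupQuery and groupDifferentialQuery) can be narrowed the same way.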

piski
Champ on-the-rise
Thanks for your reply !

I think I understand the solution you recommend: working with a differential sync provides the single user creation, because that user is the only thing that has changed.

For information, the %s parameter in my userSearchBase was only a test, not the correct configuration.

I'll try to be clearer … My users authenticate using passthru, which provides me with the SSO feature.

By default, at the "first" Alfresco launch, there is no user in the repository.
I don't want to create my AD users in Alfresco using LDAP sync (however, I tested this feature and it's working).

I only want new users (first time signing in, and therefore unknown to Alfresco) to be created.
LDAP sync just provides me with information from AD, such as last name, mail, … which is put into the user profile in Alfresco.

To summarize:
- Alfresco based on passthru auth - SSO
- No LDAP sync at first startup
- No user defined in Alfresco
-> A user signs in -> LDAP sync only for this user -> user created in Alfresco with his AD information

Is it clearer? Is it possible?

By the way, many thanks for your help!

dward
Champ on-the-rise
No, it's not currently possible. LDAP sync pulls all your users into Alfresco in advance of you using them. If you turn sync off and auto-create person on, then you will get the behaviour you want, but you will not get user details pulled from LDAP.

ldap.synchronization.active=false
synchronization.autoCreatePeopleOnLogin=true

piski
Champ on-the-rise
My purpose, with LDAP sync activated, is to pull AD user details into the Alfresco profile.

The user is automatically created, if he doesn't exist, by passthru authentication, so I don't need to activate any LDAP features for that.

I thought it was possible to cheat by using a parameter such as synchronization.userSearchBase or synchronization.personQuery to tell Alfresco to search only for the user trying to connect.

Any chance of implementing this in the future?
Thanks

jasondalycan
Champ in-the-making
I agree with this feature suggestion – I am actually facing an identical scenario.

An excellent addition would be something of the form:

ldap.synchronization.autoSyncMissingUser=<true|false>


If enabled, such a parameter would pull in the authenticated user's attributes from the central LDAP server upon each successful login – thus keeping the user's attributes consistent with the central company directory (housed in LDAP).

Note: This functionality should be tenant-aware, i.e. the user store bases should be appropriate for the authenticated user's tenant domain.  Currently LDAP sync attempts to place all user attributes in the root content store, thus causing a 'Node not found' error to be thrown.

-JASON

mjjn
Champ in-the-making
I'd like to see this feature too, but for a different reason.
The LDAP server in my organization terminates replies longer than 500 entries, and paging doesn't trick it. So synchronizing in "full" or "differential with deletions" modes doesn't work.