11-09-2016 06:09 PM
Hi all!
I'm a greenhorn in Alfresco. At the moment I am trying to set up the connection to AD, but for some reason I have not succeeded with the synchronization.
Groups are synchronized correctly and users are associated with the correct groups, but a lot of other accounts are created during synchronization (all users who are registered in this domain).
I have an approximately similar structure in Active Directory:
(OU)Others
    (OU)Alfresco
        (Group)Management
        (Group)Personnel
        .... and more other groups, which can be changed in future ...
(OU)Company
    (Group)Users
    (User)Adam
    (User)John
    (User)Betty
Adam is member of: cn=users,ou=Company,dn=domain,dn=tld
cn=Management,ou=Alfresco,ou=Others,dn=domain,dn=tld
John is member of: cn=users,ou=Company,dn=domain,dn=tld
cn=Personell,ou=Alfresco,ou=Others,dn=domain,dn=tld
Betty is member of: cn=users,ou=Company,dn=domain,dn=tld
My group search filter is
ldap.synchronization.groupSearchBase=OU\=Alfresco,OU\=others,DC\=domain,DC\=tld
I would like to synchronize (and automatically add) only those users who are members of any group in the branch Others->Alfresco->...
(Adam and John, but NOT Betty)
How can I do it?
How can I synchronize only users from groups under the OU Alfresco?
The expression (memberOf=*OU\=Alfresco,OU\=others,DC\=domain,DC\=tld) does not work, because the wildcard * can't be used for the attribute memberOf.
Thank you for your time
Vladimir
11-10-2016 01:53 AM
Hi Vladimir:
One approach is to use extension attributes in LDAP to flag or distinguish Alfresco users. Then, you only have to configure the default user LDAP sync queries according to this attribute. If you set the flag extensionAttribute3=alf on Adam and John, you should sync only the corresponding users with:
ldap.synchronization.personQuery=(&(objectclass\=user)(extensionAttribute3\=alf)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(extensionAttribute3\=alf)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
Take into consideration that you should disable authentication for non-synced users, and "clean" already synced users.
Hope this helps.
--C.
11-10-2016 02:10 AM
Hi again:
Another approach is to define a big group in your AD, under (OU) Others > (OU) Alfresco:
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN=Alfresco_Users,OU=Alfresco,OU=Others,DC=domain,DC=tld)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN=Alfresco_Users,OU=Alfresco,OU=Others,DC=domain,DC=tld)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<={0})))
This is simpler for LDAP admins.
Regards.
--C.
11-10-2016 03:54 AM
Hi Cesar,
Thank you for the response.
I also thought of this solution (your message from 10.11.2016 7:53) and tried it out. It works. It brings only a little extra work for the AD administrator.
I believed that it should be possible to configure Alfresco in such a way as to synchronize only those users who are registered in groups which are obtained from the AD.
Something like: ldap.synchronization.magicSwitchForVladimir=true
The second method, which you suggest in the message from 10.11.2016 8:10, is unacceptable for me, because the group membership in my case has a crucial meaning for the correct functioning of workflows.
Thank you for your effort and assistance.
Vladimir
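Added example, not part of the original thread and not Alfresco code: since memberOf only accepts exact DN matches, one workaround for the question in the first post is to OR one exact memberOf clause per group found under OU=Alfresco. The group DNs, sample users and helper names are constructed from the tree in the first post, assuming the domain suffix DC=domain,DC=tld.

```python
# Added example: group DNs and users are constructed from the thread's sample
# tree (assuming DC=domain,DC=tld); helper names are hypothetical.
GROUP_DNS = [
    "CN=Management,OU=Alfresco,OU=Others,DC=domain,DC=tld",
    "CN=Personnel,OU=Alfresco,OU=Others,DC=domain,DC=tld",
]
USERS_GROUP = "CN=Users,OU=Company,DC=domain,DC=tld"
USERS = {  # constructed memberOf values for the three sample users
    "Adam": [USERS_GROUP, GROUP_DNS[0]],
    "John": [USERS_GROUP, GROUP_DNS[1]],
    "Betty": [USERS_GROUP],
}
# RFC 4515: characters that must be escaped inside a filter assertion value.
RFC4515_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """Escape a DN so it is safe as the value of an LDAP filter clause."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)

def build_person_query(group_dns):
    """AND the thread's user/account checks with an OR of exact memberOf matches."""
    if not group_dns:
        # An empty OR would be invalid; dropping it would sync the whole domain.
        raise ValueError("no group DNs given")
    clauses = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    return ("(&(objectclass=user)(|" + clauses + ")"
            "(userAccountControl:1.2.840.113556.1.4.803:=512))")

def to_properties_value(ldap_filter):
    """Escape for a Java .properties file: backslashes first, then '=' and ':'."""
    doubled = ldap_filter.replace("\\", "\\\\")
    return doubled.replace("=", "\\=").replace(":", "\\:")

def is_synced(member_of, group_dns):
    """Local model of the OR clause: any exact, case-insensitive DN match."""
    wanted = {dn.lower() for dn in group_dns}
    return any(dn.lower() in wanted for dn in member_of)

if __name__ == "__main__":
    query = build_person_query(GROUP_DNS)
    print("ldap.synchronization.personQuery=" + to_properties_value(query))
    print([name for name, groups in USERS.items() if is_synced(groups, GROUP_DNS)])
```

The same OR clause has to go into ldap.synchronization.personDifferentialQuery as well, and the filter must be regenerated whenever groups are added to or removed from OU=Alfresco.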