Hello,
I am running Alfresco Community Edition 201702 and trying to get ldap-ad authentication to work to my liking. I would like Alfresco to synchronize with our Active Directory, but only allow users of a specific group (AlfrescoUsers) to log in to Alfresco, and deny any other login attempts.
Currently, I have synchronization working, and I can log in to Alfresco with AD users. My problem is that any user in AD can log in, not just the members of the AlfrescoUsers security group I created.
Does anyone have any insight into why all users in AD are allowed to login, and not just users of the AlfrescoUsers security group?
I have attached my alfresco-global.properties, which holds all of my configuration, and also the synchronization section of alfresco.log.
Thank you,
-Jason
Hi Jason,
your person LDAP query seems to be wrong:
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))
I think you want objectclass=user AND userAccountControl... AND memberOf..., but you put an OR "|" before the memberOf condition.
So
(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))
should be OK (without having verified it in real life).
regards,
Martin
Who do you want to show up in Alfresco? If the answer is "everyone in LDAP" while the answer to "Who do you want to be able to authenticate?" is "a subset of users as specified by this group" then the answer is that you have to create two LDAP configurations, one will be enabled for sync-only and will sync the entire LDAP directory. The other will be disabled for sync but enabled for authentication and it will specify the person query that points to the group you want to restrict to.
I should mention that this technique was first described to me by Axel Faust in the #alfresco IRC channel.
Yes, Martin's query will work for the users under the defined user base.
But maybe the differential query will not, because you handle everything inside the AD group, so the user's timestamp (whenChanged) is not touched when adding users to the AD group. A workaround for this is to define the user differential query equal to the user query, but then a full sync is done every day instead of a differential one.
Another way of selecting a group of users belonging to different levels in the AD is via custom extension attributes in AD (e.g. "alf") on users, so you have to include the extension attribute in the user query. This will respect the whenChanged parameter, because the user is modified (changing the timestamp) when applying the extension attribute.
Regards.
--C.
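Martin's point about the AND/OR operator and Cesar's point about the differential query and whenChanged can both be checked offline before touching alfresco-global.properties. The script below is an added example, not code from Alfresco or from anyone in this thread. It parses a filter string exactly as it appears in the properties file (the \= and \: escapes are Java .properties escapes, which the loader strips) and applies it to a handful of constructed AD user entries. The group DN, the entries, their timestamps and the last-sync time are all made up for the example; the parser covers only the filter syntax used in this thread (and/or/not, equality, <= and the 1.2.840.113556.1.4.803 bitwise-AND rule), not all of RFC 4515. Alfresco substitutes the previous sync time for {0} in the differential query; the example does the same with a fixed constructed value.

```python
"""Offline evaluator for the LDAP filters in alfresco-global.properties.
Added example, not Alfresco code. Parses an RFC 4515-style filter (plus the AD bitwise-AND
extensible match) and applies it to constructed AD user entries, so the set of users a
personQuery / personDifferentialQuery would sync can be checked before a real sync."""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
GROUP_DN = "cn=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net"  # constructed

# Filters exactly as written in the properties file (Java .properties escapes intact).
PERSON_QUERY_OR = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(|(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net)))"
PERSON_QUERY_AND = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))"
DIFF_QUERY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=groups,dc=domain,dc=net)(!(modifyTimestamp<\={0})))"
# Stricter variant (an assumption, not from the thread): also drop accounts with ACCOUNTDISABLE (2) set.
PERSON_QUERY_ENABLED_ONLY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=net))"

def unescape_properties(text):
    """Undo the backslash escapes (\\= and \\:) that .properties loading removes."""
    return text.replace("\\=", "=").replace("\\:", ":")

def parse_filter(text):
    """Parse a filter into a tuple tree; values are assumed not to contain ')'."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter: %r" % text[pos:])
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|":  # n-ary AND / OR
        children, i = [], i + 2
        while s[i] != ")":
            child, i = _parse(s, i)
            children.append(child)
        return ("and" if op == "&" else "or", children), i + 1
    if op == "!":  # unary NOT
        child, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError("unterminated '!' at offset %d" % i)
        return ("not", child), i + 1
    end = s.index(")", i)
    item = s[i + 1:end]
    if ":=" in item:  # attr:rule:=value (extensible match)
        lhs, value = item.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr.lower(), rule, value), end + 1
    for sym, kind in (("<=", "le"), ("=", "eq")):
        if sym in item:
            attr, value = item.split(sym, 1)
            return (kind, attr.lower(), value), end + 1
    raise ValueError("cannot parse filter item %r" % item)

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr_lower: [values]}."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])
    if kind == "eq":  # AD string and DN attributes match case-insensitively
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "le":  # generalized-time strings compare correctly as text
        return any(v <= node[2] for v in values)
    if kind == "ext" and node[2] == BIT_AND_RULE:
        mask = int(node[3])
        return any(int(v) & mask == mask for v in values)
    raise ValueError("unsupported filter node %r" % (node,))

def select(filter_text, entries, last_sync=None):
    """Return the sorted sAMAccountNames a properties-file filter would select."""
    text = unescape_properties(filter_text)
    if last_sync is not None:
        text = text.replace("{0}", last_sync)  # Alfresco fills {0} with the last sync time
    node = parse_filter(text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))

def make_user(uac, groups, modify_ts):
    return {"objectclass": ["top", "person", "organizationalPerson", "user"],
            "useraccountcontrol": [str(uac)], "memberof": groups, "modifytimestamp": [modify_ts]}

LAST_SYNC = "20170301000000.0Z"  # constructed: time of the previous sync run
USERS = {  # constructed entries keyed by sAMAccountName
    # put into AlfrescoUsers after LAST_SYNC; only the group object was written, so her own timestamp is old
    "alice": make_user(512, [GROUP_DN], "20170201090000.0Z"),
    "bob": make_user(512, ["CN=Staff,OU=Groups,DC=domain,DC=net"], "20170305120000.0Z"),  # not a member
    "carol": make_user(514, [GROUP_DN], "20170306080000.0Z"),  # disabled (512 | 2) but still a member
    "dave": make_user(512, [GROUP_DN], "20170306080000.0Z"),  # new hire created after LAST_SYNC
}

if __name__ == "__main__":
    for label, query, ts in (("full query, OR as posted", PERSON_QUERY_OR, None),
                             ("full query, AND", PERSON_QUERY_AND, None),
                             ("differential query", DIFF_QUERY, LAST_SYNC),
                             ("full query, enabled only", PERSON_QUERY_ENABLED_ONLY, None)):
        print("%-26s %s" % (label, ", ".join(select(query, USERS, ts))))
```

Running it shows three things worth knowing before the next sync. First, a | with a single operand selects the same entries as that operand on its own, so both forms of the person query select alice, carol and dave here; restricting sync to the group is done by the memberOf clause either way, and it is the create/autoCreate properties mentioned later in the thread that stop other AD users from being created on login. Second, the differential query misses alice: her group membership changed after the last sync, but adding a member writes only the group object, so her own modifyTimestamp did not move, which is exactly the gap Cesar describes. Third, the 512 bit test is a bitwise AND, so a disabled account (userAccountControl 514 = 512 | 2) still matches and would still be synced; add (!(userAccountControl:1.2.840.113556.1.4.803:=2)) if disabled accounts should not be synced at all. The differential query's ou=groups still matches the entries' OU=Groups because DN matching in AD is case-insensitive, which the evaluator reproduces.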
Hi Jason:
All users are allowed to authenticate via LDAP-AD in principle. By default, Alfresco creates and syncs accounts on login when they do not exist. But if you set the properties below, you restrict LDAP auth to only those synced users.
create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
Regards.
--C.
...the query I mentioned is exactly the one Jason has defined in his attached alfresco-global.properties. He just added the OR sign in the query, which should not be the case for his intentions.
He also defined the differential query in the right way (again, just the OR sign is too much).
Because the query will only import users who are members of ou=Alfresco, only those users will be able to log in (allowDeletions=true, so the users not in ou=Alfresco will be deleted - no login possible).
I would leave synchronization.syncWhen... =true, so new users in ou Alfresco will be able to log in without having to wait for a scheduled LDAP sync - what do you think, Cesar?
Setting the two other values (create) to false should be fine.
Are you sure that a change in "memberOf" would not affect the whenChanged/modifiedTimestamp setting?
Thank you all for your help and suggestions. I have applied all of the changes/additions that you have suggested, and I believe it is working for me now. These are the changes/additions I've made to the alfresco-global.properties configuration file:
Added:
create.missing.people=false
synchronization.autoCreatePeopleOnLogin=false
synchronization.syncWhenMissingPeopleLogIn=false
I also changed my person queries as well:
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=Groups,dc=domain,dc=com))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(&(memberOf=cn\=AlfrescoUsers,ou=Alfresco,ou=groups,dc=domain,dc=com))(!(modifyTimestamp<\={0})))
(basically, I just changed OR to AND).
One more question: Because I was syncing all users before, any users that were synced before I made the configuration change are still able to log in. Is there a way to clear Alfresco's user/authentication cache, or (this may be an entirely different subject) is there a way to make Alfresco sync directly from AD, instead of caching users?
Thank you all again, I appreciate it!
-Jason
Hi Martin:
Regarding synchronization.syncWhen... =true, I'm not completely sure if this property depends on the other ones. By the way, with the new OOTB Support Tools addon, I think you can run the scheduled job on demand (I have not tested it yet). If it is not possible, it would be a nice feature for Support Tools in the Beecon hackathon (Axel Faust). This is a nice feature of the Support Tools in the EE edition.
If you only change the group object, I would say no. Beforehand, you may make a minor "tricky" user modification to change the timestamp, and it will work for this user.
Regards.
--C.
"Scheduled Jobs" tool is already included in OOTBee Support Tools. What might be of added value in the future might be to provide a tool for configuring LDAP at runtime so your test cycles can be shorter.
I don't think the users are cached; they are just not deleted yet. You can see this in the user administration (admin console). Because your ...allowDeletions flag is true, all you need is a full sync.
You can force this by temporarily setting the differential query to the same value as the full query, like Cesar Capillas mentioned above, and restarting Alfresco.
But Alfresco has already created a user home for each of your users. These home directories will not be deleted (this is normally a good thing, because you don't want user data deleted when you have accidentally misconfigured the sync).
Make sure the value of synchronization.allowDeletions is really true, because if set to false, all your unwanted-synced users will only be untagged and converted to local users (uahhh). But this is explained in the docs http://docs.alfresco.com/5.2/concepts/sync-delete.html
I fear you'd have to write a script to delete the home-folders of the non-existing/allowed users. Maybe someone in the community has done that already.
...or you just don't care about the unused folders - but they can behave badly when you sync a formerly disallowed user. Then a second home folder, with a number added to the username, will be created.