
Sincronização de Campos adicionais no LDAP [DICA]

Question asked by danieljoppi on Mar 9, 2012
Latest reply on Mar 7, 2013 by jazz555
Bom dia,

Fiz uma customização no meu Alfresco para que, além de capturar o nome e o e-mail do usuário com o LDAP, o sistema também sincronizasse outros campos, como endereço, telefone etc.

A modificação foi bem simples: bastou configurar um XML e criar novas propriedades no alfresco-global.properties. São elas:

/opt/alfresco/tomcat/shared/classes/alfresco-global.properties
#
# LDAP
#
# Authentication through this LDAP subsystem is switched off; only the
# synchronization half is used (ldap.synchronization.active below), so logins
# are presumably handled by another member of the authentication chain - confirm.
ldap.authentication.active=false
# Guest (anonymous) login remains permitted; review whether that is intended here.
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Plain ldap:// on port 389: DIGEST-MD5 protects the bind credentials, but the
# directory data read during synchronization travels unencrypted. Prefer
# ldaps:// (or StartTLS) where the directory offers it.
ldap.authentication.java.naming.provider.url=ldap://srv-domain:389
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
# The directory account with this user name is granted Alfresco administrator rights.
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=DIGEST-MD5
# Bind account used by the synchronization job. Its password sits in clear text
# in this file, so keep alfresco-global.properties readable only by the account
# that runs Alfresco.
ldap.synchronization.java.naming.security.principal=user.it
ldap.synchronization.java.naming.security.credentials=xpasswd
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
# In a .properties file only the first unescaped '=' separates key from value,
# so the "\=" escapes below and the bare '=' inside personQuery both yield a
# literal '=' once the file is loaded.
ldap.synchronization.groupQuery=(objectClass\=*)
ldap.synchronization.groupDifferentialQuery=(objectClass\=*)
# Full person query: every object except those matching OU=Desligados or
# CN=ldap sync. NOTE(review): both exclusions filter on attributes of the user
# entry rather than on its DN - confirm they match the entries meant to be skipped.
ldap.synchronization.personQuery=(&(objectClass=top)(&(!(OU=Desligados))(!(CN=ldap sync))))
# NOTE(review): neither differential query carries a timestamp clause, so a
# "changes only" run appears to re-read every entry - confirm against the
# subsystem default before relying on synchronizeChangesOnly below.
ldap.synchronization.personDifferentialQuery=(objectClass\=*)
ldap.synchronization.groupSearchBase=OU=Grupos,DC=EMPINT,DC=local
ldap.synchronization.userSearchBase=OU=Usuarios,DC=EMPINT,DC=local
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# sAMAccountName / sn / mail / company: Active Directory attribute names.
ldap.synchronization.userIdAttributeName=sAMAccountName
# userFirstNameAttributeName is not overridden here although the XML mapping
# references it; the subsystem default is presumably used - confirm.
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user

# extra fields sync - daniel.joppi
# Custom keys: each one is referenced as ${...} from the personAttributeMapping
# map in common-ldap-context.xml, so the names here and there must match exactly.
# Note that userPhysicalDeliveryOfficeName lacks the "AttributeName" suffix the
# other keys carry; the XML references it under this exact name.
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userPhysicalDeliveryOfficeName=physicalDeliveryOfficeName
ldap.synchronization.userStreetAddress1AttributeName=streetAddress
# "l" is the LDAP locality (city) attribute, "st" the state/province attribute.
ldap.synchronization.userCityAttributeName=l
ldap.synchronization.userStateAttributeName=st
ldap.synchronization.userPostalCodeAttributeName=postalCode
ldap.synchronization.userTelephoneNumberAttributeName=telephoneNumber
ldap.synchronization.userFaxNumberAttributeName=facsimileTelephoneNumber

ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
synchronization.synchronizeChangesOnly=true
# Full synchronization runs daily at midnight (Quartz cron: sec min hour dom mon dow).
synchronization.import.cron=0 0 0 * * ?
# Unknown users are looked up in LDAP and created in the repository at first login.
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
synchronization.autoCreatePeopleOnLogin=true
synchronization.loggingInterval=100
synchronization.workerThreads=2

/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml
    <!– Regularly exports user and group information from LDAP –>
   
    <bean id="userRegistry" class="org.alfresco.repo.security.sync.ldap.LDAPUserRegistry">
        <property name="active">
            <value>${ldap.synchronization.active}</value>
        </property>



        <!–
        This property defines a mapping between attributes held on LDAP user objects and
        the properties of user objects held in the repository. The key is the QName of an attribute in
        the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
        LDAP repository.    
        –>
        <property name="personAttributeMapping">
            <map>
                <entry key="cm:userName">
                    <!– Must match the same attribute as userIdAttributeName –>
                    <value>${ldap.synchronization.userIdAttributeName}</value>
                </entry>
                <entry key="cm:firstName">
                    <!– OpenLDAP: "givenName" –>
                    <!– Active Directory: "givenName" –>
                    <value>${ldap.synchronization.userFirstNameAttributeName}</value>
                </entry>
                <entry key="cm:lastName">
                    <!– OpenLDAP: "sn" –>
                    <!– Active Directory: "sn" –>
                    <value>${ldap.synchronization.userLastNameAttributeName}</value>
                </entry>
                <entry key="cm:email">
                    <!– OpenLDAP: "mail" –>
                    <!– Active Directory: "???" –>
                    <value>${ldap.synchronization.userEmailAttributeName}</value>
                </entry>
                <entry key="cm:organization">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <value>${ldap.synchronization.userOrganizationalIdAttributeName}</value>
                </entry>
                <!– This deprecated property has been replaced by "cm:organization". We will use the same mapping –>
                <entry key="cm:organizationId">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <value>${ldap.synchronization.userOrganizationalIdAttributeName}</value>
                </entry>
               <entry key="cm:jobtitle">
                  <value>${ldap.synchronization.userJobTitleAttributeName}</value>
               </entry>
               <entry key="cm:location">
                  <value>${ldap.synchronization.userPhysicalDeliveryOfficeName}</value>
               </entry>
               <entry key="cm:companyaddress1">
                  <value>${ldap.synchronization.userStreetAddress1AttributeName}</value>
               </entry>
               <entry key="cm:companyaddress2">
                  <value>${ldap.synchronization.userCityAttributeName}</value>
               </entry>
               <entry key="cm:companyaddress3">
                  <value>${ldap.synchronization.userStateAttributeName}</value>
               </entry>
               <entry key="cm:companypostcode">
                  <value>${ldap.synchronization.userPostalCodeAttributeName}</value>
               </entry>
                <entry key="cm:companytelephone">
                    <value>${ldap.synchronization.userTelephoneNumberAttributeName}</value>
                </entry>
                <entry key="cm:companyfax">
                    <value>${ldap.synchronization.userFaxNumberAttributeName}</value>
                </entry>
                <!– Always use the default –>
                <entry key="cm:homeFolderProvider">
                    <null/>
                </entry>
            </map>
        </property>


    </bean>

O Alfresco reconheceu essa simples modificação e, quando um usuário tenta modificar seus dados no Share, é impedido pelo sistema, pois o Alfresco já bloqueia os campos que estão sincronizados com o LDAP. :D
