Alfresco and Ldap-AD: importing users

Question asked by fgrasso on Apr 29, 2016
Hi everybody,
we have configured ldap-AD so that Alfresco imports all users in the directory.

Due to a not optimal AD organization based on geographical site, we want to import only effective users and not administrative accounts.

AD
– OU site1 – user1
            – user2
            – group HR
            – …
– OU site2 – user3
            – user4
            – group Administration
            – …
– OU site3 – user5
            – user6
            – group IT
            – …

To select the desired users we tried to create a group named Alfresco_Users that contains all the users we want to import.

AD
– OU alfresco – group Alfresco_Users – user1
                                       – user2
                                       – …


ldap.authentication.active=true
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc.domain.com:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupSearchBase=dc\=domain,dc\=com
ldap.synchronization.userSearchBase=dc\=domain,dc\=com
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0

This is the configuration regarding user and group import:


# look for all groups with name starting with Alfresco
ldap.synchronization.groupQuery=(&(objectclass\=group)(cn\=Alfresco*))

# differential variant: the whenChanged clause must sit inside the (& ...) expression, otherwise the filter has two top-level terms
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(cn\=Alfresco*)(!(whenChanged<\={0})))

# TRY 1: this looks for users contained in the Alfresco_users group - NOT WORKING
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=CN\=Alfresco*)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# TRY 2: full FDN of the group; groups created, users not imported
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf:1.2.840.113556.1.4.1941:\=cn\=Alfresco*,ou\=Alfresco,dc\=domain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))


Also tried with the userAccountControl 1.2.840.113556.1.4.1941 parameter, but nothing.

Can someone tell me a quick way to add only the desired users to Alfresco (creating a new group, a new OU, or fixing the query in the config file)?

Thanks for help
Fabio
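The filters from the question above, run through a small linter added here as an example (it is not Alfresco's code and not part of the original thread). It applies two checks that matter for this configuration: that each filter is one balanced expression, and that no wildcard is used on a DN-syntax attribute such as memberOf, which Active Directory matches only exactly or through the 1.2.840.113556.1.4.1941 (IN_CHAIN) rule. The DN_SYNTAX_ATTRS set, the helper names and the personQuery_exactDN entry are the example's own assumptions.

```python
import re

# Alfresco properties escape "=" and ":" as "\=" and "\:"; the LDAP client
# sends the unescaped form, so the checks run on that.
def unescape_alfresco(text):
    return text.replace("\\=", "=").replace("\\:", ":")

# AD attributes with DN syntax (example's own, not exhaustive). AD matches
# these exactly or via LDAP_MATCHING_RULE_IN_CHAIN, never by substring.
DN_SYNTAX_ATTRS = {"memberof", "member", "manager", "directreports", "managedby"}

# One filter item "(attr[:rule:][<>~]=value)"; the value itself may hold "=".
ITEM_RE = re.compile(r"\(([^()=<>~]+[<>~]?)=([^()]*)\)")

def paren_problem(filt):
    """Offset where the filter stops being one balanced expression, else None."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return i
            if depth == 0 and i != len(filt) - 1:
                return i + 1  # trailing text after the top-level clause closed
    return None if depth == 0 else len(filt)

def lint_filter(raw):
    filt = unescape_alfresco(raw)
    issues = []
    pos = paren_problem(filt)
    if pos is not None:
        issues.append(f"filter is not a single balanced expression (offset {pos})")
    for attr_desc, value in ITEM_RE.findall(filt):
        attr = attr_desc.split(":")[0].rstrip("<>~")  # drop ":OID:" and "<", ">"
        if attr.lower() in DN_SYNTAX_ATTRS and "*" in value:
            issues.append(f"wildcard on DN-syntax attribute {attr}: {value}")
    return issues

# The question's four filters, plus an exact-DN variant (constructed here).
QUESTION_FILTERS = {
    "groupQuery": r"(&(objectclass\=group)(cn\=Alfresco*))",
    "groupDifferentialQuery": r"(&(objectclass\=group)(cn\=Alfresco*))(!(whenChanged<\={0}))",
    "personQuery": r"(&(objectclass\=user)(memberOf\=CN\=Alfresco*)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
    "personDifferentialQuery": r"(&(objectclass\=user)(memberOf:1.2.840.113556.1.4.1941:\=cn\=Alfresco*,ou\=Alfresco,dc\=domain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
    "personQuery_exactDN": r"(&(objectclass\=user)(memberOf:1.2.840.113556.1.4.1941:\=cn\=Alfresco_Users,ou\=Alfresco,dc\=domain,dc\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
}

def lint_all(filters=QUESTION_FILTERS):
    return {name: lint_filter(f) for name, f in filters.items()}
```

Only the exact-DN variant and the plain groupQuery come back clean; the two memberOf wildcards and the misplaced whenChanged clause are each reported.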