
Sync-ing users in multiple AD directory trees

Question asked by jbecker-amplify on Jun 28, 2013
Latest reply on Jun 28, 2013 by mrogers
Hello,

I have been able to sync Active Directory Users and Groups to Alfresco, but there is a sub tree of test user accounts outside of the main directory tree that we would like to use for development and testing that I cannot sync. I could expand the search to an even greater scope, but this would sync way too much data.

Is it possible to sync users and groups from different base OUs in Active Directory?

For example…

The Real Users live here.

DN: CN=Users,OU=Corporate,DC=myco,DC=net

The Test Users live here.

DN: OU=Service Accounts,OU=Corporate,DC=myco,DC=net

My naive assumption is that in order to sync from 2 different sub trees, the userSearchBase in the ldap-ad-authentication.properties file would look like this.

ldap.synchronization.userSearchBase=OU\=Service Accounts,OU\=Users,OU\=Corporate,DC\=wgenhq,DC\=net

But the Service Accounts don't come across the wire.

The only subtle difference is that the Real Users have a userAccountControl Number = 512, which is the AD Default.

… while the Service Accounts have a userAccountControl Number = 66048

and when I changed the following parameters to the Service Account userAccountControl Number…

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=66048))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=66408)(!(whenChanged<\={0})))

Nothing happened.

So, is it possible to have Alfresco read from different parts of AD, and if so, how would I configure this?

Thanks in advance for any assistance you can give me.

~jj
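
Added example, not part of the original post and not Alfresco code: a small Python model of the two things the configuration above depends on, namely whether an entry's DN falls under a search base, and how the bit-AND matching rule 1.2.840.113556.1.4.803 evaluates a userAccountControl value. The directory entries, the `myco` form of the combined base, and all helper names are constructed for illustration; the flag table is a subset of Microsoft's documented userAccountControl bits.

```python
# Added example. Entries are constructed; helper names are hypothetical.
UAC_FLAGS = {  # subset of the documented userAccountControl flag bits
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

REAL_BASE = "CN=Users,OU=Corporate,DC=myco,DC=net"
TEST_BASE = "OU=Service Accounts,OU=Corporate,DC=myco,DC=net"
PARENT_BASE = "OU=Corporate,DC=myco,DC=net"
# Same shape as the userSearchBase tried in the post, written with the myco domain.
COMBINED_BASE = "OU=Service Accounts,OU=Users,OU=Corporate,DC=myco,DC=net"

REAL_USER = "CN=Alice Example," + REAL_BASE   # constructed entry
TEST_USER = "CN=svc-test," + TEST_BASE        # constructed entry
ENTRIES = {REAL_USER: 512, TEST_USER: 66048}  # DN -> userAccountControl

def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def bit_and_match(attr_value, filter_value):
    """Rule 1.2.840.113556.1.4.803: every bit of the filter value must be set."""
    return attr_value & filter_value == filter_value

def rdns(dn):
    # Simplified split: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(entry_dn, base_dn):
    """True when base_dn is a suffix of entry_dn (entry is at or below the base)."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base

def select(base_dn, filter_value):
    """Entries a subtree search from base_dn with the bit-AND filter would return."""
    return [dn for dn, uac in ENTRIES.items()
            if in_subtree(dn, base_dn) and bit_and_match(uac, filter_value)]

if __name__ == "__main__":
    for value in (512, 66048, 66408):
        print(value, decode_uac(value))
    for base in (TEST_BASE, COMBINED_BASE, PARENT_BASE):
        print(base, "->", select(base, 66048))
```
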
