
Using Active Directory OUs as User groups in Alfresco

Question asked by tiksara on Nov 17, 2014
Hello,

My company's Microsoft AD looks something like this:
[blockcode]
BASE_DN
|
|—OU_Users
|   |
|   |–OU_1
|   |  |
|   |  |–User_1
|   |  |–User_2
|   |  .
|   |  .
|   |  .
|   |  |–User_n
|   |–OU_2
|   |  |
|   |  |-User_1
|   |  |-User_2
|   |  .
|   |  .
|   |  .
|   |  |-User_n
|   |
|   .
|   .
|   .
|   |–OU_n
|      |
|      |-User_1
|      |-User_2
|      .
|      .
|      .
|      |-User_n
|
|—OU_SomeOU
     |
     |–CN_Alfresco
     |  |
     |  |–User_1
     |  |–User_2
     |  |–CN_Group_1
     |  |–CN_Group_2
     .
     .
     .
[/blockcode]


My scenario would be as follows, but I need help getting it to work:

I would like to import users and user information from the OU OU_Users, but only those users that are in the security group CN_Alfresco. Being in the CN_Alfresco group grants such users access to Alfresco. I suspect the proper way to do it is to write an appropriate LDAP query that filters the wanted entries using OU_Users as the search base. There is also a problem when users are added to CN_Alfresco through an existing security group that already contains certain users (CN_Group_1 and CN_Group_2 in my example). In that case the LDAP query doesn't return any entries, because that scenario doesn't match the LDAP query I used (the users are assigned to CN_Alfresco through security groups and not individually). Does anyone know how to create a proper LDAP query for that scenario?

My second question is: is it possible to use OU_1 to OU_n under my OU_Users LDAP subsection to be imported and used as security groups in Alfresco, or do security groups in Alfresco have to be security groups from AD?

I'm referring to this specific line in the AD synchronization part of alfresco-global.properties
ldap.synchronization.groupType=group
to become
ldap.synchronization.groupType=organizationalUnit

Part of my alfresco-global.properties file regarding AD synchronization:
[blockcode]
ldap.synchronization.active=true

synchronization.synchronizeChangesOnly = false

synchronization.allowDeletions=true

synchronization.syncWhenMissingPeopleLogIn=true

synchronization.syncOnStartup=true

ldap.synchronization.java.naming.security.authentication=simple


ldap.synchronization.java.naming.security.principal=someuserwithproperrights@server.domain

ldap.synchronization.java.naming.security.credentials=secret

ldap.synchronization.queryBatchSize=1000

ldap.synchronization.attributeBatchSize=1000

ldap.synchronization.groupDifferentialQuery=(&(objectclass\=organizationalUnit)(!(whenChanged<\={0})))

# How can I add a filter to select only those OUs whose users are members of CN_Alfresco, if that is possible?
ldap.synchronization.groupQuery=(objectclass\=organizationalUnit)

# I would like to fetch users from OU_Users, but only those users who are members of CN_Alfresco
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=CN\=CN_Alfresco, OU\=OU_SomeOU, DC\=server, DC\=domain)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=CN\=CN_Alfresco, OU\=OU_SomeOU, DC\=server, DC\=domain)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

ldap.synchronization.groupSearchBase=OU\=OU_Users,DC\=server,DC\=domain

ldap.synchronization.userSearchbase=OU\=OU_Users,DC\=server,DC\=domain

ldap.synchronization.modifyTimestampAttributeName=whenChanged

[/blockcode]

Any help would be greatly appreciated.

Tiksara
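As an added illustration (not part of tiksara's post and not Alfresco's own code), the script below models the nested-membership situation described in the question on a small constructed directory, and builds the person filter with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which matches transitive group members where a plain `memberOf` comparison matches only direct ones. The DNs, users and group nesting are constructed for the example; the in-chain OID is AD's documented matching rule and does not appear in the original post, and the `userAccountControl` clause is carried over from the posted filter unchanged.

```python
from typing import Dict, List, Set

# Constructed sample directory for this example (not real data), shaped like the
# tree in the post: group DN -> list of member DNs. Groups may contain groups.
BASE = "DC=server,DC=domain"
ALFRESCO_GROUP = f"CN=CN_Alfresco,OU=OU_SomeOU,{BASE}"
GROUP_1 = f"CN=CN_Group_1,OU=OU_SomeOU,{BASE}"
GROUP_2 = f"CN=CN_Group_2,OU=OU_SomeOU,{BASE}"
USER_1 = f"CN=User_1,OU=OU_1,OU=OU_Users,{BASE}"   # direct member of CN_Alfresco
USER_2 = f"CN=User_2,OU=OU_2,OU=OU_Users,{BASE}"   # member via CN_Group_1
USER_3 = f"CN=User_3,OU=OU_n,OU=OU_Users,{BASE}"   # member via CN_Group_1 -> CN_Group_2
USER_4 = f"CN=User_4,OU=OU_1,OU=OU_Users,{BASE}"   # in OU_Users but in no group: no access

GROUP_MEMBERS: Dict[str, List[str]] = {
    ALFRESCO_GROUP: [USER_1, GROUP_1],
    GROUP_1: [USER_2, GROUP_2],
    GROUP_2: [USER_3, GROUP_1],   # deliberate cycle: AD permits it, so a resolver must guard against it
}

# Matching-rule OIDs understood by Active Directory.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: transitive (nested) membership
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND: used by the post's userAccountControl clause
NORMAL_ACCOUNT = 512                  # the userAccountControl bit the posted filter tests


def direct_members(group_dn: str) -> Set[str]:
    """Users a plain (memberOf=<group_dn>) clause returns: direct members only."""
    return {m for m in GROUP_MEMBERS.get(group_dn, []) if m not in GROUP_MEMBERS}


def transitive_members(group_dn: str) -> Set[str]:
    """Users a (memberOf:1.2.840.113556.1.4.1941:=<group_dn>) clause returns:
    members reached through any chain of nested groups, with cycle protection."""
    seen: Set[str] = set()
    users: Set[str] = set()
    stack = [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in GROUP_MEMBERS.get(group, []):
            if member in GROUP_MEMBERS:
                stack.append(member)   # nested group: expand it
            else:
                users.add(member)
    return users


def missed_by_direct_filter(group_dn: str) -> Set[str]:
    """Users who should have access but whom a direct memberOf filter silently drops."""
    return transitive_members(group_dn) - direct_members(group_dn)


_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing '(' ')' '*' or a backslash cannot alter the filter structure."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def build_person_query(group_dn: str, nested: bool = True) -> str:
    """Build the personQuery filter; nested=True swaps the post's memberOf clause for the in-chain form."""
    dn = escape_filter_value(group_dn)
    member_clause = f"(memberOf:{IN_CHAIN}:={dn})" if nested else f"(memberOf={dn})"
    return f"(&(objectclass=user){member_clause}(userAccountControl:{BIT_AND}:={NORMAL_ACCOUNT}))"


def to_properties_value(ldap_filter: str) -> str:
    """Escape '=' and ':' with a backslash, following the convention of the posted alfresco-global.properties."""
    return ldap_filter.replace("=", "\\=").replace(":", "\\:")


if __name__ == "__main__":
    print("direct    :", sorted(direct_members(ALFRESCO_GROUP)))
    print("transitive:", sorted(transitive_members(ALFRESCO_GROUP)))
    print("missed    :", sorted(missed_by_direct_filter(ALFRESCO_GROUP)))
    print("ldap.synchronization.personQuery=" + to_properties_value(build_person_query(ALFRESCO_GROUP)))
```

Running it shows the effect the question describes: the direct filter returns only User_1, while the in-chain filter also reaches User_2 and User_3 through CN_Group_1 and CN_Group_2, and User_4 (under OU_Users but in no group) is excluded by both. The `escape_filter_value` step matters whenever any part of the filter comes from configuration or user input, since an unescaped `)` or `*` in a DN would change the filter's structure. On the second question, note that an `organizationalUnit` entry is a container: users sit beneath it by DN and it carries no membership attribute, so neither a `memberOf` clause nor a group loader that reads members from an attribute such as the one named by `ldap.synchronization.groupMemberAttributeName` can derive membership from OU placement alone.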
