AD LDAP user synchronization when users are in different containers

skushnerenko
Active Member II

We have to search for users in AD in the case where users are distributed across several containers (OUs) in the AD tree.

But only users from the base container are synchronized.

Is it possible to search for users across all OU containers of the AD tree?

The following AD settings from alfresco-global.properties are applied:

authentication.protection.enabled=false
ldap.authentication.active=true
ldap.synchronization.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@somedomain.com.ua
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.somedomain.com.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=adadmin
ldap.synchronization.java.naming.security.principal=aduser@somedomain.com.ua
ldap.synchronization.java.naming.security.credentials=somepassword
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000

ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(CN\=admin))(!(CN\=robot)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0}))(!(CN\=admin))(!(CN\=robot)))
ldap.synchronization.groupSearchBase=dc\=somedomain,dc\=com,dc\=ua
ldap.synchronization.userSearchBase=dc\=somedomain,dc\=com,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true

ldap.synchronization.userFirstNameAttributeName=givenName

ldap.synchronization.userLastNameAttributeName=sn

ldap.synchronization.userEmailAttributeName=mail

ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn

ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.enableProgressEstimation=true

ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=all


synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=false

synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1

synchronization.import.cron=0 0/15 * * * ?

Accepted Solutions
afaust
Master

Re: AD LDAP user synchronization when users are in different containers

Of course it is possible. As long as your search base is generic enough and your queries do not exclude specific groups/users based on their path, this should already work. Alternatively, you can always create multiple LDAP/AD configurations to synchronize different substructures into Alfresco - only in that case you can / should no longer use the alfresco-global.properties file, but instead do a proper Authentication subsystem configuration via alfresco/extension/subsystems/Authentication/ldap-ad/... path.

Please note that your groupQuery and groupDifferentialQuery differ in that the differential query does not include the CN=webadmin condition.

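The two points in this thread, that a subtree search from a generic enough search base already covers users in any OU below it, and that the groupDifferentialQuery drops the CN=webadmin condition the groupQuery carries, can both be checked offline before a sync runs. The following is an added example, not Alfresco's own code and not from either poster: it reads the query and search-base lines from the properties above (Java .properties escapes such as \= and \: are unescaped), tests whether constructed sample user DNs fall inside the configured search base (assuming, as the Alfresco LDAP registry does, a subtree-scope search from that base), and compares the leaf conditions of each full query against its differential query, ignoring only the timestamp condition that the differential query is expected to add. The sample DNs are constructed for the demonstration.

```python
"""Offline sanity checks for an Alfresco LDAP-AD synchronization configuration."""
import re

# Constructed sample: the relevant lines from the alfresco-global.properties
# posted in this thread (values use Java .properties backslash escapes).
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(CN\=admin))(!(CN\=robot)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0}))(!(CN\=admin))(!(CN\=robot)))
ldap.synchronization.groupSearchBase=dc\=somedomain,dc\=com,dc\=ua
ldap.synchronization.userSearchBase=dc\=somedomain,dc\=com,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
"""

# key = everything up to the first unescaped '=' or ':'; value = the rest
_PROP_RE = re.compile(r"((?:[^\\=:]|\\.)*?)\s*[=:]\s*(.*)")


def parse_properties(text):
    """Minimal Java .properties reader. Only the backslash-escaped punctuation
    used in Alfresco LDAP settings (\\=, \\:, \\\\) is handled; \\n, \\t and
    \\uXXXX escapes are not interpreted."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PROP_RE.fullmatch(line)
        if match is None:
            continue
        unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
        props[unescape(match.group(1)).strip()] = unescape(match.group(2))
    return props


def dn_components(dn):
    """Split a DN into normalized RDN components (case-insensitive, surrounding
    whitespace removed). Escaped commas inside RDN values are not handled."""
    return [component.strip().lower() for component in dn.split(",")]


def dn_in_subtree(entry_dn, search_base):
    """True when entry_dn lies at or below search_base, i.e. the base's RDNs are
    a suffix of the entry's RDNs. This is what a SUBTREE-scope search covers,
    so any OU nested under the base is reached without extra configuration."""
    entry, base = dn_components(entry_dn), dn_components(search_base)
    return len(entry) >= len(base) and entry[-len(base):] == base


# A leaf assertion, optionally wrapped in a '(!' negation: (!(CN=admin)) -> '!CN=admin'
_LEAF_RE = re.compile(r"(\(!)?\(([^()]+)\)")


def filter_leaves(ldap_filter):
    """Set of leaf assertions in an LDAP filter, with a leading '!' kept for
    negated leaves. Nested &/| structure is ignored, which is enough to compare
    which conditions each query carries."""
    return {("!" if negated else "") + body for negated, body in _LEAF_RE.findall(ldap_filter)}


def compare_queries(full_query, differential_query, timestamp_attr):
    """Report leaf conditions present in the full query but absent from the
    differential one (and the reverse), ignoring the timestamp condition that
    only the differential query is expected to add."""
    full, diff = filter_leaves(full_query), filter_leaves(differential_query)

    def is_timestamp_leaf(leaf):
        return leaf.lstrip("!").lower().startswith(timestamp_attr.lower())

    return {
        "missing_in_differential": sorted(full - diff),
        "unexpected_in_differential": sorted(l for l in diff - full if not is_timestamp_leaf(l)),
        # Alfresco substitutes the last sync time for {0}; without it the
        # differential query would re-read everything or match nothing.
        "has_timestamp_placeholder": "{0}" in differential_query,
    }


def check_config(props):
    """Run the full-vs-differential comparison for both group and person queries."""
    ts_attr = props.get("ldap.synchronization.modifyTimestampAttributeName", "modifyTimestamp")
    return {
        "group": compare_queries(props["ldap.synchronization.groupQuery"],
                                 props["ldap.synchronization.groupDifferentialQuery"], ts_attr),
        "person": compare_queries(props["ldap.synchronization.personQuery"],
                                  props["ldap.synchronization.personDifferentialQuery"], ts_attr),
    }


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    base = props["ldap.synchronization.userSearchBase"]
    # Constructed user DNs: two different OUs under the domain, one foreign domain.
    for dn in ("CN=jdoe,OU=Sales,DC=somedomain,DC=com,DC=ua",
               "CN=asmith,OU=Kyiv,OU=Staff,DC=somedomain,DC=com,DC=ua",
               "CN=other,OU=Users,DC=partner,DC=example"):
        print(f"{dn:60} under {base}: {dn_in_subtree(dn, base)}")
    for name, report in check_config(props).items():
        print(name, report)
```

Run against the properties from this thread, the group report lists CN=webadmin as missing from the differential query while the person report is clean, and both constructed DNs under dc=somedomain,dc=com,dc=ua are inside the search base regardless of how deeply their OU is nested. The same comparison is worth repeating whenever a personQuery is tightened (for example to exclude further service accounts) so that the nightly differential run and the full run keep selecting the same population.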

2 Replies
skushnerenko
Active Member II

Re: AD LDAP user synchronization when users are in different containers

Thank you, I have managed to make AD synchronization work by changing the queries.

Additional thanks for the CN=webadmin condition.