
How to synchronize Alfresco users with Active Directory? When I create a user in AD, everything works fine and I can log in to Alfresco Share, but the Alfresco users (the ones that already exist) don't sync to AD. Do I have to import them into AD manually? I have already tried turning full synchronization on, but it didn't help.

These are my properties:

#AD settings
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# plain LDAP on 389: simple binds send the password in cleartext on the wire; ldaps:// avoids that
ldap.authentication.java.naming.provider.url=ldap://192.168.1.20:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Alf
ldap.authentication.java.naming.read.timeout=5000

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# bind account in DOMAIN\user form; the backslash has to be doubled in a .properties file
ldap.synchronization.java.naming.security.principal=lpa\\ixis_dc
# stored in cleartext, so this file must be readable only by the Alfresco service account
ldap.synchronization.java.naming.security.credentials=wlY9lXgliQDPJp8XbtZ1
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))

#user AD
ldap.synchronization.userSearchBase=DC\=main,DC\=lpa
# memberOf only matches the exact DN of an existing group; note that the group DN here
# (OU=ЛПИ,DC=main,DC=lpi) differs from the one in the differential query and from the
# domain of userSearchBase, so the full and differential runs select different users.
# The 512 bit (NORMAL_ACCOUNT) is also set on disabled accounts; (!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)) would exclude them.
ldap.synchronization.personQuery=(&(objectClass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПИ,DC\=main,DC\=lpi)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# sAMAccountName becomes the Alfresco userName; it must match an existing local user exactly for the two to be the same person
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.personType=user
# disabled AD accounts (bit 2 set) are still imported, but marked disabled in Alfresco
ldap.synchronization.userAccountStatusProperty=userAccountControl

#group AD
ldap.synchronization.groupSearchBase=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa
ldap.synchronization.groupType=group
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.groupIdAttributeName=cn
#sync
# false = full sync (every run re-reads all users), true = differential sync using the timestamp clause
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
# Quartz expression (sec min hour day-of-month month day-of-week): daily at midnight
synchronization.import.cron=0 0 0 ? * *
#synchronization.import.cron=0 */30 * * * ?
ldap.synchronization.enableProgressEstimation=true

Edit: You misunderstood me. What I am trying to do is to create an AD user from an Alfresco user. For example, I have a user in Alfresco and I want to sync this user to AD, so that there is a synced version of the Alfresco user in AD. I am really bad at English, so I will provide a very simple example:

Before sync:
    alfresco users:
       john121 
       bob121
    AD users:
       Helen5
       Maria1
After sync:
    alfresco users:
       john121 
       bob121
       Helen5
       Maria1
    AD users:
       john121 
       bob121
       Helen5
       Maria1

Is there a way to sync in both directions? If not, what can I do to solve this problem? Thanks in advance.

john2994
  • Does full synchronization complete successfully? Please see `alfresco.log`. Is there information about the sync (errors etc.)? – ERemarque Feb 18 '21 at 14:54
  • If this information is not enough, it makes sense to enable debugging for detailed logging. – ERemarque Feb 18 '21 at 15:20
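As an added example (not part of the question, the comments, or Alfresco itself), here is a small linter for an ldap-ad properties file like the one above. It undoes the Java .properties escaping and then checks the things that make a full sync quietly import nobody, or a different set than the differential run: a memberOf group DN whose domain components differ from userSearchBase, a differential query that drifts from the full query beyond the timestamp clause, the userAccountControl bit filter that still matches disabled accounts, an unrecognised home-folder provider name, and a bind password sitting in the file. The sample properties are constructed from the question's settings (with the group-DN mismatch and a misspelled provider name left in so the checks have something to find); the list of recognised home-folder providers is an assumption limited to the two default beans.

```python
"""Lint Alfresco ldap-ad subsystem properties for mistakes that make a sync select
the wrong users. Added example, not Alfresco code."""
import re
from typing import Dict, List, Set

# Constructed sample: the question's settings reduced to the keys the checks read.
SAMPLE_PROPERTIES = r"""
ldap.synchronization.userSearchBase=DC\=main,DC\=lpa
ldap.synchronization.personQuery=(&(objectClass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПИ,DC\=main,DC\=lpi)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProviderr
ldap.synchronization.java.naming.security.principal=lpa\\ixis_dc
ldap.synchronization.java.naming.security.credentials=changeme
"""
# The same file with the group DN and the provider name corrected.
FIXED_PROPERTIES = SAMPLE_PROPERTIES.replace(
    r"OU\=ЛПИ,DC\=main,DC\=lpi", r"OU\=ЛПА,DC\=main,DC\=lpa").replace("Providerr", "Provider")


def unescape(value: str) -> str:
    """Undo .properties backslash escaping (\\= \\: \\\\ \\n \\t); \\uXXXX is not handled."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for a one-entry-per-line .properties file (no line continuations)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i, key = 0, []
        while i < len(line) and line[i] not in "=: \t":   # key ends at first unescaped separator
            if line[i] == "\\" and i + 1 < len(line):
                key.append(line[i + 1])
                i += 2
            else:
                key.append(line[i])
                i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props["".join(key)] = unescape(rest)
    return props


def dc_components(dn: str) -> List[str]:
    """Domain components of a DN, lowercased (naive split; escaped commas in RDNs are not handled)."""
    return [p.split("=", 1)[1].strip().lower()
            for p in dn.split(",") if p.strip().lower().startswith("dc=")]


def member_of_dns(ldap_filter: str) -> List[str]:
    return re.findall(r"\(memberOf=([^)]+)\)", ldap_filter, re.IGNORECASE)


# Assumption: only the two default home-folder provider beans are recognised here.
KNOWN_HOME_PROVIDERS = {"userHomesHomeFolderProvider", "companyHomeFolderProvider"}
UAC_BIT_AND = "userAccountControl:1.2.840.113556.1.4.803:="   # LDAP_MATCHING_RULE_BIT_AND


def lint(props: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    base = props.get("ldap.synchronization.userSearchBase", "")
    full = props.get("ldap.synchronization.personQuery", "")
    diff = props.get("ldap.synchronization.personDifferentialQuery", "")
    ts_attr = props.get("ldap.synchronization.modifyTimestampAttributeName", "modifyTimestamp")

    # memberOf matches only the exact DN of an existing group, so a group in another
    # domain than the search base selects nobody.
    for name, flt in (("personQuery", full), ("personDifferentialQuery", diff)):
        for dn in member_of_dns(flt):
            if dc_components(dn) != dc_components(base):
                findings.append(f"DN-MISMATCH: {name} uses memberOf={dn}, outside userSearchBase {base}")

    # The differential query should be the full query plus the timestamp clause, nothing else.
    if full and diff and diff.replace(f"(!({ts_attr}<={{0}}))", "").lower() != full.lower():
        findings.append("DIFF-DRIFT: personDifferentialQuery and personQuery select different user sets")

    # Bit 512 (NORMAL_ACCOUNT) is set on disabled accounts too; bit 2 is ACCOUNTDISABLE.
    if f"{UAC_BIT_AND}512" in full and f"(!({UAC_BIT_AND}2))" not in full:
        findings.append("UAC-512: filter still matches disabled accounts; add "
                        f"(!({UAC_BIT_AND}2)) or rely on userAccountStatusProperty")

    provider = props.get("ldap.synchronization.defaultHomeFolderProvider")
    if provider and provider not in KNOWN_HOME_PROVIDERS:
        findings.append(f"UNKNOWN-HOME-PROVIDER: {provider} is not a known provider bean")

    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("CLEARTEXT-CREDENTIALS: bind password is in the file; restrict it to the Alfresco service account")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_properties(text))


def finding_codes(findings: List[str]) -> Set[str]:
    return {f.split(":", 1)[0] for f in findings}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_PROPERTIES), ("corrected", FIXED_PROPERTIES)):
        print(f"== {label} ==")
        for finding in lint_text(text):
            print(" ", finding)
```

Run it against the real alfresco-global.properties and fix everything it reports except the last two before reading alfresco.log; a DN-MISMATCH or DIFF-DRIFT finding explains a sync that "completes" but changes nothing.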

2 Answers


There is no supported way of synchronizing locally created Alfresco users to an AD server.
Using the above settings you can sync users into Alfresco from the AD server, but not the other way round.

Regarding this case:
AD is a centralized system for administration and authorization and a single place for storing objects such as users, groups and OUs (an LDAP server). Therefore, good practice is to create and manage objects in one place and to have the ability to request the data via LDAP (as the Alfresco API does). Otherwise you can get confusion, sync conflicts and security breaches. In your case the Alfresco admin would get the ability to create users in the domain, which should not be.

ERemarque

These are the different ways to sync LDAP users into Alfresco.

For Alfresco Community Edition:

  1. The basic way, via configuration properties: by default, a differential sync is done on synchronization subsystem startup (on Alfresco startup) and also via the corresponding cron job:

synchronization.syncOnStartup=true

synchronization.import.cron=0 0 0 * * ?

http://docs.alfresco.com/5.0/concepts/sync-props.html

  2. Via OOTBee Support Tools: go to OOTBee Support Tools > Scheduled Jobs and execute the ldapPeopleJobDetail job.

https://github.com/OrderOfTheBee/ootbee-support-tools/wiki/Scheduled-Jobs

  3. Via the JavaScript Console: this is a nice tip for the JavaScript Console. You can run code for triggering a Quartz job (the ldapPeopleJobDetail job, for example) or for executing the user synchronizer.

https://gist.github.com/AFaust/beaa309837397abf961f#file-triggerusersynchintxn-js

Follow the link for the best practices of LDAP integration.

Arjun