Tags: active-directory, alfresco, administration, system-administration

How to sync Alfresco users with AD


How to synchronize Alfresco users with Active Directory. When I create a user in AD, everything works fine: I can log in to Alfresco Share. But the Alfresco users that already exist don't sync with AD. Do I have to manually import them into AD? I have already tried turning full synchronization on, but it didn't help.

These are my properties:

#AD settings
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.1.20:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=Alf
ldap.authentication.java.naming.read.timeout=5000

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# DOMAIN\user bind account; a single backslash is written as \\ in a .properties file
ldap.synchronization.java.naming.security.principal=lpa\\ixis_dc
ldap.synchronization.java.naming.security.credentials=wlY9lXgliQDPJp8XbtZ1
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))

#user AD
ldap.synchronization.userSearchBase=DC\=main,DC\=lpa
# the memberOf group DN must lie in the same domain as userSearchBase, otherwise no user can match the query
ldap.synchronization.personQuery=(&(objectClass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.personType=user
ldap.synchronization.userAccountStatusProperty=userAccountControl

#group AD
ldap.synchronization.groupSearchBase=CN\=Пользователи СЭД,OU\=Users,OU\=ЛПА,DC\=main,DC\=lpa
ldap.synchronization.groupType=group
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.groupIdAttributeName=cn
#sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
# Quartz cron: every day at midnight
synchronization.import.cron=0 0 0 ? * *
# alternative: every 30 minutes
#synchronization.import.cron=0 */30 * * * ?
ldap.synchronization.enableProgressEstimation=true

Edit: You misunderstood me. What I am trying to do is to create an AD user from an Alfresco user. For example, I have a user in Alfresco and I want to sync this user to AD so that there is a synced version of the Alfresco user in AD. I am really bad at English, so I will provide a very simple example:

Before sync:
    alfresco users:
       john121 
       bob121
    AD users:
       Helen5
       Maria1
After sync:
    alfresco users:
       john121 
       bob121
       Helen5
       Maria1
    AD users:
       john121 
       bob121
       Helen5
       Maria1

Is there a way to sync in both directions? If not, what can I do to solve this problem? Thanks in advance.
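An added example (not from the original post and not Alfresco code) that checks a properties block like the one above offline, before restarting Alfresco. It reads the Java .properties escaping (`\=`, `\:`, `\\`) and flags three things that are easy to get wrong when the same DN is retyped in several properties: a memberOf DN in personQuery or personDifferentialQuery whose DC suffix differs from ldap.synchronization.userSearchBase (such a group lies outside the search base, so a full sync matches no users and nothing is imported); a userAccountControl bit filter for 512 (NORMAL_ACCOUNT) without a negated bit-2 (ACCOUNTDISABLE) clause (a disabled normal account has userAccountControl 514, and 514 & 512 is non-zero, so the filter still selects it); and a defaultHomeFolderProvider bean name outside an assumed list of known providers. The sample properties in the block are constructed with placeholder names (no real domain, group or credentials) and deliberately contain all three problems.

```python
"""Offline lint for an Alfresco ldap-ad synchronization properties block.

Added example, not part of the original post or of Alfresco itself.
Parsing is deliberately minimal: the first '=' separates key and value,
a backslash escapes the next character in the value (covers \\=, \\: and \\\\);
keys are assumed to contain no escapes, and \\uXXXX / line continuations
are not handled.
"""
import re
from typing import Dict, List, Tuple

UAC_BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                      # userAccountControl bit 2
NORMAL_ACCOUNT = 0x200                    # userAccountControl bit 512
# Assumed list of valid provider bean names (the two documented ones).
KNOWN_HOME_PROVIDERS = {"userHomesHomeFolderProvider", "companyHomeFolderProvider"}

# Constructed sample in the shape of the posted config: placeholder domain and
# group names, no credentials. It carries a DC typo in the personQuery memberOf
# DN, no ACCOUNTDISABLE exclusion in personQuery, and a misspelled provider.
SAMPLE_PROPERTIES = r"""
ldap.synchronization.userSearchBase=DC\=main,DC\=example
ldap.synchronization.personQuery=(&(objectClass\=user)(memberOf\=CN\=DMS Users,OU\=Users,OU\=Corp,DC\=main,DC\=exampel)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=CN\=DMS Users,OU\=Users,OU\=Corp,DC\=main,DC\=example)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2))(!(whenChanged<\={0})))
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProviderr
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Read key=value lines, skipping blanks and '#'/'!' comments, unescaping values."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props


def dn_domain_suffix(dn: str) -> str:
    """Return the normalised DC part of a DN, e.g. 'dc=main,dc=example'."""
    parts = re.split(r"(?<!\\),", dn)          # split on commas not escaped in the DN
    dcs = [p.strip().lower() for p in parts if p.strip().lower().startswith("dc=")]
    return ",".join(dcs)


def memberof_dns(ldap_filter: str) -> List[str]:
    """Extract the DN from every (memberOf=...) assertion in an unescaped filter."""
    return re.findall(r"\(memberOf=([^)]+)\)", ldap_filter, flags=re.IGNORECASE)


def uac_filter_excludes_disabled(ldap_filter: str) -> bool:
    """True if the filter has (!(userAccountControl:<BIT_AND>:=N)) with bit 2 set in N."""
    pattern = r"\(!\(userAccountControl:" + re.escape(UAC_BIT_AND) + r":=(\d+)\)\)"
    return any(int(n) & ACCOUNTDISABLE
               for n in re.findall(pattern, ldap_filter, flags=re.IGNORECASE))


def lint(props: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was detected."""
    findings: List[Tuple[str, str]] = []
    base = dn_domain_suffix(props.get("ldap.synchronization.userSearchBase", ""))
    bit_and = re.escape(f"userAccountControl:{UAC_BIT_AND}:=")
    for key in ("ldap.synchronization.personQuery",
                "ldap.synchronization.personDifferentialQuery"):
        flt = props.get(key, "")
        for dn in memberof_dns(flt):
            if base and dn_domain_suffix(dn) != base:
                findings.append(("domain-mismatch",
                                 f"{key}: memberOf group {dn!r} is outside the search base domain {base!r}"))
        if re.search(bit_and, flt, flags=re.IGNORECASE) and not uac_filter_excludes_disabled(flt):
            findings.append(("disabled-not-excluded",
                             f"{key}: bit filter on {NORMAL_ACCOUNT} also selects disabled accounts; "
                             f"add (!(userAccountControl:{UAC_BIT_AND}:={ACCOUNTDISABLE}))"))
    provider = props.get("ldap.synchronization.defaultHomeFolderProvider")
    if provider and provider not in KNOWN_HOME_PROVIDERS:
        findings.append(("unknown-home-provider",
                         f"defaultHomeFolderProvider {provider!r} is not a known bean name"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{code}] {msg}")
```

Run it against your own alfresco-global.properties by passing the file contents to `parse_properties`; an empty result from `lint` only means these three checks passed, it does not prove the bind account or the group DN exist on the domain controller, which still needs a live ldapsearch with the same bind credentials.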


Solution

  • There is no supported way of synchronizing locally created Alfresco users to an AD server.
    Using the above settings you can sync users into Alfresco from the AD server, but not conversely.

    Regarding this case:
    AD is a centralized system for administration and authorization, and a single place for storing objects such as users, groups and OUs (an LDAP server). Therefore, the good practice is to create and manage objects in one place and to have the ability to request the data via LDAP (like the Alfresco API). Otherwise you can get confusion, sync conflicts and security breaches. In your case the Alfresco admin would get the ability to create users in the domain, which should not be the case.