AD user status Sync

muthu_domain · ‎2 Aug 2018

Hi,

we have alfresco 5.2 in our environment. we have a couple of active directory domain and which is mapped in alfresco. previously we have all the users (including disabled and active users) in the alfresco.

issue 1:

we have modified the person query and enabled "synchronization.allowDeletions" in ldap-ad-authentication.properties to perform a full sync with the AD.

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true

After we restarted the service with the above configuration, we still can see the users in alfresco which are already got deleted in AD.

issue 2:

we also configured the user status to be reflected in the alfresco, hence we modified the alfresco-global.properties with the below parameters.

authentication.chain=alfinst:alfrescoNtlm,passthru1assthru,ad1:ldap-ad,ad2:ldap-ad,ad3:ldap-ad,ad4:ldap-ad
### user account status syncronization ###
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ad1,ad2,ad3,ad4
ldap.synchronization.userAccountStatusProperty=userAccountControl
ldap.synchronization.disabledAccountPropertyValue=514

after we restarted the alfresco service, we still see that user status (enabled/disabled) is not reflected in alfresco. users which are disabled in AD is still active in alfresco.

let me know what could be the issue here. our final goal is to do a full sync with active users in alfresco. if the user is disabled, the same should be reflected in alfresco as well.

Appreciate your help!

hardik1512 · ‎2 Aug 2018

Changing synchronization.synchronizeChangesOnly to false means the scheduled job for synchronization runs in Full Mode. Not sure that full mode is triggered in server startup as well.

You can try running the job by either changing the cron or using jconsole.

cesarista · ‎2 Aug 2018

In fact, it is not. Full mode is not triggered in startup. A trick for doing this in the startup is doing ldap.synchronization.personQuery the same as ldap.synchronization.personDifferentialQuery

Regards.

--C.

muthu_domain · ‎7 Aug 2018

Hi Cesar,

still the issue is not resolved. even i have made changes in alfresco-global.properties and ldap-ad subsystem properties with below values:

on both alfresco-global.properties and ldap-ad.properties:

synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true

On alfresco-global.properties:

synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=false
#synchronization.import.cron=* * * * * ?
synchronization.import.cron=* 0/10 * * * ?
ldap.synchronization.enableProgressEstimation=true

ldap.synchronization.userAccountStatusInterpreter=ldapadUserAccountStatusInterpreter

### user account status syncronization ###
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ad2,ad4
ldap.synchronization.userAccountStatusProperty=userAccountControl
ldap.synchronization.disabledAccountPropertyValue=514

after i restarted alfresco service, still i can see old users in alfresco and their user status also NOT synced. let me know is this functionality will work with alfresco with AD configuration or is there something which i'm missing.

cesarista · ‎9 Aug 2018

Try with this aprox:

Technical Tips & Tricks: Best Practices for Managing User Import into Alfresco from Active Directory

Regards.

--C.