I need to sync LDAP user accounts in Alfresco.
In LDAP you can see "userAccountControl" = Account disabled... but in Alfresco it appears with the account active...
Any idea?
Sorry for my English.
Hi Angel:
LDAP synchronization user queries (configured in the ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery parameters) should not include disabled users. Check the corresponding queries with the Apache Directory Studio tool. Anyway, if users are **really** disabled in your LDAP, you won't be able to log in to Alfresco.
Regards.
--C.
Cesar Capillas: The default settings do not exclude disabled users. The default LDAP/AD query
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
only specifies that the account must be a "regular user account". In order to exclude a disabled user you need to explicitly disallow synchronisation of any user with that flag:
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))
(a similar change needs to be made to the personDifferentialQuery)
The regular LDAP subsystem does not even have a notion of disabled users in its default queries and thus will not filter anything out.
The default is sensible in the way that it does not immediately delete a user (and their preferences, site memberships etc.) just because they may have been disabled temporarily (i.e. maternity leave, sabbatical, extended medical leave). Changes to the queries need to be based on the corporate user management principles and reflect the best approach for the specific processes in use for the organisation...
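Added example (not from the thread and not Alfresco code): a small evaluator for the subset of LDAP filter syntax used in the two personQuery values above, run against constructed entries, to show that the default query still returns a disabled account while the amended one does not. The entry names, the single-valued objectclass and the helper names are assumptions made for the illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: true when (value & mask) == mask

# The two personQuery filters from the thread, without the .properties backslash escapes.
DEFAULT_QUERY = "(&(objectclass=user)(userAccountControl:%s:=512))" % BIT_AND
AMENDED_QUERY = ("(&(objectclass=user)(userAccountControl:%s:=512)"
                 "(!(userAccountControl:%s:=2)))" % (BIT_AND, BIT_AND))

def matches(flt, entry):
    """Evaluate the filter subset used above: AND, NOT, equality, bit-AND rule."""
    result, rest = _node(flt, entry)
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return result

def _node(s, entry):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s.startswith("&"):
        s, ok = s[1:], True
        while s.startswith("("):
            r, s = _node(s, entry)
            ok = ok and r
    elif s.startswith("!"):
        r, s = _node(s[1:], entry)
        ok = not r
    else:
        m = re.match(r"([\w-]+)(?::([\d.]+):)?=([^()]*)", s)
        if not m:
            raise ValueError("bad filter item at %r" % s)
        (attr, rule, value), s = m.groups(), s[m.end():]
        have = entry.get(attr.lower())
        if rule == BIT_AND:
            ok = have is not None and (int(have) & int(value)) == int(value)
        else:
            ok = have is not None and str(have).lower() == value.lower()
    if not s.startswith(")"):
        raise ValueError("expected ')' at %r" % s)
    return ok, s[1:]

# Constructed entries (objectclass simplified to one value).
# 546 = 2 + 32 + 512: disabled, no password required, normal account.
ENTRIES = [
    {"samaccountname": "active.user", "objectclass": "user", "useraccountcontrol": 512},
    {"samaccountname": "disabled.user", "objectclass": "user", "useraccountcontrol": 546},
]

def synced(flt):
    """Names of the constructed entries that the given filter would return."""
    return [e["samaccountname"] for e in ENTRIES if matches(flt, e)]
```

Calling `synced(DEFAULT_QUERY)` and `synced(AMENDED_QUERY)` gives the two result sets to compare.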
I don't think I have understood you. I have tried these statements in
alfresco-global.properties:
ldap.synchronization.userAccountControl=true
ldap.synchronization.userAccountStatusProperty=userAccountControl
#ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
#ldap.synchronization.disabledAccountPropertyValue=true
#ldap.synchronization.externalUserControl=true
#ldap.synchronization.externalUserControlSubsystemName=ldap-ad1
#ldap.synchronization.allowDeletions=true
But in Alfresco the accounts of the users in question still do not show as
disabled.
The userAccountControl field contains
"[ AccountDisabled\, NoPasswordRequired\, NormalAccount ]"
Which statement should I put in alfresco-global.properties so that it
appears as disabled?
Thanks.