¿How can I sync LDAP user accounts in Alfresco 3.4?

angelmartinboni
Active Member

¿How can I sync LDAP user accounts in Alfresco 3.4?

I need to sync LDAP user accounts in Alfresco.

In LDAP you can see "userAccountControl" = Account disabled... but in Alfresco it appears with the account active...

Any idea?

Sorry for my English.

4 Replies
cesarista
Customer

Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?

Hi Angel:

LDAP synchronization user queries (configured in the ldap.synchronization.personQuery and ldap.synchronization.personDifferentialQuery parameters) should not include disabled users. Check the corresponding queries with the Apache Directory Studio tool. Anyway, if users are **really** disabled in your LDAP, you won't be able to log in to Alfresco.

Regards.

--C.

afaust
Master

Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?

Cesar Capillas: The default settings do not exclude disabled users. The default LDAP/AD query

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

only specifies that the account must be a "regular user account". In order to exclude a disabled user you need to explicitly disallow synchronisation of any user with that flag:

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))

(a similar change needs to be made to the personDifferentialQuery)

The regular LDAP subsystem does not even have a notion of disabled users in its default queries and thus will not filter anything out.

The default is sensible in the way that it does not immediately delete a user (and their preferences, site memberships etc.) just because they may have been disabled temporarily (i.e. maternity leave, sabbatical, extended medical leave). Changes to the queries need to be based on the corporate user management principles and reflect the best approach for the specific processes in use for the organisation...
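Added example, not part of the original thread and not Alfresco code: a small Python evaluator for the filter subset used in the two personQuery values above, run against constructed directory entries. It shows that the bitwise-AND rule with 512 still selects a disabled account (546, the flag combination reported later in this thread) until the `(!(...=2))` clause is added; the entries, function names and flag table are assumptions for illustration.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the queries
# userAccountControl flag values for the flags named in this thread
FLAGS = {"AccountDisabled": 2, "NoPasswordRequired": 32, "NormalAccount": 512}

DEFAULT_QUERY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"
HARDENED_QUERY = (r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
                  r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))")

ENTRIES = [  # constructed sample entries, not real directory data
    {"cn": "alice", "objectclass": "user", "useraccountcontrol": 512},
    {"cn": "bob", "objectclass": "user", "useraccountcontrol": sum(FLAGS.values())},  # 546
    {"cn": "carol", "objectclass": "user", "useraccountcontrol": 512 | 2},            # 514
    {"cn": "ws01$", "objectclass": "user", "useraccountcontrol": 4096},  # workstation trust
]

def unescape_properties(value):
    """Undo the .properties escaping of '=' and ':' seen in alfresco-global.properties."""
    return re.sub(r"\\([=:])", r"\1", value)

def parse(f, i=0):
    """Parse only the subset used here: (&...), (!...), (attr=v), (attr:OID:=v)."""
    assert f[i] == "("
    if f[i + 1] in "&!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    lhs, value = f[i + 1:end].split("=", 1)
    attr, _, rule = lhs.rstrip(":").partition(":")
    return ("match", attr.lower(), rule, value), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(kid, entry) for kid in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    actual = entry.get(attr)
    if rule == BIT_AND:  # true only when every bit of `value` is set in the attribute
        return actual is not None and int(actual) & int(value) == int(value)
    return str(actual).lower() == value.lower()

def synced(query, entries=ENTRIES):
    """Return the cn of every entry the given personQuery would synchronise."""
    tree, _ = parse(unescape_properties(query))
    return [e["cn"] for e in entries if matches(tree, e)]
```

`synced(DEFAULT_QUERY)` includes the two disabled accounts, while `synced(HARDENED_QUERY)` leaves only the enabled regular user.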

angelmartinboni
Active Member

Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?

I think I have not understood you. I have tried these statements in alfresco-global.properties:

ldap.synchronization.userAccountControl=true

ldap.synchronization.userAccountStatusProperty=userAccountControl

#ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled

#ldap.synchronization.disabledAccountPropertyValue=true

#ldap.synchronization.externalUserControl=true

#ldap.synchronization.externalUserControlSubsystemName=ldap-ad1

#ldap.synchronization.allowDeletions=true

But in Alfresco the accounts of the users in question still do not show as disabled.

The userAccountControl field has

"[ AccountDisabled\, NoPasswordRequired\, NormalAccount ]"

Which statement should I put in alfresco-global.properties so that it appears disabled?

Thank you.

2017-08-01 11:54 GMT+02:00 afaust <kristen.gastaldo@alfresco.com>:

Alfresco Community

<https://community.alfresco.com/?et=watches.email.thread>

Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?

reply from Axel Faust

<https://community.alfresco.com/people/afaust?et=watches.email.thread> in *Alfresco

Content Services (ECM)* - View the full discussion

<https://community.alfresco.com/message/819076-re-how-can-i-sync-ldap-user-accounts-in-alfresco-34?commentID=819076&et=watches.email.thread#comment-819076>

angelmartinboni
Active Member

Re: ¿How can I sync LDAP user accounts in Alfresco 3.4?

I think I don't understand you. I tried with these sentences in the alfresco-global.properties:

ldap.synchronization.userAccountControl=true

ldap.synchronization.userAccountStatusProperty=userAccountControl

#ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled

#ldap.synchronization.disabledAccountPropertyValue=true

#ldap.synchronization.externalUserControl=true

#ldap.synchronization.externalUserControlSubsystemName=ldap-ad1

#ldap.synchronization.allowDeletions=true

But in Alfresco the account of the users in question is still not enabled.

The userAccountControl field has "[AccountDisabled\, NoPasswordRequired\, NormalAccount]" from LDAP records...

What sentence in the alfresco-global.properties should you put to appear disabled?

Thank you.
