Local User / AD user sync deletion.

muthu_domain
Active Member

Local User / AD user sync deletion.

Hi,

We have a few users in the Alfresco local database and we have migrated some of the users to AD. My question is:

1. If we do a full sync with AD and enable synchronization.allowDeletions, will it affect local users in Alfresco? Because our existing user query in the ldap-ad chain brought all the computer and service accounts into Alfresco. The existing person query in the ldap-ad chain is (&(objectclass=user)).

2. If I modify the user query to (&(objectclass=user)(userAccountControl=512)), it will bring only active users from AD. Will all the junk users get cleaned up if I only modify the query alone, or do I need to do a full sync with AD anyway?

2 Replies
cesarista
Customer

Re: Local User / AD user sync deletion.

Hi:

1. If we do a full sync with AD and enable synchronization.allowDeletions, will it affect local users in Alfresco?

> Do you mean if some username collides? I would say that it only affects chain authentication (you may log in with two passwords in general), but the user in Alfresco belongs to two authentication zones, so I think it won't be deleted.

Because our existing user query in the ldap-ad chain brought all the computer and service accounts into Alfresco. The existing person query in the ldap-ad chain is (&(objectclass=user)).

> To avoid this you should define a more precise query or make an approximation like this:

Technical Tips & Tricks: Best Practices for Managing User Import into Alfresco from Active Directory 


2. If I modify the user query to (&(objectclass=user)(userAccountControl=512)), it will bring only active users from AD. Will all the junk users get cleaned up if I only modify the query alone, or do I need to do a full sync with AD anyway?

> To clean up your computer and service accounts, you will need a full sync with deletions on a new user query that excludes all those computer and service accounts. The above link probably does the right sync. Another simple trick for starting from zero (without LDAP users) is to change to a virtual userSearchBase so the resulting query gives zero users, and do a full sync. Later, just put in the correct user query. You can check the queries with Apache Directory Studio, for example.

Regards.

--C.
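The effect of the queries discussed in this thread can be checked offline before touching the sync configuration. The following is an added example, not code from the thread or from Alfresco: a small evaluator for the subset of LDAP filter syntax these queries use, run against constructed directory entries (the DNs, account names and userAccountControl values are made up for illustration). It compares the chain's current query, the poster's proposed `userAccountControl=512` query, and a bit-mask query that excludes disabled accounts and computer objects, and it also shows the "virtual userSearchBase" trick from the reply, where a search base that matches nothing yields zero users.

```python
"""Added example (not Alfresco's code): evaluate AD-style LDAP person queries
against constructed entries to compare what each query would import."""

# Documented userAccountControl flag bits in Active Directory.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200               # 512
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000    # set on computer objects
UF_DONT_EXPIRE_PASSWD = 0x10000

# AD extensible-match rule LDAP_MATCHING_RULE_BIT_AND: true when every bit of
# the filter value is set in the attribute value.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def entry(cn, ou, uac, sam=None, category="person", extra_class=()):
    """Build a constructed sample entry. objectCategory is kept in its short
    form here; real AD stores a schema DN and resolves the short form."""
    return {"dn": "CN=%s,OU=%s,DC=example,DC=com" % (cn, ou),
            "sAMAccountName": sam or cn,
            "objectClass": ["top", "person", "organizationalPerson", "user", *extra_class],
            "objectCategory": category, "userAccountControl": uac}


# Constructed sample directory (not real accounts).
ENTRIES = [
    entry("alice", "Staff", UF_NORMAL_ACCOUNT),                                # 512
    entry("bob", "Staff", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),          # 66048
    entry("carol", "Staff", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),            # 514, disabled
    entry("WS01", "Computers", UF_WORKSTATION_TRUST_ACCOUNT, sam="WS01$",
          category="computer", extra_class=("computer",)),                    # computer object
    entry("svc_backup", "Service Accounts", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
]


def parse_filter(text, pos=0):
    """Recursive-descent parser for the filter subset used here:
    (&...), (|...), (!...), (attr=value) and (attr:OID:=value).
    Escapes, substring and ordering matches are not handled."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    lhs, value = text[pos:end].split("=", 1)
    if lhs.endswith(":"):                     # extensible match attr:rule:=value
        attr, rule, _ = lhs.split(":")
        return ("ext", attr, rule, value), end + 1
    return ("eq", lhs, value), end + 1


def attr_values(entry, name):
    """Attribute names are case-insensitive in LDAP; always return a list."""
    for key, val in entry.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":                          # plain equality (integers compare as text)
        _, attr, value = node
        return any(str(v).lower() == value.lower() for v in attr_values(entry, attr))
    _, attr, rule, value = node
    if rule != LDAP_MATCHING_RULE_BIT_AND:
        raise ValueError("unsupported matching rule " + rule)
    mask = int(value)
    return any(int(v) & mask == mask for v in attr_values(entry, attr))


def select(query, base=None, entries=ENTRIES):
    """Return the sAMAccountNames a sync would import for `query` under search
    base `base` (None = whole directory)."""
    node, _ = parse_filter(query)
    out = []
    for e in entries:
        if base is not None and not e["dn"].lower().endswith("," + base.lower()):
            continue
        if matches(node, e):
            out.append(e["sAMAccountName"])
    return sorted(out)


# The chain's current query, the poster's proposed query, and a query that keeps
# enabled person objects only (computer objects carry objectClass=user too).
QUERY_ALL_USERS = "(&(objectclass=user))"
QUERY_UAC_512 = "(&(objectclass=user)(userAccountControl=512))"
QUERY_ENABLED_PERSONS = ("(&(objectCategory=person)(objectClass=user)"
                         "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

if __name__ == "__main__":
    for label, q in [("all users", QUERY_ALL_USERS), ("uac=512", QUERY_UAC_512),
                     ("enabled persons", QUERY_ENABLED_PERSONS)]:
        print("%-16s %s" % (label, select(q)))
    print("%-16s %s" % ("staff OU only", select(QUERY_ENABLED_PERSONS, "OU=Staff,DC=example,DC=com")))
    # The reply's "virtual userSearchBase" trick: a base that matches nothing.
    print("%-16s %s" % ("empty base", select(QUERY_ENABLED_PERSONS, "OU=Nothing,DC=example,DC=com")))
```

Two points the run makes visible: `userAccountControl=512` is an exact integer match, so an enabled account that also has another flag set (here `bob`, with "password never expires", value 66048) is silently dropped, which is why the bit-mask form `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` is the usual way to exclude only disabled accounts; and a service account that is an ordinary user object is not excluded by any userAccountControl filter, so restricting the search base (Alfresco's `ldap.synchronization.userSearchBase`, with the query in `ldap.synchronization.personQuery`) or adding a group or OU condition is what actually keeps those out. As the reply says, changing the query alone only changes future imports; removing the accounts already created needs a full sync with deletions enabled.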

muthu_domain
Active Member

Re: Local User / AD user sync deletion.

Thanks for the clarification. It is helpful!