Multiple non-chained ADs - local group merge possible ?

cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
spam
Member II

Multiple non-chained ADs - local group merge possible ?

Hi,

I want to ask if it is possible to configure multiple subsystems (ADs) not chained together in a way that groups from ADs will be merged in alfresco to respective groups.

Example :

AD01 - domain.com (ldap.synchronization.groupSearchBase=OU=Afresco,OU=Security groups,DC=domain,DC=com)

AD02 - domain2.com (ldap.synchronization.groupSearchBase=OU=Afresco,OU=Security groups,DC=domain2,DC=com)

- Groups in the OUs will have same name i.e. CN=group1 , CN=group2 in both ADs

  • AD01 :
    • CN=group1,OU=Afresco,OU=Security groups,DC=domain,DC=com
    • CN=group2,OU=Afresco,OU=Security groups,DC=domain,DC=com
  • AD02 :
    • CN=group1,OU=Afresco,OU=Security groups,DC=domain2,DC=com
    • CN=group2,OU=Afresco,OU=Security groups,DC=domain2,DC=com

There is synchronization.allowDeletions option which has only true/false value, I need to join users from these groups to same group in Alfresco. This way I will be able to add users from both ADs to same local group synced in Alfresco and folders will have only one group as permission and it this group will contain users from both ADs.

When I set allowDeletions to true, users are overidden according to AD configuration order/priority.

When I set allowDeletions to false, users relations to groups from AD02 ignored / not synced to respective local groups from AD01.

Is this setup possible? Can someone advice ?

Thanks,
BR,

Martin

2 Replies
afaust
Master

Re: Multiple non-chained ADs - local group merge possible ?

The Alfresco synchronisation does not allow merging users of identically named groups from different user directories. This would disrupt the correct operation of the synchronisation components which always inspect individual user directories in isolation, without some significant re-implementation / customisation of the core synchronisation code of Alfresco. It could technically/logically be done with proper source tracking / differentiation logic, but not without any changes to Alfresco core code.

alxgomz
Established Member

Re: Multiple non-chained ADs - local group merge possible ?

As Axel mentionned that's not something Alfresco can do as it is basically LDAP manipulation.

If you don't feel like implementing it at the Alfresco level, you can use either an LDAP proxy (see openLDAP back-ldap or back-meta: OpenLDAP Software 2.4 Administrator's Guide: Backends ) Or you can create a aggregating LDAP directory using tools like LDAP Synchronization Connector [LSC] 

There are probably others but those are the one I know are working quite nicely.

You would then have to configure Alfresco to sync the proxy/aggregated directory