Synchronize user account status - Alfresco Content Services 23.4

Platform: Alfresco
Product: Alfresco Content Services
Release: 23.4
Use this information to synchronize the enabled or disabled directory user status after an LDAP sync.

Different LDAP directories store data in different formats. For example, Active Directory has an attribute called userAccountControl where the second bit (0x2) is an ACCOUNTDISABLE flag, Oracle Directory Server has an attribute called pwdAccountLockedTime, and LDAP systems derived from Netscape Directory Server (NDS) have a nsAccountLock attribute.

The values of these attributes need to be mapped onto a boolean property on the cm:person node. To do this, configure the attributes as follows:

  1. Download the default-synchronization.properties file.
  2. Open the <classpathRoot>/alfresco-global.properties file.
  3. Add one of these entries to your configuration, depending on the directory server used. For example:
     1. For LDAP-AD, add the following properties to the alfresco-global.properties file:

            synchronization.externalUserControl=true
            synchronization.externalUserControlSubsystemName=ldap1

     2. For OpenLDAP, add the following properties to the alfresco-global.properties file:

            synchronization.externalUserControl=true
            synchronization.externalUserControlSubsystemName=ldap1
            ldap.synchronization.userAccountStatusProperty=pwdAccountLockedTime
            ldap.synchronization.disabledAccountPropertyValue=000001010000Z

     3. For Netscape Directory Server systems (Oracle, Red Hat, 389 DS), add the following properties to the alfresco-global.properties file:

            synchronization.externalUserControl=true
            synchronization.externalUserControlSubsystemName=ldap1
            ldap.synchronization.userAccountStatusProperty=nsAccountLock
            ldap.synchronization.disabledAccountPropertyValue=true

  4. Copy this file into the <extension> directory.
  5. Read the above-mentioned property from LDAP and set it in ldap.synchronization.userAccountStatusProperty. For example:

         ldap.synchronization.userAccountStatusProperty=nsAccountLock

  6. The next configuration step is how to process the value of that property into a boolean true/false value. To do that there is an adapter bean, userAccountStatusInterpreter, that is plugged into the userRegistry bean via Spring.

     The configuration parameter ldap.synchronization.userAccountStatusInterpreter can be either ldapadUserAccountStatusInterpreter or ldapUserAccountStatusInterpreter. This setting instructs the system how to process the value of ldap.synchronization.userAccountStatusProperty.

     1. For LDAP-AD:

            ldap.synchronization.userAccountStatusInterpreter=ldapadUserAccountStatusInterpreter

     2. For non-AD LDAP:

            ldap.synchronization.userAccountStatusInterpreter=ldapUserAccountStatusInterpreter
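As an added illustration (not Alfresco's own code), the following Python models what the two interpreter settings do with the raw attribute value: the AD interpreter tests the ACCOUNTDISABLE bit (0x2) of userAccountControl, while the generic one compares the attribute against ldap.synchronization.disabledAccountPropertyValue. Treating a missing attribute as enabled and comparing case-insensitively are assumptions of this model, not documented Alfresco behaviour; the sample entries are constructed.

```python
# Added illustration (not Alfresco's code): a minimal model of how the two
# userAccountStatusInterpreter settings turn a raw LDAP attribute into the
# boolean "enabled" status that the sync writes onto the cm:person node.
from dataclasses import dataclass
from typing import Optional

ACCOUNTDISABLE = 0x2  # second bit of Active Directory's userAccountControl


@dataclass
class SyncConfig:
    interpreter: str                     # ldap.synchronization.userAccountStatusInterpreter
    status_property: str                 # ldap.synchronization.userAccountStatusProperty
    disabled_value: Optional[str] = None  # ldap.synchronization.disabledAccountPropertyValue


def is_enabled(entry: dict, cfg: SyncConfig) -> bool:
    """Return True if the directory entry should map to an enabled cm:person."""
    raw = entry.get(cfg.status_property)
    if raw is None:
        return True  # assumption: no status attribute means the account is not locked
    value = raw[0] if isinstance(raw, list) else raw  # LDAP attributes are multi-valued
    if cfg.interpreter == "ldapadUserAccountStatusInterpreter":
        # AD: userAccountControl is a decimal bit field; test the ACCOUNTDISABLE flag.
        return (int(value) & ACCOUNTDISABLE) == 0
    if cfg.interpreter == "ldapUserAccountStatusInterpreter":
        # Other directories: the account is disabled when the attribute equals the
        # configured marker (assumed case-insensitive so nsAccountLock=TRUE matches).
        return str(value).strip().lower() != str(cfg.disabled_value).strip().lower()
    raise ValueError(f"unknown interpreter: {cfg.interpreter}")


# One configuration per directory flavour described in the steps above.
AD = SyncConfig("ldapadUserAccountStatusInterpreter", "userAccountControl")
OPENLDAP = SyncConfig("ldapUserAccountStatusInterpreter", "pwdAccountLockedTime", "000001010000Z")
NDS = SyncConfig("ldapUserAccountStatusInterpreter", "nsAccountLock", "true")

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "ad_active":    ({"userAccountControl": ["512"]}, AD),   # NORMAL_ACCOUNT
    "ad_disabled":  ({"userAccountControl": ["514"]}, AD),   # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "ol_locked":    ({"pwdAccountLockedTime": ["000001010000Z"]}, OPENLDAP),
    "ol_unlocked":  ({}, OPENLDAP),
    "nds_locked":   ({"nsAccountLock": ["TRUE"]}, NDS),
    "nds_unlocked": ({"nsAccountLock": ["false"]}, NDS),
}


def sync_status() -> dict:
    """Evaluate every sample entry; each value is what would land on cm:person."""
    return {name: is_enabled(entry, cfg) for name, (entry, cfg) in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, enabled in sync_status().items():
        print(f"{name:12s} -> {'enabled' if enabled else 'disabled'}")
```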