Skip to main content

Adding AD attributes to Alfresco User Profile

Alfresco is an enterprise content management solution. It can synchronize its user repository with Active Directory. When users are synchronized from Active Directory, Alfresco does not allow users to edit properties that are being synchronized with Active Directory.

By default Alfresco synchronizes certain user attributes to Alfresco Person object properties. Some of these include users' first name and last name. If you want to include custom attributes you need to make sure that you set them up in the Alfresco configuration files. 

There are different ways to modify and extend Alfresco. The safest way is to never touch any Alfresco properties in the WEB-INF/classes folder. They would get overridden when Alfresco is updated. 

Alfresco recommends using Spring Beans to extend and override configuration. Here is a wiki page from Alfresco that talks about how to achieve this http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Spring_Beans.

For the purposes of this article, I will assume that you have installed Alfresco in "/opt/Alfresco" folder. In this folder, you will see a tomcat folder. You will see that alfresco.war is deployed into Tomcat as a web application. To make changes and create Spring Beans to extend configurations in Alfresco, instead of making changes in the exploded war files, Alfresco recommends making the changes in the "tomcat/shared/classes/alfresco/extension".

Since we are working with Authentication Subsystems (such as ldap), to handle synchronizing custom attributes from Active Directory, go ahead and create a subdirectories under the "extension" directory that has the following structure "subsystems/Authentication/ldap-ad/ldap1". 

This structure will allow Alfresco to override Alfresco's deployed ldap-ad Authentication Subsystem configuration. The ldap1 corresponds to Authentication configuration in the alfresco-global.properties. I defined my Authentication chain in to be "authentication.chain=passthru1:passthru,ldap1:ldap-ad". In this you can see I defined my "ldap-ad" subsystem to be "ldap1". 

In the "ldap1" directory, go ahead and create a file called "common-ldap-context.xml". Exploded Alfresco war files already contains this file in the following directory "/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml". You can copy the contents of this file to the file you created. 

At this point if you were to start Alfresco you would see no change in your instance. 

To synchronize additional user attributes, go ahead and edit the "common-ldap-context.xml" in the "ldap1" directory. In this file you will see a section that looks like
<property name="personAttributeMapping">
<map>
<entry key="cm:userName">
<!-- Must match the same attribute as userIdAttributeName -->
<value>${ldap.synchronization.userIdAttributeName}</value>
</entry>
<entry key="cm:firstName">
<!-- OpenLDAP: "givenName" -->
<!-- Active Directory: "givenName" -->
<value>${ldap.synchronization.userFirstNameAttributeName}</value>
</entry>
<entry key="cm:lastName">
<!-- OpenLDAP: "sn" -->
<!-- Active Directory: "sn" -->
<value>${ldap.synchronization.userLastNameAttributeName}</value>
</entry>
<entry key="cm:email">
<!-- OpenLDAP: "mail" -->
<!-- Active Directory: "???" -->
<value>${ldap.synchronization.userEmailAttributeName}</value>
</entry>
<entry key="cm:organizationId">
<!-- OpenLDAP: "o" -->
<!-- Active Directory: "???" -->
<value>${ldap.synchronization.userOrganizationalIdAttributeName}</value>
</entry>
<!-- Always use the default -->
<entry key="cm:homeFolderProvider">
<null/>
</entry>
</map>
</property>

This bean definition basically tell Alfresco how to map ldap properties to Alfresco Person object properties. You can find the available list of Person properties by looking at the "contentModel.xml" file. Alfresco uses these xml files to define its dataModel. The "contentModel.xml" file is where the Person object properties are defined. The contentModel.xml file is located in "tomcat/webapps/alfresco/WEB-INF/classes/alfresco/model/contentModel.xml"

One of the things that I wanted to synchronize with my AD was the "mobile" attribute. To synchronize this with Alfresco, I went ahead and added the following entry into the above bean definition.
<entry key="cm:mobile">
<value>mobile</value>
</entry>
The value "mobile" matches the AD attribute name. As you can see I did not use a property place holder in my example as the rest of the entries in the bean definition. You are encouraged to do that. You can define this property place holders in your "alfresco-global.properties" file. 

Comments

Antonio said…
This comment has been removed by the author.