I have an Alfresco Community 4.2.e running and synchronized with Active Directory with functional level 2008. I import users and groups from Active Directory.

From ldap-ad-authentication.properties:

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

For political reasons in my organization, I need group names to be renamable without losing any functionality. If I map the groupIdAttribute from Alfresco to the 'cn' attribute from Active Directory, and someone changes the name of a group, the result is that all the associations of the group are deleted and people leave their sites.

My question: Is there any attribute from Active Directory that I could use as a unique identifier for my groups in Alfresco? Obviously this ID has to be 'rename consistent', as the groups are in my Active Directory environment.

HopelessN00b
jrbuleo

1 Answer

Unfortunately, Alfresco's repository is not designed to support name changes for users and groups (authorities). You may change the display name by using the Alfresco API, but this is not what you are looking for. By default, a name change of a group in AD will result in a delete and recreate with all consequences (any grants to these groups would be removed).

In theory your expected behavior could be extended for groups only by adding a unique id property to the authorityContainer in Alfresco (e.g. SID from AD). Additionally the sync logic needs to be extended to sync authorityContainers based on a unique ID instead of group CNs (and update authorityName and authorityDisplayName).

For renaming users in AD this approach wouldn't work, since usernames are used internally in Alfresco as a foreign key (!). We implemented a module for Alfresco >= 4.2(.f) to support username changes in AD by using an alternative AD attribute as the Alfresco username which will never be subject to change (e.g. employeeID). We injected a dynamic lookup in all authentication use cases to support a transparent login by AD username or Alfresco-internal username (and SSO).

We could extend that module with the group logic as described above.

Heiko Robert
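The difference between matching groups on `cn` and matching them on a stable ID such as the SID, as an added example that is not part of the original answer and not Alfresco code. The function names, the snapshot format and the sample SIDs are assumptions made for illustration; `sid_to_str` decodes the binary form in which LDAP returns the `objectSid` attribute.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary AD objectSid value into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def plan_sync(previous, current, key):
    """Diff two directory snapshots (lists of dicts with 'cn' and 'sid').

    key='cn' matches groups by name, key='sid' matches them by stable ID.
    Returns a sorted list of ('create'|'delete'|'rename', ...) actions.
    """
    old = {g[key]: g for g in previous}
    new = {g[key]: g for g in current}
    plan = [("delete", old[k]["cn"]) for k in old.keys() - new.keys()]
    plan += [("create", new[k]["cn"]) for k in new.keys() - old.keys()]
    for k in old.keys() & new.keys():
        if old[k]["cn"] != new[k]["cn"]:
            # Same object, new name: permissions and memberships can be kept.
            plan.append(("rename", old[k]["cn"], new[k]["cn"]))
    return sorted(plan)

def _sample_sid(rid: int) -> bytes:
    """Constructed objectSid bytes for the example, not from a real domain."""
    return (b"\x01\x05" + (5).to_bytes(6, "big")
            + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, rid))

# Constructed snapshots: the group "Sales" is renamed to "Sales-EMEA" in AD.
BEFORE = [{"cn": "Sales", "sid": sid_to_str(_sample_sid(1105))},
          {"cn": "Finance", "sid": sid_to_str(_sample_sid(1106))}]
AFTER = [{"cn": "Sales-EMEA", "sid": sid_to_str(_sample_sid(1105))},
         {"cn": "Finance", "sid": sid_to_str(_sample_sid(1106))}]

if __name__ == "__main__":
    print("by cn :", plan_sync(BEFORE, AFTER, "cn"))
    print("by sid:", plan_sync(BEFORE, AFTER, "sid"))
```

Keyed on `cn`, the rename shows up as a delete plus a create, which is where the grants are lost; keyed on the SID, it is a single rename of the same object.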