Authorities Synchronization
Synchronization of Users or Groups with Citeck.
Synchronization is performed on the ecos-model microservice side.
Configuration is done through the Model -> Synchronization journal or by deploying the corresponding authorities-sync artifact.
Attention
When synchronizing from Active Directory (or another LDAP directory), the following restrictions must be observed:
Group names must not contain Cyrillic characters, for example
Группа_ТЕСТ_ЕИС_СОБ.Account names must not contain spaces.
Common Attributes
{
"id": "emodel-ldap-person-sync",
"name": {
"ru": "Пользователи из LDAP",
"en": "Persons from LDAP"
},
"type": "emodel-ldap",
"repeatDelayDuration": "PT10S",
"enabled": true,
"config": {},
"version": 1,
"authorityType": "PERSON",
"manageNewAuthorities": true
}
Attribute |
Description |
|---|---|
id |
Synchronization identifier |
name |
Synchronization name |
type |
Synchronization type. See Synchronization types |
repeatDelayDuration |
Synchronization frequency (PT10S - every 10 seconds) |
enabled |
Whether synchronization is enabled |
config |
Synchronization configuration specific to each synchronization type |
version |
Synchronization version. When changing synchronization configuration, the version must be incremented |
authorityType |
Type of synchronized objects, possible values - PERSON, GROUP |
manageNewAuthorities |
Controls the creation of new authority records through the API. When set to |
Synchronization Types
Synchronizing users from Alfresco
Type: alfresco
Configuration example:
{
"id": "alfresco-persons-sync",
"name": {
"ru": "Пользователи из Alfresco",
"en": "Persons from Alfresco"
},
"type": "alfresco",
"repeatDelayDuration": "PT10S",
"enabled": true,
"config": {
"batchSize": 30,
"attributes": {
"firstName": "cm:firstName",
"middleName": "cm:middleName",
"personDisabled": "ecos:isPersonDisabled",
"photoCacheKey": "ecos:photo.contentUrl|presuf(\"v2-\")",
"workingCalendar": "org:workingCalendar?id"
}
},
"version": 1,
"authorityType": "PERSON",
"manageNewAuthorities": true
}
Attribute |
Description |
|---|---|
batchSize |
Batch size for synchronization |
attributes |
List of attributes to synchronize. Key - attribute name in Citeck, value - attribute in Alfresco |
Synchronizing groups from Alfresco
Type: alfresco
Configuration example:
{
"id": "alfresco-groups-sync",
"name": {
"ru": "Группы из Alfresco",
"en": "Groups from Alfresco"
},
"type": "alfresco",
"repeatDelayDuration": "PT10S",
"enabled": true,
"config": {
"batchSize": 30,
"attributes": {
"name": "cm:authorityDisplayName",
"roleType": "org:roleType",
"branchType": "org:branchType",
"roleSubType": "org:roleTypeAssoc.cm:name",
"branchSubType": "org:branchTypeAssoc.cm:name",
"roleIsManager": "org:roleTypeAssoc.org:roleIsManager?bool",
"authorityGroups": "assoc_src_cm:member[].cm:authorityName|rxg(\"GROUP_(.+)\")|presuf(\"emodel/authority-group@\")"
}
},
"version": 3,
"authorityType": "GROUP",
"manageNewAuthorities": true
}
Attribute |
Description |
|---|---|
batchSize |
Batch size for synchronization |
attributes |
List of attributes to synchronize. Key - attribute name in Citeck, value - attribute in Alfresco |
Synchronizing users from LDAP
Type: emodel-ldap
Note
Available only in enterprise version
Connection to LDAP is done through Spring LDAP.
You can create multiple synchronization configurations by specifying different settings - for example, servers, domains, filters, etc.
Configuration example:
{
"id": "emodel-ldap-person-sync",
"name": {
"ru": "Пользователи из LDAP",
"en": "Persons from LDAP"
},
"type": "emodel-ldap",
"repeatDelayDuration": "PT5M",
"enabled": true,
"config": {
"batchSize": 100,
"usernameAttributeName": "uid",
"modifyTimestampAttName": "modifyTimestamp",
"modifyTimestampFormat": "yyyyMMddHHmmss'Z'",
"attributes": {
"email": "mail",
"lastName": "sn",
"firstName": "givenname"
},
"ldapSearch": {
"filter": "(objectClass=person)"
},
"differential": true,
"ldapConnection": {
"base": "dc=example,dc=org",
"urls": [
"ldap://localhost:389"
],
"credentials": "ldap-cred"
}
},
"version": 1,
"authorityType": "PERSON",
"manageNewAuthorities": true
}
Attribute |
Description |
|---|---|
batchSize |
Batch size for synchronization |
usernameAttributeName |
LDAP attribute containing the username, must be unique in the system. Default - |
modifyTimestampAttName |
LDAP attribute containing the time of the last user modification, required for differential synchronization. Default - |
modifyTimestampFormat |
Format of the last user modification time in LDAP (values of the |
attributes |
List of attributes to synchronize. Key - attribute name in Citeck, value - attribute in LDAP |
differential |
Flag indicating whether to synchronize only modified users |
ldapSearch |
Search parameters
|
ldapConnection |
LDAP server connection parameters
|
Note
If differential synchronization is enabled and the configuration has been changed with a version increase, then the first synchronization after the change will be full.
User deletion
For the new user synchronization logic from LDAP, additional functionality has been added to delete a user from Citeck if they were deleted in LDAP.
A new parameter config.allowDeletions (true/false) has been added to the LDAP configuration.
Full configuration example:
{
"id": "emodel-ldap-person-sync-with-delete",
"name": {
"ru": "Пользователи из LDAP c удалением",
"en": "Persons from LDAP with allowed deletion"
},
"type": "emodel-ldap",
"repeatDelayDuration": "PT5M",
"enabled": true,
"config": {
"batchSize": 100,
"usernameAttributeName": "uid",
"modifyTimestampAttName": "modifyTimestamp",
"modifyTimestampFormat": "yyyyMMddHHmmss'Z'",
"attributes": {
"email": "mail",
"lastName": "sn",
"firstName": "givenname"
},
"ldapSearch": {
"filter": "(objectClass=person)"
},
"differential": false,
"allowDeletions": true,
"ldapConnection": {
"base": "dc=example,dc=org",
"urls": [
"ldap://localhost:389"
],
"credentials": "ldap-cred"
}
},
"version": 1,
"authorityType": "PERSON",
"manageNewAuthorities": true
}
Logic:
When synchronizing users from LDAP, two additional attributes are added to the user:
ldap-sync:lastLdapSyncDate - date of the last synchronization of the current user with LDAP;
ldap-sync:ldapSyncId - id of the configuration with LDAP synchronization (for understanding which specific synchronization added or last updated the user), for example, in the example above this property would be equal to emodel-ldap-person-sync-with-delete
During re-synchronization, we update all users whose data came from LDAP, and if we have users who were not updated (i.e., were deleted from LDAP and no data was received for them), then with the allowDeletions = true flag, such users are deleted from Citeck.
If the allowDeletions = false flag is set, the logic does not change, users remain in ECOS even if they were deleted from LDAP.
Important notes:
The allowDeletions and differential flags cannot both be true simultaneously; we can only correctly identify users for deletion if a full synchronization is performed (differential = false).
If the allowDeletions = true flag is set, it is highly not recommended to change the search query (ldapSearch) when there are already synchronized users, otherwise data may be lost (if it is necessary to change the query, you must ensure that the new query includes all users from the old one or set allowDeletions = false if you don’t want to lose users synchronized from LDAP).