Goal:
Understand how DocuWare interacts with AD attributes



Answer:
During synchronization, we read Active Directory attributes for the following tasks:
- Get Details (Name, Email, Groupname…)
- Find the Object in the AD
- Apply Rights to Users (by Group membership)
- SSO (incl. NTLM)
- Read the status of the AD User (Active, Deactivated)
- Match Users (link manually created users to DocuWare, update Details during synchronization)


Get Details:
Attributes to get Details for Groups:
Description Class Group (external Link)

| Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|
| Distinguished name | External group name when assigning to existing DocuWare Group | checkbox activated | -no- | For Azure Groups, Attributes are not selectable |
| Name / CN / sAMAccountName | External group name when assigning to existing DocuWare Group | Press 3 Dots | Offers all Groups found in Node; unwanted can be skipped | For Azure Groups, Attributes are not selectable |
| All other available Attributes of Object | External group name when assigning to existing DocuWare Group | Press 3 Dots | -no- | For Azure Groups, Attributes are not selectable |



Attributes to get Details for Users:
Description Class Users (external Link)

| Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|
| userPrincipalNamePrefix | Loginname | -no- | -yes- | Full attribute used as E-Mail |
| EmailPrefix | Loginname | -no- | -no- | 7.6; Full attribute used as E-Mail |
| sAMAccountName | Loginname | | | |
| userPrincipalName | Loginname | -yes- | -yes- | -no- |
| CN (non unique attribute) | Loginname | -yes- | 7.5 | -no- |
| DisplayName (non unique attribute) | Loginname | -yes- | 7.5 | -no- |
| Name (non unique attribute) | Loginname | -yes- | 7.5 | -no- |
| All other available Attributes of Object | Loginname | Press 3 Dots | -no- | -no- |
| mail | E-Mail Address | Administration > External User Directories: Email address attribute | Always used; needs to be filled: KBA-36843 | UPN or Email, depends on selected Loginname attribute |


Attributes to find the Object:
Description CN (external Link)

| Class | Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|---|
| Group | CN | Full Path to Group | Adds all Groups in Dropdown | All Groups found in node are preselected; unwanted can be skipped | No Nodes; directly select Groups |
| User | CN | Full Path to User | All Users must be inside selected node; outsiders will be ignored | All Users in node are created; can be extended by checkbox | No Nodes; Azure provides Users in Group memberships only |


Attributes to apply Rights (Add a User to a Group)
Description Member (external Link)

| Class | Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|---|
| Group | Member | Defines Membership of Group | Only Members are added to Group; non-members are ignored | Users in Node without membership are added to public group only; non-members get created | Only Members of selected Group get created; select Groups in User section |

Attributes for SSO

| Class | Name | Usage | On Premises | Cloud |
|---|---|---|---|---|
| User | sAMAccountName | Part of NTLM; stored in DWUser.winuser; in combination with DWUser.windomain the NetworkID is defined | Part of NetworkID; for NTLM | No NTLM = No NetworkID |
| User | UPN | Microsoft Account | ADFS UPN = Microsoft Account | AAD UPN = Microsoft Account |


Attributes for Matching

  • Match: Find an existing DocuWare User in the (Azure) Active Directory
  • Purpose of matching: Keep the details, rights and User Status synchronized (does not apply to the NetworkID)
  • The option "Automatically link existing users at login" serves to match manually created users.
  • Users that were created with User Synchronization are always linked to the AD.

| Class | Name | Usage | V1 | V2 | Systemtype |
|---|---|---|---|---|---|
| User | Loginname + E-Mail | Non-synchronized users do not have an ObjectGUID; users are found by these two attributes when externalid is not set | Match Mode until 7.5 | Match Attributes for manually created users | On-premises |
| User | ObjectGuid | Once a User was found by loginname + e-mail, the User is searched by ObjectGUID; the ObjectGUID is stored in DWUser.externalid | Since 7.5 (Technical Release Notes DocuWare Version 7.5) | Match Attribute for synchronized Users | Both |
| User | UPNPrefix | UPNPrefix = Username; UPN = E-Mail Address | -no- | Match Attributes for manually created Users for SSO with AAD and ADFS | Both |
| User | Email Prefix | EmailPrefix = Username; Email = E-Mail Address | | Cannot be used to link manually created users. If users must have this Attribute, they must be synchronized first in order to use "Automatically link existing users at login" | Both |
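The following added example (not DocuWare code) models two things the tables above describe: how a login name and e-mail are derived from the configured attribute in the "Get Details for Users" table (including the collision risk behind the "(non unique attribute)" remark for CN, DisplayName and Name), and the match order from the "Attributes for Matching" table (ObjectGUID in DWUser.externalid first, then login name + e-mail for users without externalid, after which the GUID is stored). All AD objects and DocuWare users in it are constructed sample data; DWUser.externalid follows the column the article names, the rest are assumptions about how the rules combine.

```python
"""Added example, not DocuWare code: login-name derivation and match order.
AD records and DocuWare users are constructed sample data."""

from dataclasses import dataclass
from typing import Optional

# Attributes the article marks as non-unique when used as login name.
NON_UNIQUE_ATTRIBUTES = {"cn", "displayName", "name"}


def derive_loginname(ad_user: dict, attribute: str) -> str:
    """Login name derived from the configured attribute; the *Prefix variants
    take the part before '@' of the full attribute."""
    if attribute == "userPrincipalNamePrefix":
        return ad_user["userPrincipalName"].split("@", 1)[0]
    if attribute == "EmailPrefix":
        return ad_user["mail"].split("@", 1)[0]
    return ad_user[attribute]


def derive_email(ad_user: dict, attribute: str) -> str:
    """For userPrincipalNamePrefix the full UPN is used as e-mail (Azure
    column); otherwise the mail attribute is taken (assumption for V1/V2 Local)."""
    if attribute == "userPrincipalNamePrefix":
        return ad_user["userPrincipalName"]
    return ad_user["mail"]


def find_collisions(ad_users: list, attribute: str) -> dict:
    """Login names that more than one AD object would produce."""
    seen: dict = {}
    for u in ad_users:
        seen.setdefault(derive_loginname(u, attribute).lower(), []).append(u["objectGUID"])
    return {login: guids for login, guids in seen.items() if len(guids) > 1}


@dataclass
class DWUser:
    name: str                         # DocuWare login name
    email: str
    externalid: Optional[str] = None  # ObjectGUID once the user is linked to AD


def match_user(dw_users: list, ad_user: dict, attribute: str):
    """Match order from the article: synchronized users by ObjectGUID in
    DWUser.externalid; manually created users (no externalid) by login name
    + e-mail, after which the ObjectGUID is stored for the next run."""
    guid = ad_user["objectGUID"]
    for dw in dw_users:
        if dw.externalid == guid:
            return dw, "objectGUID"
    login = derive_loginname(ad_user, attribute).lower()
    email = derive_email(ad_user, attribute).lower()
    for dw in dw_users:
        if dw.externalid is None and dw.name.lower() == login and dw.email.lower() == email:
            dw.externalid = guid  # link the user; next sync matches by GUID
            return dw, "loginname+email"
    return None, "no match"


# Constructed sample AD objects (not real data); both share the CN "John Doe".
AD_USERS = [
    {"objectGUID": "guid-0001", "sAMAccountName": "jdoe", "cn": "John Doe",
     "displayName": "John Doe", "name": "John Doe",
     "userPrincipalName": "john.doe@example.com", "mail": "john.doe@example.com"},
    {"objectGUID": "guid-0002", "sAMAccountName": "jdoe2", "cn": "John Doe",
     "displayName": "John Doe", "name": "John Doe",
     "userPrincipalName": "john.doe2@example.com", "mail": "jdoe2@example.com"},
]


def sample_dw_users() -> list:
    """Constructed DocuWare user table: one manually created user (no
    externalid) and one user an earlier synchronization already linked."""
    return [DWUser("john.doe", "john.doe@example.com"),
            DWUser("asmith", "a.smith@example.com", externalid="guid-0003")]


if __name__ == "__main__":
    users = sample_dw_users()
    print(match_user(users, AD_USERS[0], "userPrincipalNamePrefix"))  # linked by loginname+email
    print(match_user(users, AD_USERS[0], "userPrincipalNamePrefix"))  # now found by objectGUID
    print(find_collisions(AD_USERS, "cn"))             # both objects yield 'john doe'
    print(find_collisions(AD_USERS, "sAMAccountName"))  # {}
```

Running the script shows why the first match of a manually created user must succeed on both login name and e-mail, and why a login-name attribute that is not unique in the directory is a risk: with CN two distinct AD objects would map onto the same DocuWare login name.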

Difference between V1 and V2

| Topic | Version 1 | Version 2 Local AD | Version 2 Azure AD |
|---|---|---|---|
| Password | Random or Fixed | Random only | Random only |
| Usernode | Reads the member attribute of a group to determine the users to create | Searches the configured Usernode for objects of type User | Indirect: the Group Membership in which the user is a member has to be selected. If the user is a member of a subgroup, the subgroup needs to be selected, too |
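As an added example (not DocuWare code), the following models how the three variants in the table above decide which users get created and which rights they receive: V1 takes the member attribute of the selected groups but ignores users outside the node, V2 Local AD creates every user object in the node and gives users without a membership only the public group, and V2 Azure AD has no nodes and only creates members of the selected groups, so members of a nested subgroup appear only when the subgroup itself is selected. The directory (user DNs, groups with their member attribute) is constructed sample data; modelling V1 with direct group members only, and the public-group placeholder name, are assumptions.

```python
"""Added example, not DocuWare code: user selection in V1, V2 Local and V2
Azure synchronization. The directory below is constructed sample data."""

PUBLIC_GROUP = "<public group>"  # placeholder for DocuWare's public group


def in_node(dn: str, node: str) -> bool:
    """True when the object's DN lies below the configured node."""
    return dn.lower().endswith("," + node.lower())


def direct_user_members(groups: dict, users: set, selected: list) -> set:
    """User objects listed in the member attribute of each selected group.
    Members that are themselves groups are not descended into."""
    return {m for g in selected for m in groups.get(g, []) if m in users}


def users_v1(groups: dict, users: set, selected: list, usernode: str) -> set:
    """V1: the member attribute of the selected groups decides who is created,
    but users outside the selected node are ignored (direct members only is
    an assumption of this model)."""
    return {u for u in direct_user_members(groups, users, selected) if in_node(u, usernode)}


def users_v2_local(groups: dict, users: set, selected: list, usernode: str) -> dict:
    """V2 Local AD: every user object in the node is created; membership in a
    selected group gives rights, users without membership get only the public group."""
    rights = {}
    for u in sorted(u for u in users if in_node(u, usernode)):
        member_of = [g for g in selected if u in groups.get(g, [])]
        rights[u] = member_of or [PUBLIC_GROUP]
    return rights


def users_v2_azure(groups: dict, users: set, selected: list) -> set:
    """V2 Azure AD: no nodes; only members of the selected groups are created,
    so a subgroup's members appear only when the subgroup itself is selected."""
    return direct_user_members(groups, users, selected)


# Constructed sample directory (not real data).
ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"
CAROL = "CN=Carol,OU=Contractors,DC=example,DC=com"
DAVE = "CN=Dave,OU=Staff,DC=example,DC=com"
DW_GROUP = "CN=DocuWare Users,OU=Groups,DC=example,DC=com"
FINANCE = "CN=Finance,OU=Groups,DC=example,DC=com"

USERS = {ALICE, BOB, CAROL, DAVE}
GROUPS = {
    DW_GROUP: [ALICE, FINANCE],  # Finance is a nested subgroup of DocuWare Users
    FINANCE: [BOB, CAROL],
}
USERNODE = "OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    print(users_v1(GROUPS, USERS, [DW_GROUP], USERNODE))
    print(users_v2_local(GROUPS, USERS, [DW_GROUP], USERNODE))
    print(users_v2_azure(GROUPS, USERS, [DW_GROUP]))
    print(users_v2_azure(GROUPS, USERS, [DW_GROUP, FINANCE]))
```

With only "DocuWare Users" selected, Bob and Carol are not created in the Azure variant even though they are members through the Finance subgroup; selecting Finance as well brings them in. In the local V2 variant Bob and Dave are created because they sit in the node, but without a selected-group membership they land in the public group only, while Carol is outside the node and is not created at all.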