Goal:
Understand how DocuWare interacts with AD attributes
Answer:
During synchronization, we read Active Directory attributes to address the following tasks:
- Get Details (Name, Email, Groupname…)
- Find the Object in the AD
- Apply Rights to Users (by Group membership)
- For SSO (incl. NTLM)
- To read the status of the AD User (Active, Deactivated)
- Match Users (Link manually created users to DocuWare, change Details during synchronization)
Get Details:
Attributes to get Details for Groups:
Description Class Group (external Link)
| Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|
| Distinguished name | External group name when assigning to existing DocuWare Group | checkbox activated | -no- | For Azure Groups, Attributes are not selectable |
| Name, CN, sAMAccountName | same as above | Press 3 Dots | Offers all Groups found in Node. Unwanted can be skipped | For Azure Groups, Attributes are not selectable |
| All other available Attributes of Object | same as above | Press 3 Dots | -no- | For Azure Groups, Attributes are not selectable |
Attributes to get Details for Users:
Description Class Users (external Link)
| Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|
| userPrincipalNamePrefix | Loginname | -no- | -yes- | Full attribute used as E-Mail |
| EmailPrefix | Loginname | -no- | -no- | 7.6: Full attribute used as E-Mail |
| sAMAccountName | Loginname | | | |
| userPrincipalName | Loginname | -yes- | -yes- | -no- |
| CN (non-unique attribute) | Loginname | -yes- | 7.5 | -no- |
| DisplayName (non-unique attribute) | Loginname | -yes- | 7.5 | -no- |
| Name (non-unique attribute) | Loginname | -yes- | 7.5 | -no- |
| All other available Attributes of Object | Loginname | Press 3 Dots | -no- | -no- |
| E-Mail Address | Administration > External User Directories: Email address attribute | Always used. Needs to be filled: KBA-36843 | UPN or Email, depends on the selected Loginname attribute | same as V2 Local |
Attributes to find the Object:
Description CN (external Link)
| Class | Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|---|
| Group | CN | Full Path to Group | Adds all Groups in Dropdown | All Groups found in node are preselected. Unwanted can be skipped | No Nodes. Directly select Groups |
| User | CN | Full Path to User | All Users must be inside the selected node: Outsiders will be ignored | All Users in node are created. Can be extended by checkbox | No Nodes. Azure provides Users in Group memberships only |
Attributes to apply Rights (Add a User to a Group)
Description Member (external Link)
| Class | Name | Usage | V1 | V2 Local | V2 Azure |
|---|---|---|---|---|---|
| Group | Member | Defines Membership of Group | Only Members are added to Group, Non-members are ignored | Users in Node without membership are added to public group only. Non-members get created | Only Members of selected Group get created. Select Groups in User section |
Attributes for SSO
| Class | Name | Usage | On Premises | Cloud |
|---|---|---|---|---|
| User | sAMAccountName | Part of NTLM. Stored in DWUser.winuser; together with DWUser.windomain it defines the NetworkID | Part of NetworkID for NTLM | No NTLM = No NetworkID |
| User | UPN | Microsoft Account | ADFS UPN = Microsoft Account | AAD UPN = Microsoft Account |
Attributes for Matching
- Match: find an existing DocuWare User in the (Azure) Active Directory
- Purpose of matching: keep the details, rights and User Status synchronized (does not apply to the NetworkID)
- "Automatically link existing users at login" serves to match manually created users.
- Users that were created by User Synchronization are always linked to the AD.
| Class | Name | Usage | V1 | V2 | Systemtype |
|---|---|---|---|---|---|
| User | Loginname + E-Mail | Non-synchronized users do not have an ObjectGUID; users are found with these two attributes when externalid is not set | Match Mode until 7.5 | Match Attributes for manually created users | On-premises |
| User | ObjectGuid | Once a user was found by loginname + e-mail, the user is searched by ObjectGUID. ObjectGUID is stored in DWUser.externalid | Since 7.5 (Technical Release Notes DocuWare Version 7.5) | Match Attribute for synchronized Users | Both |
| User | UPNPrefix | UPNPrefix = Username, UPN = E-Mail Address | -no- | Match Attributes for manually created Users for SSO with AAD and ADFS | Both |
| User | Email Prefix | EmailPrefix = Username, Email = E-Mail Address | | Cannot be used to link manually created users. If users must have this attribute, they must be synchronized first in order to use "Automatically link existing users at login" | Both |
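The SSO and matching rules from the two tables above, modelled as an added Python example (not DocuWare code): ObjectGUID-first matching with a loginname + e-mail fallback for users that are not yet linked, prefix login names derived from UPN or e-mail, user status and the NetworkID built from domain and sAMAccountName. The sample AD objects, the `DwUser` record and the use of the userAccountControl disable bit for the status are assumptions; the page does not name the attribute DocuWare reads for the status.

```python
from dataclasses import dataclass
from typing import Optional
ACCOUNTDISABLE = 0x2  # userAccountControl bit for "account disabled" (standard AD flag, assumed here)

@dataclass
class DwUser:
    name: str                         # DocuWare login name
    email: str
    externalid: Optional[str] = None  # ObjectGUID once linked (DWUser.externalid)
    active: bool = True

def login_name(entry: dict, attr: str) -> str:
    """Login name from the configured attribute; for UPNPrefix / EmailPrefix
    the part before '@' becomes the username, the full value is the e-mail."""
    if attr == "userPrincipalNamePrefix":
        return entry["userPrincipalName"].split("@", 1)[0]
    if attr == "EmailPrefix":
        return entry["mail"].split("@", 1)[0]
    return entry[attr]

def match_user(dw: DwUser, ad_entries: list, attr: str) -> Optional[dict]:
    """Synchronized users (externalid set) are found by ObjectGUID; manually
    created users have no ObjectGUID yet and are matched by loginname + e-mail."""
    for e in ad_entries:
        if dw.externalid:
            if e["objectGUID"] == dw.externalid:
                return e
        elif (login_name(e, attr).lower() == dw.name.lower()
              and e["mail"].lower() == dw.email.lower()):
            return e
    return None

def sync_user(dw: DwUser, entry: dict) -> DwUser:
    """Store the ObjectGUID in externalid and refresh e-mail and user status."""
    dw.externalid = entry["objectGUID"]
    dw.email = entry["mail"]
    dw.active = not (int(entry["userAccountControl"]) & ACCOUNTDISABLE)
    return dw

def network_id(entry: dict, domain: str) -> str:
    """NetworkID for NTLM: DWUser.windomain plus DWUser.winuser (= sAMAccountName)."""
    return f"{domain}\\{entry['sAMAccountName']}"
# Constructed sample AD objects (not real directory data); 512 = enabled, 514 = disabled
AD_ENTRIES = [
    {"objectGUID": "guid-0001", "sAMAccountName": "jdoe", "mail": "john.doe@example.test",
     "userPrincipalName": "john.doe@example.test", "userAccountControl": 512},
    {"objectGUID": "guid-0002", "sAMAccountName": "asmith", "mail": "anna.smith@example.test",
     "userPrincipalName": "anna.smith@example.test", "userAccountControl": 514},
]
```

Once a user has been linked, a later rename in DocuWare no longer breaks the match, because the lookup goes through the stored ObjectGUID.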
Difference between V1 and V2
| Topic | Version 1 | Version 2 Local AD | Version 2 Azure AD |
|---|---|---|---|
| Password | Random or Fixed | Random only | Random only |
| Usernode | Reads the member attribute of a group to determine the users to create | Searches the configured Usernode for objects of type User | Indirect: the Group Membership in which the user is a member has to be selected. If the user is a member of a subgroup, the subgroup needs to be selected, too |
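To make the three user-determination strategies from the Usernode row and the "find the Object" / "apply Rights" tables concrete, here is an added Python example (not DocuWare code) over a small constructed directory snapshot. The DN layout, group names and the reading of the member attribute as direct members only (the page does not describe nested-group expansion) are assumptions.

```python
# Constructed directory snapshot (not real data): DN -> attributes
DIRECTORY = {
    "OU=Sales,DC=example,DC=test": {"objectClass": "organizationalUnit"},
    "CN=alice,OU=Sales,DC=example,DC=test": {"objectClass": "user"},
    "CN=bob,OU=Sales,DC=example,DC=test": {"objectClass": "user"},
    "CN=carol,OU=HR,DC=example,DC=test": {"objectClass": "user"},
    "CN=Sales-Team,OU=Groups,DC=example,DC=test": {
        "objectClass": "group",
        "member": ["CN=alice,OU=Sales,DC=example,DC=test",
                   "CN=Sales-Leads,OU=Groups,DC=example,DC=test"]},
    "CN=Sales-Leads,OU=Groups,DC=example,DC=test": {
        "objectClass": "group",
        "member": ["CN=carol,OU=HR,DC=example,DC=test"]},
}

def in_node(dn: str, node: str) -> bool:
    """True if the object lies below the configured node (simple DN suffix test)."""
    return dn.endswith("," + node)

def direct_user_members(group_dn: str) -> set:
    """Direct user members of a group; nested groups are not expanded (assumption)."""
    return {m for m in DIRECTORY[group_dn].get("member", [])
            if DIRECTORY[m]["objectClass"] == "user"}

def v1_users(selected_groups: list, user_node: str) -> set:
    """V1: the member attribute of each selected group decides which users to
    create; non-members are ignored, as are members outside the user node."""
    return {m for g in selected_groups for m in direct_user_members(g)
            if in_node(m, user_node)}

def v2_local_users(selected_groups: list, user_node: str) -> dict:
    """V2 Local: every user object in the node is created; users without a
    selected-group membership end up in the public group only.
    Returns {user_dn: set(groups the user is added to)}."""
    result = {dn: set() for dn, a in DIRECTORY.items()
              if a["objectClass"] == "user" and in_node(dn, user_node)}
    for g in selected_groups:
        for m in direct_user_members(g):
            if m in result:
                result[m].add(g)
    return result

def v2_azure_users(selected_groups: list) -> set:
    """V2 Azure: no nodes; only members of selected groups are created, and a
    subgroup's members appear only if that subgroup is selected as well."""
    return {m for g in selected_groups for m in direct_user_members(g)}
```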