LDAP Sync

clynham — Fri, 11 Sep 2009 15:16:55 GMT

Hi,After playing with authentication chains etc over the past few days, I've finally got it working how I want it to with the exception of LDAP sync. My properties file is configured as:authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1assthru,ldap1:ldap-ad#passthru.authentication.domain=#

Re: LDAP Sync

dward — Sat, 12 Sep 2009 16:47:12 GMT

I would double check

ldap.synchronization.groupSearchBase and ldap.synchronization.userSearchBase

by using an LDAP browser such as the one from http://www.ldapbrowser.com

Re: LDAP Sync

clynham — Mon, 14 Sep 2009 14:04:23 GMT

Thanks for that - That got it sorted.

I've now got users to sync however I'm experiencing the same issue as this post where the Guest user clashes and causes the sync to fail:

http://forums.alfresco.com/en/viewtopic.php?f=9&t=20653&p=67345&hilit=could+not+delete%3A+%5Borg.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl%233%5D#p67396

As suggested I've amended the queries to try and exlude the Guest user:

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(!(sAMAccountName=Guest)))
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0}))(!(sAMAccountName=Guest)))‍‍‍‍

However with these two lines included I get the following error when trying to log into Alfresco. Comment them out and everything is fine again (with the exception of the Guest error):

net.sf.acegisecurity.AuthenticationServiceException: General error; nested exception is org.alfresco.error.AlfrescoRuntimeException: 08140002 User and group import failed 
Caused by: org.alfresco.error.AlfrescoRuntimeException: 08140002 User and group import failed 
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:658) 
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncGroupsWithPlugin(ChainingUserRegistrySynchronizer.java:399) 
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:219) 
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.createMissingPerson(ChainingUserRegistrySynchronizer.java:245) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.alfresco.repo.management.subsystems.SubsystemProxyFactory$1.invoke(SubsystemProxyFactory.java:71) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) 
at $Proxy53.createMissingPerson(Unknown Source) 
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:431) 
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:429) 
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:489) 
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:427) 
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:412) 
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326) 
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:193) 
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:873) 
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:560) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:304) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149) 
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) 
at $Proxy190.authenticate(Unknown Source) 
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.processType3(BaseNTLMAuthenticationFilter.java:606) 
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:338) 
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
at java.lang.reflect.Method.invoke(Method.java:597) 
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:109) 
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171) 
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204) 
at $Proxy194.doFilter(Unknown Source) 
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88) 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) 
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) 
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) 
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) 
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) 
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) 
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845) 
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) 
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) 
at java.lang.Thread.run(Thread.java:619) 
Caused by: javax.naming.InvalidNameException: Invalid name: "ou=User accounts, dc=domain, dc=co, dc=uk" 
at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:130) 
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:83) 
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:45) 
at javax.naming.ldap.LdapName.parse(LdapName.java:772) 
at javax.naming.ldap.LdapName.<init>(LdapName.java:108) 
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:488) 
… 54 more ‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Have I made any obvious errors?

Re: LDAP Sync

dward — Mon, 14 Sep 2009 14:29:59 GMT

For some reason, it thinks your ldap.synchronization.userSearchBase is invalid

I checked out the exception you were getting from the JDK.

Caused by: javax.naming.InvalidNameException: Invalid name: "ou=User accounts, dc=domain, dc=co, dc=uk"

When I go to that line of code, there are no quotes around the name. I would have expected to see

Caused by: javax.naming.InvalidNameException: Invalid name: ou=User accounts, dc=domain, dc=co, dc=uk

So have you really configured ldap.synchronization.userSearchBase with quote characters, or have you just edited the message for anonymity?

Anyway, double check that for weird characters, because there's something wrong with it.

Re: LDAP Sync

clynham — Wed, 16 Sep 2009 11:09:55 GMT

Sorry, my fault. Old programming habit of quoting strings that have spaces in them.

With those two lines added (to exclude the guest user) it seems to stop the sync from occuring. Without them when I log into Alfresco I can see it scrolling through the AD users in the console until it crashes out at the guest user and when they're added I get the message '0 users and 0 groups processed'

Is my query correct?

topic Re: LDAP Sync in Alfresco Archive

LDAP Sync

Re: LDAP Sync

Re: LDAP Sync

Re: LDAP Sync

Re: LDAP Sync