topic Re: Alfresco + Zimbra LDAP in Alfresco Archive

Alfresco + Zimbra LDAP

vasisualy — Sat, 12 Sep 2009 00:02:45 GMT

Dear all, Im trying to combine Alfresco with my existing Zimbra server.My idea is to use zimba's LDAP server as the only one authentication mechanism. It means that every Zimbra's user may login into Alfresco with the same credentials and the home folders as his/her full name.As I see for this purpo

Re: Alfresco + Zimbra LDAP

ivan_plestina — Sat, 12 Sep 2009 09:56:57 GMT

By taking a quick look at the zimbra wiki I would say that zimbraDistributionList is equivalent to a group. Create one, add some members to it and then run some LDAP queries to map correct values. BTW, if you manage to get this all together, please post your configs.

Re: Alfresco + Zimbra LDAP

vasisualy — Sat, 12 Sep 2009 18:01:11 GMT

Thank you, Ivan, for replay.

Unfortunately Zimbra's distribution list is not an equivalent of user group.
It's the same as aliases for mailing lists like info@company.com, support@company.com

I will try add custom group parameter to existing schema and make setup.

Anyway following parameters still are not clear for me.

ldap.synchronization.groupQuery=
ldap.synchronization.groupSearchBase=
ldap.synchronization.groupType=
ldap.synchronization.groupIdAttributeName=
ldap.synchronization.groupMemberAttributeName=

Could someone explain it for me.

Thank you in advance.

Re: Alfresco + Zimbra LDAP

ivan_plestina — Sat, 12 Sep 2009 19:41:33 GMT

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=ou=groups,dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Sync-ing a group is pretty much the same as sync-ing a user. groupQuery is just a proper LDAP query with a proper objectclass - very similar to the personQuery. This is why I said you could use zimbraDistributionList in a way that you put all target group members into a distribution list and then use something like:

ldap.synchronisation.groupQuery=(objectclass=zimbraDistributionList)
ldap.synchronisation.groupMemberAttributeName=member
‍‍‍

where 'member' field in LDAP should contain the person's userIdAttributeName that you defined in user's sync. So to conclude, if you settle that your username in Alfresco should be for example your email vasisualy@domain.com, and that email is also member of a zimbraDistributionList then you could have both users and groups in this way.

If you post results of a LDAP query that describes zimbraDistributionList I could be more concrete…

Re: Alfresco + Zimbra LDAP

vasisualy — Sun, 13 Sep 2009 18:20:31 GMT

Here is LDIF record of Zimbra's Distribution list.
This list contain only one member.
Members are listed in zimbraMailForwardingAddress.
=============================

dn: uid=all_users,ou=people,dc=zimbra,dc=local
zimbraMailStatus: enabled
zimbraId: 88fb2bcb-bfd1-4806-8c28-a87d005831b1
displayName: All Users
mail: all_users@zimbra.local
uid: all_users
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
zimbraMailAlias: all_users@zimbra.local
cn: All Users
description: All users in Zimbra
zimbraHideInGal: TRUE
zimbraMailForwardingAddress: vasisualy@zimbra.local

Re: Alfresco + Zimbra LDAP

ivan_plestina — Sun, 13 Sep 2009 19:15:17 GMT

Ok so something like this should work if you settle with username@zombra.local form of usernames (and modify the user sync accordingly):

ldap.synchronisation.groupQuery=(objectclass=zimbraDistributionList)
ldap.synchronisation.groupSearchBase=dc=zimbra,dc=local
ldap.synchronisation.groupIdAttributeName=cn
ldap.synchronisation.groupType=zimbraDistributionList
ldap.synchronisation.groupMemberAttributeName=zimbraMailForwardingAddress
‍‍‍‍‍‍

Re: Alfresco + Zimbra LDAP

dward — Mon, 14 Sep 2009 08:30:50 GMT

Please note that vasisualy's original question was regarding the v3.2 LDAP properties which all use the letter 'z' in their name and are documented here.

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#LDAP

Re: Alfresco + Zimbra LDAP

vasisualy — Mon, 14 Sep 2009 16:56:53 GMT

Thank you everyone for help.
I got first results.
I've done following steps.
1. Downloaded from Alfresco.com "Alfresco-Community-3.2-MacOS-X-Install" and install it w/o WCM and SharePoint protocol.
2. Created fresh MySQL DB.
3. Than I added following lines to /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties
===============================================================
authentication.chain=ldap1:ldap

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://zimbra.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=vasisualy

ldap.synchronization.active=true

ldap.synchronization.queryBatchSize=1000
ldap.synchronization.java.naming.security.principal=uid=zimbra,cn=admins,cn=zimbra
ldap.synchronization.java.naming.security.credentials=Password

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

ldap.synchronization.userSearchBase=dc=zimbra,dc=local
ldap.synchronization.userIdAttributeName=zimbraMailDeliveryAddress
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

ldap.synchronization.personQuery=(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled))
ldap.synchronization.personDifferentialQuery=(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled)(!(modifyTimestamp<={0})))
ldap.synchronization.personType=organizationalPerson

ldap.synchronization.groupSearchBase=dc=zimbra,dc=local
ldap.synchronization.groupQuery=(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled))
ldap.synchronization.groupDifferentialQuery=(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled)(!(modifyTimestamp<={0})))
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=zimbraDistributionList
ldap.synchronization.groupMemberAttributeName=zimbraMailForwardingAddress

synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true
# every 5 minutes
#ldap.synchronization.import.cron=0 * * * * ?
============================================

4. Alfresco started and on login I see in catalina.out following:
19:45:09,697 INFO [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
19:45:09,698 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'
19:45:10,265 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'admin@zimbra.local'
19:45:10,661 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'wiki@zimbra.local'
19:45:11,016 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'spam.gq9grspa@zimbra.local'
19:45:11,257 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'ham.gftvdq5ag@zimbra.local'
19:45:11,470 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'vasisualy@zimbra.local'
19:45:11,753 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
19:45:11,782 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating group 'All Users'
19:45:11,916 INFO [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
19:45:11,918 INFO [security.sync.ChainingUserRegistrySynchronizer] 5 user(s) and 1 group(s) processed

User logged in and everything seems Ok.

But users synced in tricky way. Please see attached picture.
http://tinypic.com/r/27xecf5/3
or [img]http://i27.tinypic.com/27xecf5.jpg[/img]

I need an advice is the any way to point Alfresco that I logs as vasisualy and it corresponds to "Vasily Pupkin" and do not make
2 different user records: vasisualy and "Vasily Pupkin"

Thank you in advance.

Re: Alfresco + Zimbra LDAP

dward — Mon, 14 Sep 2009 17:04:38 GMT

You need to set

ldap.synchronization.userIdAttributeName=uid

zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

Re: Alfresco + Zimbra LDAP

ivan_plestina — Mon, 14 Sep 2009 19:03:36 GMT

You need to set

ldap.synchronization.userIdAttributeName=uid

zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

Wiki states:
ldap.synchronization.groupMemberAttributeName
The name of the multi-valued attribute on an LDAP group object that lists its members. If the value of this attribute parses as a Distinguished Name (DN) then the exporter will resolve the member name and type by looking up that DN, determining its object class (user or group) and getting the appropriate name attribute. This strategy will work with the groupOfNames class, for example. Otherwise, the attribute value is assumed to contain a user ID. This strategy will work with the posixGroup class, for example.

So, in order to use zimbraDistributionList as a "virtual group" (if I understood vasisualy correctly there are no real groups in zimbra LDAP scheme), he must also use email addresses as UIDs in Alfresco to map users to groups correctly. I would have put the same config as vasisualy.

I understand this is some black magic we're trying here but it would be great if Alfresco and Zimbra could integrate this way and we are very close to the solution.

Re: Alfresco + Zimbra LDAP

ivan_plestina — Mon, 14 Sep 2009 19:25:35 GMT

Oh and btw, it looks to me that LDAP sync worked perfectly but authentication messed things up by creating another user… Can you try to modify:

ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=local‍

ldap.authentication.userNameFormat=%s@zimbra.local‍

Not sure if you'll need to escape that '@' with a '\'. This definately works with AD LDAP i.e. you can authenticate with your email. %s is what you type into the login form, and @zimbra.local is appended in the background automatically. No idea will it work for zimbra but it should solve the double users problem.

Re: Alfresco + Zimbra LDAP

dward — Mon, 14 Sep 2009 19:42:57 GMT

Ivan, your suggeston won't work because zimbraMailDeliveryAddress is not part of the DN, and therefore it won't be able to resolve the entered user ID to a DN.

BUT, a change I am about to check in to HEAD will allow you to use any user attribute, including email address, as the user ID attribute, because we are going to support search based DN resolution when ldap.authentication.userNameFormat is empty.

So I'm afraid it's not possible now, but it will be just as soon as HEAD is open for check ins again.

Re: Alfresco + Zimbra LDAP

vasisualy — Mon, 14 Sep 2009 20:03:43 GMT

I started to write this replay 2 hour late before yours.
Anyway I will put it.
I will try your advices and report soon.

You need to set
ldap.synchronization.userIdAttributeName=uid
zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

I see. But zimbra's DistributionList contains in zimbraMailForwardingAddressattribute only e-mails not UIDS.

If I set ldap.synchronization.userIdAttributeName=uid it will conflict with Groups which contain e-mail not UIDs.

Am I wrong?

Thank you.

Re: Alfresco + Zimbra LDAP

vasisualy — Mon, 14 Sep 2009 21:17:55 GMT

Dear mates,
I changed setting to ldap.synchronization.userIdAttributeName=uid

As expected duplicated users are gone.

part of Alfresco log:
23:54:40,416 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'wiki'
23:54:40,613 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'spam.gq9grspa'
23:54:40,854 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'ham.gftvdq5ag'
23:54:41,080 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'vasisualy'
23:54:41,278 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
23:54:41,300 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating group 'All Users'
23:54:41,352 INFO [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
23:54:41,353 INFO [security.sync.ChainingUserRegistrySynchronizer] 5 user(s) and 1 group(s) processed

Group 'All Users' was created as empty.
[img]http://i27.tinypic.com/dwxs9u.png[/img]

I think I need some manipulations on Zimbra side to achieve really good group integration.

Only few parameters are stii not clear for me.
ldap.synchronization.groupType=
ldap.synchronization.personType=
What does it really mean?

And is the any additional parameters in Alfresco configs to import persons attributes from LDAP?
like Organization: Job Title: Location: Presence Provider: , etc.

Thank you.

Re: Alfresco + Zimbra LDAP

ivan_plestina — Tue, 15 Sep 2009 06:33:31 GMT

I think I need some manipulations on Zimbra side to achieve really good group integration.

Only few parameters are stii not clear for me.
ldap.synchronization.groupType=
ldap.synchronization.personType=
What does it really mean?

And is the any additional parameters in Alfresco configs to import persons attributes from LDAP?
like Organization: Job Title: Location: Presence Provider: , etc.

Thank you.

I believe dward's changes once in HEAD will fix things for you.

groupType and personType are mappings to the objectclass name in LDAP for groups and users. For example in AD groupType=group, in OpenLDAP it's groupOfNames and similar.

Re: Alfresco + Zimbra LDAP

vasisualy — Tue, 13 Apr 2010 16:32:23 GMT

Hello all,

I've done myself a little tricky script.
This script based on script written by Carlos Vidal <cvidal@whitehatmail.fr> and found on Zimbra support forum
It modifies Zimbra's LDAP.

Example:
Zimbra distribution list alfresco_users@hansa.com.ua:
group1@company.com
user5@company.com

Run script as zimbra user
zimbra$ python /opt/bin/dl2groups.py -a -d -p `zmlocalconfig -s -m nokey zimbra_ldap_password`
Removing all existing group CNs from LDAP
Expanding and Processing DistributionLists and it's members
Done.

It makes LDAP records like

cn=alfresco_users,ou=groups,dc=company,dc=com
objectClass: groupOfNames (structural)
objectClass: top (abstract)
cn: alfresco_users
member: uid=user1,ou=people,dc=company,dc=com
member: uid=user1,ou=people,dc=company,dc=com
member: uid=user1,ou=people,dc=company,dc=com
description: desc
o: Alfresco users

Script parameters:
Parameters:
-a, –add :add group CN records according DistributionLists
-d, –del :remove all existing group CN records
-p, –print : print proposed changes

-u=name, –user=name :LDAP login as uid=name,cn=admins,cn=zimbra
                     :defaulf login is uid=zimbra,cn=admins,cn=zimbra
-p=, –pass=, –passwd=, password= :LDAP password
-b=, –base= :LDAP search base
-h, –help   : this help screen message
-l, –list    :list possible changes (for tesing)

This script accepts nested distribution lists and duplicated uses.

To add it to the Zimbra's crontab to run it hourly run (for detals see https://help.ubuntu.com/community/CronHowto )
zimbra@:~$ crontab -e

and add lines to the end of file
# ZIMBRAEND – DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART

# Zimbra LDAP groups mirroring
*/15 * * * * /usr/bin/python /opt/bin/dl2groups.py -a -d -p `/opt/zimbra/bin/zmlocalconfig -s -m nokey zimbra_ldap_password` > /dev/null 2>&1

Update: I just updates last line. Now it works.

I know that this script is not perfect. Hope someone improve and contribute it.
Warning: this script tested only on my own zimbra instance. Please do proper backups procedures before running it first time.

I pasted dl2groups.py on   http://pastebin.com/RgJsn6PD

I will be glad for your response.

Re: Alfresco + Zimbra LDAP

jimmykirk — Wed, 14 Apr 2010 15:40:36 GMT

Wow, that looks promising for us Zimbra users.

Does this change existing groups? Are you also using Zimbra for posix/samba authentication as well?

I'd love to have an "alfresco users" group to prevent my dummy accounts like "serveralerts@domain.com" from populating in Alfresco.

Re: Alfresco + Zimbra LDAP

vasisualy — Mon, 19 Apr 2010 20:10:03 GMT

As you probably know Zimbra does not use traditional ou=group structure.
It uses distribution lists as uid=distribution_list

This script makes groups according distribution lists.

Re: Alfresco + Zimbra LDAP

scyonix — Thu, 10 Jun 2010 19:07:15 GMT

Hi i'm getting the below error when itried to run the script on my zimbra server, pls help me to find out a solution…

zimbra@localhost$; python /tmp/dl2groups.py -a -d -p `zmlocalconfig -s -m nokey zimbra_ldap_password`
Removing all existing group CNs from LDAP
Expanding and Processing DistributionLists and it's members
createCnGroup: error for cn=test,ou=groups,dc=testmail,dc=example,dc=com
Traceback (most recent call last):
File "dl2groups.py", line 367, in ?
createCnGroup(l,grp,realmembs)
File "dl2groups.py", line 234, in createCnGroup
if type(e.message) == dict and e.message.has_key('desc'):
AttributeError: NAMING_VIOLATION instance has no attribute 'message'

Re: Alfresco + Zimbra LDAP

vasisualy — Mon, 05 Jul 2010 17:19:25 GMT

Sorry for late response.
As I see script can not create ou=groups.

I use more than one mail domain in my Zimbra configuration.
How many mail domains do you use?

Try to change in script
LDAP_BASE = 'dc=local'

Try to run
zimbra> python dl2groups.py -l -p `zmlocalconfig -s -m nokey zimbra_ldap_password`

Does it print correct changes?