https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225551#M178681 <HTML><HEAD></HEAD><BODY><SPAN>Hello all,</SPAN><BR /><BR /><SPAN>We’re running Alfresco CE 3.2. This installation has been configured to use our Microsoft AD as userbackend. This “kind of” works.</SPAN><BR /><BR /><SPAN>Our problem is that the ldap synchronization resets user properties. For example, once a LDAP user is known in Alfresco, we may change the user’s home directory in Alfresco. This works until the next synchronization, which defaults the home directory.</SPAN><BR /><BR /><SPAN>We’re wondering what is going on here. I’ve found some clues suggesting that all AD users are automatically recreated every sync run, which of course should not be. Also, upon updating a user I would not suspect non-AD values to be defaulted.</SPAN><BR /><BR /><SPAN>The relevant configuration:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />ldap.authentication.active=true<BR />ldap.authentication.allowGuestLogin=false<BR />ldap.authentication.userNameFormat=%s@domain.Local<BR />ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory<BR />ldap.authentication.java.naming.provider.url=ldap://adserver:389<BR />ldap.authentication.java.naming.security.authentication=simple<BR />ldap.authentication.escapeCommasInBind=false<BR />ldap.authentication.defaultAdministratorUserNames=Administrator<BR />ldap.synchronization.active=true<BR />ldap.synchronization.java.naming.security.principal=cn\=alfrescoadm,ou\=_Users,ou\=ourcompany,dc\=domain,dc\=Local<BR />ldap.synchronization.queryBatchSize=10000<BR />ldap.synchronization.groupQuery=(objectclass\=Nogroup)<BR />ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=group)(!(modifyTimestamp&lt;\={0})))<BR />ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf\=CN\=Alfresco,CN\=Users,DC\=domain,DC\=Local))<BR />ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp&lt;\={0}))(memberOf\=CN\=Alfresco,CN\=Users,DC\=domain,DC\=Local))<BR />ldap.synchronization.groupSearchBase=OU\=ourcomapny,DC\=domain,DC\=Local<BR />ldap.synchronization.userSearchBase=OU\=ourcompany,DC\=domain,DC\=Local<BR />ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp<BR />ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'<BR />ldap.synchronization.userFirstNameAttributeName=givenName<BR />ldap.synchronization.userLastNameAttributeName=sn<BR />ldap.synchronization.userEmailAttributeName=mail<BR />ldap.synchronization.userOrganizationalIdAttributeName=company<BR />ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider<BR />ldap.synchronization.groupType=NoGroup<BR />ldap.synchronization.personType=user<BR />ldap.synchronization.groupMemberAttributeName=member<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>From the Logs:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />10:08:03,346 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '748'<BR />10:08:03,376 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 112<BR />10:08:03,376 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '747'<BR />10:08:03,395 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 401<BR />10:08:03,395 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '112'<BR />10:08:03,431 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '401'<BR />10:08:03,481 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'<BR />10:08:03,542 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0<BR />10:08:03,578 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'<BR />10:08:03,578 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 144 user(s) and 0 group(s) processed<BR />10:12:00,056 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'<BR />10:12:00,056 WARN&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.<BR />10:12:00,056 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'<BR />10:12:00,260 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 400<BR />10:12:00,275 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 029<BR />10:12:00,276 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '400'<BR />10:12:00,290 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 012<BR />10:12:00,290 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '029'<BR />10:12:00,304 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 013<BR />10:12:00,304 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '012'<BR />10:12:00,321 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 015<BR />10:12:00,321 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '013'<BR />10:12:00,335 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 017<BR />10:12:00,335 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '015'<BR />10:12:00,349 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 019<BR />10:12:00,349 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '017'<BR />10:12:00,378 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 020<BR />10:12:00,378 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '019'<BR />10:12:00,394 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 022<BR />10:12:00,394 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '020'<BR />10:12:00,408 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 023<BR />10:12:00,409 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '022'<BR />10:12:00,423 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 025<BR />10:12:00,423 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '023'<BR />10:12:00,438 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 028<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>I’m quite confused about what’s happening here. The log suggests that all AD users are recreated (and consecutively updated) every sync. That shouldn’t be, should it? Is our configuration to authenticate against AD wrong?</SPAN><BR /><BR /><SPAN>Best, Raj</SPAN></BODY></HTML> Wed, 28 Oct 2009 10:14:35 GMT rajd 2009-10-28T10:14:35Z https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225551#M178681 Hello all,We’re running Alfresco CE 3.2. This installation has been configured to use our Microsoft AD as userbackend. This “kind of” works.Our problem is that the ldap synchronization resets user properties. For example, once a LDAP user is known in Alfresco, we may change the user’s home directory Wed, 28 Oct 2009 10:14:35 GMT https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225551#M178681 rajd 2009-10-28T10:14:35Z https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225552#M178682 <HTML><HEAD></HEAD><BODY><A href="http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem</A></BODY></HTML> Sat, 31 Oct 2009 11:48:00 GMT https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225552#M178682 ivan_plestina 2009-10-31T11:48:00Z https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225553#M178683 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote"><A href="http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem</A></BLOCKQUOTE><BR /><SPAN>Hi there Ivan,</SPAN><BR /><BR /><SPAN>I'm aware of the online manual. I even read it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></SPAN><BR /><BR /><SPAN>Is there something in here I should have a look at? For as far as I understand I don't know what should be changed.</SPAN><BR /><BR /><SPAN>Best, Robin</SPAN></BODY></HTML> Mon, 02 Nov 2009 15:31:01 GMT https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225553#M178683 rajd 2009-11-02T15:31:01Z https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225554#M178684 <HTML><HEAD></HEAD><BODY><SPAN>Well by wiki this:</SPAN><BR /><SPAN>synchronization.synchronizeChangesOnly</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; Should the scheduled sync job run in differential mode? The default is false, which means that the scheduled sync job is run in full mode. Regardless of this setting a differential sync may still be triggered when a user is successfully authenticated who does not yet exist in Alfresco. </SPAN><BR /><BR /><BR /><SPAN>If the change doesn't work out as expected then it looks like a bug to me…</SPAN></BODY></HTML> Tue, 03 Nov 2009 14:33:46 GMT https://connect.hyland.com/t5/alfresco-archive/ad-authentication-user-properties-reset/m-p/225554#M178684 ivan_plestina 2009-11-03T14:33:46Z