topic Re: Empty AD Group Membership in Alfresco Archive

Empty AD Group Membership

brostekm — Wed, 17 Mar 2010 17:26:42 GMT

I am trying to sync Alfresco 3.2r Community Edition with my AD. I am able to get all the users and group names imported, and I can log in with the imported users. It is even synchronizing the users and groups every minute. The problem is the groups have no members in Alfresco. When I change a grou

Re: Empty AD Group Membership

marcobusetto — Tue, 08 Jun 2010 12:01:18 GMT

I'm having a similar problem.

I'm trying to synchronize Alfresco 3.3. CE with CentOS Directory Server (read: Fedora / RedHat Directory Server). In Alfresco Administration Console I can see my LDAP groups, my LDAP users and I can log-on with them. But all my groups are empty.

I tryed to create users within groups and I tryed to build groups with members association only, but in both cases in alfresco I keep seeing only empty groups.

I configured ldap-authentication.properties to match (I hope) the CentOS Directory Server but I didn't get any benefit. Below there are the properties that I changed:

alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap2:ldap
ntlm.authentication.sso.enabled=false
synchronization.import.cron=0 0/5 * * * ?
‍‍‍‍

ldap-authentication.properties

ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://alfrescolnx.mylab.loc:389
ldap.authentication.defaultAdministratorUserNames=cn\=Directory Manager
ldap.synchronization.java.naming.security.principal=cn\=Directory Manager
ldap.synchronization.java.naming.security.credentials=**********
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=mycompany,dc\=myldap,dc\=loc
ldap.synchronization.userSearchBase=ou\=mycompany,dc\=myldap,dc\=loc
ldap.synchronization.groupType=groupOfUniqueNames
ldap.synchronization.groupMemberAttributeName=uniqueMember
ldap.synchronization.enableProgressEstimation=true
‍‍‍‍‍‍‍‍‍‍‍‍‍

Note that for some properties there are some differences between CentOS Directory Server and the default ldap-authentication.properties file. For instance, "groupOfUniqueNames" instead of "groupOfNames", "uniqueMember" instead of "member", etc. - I used Softerra LDAP browser to catch these differences and try to configure my ldap-authentication.properties file but it still doesn't work (maybe because I'm newbie of LDAP and perhaps I missed some setting).

Can anybody help me?
Thanks in advance.

Re: Empty AD Group Membership

marcobusetto — Wed, 09 Jun 2010 13:06:41 GMT

I made some more try in my test environment and I discovered that in my LDAP I wrongly defined my users under a group and not within an Organizational Unit. I placed my users into an Organizational Unit and I redefined the membership of my groups, so now these groups are not empty anymore in Alfresco.

However there's still a quite serious problem. It seems that if a LDAP user belongs to more than one group, in Alfresco I can see him only in the first one. Example:

LDAP

Alfresco

(User_1 is missing!)

Has anyone never found a similar problem and can confirm this?

Re: Empty AD Group Membership

kilg — Fri, 12 Nov 2010 06:41:25 GMT

I made some more try in my test environment and I discovered that in my LDAP I wrongly defined my users under a group and not within an Organizational Unit. I placed my users into an Organizational Unit and I redefined the membership of my groups, so now these groups are not empty anymore in Alfresco.

However there's still a quite serious problem. It seems that if a LDAP user belongs to more than one group, in Alfresco I can see him only in the first one. Example:

LDAP
Group_A = User_1 + User_2 + User_3
Grouo_B = User_4 + User_1

Alfresco
Group_A = User_1 + User_2 + User_3
Grouo_B = User_4 + … (User_1 is missing!)

Has anyone never found a similar problem and can confirm this?

i found - what:
IF group_B is Primery Group for User_1, then in this group in alfresco user don't exist. its very bad(((
search on this forum about Primery Group in AD - did not help.