topic Re: Alfresco 3.2 LDAP user sync without group sync possible! in Alfresco Archive

Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Mon, 13 Jul 2009 17:59:31 GMT

With the newly factored Authentication subsystems I was able to get up CIFS, NTLM and LDAP sync running in almost no time, great work!Now I'm having one issue with LDAP sync. It works for users, but then tries to import groups, which I don't want it to do.So I commented the sections in ldap-ad-authe

Re: Alfresco 3.2 LDAP user sync without group sync possible!

fo1337 — Mon, 13 Jul 2009 18:33:40 GMT

If you want to sync users and not groups, you could that:

ldap.synchronization.groupType=group.no
ldap.synchronization.groupQuery=(objectclass\=group.no)

the sync won't find that group type and no group will be imported.

Now I have another issue which is kind of the opposite. I WANT to get my groups but I can't, because whenever there's a little glitch in the LDAP, such as a missing attribute in one of the members of the group, the whole sync goes down. See my thread at http://forums.alfresco.com/en/viewtopic.php?f=9&t=20325 and my bug report at https://issues.alfresco.com/jira/browse/ETHREEOH-2484. If you're interested in a fix, make sure you "vote" on my bug report, so it will get some attention!

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Tue, 14 Jul 2009 10:19:16 GMT

I voted for you.
Still, I am fuddling with the group trigger:
I replaced the options as you've told me and now it throws

[flawless user import]
11:56:01,904 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'

11:56:54,778 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.alfresco.error.AlfrescoRuntimeException: 06140003 User and group import failed
[…]
Caused by: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'ou=groups,ou=_global,dc=intra',

which is my ldap.synchronization.groupSearchBase. If I leave that with the original Alfresco-provided options, it stays the same.
The above searchBase works with 2.9b.
Could you probably post your file? Thanks a lot!

Re: Alfresco 3.2 LDAP user sync without group sync possible!

dward — Tue, 14 Jul 2009 11:30:22 GMT

Please paste in exactly what you have configured for ldap.synchronization.groupQuery and ldap.synchronization.groupSearchBase in alfresco-global.properties. E.g.

ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com

Please also provide the full stack trace from the error message

It's probably best to not use a dot character in the group type and group query

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Tue, 14 Jul 2009 13:29:42 GMT

I'm really sorry, I left two options commented, though it couldn't work. With

ldap.synchronization.groupQuery=(objectclass\=Nogroup)
ldap.synchronization.groupType=Nogroup

in ldap-ad-authentication.properties it worked:
15:10:17,333 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user 'XYZ'
15:10:18,068 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
15:10:18,403 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
15:10:18,403 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 1920 user(s) and 0 group(s) processed

If I'm trying to login through IE7, I'm now mapped to guest. With Opera, logged in as admin, every user is there with its homefolder.
Via CIFS, the log states that it can't find me:
15:13:44,030 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
15:13:44,031 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
15:13:44,117 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
15:13:44,124 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
15:13:44,174 WARN [org.alfresco.smb.protocol.auth] User does not exist, XYZ
although I'm displayed in admin panel, with the correct upper and lowercase spelling. A manual login with my credentials too, says, I'm not there.

My authentication chain in alfresco-global.properties:
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

My corresponding options set are:
/alfrescoNtlm
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=true
/ldap-ad
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=true
/alfresco
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=true

I want to use LDAP sync and NTLM sign on. Is this possible?
With passthru, user's details like mail wouldn't be available, I presume?

Re: Alfresco 3.2 LDAP user sync without group sync possible!

dward — Tue, 14 Jul 2009 14:05:13 GMT

OK so we've established you are using Active Directory.

You shouldn't be copying all of ldap-ad-authentication.properties. All you need to do is include a subsystem of type ldap-ad in your authentication chain and set the properties you want to override in alfresco-global.properties.

Now it sounds like you want to use passthru for authentication and use ldap for synchronization only.

You can do this with the following in alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

Stop it trying to chain LDAP authentication with

ldap.authentication.active=false

Then configure the alfrescoNtlm and ldap-ad subsystems. See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2 for a full guide

passthru.authentication.servers=DOMAINNAME\server1,DOMAINNAME\server2,server1

ldap.synchronization.java.naming.security.principal=alfresco@domain
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.groupQuery=(objectclass\=group) # Only include if you want to customize the group query
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0}))) # Only include if you want to customize the group query
ldap.synchronization.groupSearchBase=ou\=Security Groups,ou\=Alfresco,dc=domain
ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=domain

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Tue, 14 Jul 2009 14:58:28 GMT

Thanks for your immediate answer!

I'm using ActiveDirectory.
The LDAP authentication was set to ldap.authentication.active=false, already.

(Should it read authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad ? Are those descriptors system-inherent?)

If I'm adding "me" before the LDAP-sync as admin in Opera in an emptied but identically configured Alfresco, I can work via CIFS and NTLM, correctly. Does that mean, that authentication works, but there's a problem while syncing (syncing taking place in an emptied one as well, of course)?

Would the first passthru server be my Alfresco one?
passthru.authentication.servers=INTRANET\alfresco-server,INTRANET\ldap-server?

Thanks again!

Re: Alfresco 3.2 LDAP user sync without group sync possible!

dward — Tue, 14 Jul 2009 15:19:15 GMT

authentication.chain is a comma separate list of name:type pairs. name can be any unique identifier of your choice. type must match a subsystem type, such as ldap or ldap-ad.

passthru.authentication.servers should be a comma separated list of Windows Domain servers. It has nothing to do with the LDAP subsystem.

The list should prefix the server by domain name, and should also include a server to use when the domain name isn't known.

So suppose your domain is DOMAIN and server is server1. Then

passthru.authentication.servers=DOMAIN\server1,server1

should work

Yes it sounds as though LDAP sync isn't configured correctly.

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Tue, 14 Jul 2009 17:15:32 GMT

Thank you!

When I import users, delete my imported user and create it manually (upper- and lowercases are identical) I can instantly use CIFS and NTLM.
There seems to be something, that makes me look like another person, when being imported. Which property could that be? There are no special characters in my name or password and it's the same case for another user (in our testing environment).

The LDAP-sync configuration being used here worked with 2.9b.

By the way, what exactly is the purpose of '\' in ldap.synchronization.userSearchBase=ou\=_Departments,dc=intranet,dc=de ?
For me, leaving it out, doesn't make a difference. Is it an escaping character? In the example file, it's
ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=domain after ou=.

Re: Alfresco 3.2 LDAP user sync without group sync possible!

dward — Tue, 14 Jul 2009 17:21:23 GMT

Yes, the \ is the escape character. Because = has a special meaning in a properties file, it should usually be escaped. But normally it doesn't matter if you forget to, unless the property key has an = in it. The colon character also behaves like = and should be escaped. See

http://java.sun.com/j2se/1.5.0/docs/api/java/util/Properties.html#load(java.io.InputStream)

So is the sync working or not? If it is you would see messages about users and groups being created in your logs.

Re: Alfresco 3.2 LDAP user sync without group sync possible!

dward — Tue, 14 Jul 2009 17:23:01 GMT

Please include a dump of all your ldap.synchronization.* properties. Note that all of them have changed name since 2.9.

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Tue, 14 Jul 2009 17:43:10 GMT

Thank you for your explanation.

The sync is working fine. I just thought, that the escaping character may have an effect on the user data imported (being not seen as "me").

I actually used ldap-ad-authentication.properties (will leave that alone and reinstall completely, if I proceed with this point).

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsytem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=false

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true

# How to map the user id entered by the user to taht passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@domain

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
#ldap.authentication.java.naming.provider.url=ldap://172.16.131.15:686 SSL-Port, not used here.
ldap.authentication.java.naming.provider.url=ldap://172.16.131.15:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=Administrator
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< By the way: This doesn't work for me, if I add my username. Only 'admin' gets the admin panel.

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=INTRANET\\LDAP_User

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=ThePassword

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=Nogroup)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import. userAccountControl: bit checks for disabled and non-user accounts
#ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
#ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=Security Groups,ou\=Alfresco,dc=domain
#ldap.synchronization.groupSearchBase=ou\=Gruppen,ou=\_Global,dc=intra,dc=ads-root,dc=de

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
#ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=domain
ldap.synchronization.userSearchBase=ou=\_Departments,dc=intranet,dc=de

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
# userHomesHomeFolderProvider personalHomeFolderProvider companyHomeFolderProvider guestHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=Nogroup

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

Re: Alfresco 3.2 LDAP user sync without group sync possible!

_sax — Wed, 15 Jul 2009 12:53:06 GMT

I'm really sorry, I misunderstood the meaning of the AlfrescoNtlm subsystem.
I thought, it would not only autosign local users on, but also those that are synced with Alfresco and - during automated login - are authenticated against an LDAP database.
So I had the wrong authentication chain:
AlfrescoNtlm, followed by LDAP sync did sync all users, but none of them was able to sign on because the first subsystem only checked the local user database, containing none of the synced entries. And the latter did not have ldap authentication enabled, only sync.

Now I use authentication.chain=Authenticationassthru,Syncing:ldap-ad and CIFS, NTLM and syncing work like a charm.
In the passthru folder I allowed SSO.

The subsystem configuration made a giant leap with 3.2!

Re: Alfresco 3.2 LDAP user sync without group sync possible!

pbkoob — Thu, 23 Jul 2009 14:59:11 GMT

Now I have another issue which is kind of the opposite. I WANT to get my groups but I can't, because whenever there's a little glitch in the LDAP, such as a missing attribute in one of the members of the group, the whole sync goes down. See my thread at http://forums.alfresco.com/en/viewtopic.php?f=9&t=20325 and my bug report at https://issues.alfresco.com/jira/browse/ETHREEOH-2484. If you're interested in a fix, make sure you "vote" on my bug report, so it will get some attention!

There appears to be a suggestion in the the issue on how to fix this. It requires overriding configurations in swing. Can anyone explain to me how to do this with clearer detail?