topic Re: Active Directory group sync not working in Alfresco Archive

Active Directory group sync not working

akhan — Tue, 19 Jan 2010 21:36:08 GMT

I followed the example on http://www.anotherstrangerme.com/alfresco-integration-with-active-directory/ to setup authentication and ldap/ad sync. Authentication (using NTLM) is working fine but I am not seeing any group information from AD. I am trying map some AD groups to Alfresco groups and assig

Re: Active Directory group sync not working

ivan_plestina — Thu, 21 Jan 2010 08:45:52 GMT

Can you post your config?

Re: Active Directory group sync not working

akhan — Thu, 21 Jan 2010 18:06:37 GMT

    #
    # LDAP Sync
    #
    # This flag enables use of this LDAP subsystem for authentication. It may be
    # that this subsytem should only be used for synchronization, in which case
    # this flag should be set to false.
    ldap.authentication.active=false
    ldap.authentication.java.naming.security.authentication=simple

    # This flag enables use of this LDAP subsystem for user and group
    # synchronization. It may be that this subsytem should only be used for
    # authentication, in which case this flag should be set to false.
    ldap.synchronization.active=true
    ldap.authentication.userNameFormat=%s
    ldap.authentication.allowGuestLogin=true
    ldap.authentication.java.naming.provider.url=ldap://206.x.x.x:389

    # The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
    ldap.synchronization.java.naming.security.principal=CN\=Alfresco User,CN\=Users,DC\=myorg,DC\=ca,DC\=us

    # The password for the default principal (only used for LDAP sync)
    ldap.synchronization.java.naming.security.credentials=password

    # If positive, this property indicates that RFC 2696 paged results should be
    # used to split query results into batches of the specified size. This
    # overcomes any size limits imposed by the LDAP server.
    ldap.synchronization.queryBatchSize=1000

ldap.authentication.escapeCommasInUid=false

    # The query to select all objects that represent the groups to import.
    ldap.synchronization.groupQuery=(&(objectclass=group)(memberOf=DC\=myorg,DC\=ca,DC\=us))

    # The query to select objects that represent the groups to import that have changed since a certain time.
    ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(memberOf=DC\=myorg,DC\=ca,DC\=us)(!(modifyTimestamp<={0})))

    # The query to select all objects that represent the users to import.
    ldap.synchronization.personQuery=(&(objectclass=user)(|(memberOf=DC\=myorg,DC\=ca,DC\=us)(memberOf=DC\=\myorg,DC\=ca,DC\=us))(userAccountControl\:1.2.840.113556.1.4.803\:=512))

    # The query to select objects that represent the users to import that have changed since a certain time.
    ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(|(memberOf=DC\=\myorg,DC\=ca,DC\=us)(memberOf=DC\=\myorg,DC\=ca,DC\=us))(userAccountControl\:1.2.840.113556.1.4.803\:=512)(!(modifyTimestamp<={0})))

    # The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
    ldap.synchronization.groupSearchBase=DC=\myorg,DC\=ca,DC\=us)

    # The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
    ldap.synchronization.userSearchBase=DC=\myorg,DC\=ca,DC\=us)

    # The name of the operational attribute recording the last update time for a group or user.
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

    # The timestamp format. Unfortunately, this varies between directory servers.
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss’.0Z’

    # The attribute name on people objects found in LDAP to use as the uid in Alfresco
    ldap.synchronization.userIdAttributeName=sAMAccountName

    # The attribute on person objects in LDAP to map to the first name property in Alfresco
    ldap.synchronization.userFirstNameAttributeName=givenName

    # The attribute on person objects in LDAP to map to the last name property in Alfresco
    ldap.synchronization.userLastNameAttributeName=sn

    # The attribute on person objects in LDAP to map to the email property in Alfresco
    ldap.synchronization.userEmailAttributeName=mail

    # The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
    ldap.synchronization.userOrganizationalIdAttributeName=company

    # The default home folder provider to use for people created via LDAP import
    ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

    # The attribute on LDAP group objects to map to the gid property in Alfrecso
    ldap.synchronization.groupIdAttributeName=cn

    # The group type in LDAP
    ldap.synchronization.groupType=group

    # The person type in LDAP
    ldap.synchronization.personType=user

    # The attribute in LDAP on group objects that defines the DN for its members
    ldap.synchronization.groupMemberAttributeName=member

    synchronization.synchronizeChangesOnly=true‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Active Directory group sync not working

ivan_plestina — Thu, 21 Jan 2010 22:12:43 GMT

Well for start your group and user queries are wrong. In AD lets say that you want to import all groups that are member of "Alfresco Groups" group you'd use something like this:

ldap.synchronization.groupQuery=(&(objectclass=group)(memberOf=CN\=Alfresco Groups,CN\=Users,DC\=myorg,DC\=ca,DC\=us))‍

To import all groups in AD use just:

ldap.synchronization.groupQuery=(objectclass=group)‍

To import all groups from some OU then use the above query but narrow down the groupSearchBase.

Same rules apply for users. I suggest using a tool like SysInternals ADExplorer that shows you alot more useful information to build proper queries.

Re: Active Directory group sync not working

akhan — Mon, 25 Jan 2010 21:26:54 GMT

I think the query should be fine since I have used it in other systems. I am not seeing any errors! And I am not seeing any of the AD groups.

Re: Active Directory group sync not working

ivan_plestina — Tue, 26 Jan 2010 10:57:08 GMT

Well, to prove you wrong why don't you try setting the following:

ldap.synchronization.personQuery=(objectclass=user)
ldap.synchronization.groupQuery=(objectclass=group)‍‍

And then do the full sync…

You're not seeing any errors because you can put anything in your LDAP query but what yours return is simply an empty set because it's not good.

Re: Active Directory group sync not working

micdy — Wed, 27 Jan 2010 20:19:51 GMT

Ok, i think i start to anderstand.

so if i want to select all users who are in group : my_employees


ldap.synchronization.personQuery=(&(objectclass=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com))
‍‍‍

is that rite?
because it dont work for me

Re: Active Directory group sync not working

dward — Tue, 02 Feb 2010 11:49:32 GMT

You are confusing groups with organizational units (OUs). Group and User distinguished names (DNs) are organized in a tree structure containing the names of various OUs and domain components (DCs).

To restrict the user and group search to specific OUs, you must include these in groupSearchBase and userSearchBase. These "SearchBase" attributes are simply the DN suffix that should be common to all members.

So the only attributes you would have to change would be these (just remove or comment out all the rest to get sensible defaults)

ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://206.x.x.x:389
ldap.synchronization.java.naming.security.principal=CN\=Alfresco User,CN\=Users,DC\=myorg,DC\=ca,DC\=us
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=DC=\myorg,DC\=ca,DC\=us
ldap.synchronization.userSearchBase=DC=\myorg,DC\=ca,DC\=us

Now if you really want to restrict it to only the users in a certain group (rather than a certain OU) whose full DN is CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com you can use memberof, but remember to extend the differentialquery too!

ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=my_employee))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=my_employee)(!(modifyTimestamp<\={0})))

Re: Active Directory group sync not working

micdy — Wed, 03 Feb 2010 14:38:26 GMT

Wow, thanks, now i anderstand querry better, and i really only have the users i want to

thank you