topic Re: Differential sync and full sync between AD and Alfresco in Alfresco Archive

Differential sync and full sync between AD and Alfresco

erinn — Sun, 24 Jan 2010 04:29:48 GMT

I have spent a fair amount of time configuring a new alfresco install (community edition 3.2r2) and have run into some issues which I can't seem to get past. I am no LDAP expert so please hang in with me as I try to fumble my way through this.We have multiple domain controllers in our environment (a

Re: Differential sync and full sync between AD and Alfresco

sergio1024 — Mon, 25 Jan 2010 10:07:48 GMT

Hi,

I have the same problem… The first synchro get all my users (members of my AD group "GRP_ALFRSCO").

If I upgrade the group and reboot alfresco, the log is :
…0 user(s) and 0 group(s) processed…

I tried to install the alfresco.war version 3.3DEV but the problem still…

If you find the solution … I take !! lol

Regards.

Re: Differential sync and full sync between AD and Alfresco

dward — Mon, 25 Jan 2010 18:01:26 GMT

When you start / restart Alfresco, it always does a differential sync (unless it is the first startup).This is because doing a full sync every time would take too long to start Alfresco.

It's only the sync triggered by the CRON expression that's affected by the synchronization.synchronizeChangesOnly flag.

If you can't rely on timestamps, I would recommend that you configure the differential queries to be identical to the non-differential queries.

See this page for Quartz cron syntax

http://www.quartz-scheduler.org/docs/tutorial/TutorialLesson06.html

Re: Differential sync and full sync between AD and Alfresco

mkalyta — Tue, 26 Jan 2010 13:02:38 GMT

Dward,

I have the same problem as guys describe - using Windows Server 2008 R2 and Alfresco 3.2. Tried various ways but still does not work as expected.

When you say "If you can't rely on timestamps" does it mean that Alfresco may fail to get the date/time values from AD?
I have noticed that by default for AD LDAP configuration in Alfresco one of the settings is:

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

but in AD the change attribute is called "whenChanged". So should I use whenChanged instead of modifyTimestamp?

Also - could somebody tell me for which exact purpose it is recommended to grant "Read all inetOrgPerson information" permission to a bind account - this is what is stated here: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Active_Directory_Tips

Thanks

Re: Differential sync and full sync between AD and Alfresco

erinn — Thu, 28 Jan 2010 00:29:29 GMT

When you start / restart Alfresco, it always does a differential sync (unless it is the first startup).This is because doing a full sync every time would take too long to start Alfresco.

It's only the sync triggered by the CRON expression that's affected by the synchronization.synchronizeChangesOnly flag.

If you can't rely on timestamps, I would recommend that you configure the differential queries to be identical to the non-differential queries.

See this page for Quartz cron syntax

http://www.quartz-scheduler.org/docs/tutorial/TutorialLesson06.html

In hindsight that seems pretty clear thanks for the help and the link to the cron docs, it was seconds of course, who knew they added another field.

I don't know if there is a way to fix this overall but you are pitching this as an enterprise solution and surely in most enterprises you are going to run into more than one domain controller, so although this can be worked around, maybe another route for differential syncs is needed (if it is even possible another way).

As for the other user that is experiencing issues, yours may not be exactly the same as mine, the problem with whenChanged/modifyTimestamp only crops up if you have more than one domain controller and you have no way of ensuring that the domain controller you are talking to this time is the same as the domain controller you talked to during the last sync. But for historical sake here is my new config that works:

ldap.synchronization.groupQuery=(&(objectclass=group)(memberOf=cn=Alfresco Groups,OU=Alfresco,DC=domain,DC=local))

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(memberOf=cn=Alfresco Groups,OU=Alfresco,DC=domain,DC=local))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=cn=Alfresco Users,OU=Alfresco,DC=domain,DC=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=cn=Alfresco Users,OU=Alfresco,DC=domain,DC=local)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

The only thing that is different is the removal of the whenChanged/modifyTimestamp part of the query, this makes all queries full queries.

Now if I can figure out why share isn't working with any of this and I will be in business.

Thanks again,
-Erinn

Re: Differential sync and full sync between AD and Alfresco

dward — Tue, 02 Feb 2010 11:34:12 GMT

It would seem that it is possible to force connection to a single domain controller every time, e.g. LDAP://somedc.domain.com/RootDSE

See http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&mid=2f866a91-8613-4b01-a6be-e8efff11f4d1

This will be necessary to enable differential sync, given that whenChanged/modifyTimestamp/uSNChanged are not replicated. Microsoft have acknowledged this limitation. See

http://msdn.microsoft.com/en-us/library/ms677627(VS.85).aspx