topic Re: How do I know LDAP Sync is working? in Alfresco Archive

How do I know LDAP Sync is working?

jriker1 — Fri, 19 Jun 2009 16:29:30 GMT

So I have LDAP working, and have configured my Sync xml file. How do I know it's working? If I go into the admin screen and add a user, what should I see? Do I enter their network ID and the rest fills in from AD? Any info would be appreciated.JR

Re: How do I know LDAP Sync is working?

dward — Fri, 19 Jun 2009 16:46:14 GMT

Until v3.2, LDAP sync is done through a scheduled job. You can only edit cron expressions to change the frequency with which Alfresco queries users and groups and brings them in to its own repository.

You shouldn't be adding users manually via the admin screen. They are all added during a sync operation.

See

http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#LDAP_Synchronization

Or if you try the latest and greatest nightly build, the synchronization capability is actually integrated into the authentication chain and users and their groups can actually be pulled in 'on demand' as you are probably expecting.

I'm guessing you're going to ask me about that

So suppose I have this in my alfresco-global.properties (see http://wiki.alfresco.com/wiki/Developer_Runtime_Configuration)

authentication.chain=myldap1:ldap,myldap2:ldap

i.e. I have a chain of two LDAP servers

Then, assuming you have configured the properties for myldap1 and myldap2 (look at other forum posts for how to do this - about to publish on Wiki) the preconfigured synchronization service will kick in as soon as a user is successfully authenticated and retrieve the users and groups added since the last sync. 'Collision' resolution is done using the directory's position in the chain.

Note we are still working on ironing out some AD compatibility problems in the nightly build- it currently works with openldap.

Re: How do I know LDAP Sync is working?

jtp — Fri, 19 Jun 2009 16:57:51 GMT

Should I bother trying to get LDAP sync working with AD until there's a new nightly build? I installed the June 18th build and it's not going so well. I had almost everything working with LDAP and NTLM on the June 1 or 2nd build except SSO on Share.

Re: How do I know LDAP Sync is working?

jriker1 — Fri, 19 Jun 2009 17:51:08 GMT

I am actually working in 3.2. How does it work there?

Thanks.

JR

Re: How do I know LDAP Sync is working?

dward — Fri, 19 Jun 2009 18:43:31 GMT

If a user is successfully authenticated via LDAP but a person object doesn't yet exist for them in Alfresco, the sync service is called to do a differential sync (fetch all users and groups modified since it last synced) and the person object is created automatically.

Re: How do I know LDAP Sync is working?

jriker1 — Fri, 19 Jun 2009 18:45:35 GMT

If a user is successfully authenticated via LDAP but a person object doesn't yet exist for them in Alfresco, the sync service is called to do a differential sync (fetch all users and groups modified since it last synced) and the person object is created automatically.

So I'm assuming this is automatic. Is there something I can enable in log4g to check if the sync piece is running or has run?

JR

Re: How do I know LDAP Sync is working?

dward — Fri, 19 Jun 2009 18:49:12 GMT

With the default log settings you would see this in alfresco.log

15:44:56,575 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'lap1'
15:44:56,575 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 18-Jun-2009 13:45:34 from user registry 'AUTH.EXT.lap1'
15:44:56,966 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'dward'
15:44:56,981 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'hippo'
15:44:56,997 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'fullname'
15:44:57,012 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'walrus'
15:44:57,028 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'platypus'
15:44:57,044 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'emu'
15:44:57,059 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user 'koala'
15:44:57,403 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'kangaroo'
15:44:57,419 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user 'hippo2'
15:44:57,669 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since 18-Jun-2009 13:30:59 from user registry 'AUTH.EXT.lap1'
15:44:57,716 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.lap1'
15:44:57,716 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 9 user(s) and 3 group(s) processed

Re: How do I know LDAP Sync is working?

jriker1 — Thu, 25 Jun 2009 13:46:17 GMT

Thanks for the info. I now have LDAP sync working however have tried adding some custom attributes to the sync pull. Not sure that it is working. Is there any way to make the output more verbose to see the properties that are being pulled from AD for each user?

Thanks.

JR

Re: How do I know LDAP Sync is working?

dward — Thu, 25 Jun 2009 14:23:14 GMT

I'm afraid we don't log at the attribute level, but see my response to your "Synchronization questions" thread on attribute mapping. We may consider making the attribute map a 'composite property' one day so that it would be fully controllable via alfresco-global.properties (see the Subsystems Wiki).

Re: How do I know LDAP Sync is working?

jriker1 — Thu, 25 Jun 2009 18:31:13 GMT

I was able to get my attributes to pull so all is good there. Now to try and figure out why thru Share my personal account doesn't show up in the people search but in the Alfresco client it does. I am listed in the properties file as an admin, however if I manually pull up my account it shows all my LDAP details I pulled so know I'm physically in there.

JR

Re: How do I know LDAP Sync is working?

dward — Thu, 25 Jun 2009 19:21:43 GMT

FYI in the next nightly build you should find AD sync + auth is working and supports differential sync (only pull in changes since last sync) when a new user is successfully authenticated.

We've also created a new authentication subsystem type called ldap-ad that has some more useful defaults preconfigured for Active Directory.

We found that if you use a userNameFormat that matches the userPrincipalName (UPN) of your users (these seem to be <sAMAccountName>@<domain.dns>) you can get authentication and sync working in tandem

ldap.authentication.userNameFormat=%s@domain.dns
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=alfresco@domain.dns
ldap.synchronization.userIdAttributeName=sAMAccountName

use DIGEST-MD5 instead of simple if your user passwords are stored with reversible encryption, but this is not the default and passwords would have to be reset.

Alternatively, chain the passthru subsystem so that authentication is performed more securely.

Re: How do I know LDAP Sync is working?

jriker1 — Mon, 24 Aug 2009 19:06:44 GMT

I have everything working now however due to some waiting for my domain groups to store valid users, have tried synching up a couple people manually by hard coding them one at a time in my ldap-ad property file under ldap.synchronization.userSearchBase= Problem is after it syncs up the first user, when I change the name of the user in this field and restart Alfresco it doesn't find the next user that I put in there. I think this is because it may be looking for changes since last start and technically that user existed last time it checked. Is there a way to force Alfresco on start to sync up finding the user irregardless of if they existed before as they may have been in the AD last check but are not in Alfresco.

Thanks.

JR

Re: How do I know LDAP Sync is working?

dward — Tue, 25 Aug 2009 11:24:55 GMT

Only the scheduled sync job will do a full re-sync. By default it runs every 24 hours, but you can change this by editing

synchronization.import.cron

This page explains the cron format in use

http://www.opensymphony.com/quartz/wikidocs/TutorialLesson6.html