topic LDAP Sync against large Active Directory groups in Alfresco Archive

LDAP Sync against large Active Directory groups

sburke2 — Tue, 01 Dec 2009 21:25:30 GMT

Hello All,We're using Alfresco 3.2r here and are running into a problem synchronizing against large groups served up by active directory. If a group has more than 1500 members (on versions after win2000), AD wants to serve up the member list in a paged manner (see http://msdn.microsoft.com/en-us/lib

Re: LDAP Sync against large Active Directory groups

sburke2 — Thu, 10 Dec 2009 14:34:09 GMT

Still haven't found a solution to this. I'm finding it hard to believe that Alfresco does not support this setup – surely there are plenty of groups out there backing Alfresco with AD where the groups have more than 1500 members? If it works for you (or not) please let me know.

Re: LDAP Sync against large Active Directory groups

dward — Thu, 10 Dec 2009 15:04:40 GMT

Alfresco does support this. The default setting for the ldap-ad subsystem in v3.2 is a page size of 1000. So not a problem. Just use v3.2.

Re: LDAP Sync against large Active Directory groups

dward — Thu, 10 Dec 2009 15:06:12 GMT

It's controlled by ldap.synchronization.queryBatchSize

See

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

Re: LDAP Sync against large Active Directory groups

sburke2 — Thu, 10 Dec 2009 15:46:27 GMT

Thanks for the reply. We're using 3.2(r) here and I have looked at the queryBatchSize setting. From my understanding this setting is used to limit the results of, for example, the personQuery used to synchronize users. Our personQuery looks like:

ldap.synchronization.personQuery=(&(objectClass=user) (memberOf=CN=Employees,OU=Groups,DC=XXX,DC=XXX,DC=XXX) (cn=*))‍

and it works great; all of the members of our Employees group (about 4000) get synced just fine. Furthermore, our group query works fine – all of our groups get synchronized over and all groups which have < 1500 members have their members set correctly. The trouble is that groups with over 1500 members come up empty (have no members at all). I thought this might have something to do with the way AD serves up multi-valued attributes (see http://msdn.microsoft.com/en-us/library/aa367017%28VS.85%29.aspx); I'm not sure queryBatchSize would have any effect on this. I take it AD's paging of multi-valued attributes (the ;range) is non-standard?

Oh, here is a post where someone using a name service resolver against AD is experiencing the same problem. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476454 . I know the software is unrelated, but the behavior he is experiencing looks the same to me. In that case, libnss was not coded to handle AD's paging of multivalued attributes. To me it looks very much like Alfresco is running into the same problem. I hope I am wrong and that there is a simple solution that I'm overlooking. What do you think?

Re: LDAP Sync against large Active Directory groups

dward — Thu, 10 Dec 2009 16:24:33 GMT

Thanks for the link. This is news to us. We are using RFC 2696 paged results to overcome the limit on the number of individual results returned by a search. But we were not aware that AD also limits the number of values returned for a multi-valued attribute. Luckily there is an example of doing this in Java here

http://forums.sun.com/thread.jspa?threadID=578347

I have logged this bug and hope to fix it soon

https://issues.alfresco.com/jira/browse/ETHREEOH-3770

Re: LDAP Sync against large Active Directory groups

dward — Tue, 19 Jan 2010 08:57:39 GMT

FYI this is now fixed on HEAD.