https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298227#M251357 <HTML><HEAD></HEAD><BODY><SPAN>I am having a load of issues with integrating Alfresco 4.2.c with Active Directory. Please allow me to detail my first issue and hopefully some of you will point out my mistake. All/any help will be greatly appreciated…</SPAN><BR /><BR /><SPAN>If I clean the DB and start Alfresco with my configuration - listed below, everything is fine. If I then simply stop and restart Alfresco I get this exception:</SPAN><BR /><BR /><SPAN>12:51:51,022 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [Synchronization, default]</SPAN><BR /><SPAN>12:51:51,069 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'</SPAN><BR /><SPAN>12:51:51,116 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since 12-Nov-2013 16:16:33 from user registry 'ldap1'</SPAN><BR /><SPAN>12:51:51,755 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries</SPAN><BR /><SPAN>12:51:51,755 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries</SPAN><BR /><SPAN>12:51:51,771 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 03-Feb-2014 17:28:21 from user registry 'ldap1'</SPAN><BR /><SPAN>12:51:51,771 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error</SPAN><BR /><SPAN>org.alfresco.error.AlfrescoRuntimeException: 01040001 User and group import failed</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1188)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.access$2500(LDAPUserRegistry.java:77)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$PersonCollection.&lt;init&gt;(LDAPUserRegistry.java:1349)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getPersons(LDAPUserRegistry.java:544)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:1599)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:587)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:1919)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:529)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:1913)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecyc</SPAN><BR /><BR /><SPAN>Caused by: javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'ou=Workers,dc=vvv,dc=xxx,dc=yyy,dc=zzz'</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:446)</SPAN><BR /><BR /><SPAN>The funny thing is that any subsequent CRON synch jobs run without any errors:</SPAN><BR /><BR /><SPAN>12:55:00,078 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'</SPAN><BR /><SPAN>12:55:00,078 WARN&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Full synchronization with user registry 'ldap1'</SPAN><BR /><SPAN>12:55:00,078 WARN&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Some users and groups previously created by synchronization with this user registry may be removed.</SPAN><BR /><SPAN>12:55:00,094 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'</SPAN><BR /><SPAN>12:55:01,092 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 1 entries</SPAN><BR /><SPAN>12:55:01,124 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 31 per second. 0 failures detected.</SPAN><BR /><SPAN>12:55:01,124 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 1 entries</SPAN><BR /><SPAN>12:55:01,358 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldap1'</SPAN><BR /><SPAN>12:55:01,451 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 11 entries</SPAN><BR /><SPAN>12:55:01,607 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Processed 11 entries out of 11. 100% complete. Rate: 70 per second. 0 failures detected.</SPAN><BR /><SPAN>12:55:01,607 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 11 entries</SPAN><BR /><SPAN>12:55:02,138 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'</SPAN><BR /><SPAN>12:55:02,138 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 11 user(s) and 1 group(s) processed</SPAN><BR /><BR /><BR /><SPAN>Here is my configuration:</SPAN><BR /><BR /><SPAN># This flag enables use of this LDAP subsystem for authentication. It may be</SPAN><BR /><SPAN># that this subsytem should only be used for synchronization, in which case</SPAN><BR /><SPAN># this flag should be set to false.</SPAN><BR /><SPAN>ldap.authentication.active=true</SPAN><BR /><SPAN>#</SPAN><BR /><SPAN># This properties file brings together the common options for LDAP authentication rather than editing the bean definitions</SPAN><BR /><SPAN>#</SPAN><BR /><SPAN>ldap.authentication.allowGuestLogin=false</SPAN><BR /><BR /><SPAN># How to map the user id entered by the user to taht passed through to LDAP</SPAN><BR /><SPAN># In Active Directory, this can either be the user principal name (UPN) or DN.</SPAN><BR /><SPAN># UPNs are in the form &lt;sAMAccountName&gt;@domain and are held in the userPrincipalName attribute of a user</SPAN><BR /><SPAN>ldap.authentication.userNameFormat=ger\\%s</SPAN><BR /><SPAN># The LDAP context factory to use</SPAN><BR /><SPAN>ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory</SPAN><BR /><BR /><SPAN># The URL to connect to the LDAP server </SPAN><BR /><SPAN>ldap.authentication.java.naming.provider.url=ldap://….</SPAN><BR /><BR /><SPAN># The authentication mechanism to use for password validation</SPAN><BR /><SPAN>ldap.authentication.java.naming.security.authentication=simple</SPAN><BR /><BR /><SPAN># Escape commas entered by the user at bind time</SPAN><BR /><SPAN># Useful when using simple authentication and the CN is part of the DN and contains commas</SPAN><BR /><SPAN>ldap.authentication.escapeCommasInBind=false</SPAN><BR /><BR /><SPAN># Escape commas entered by the user when setting the authenticated user</SPAN><BR /><SPAN># Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is </SPAN><BR /><SPAN># pulled in as part of an LDAP sync</SPAN><BR /><SPAN># If this option is set to true it will break the default home folder provider as space names can not contain \</SPAN><BR /><SPAN>ldap.authentication.escapeCommasInUid=false</SPAN><BR /><BR /><SPAN># Comma separated list of user names who should be considered administrators by default</SPAN><BR /><SPAN>ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,admin</SPAN><BR /><BR /><SPAN># This flag enables use of this LDAP subsystem for user and group</SPAN><BR /><SPAN># synchronization. It may be that this subsytem should only be used for </SPAN><BR /><SPAN># authentication, in which case this flag should be set to false.</SPAN><BR /><SPAN>ldap.synchronization.active=true</SPAN><BR /><BR /><SPAN># The authentication mechanism to use for synchronization</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.authentication=simple</SPAN><BR /><BR /><SPAN># The default principal to bind with (only used for LDAP sync). This should be a UPN or DN</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.principal=….</SPAN><BR /><BR /><SPAN># The password for the default principal (only used for LDAP sync)</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.credentials=….</SPAN><BR /><BR /><SPAN># If positive, this property indicates that RFC 2696 paged results should be</SPAN><BR /><SPAN># used to split query results into batches of the specified size. This</SPAN><BR /><SPAN># overcomes any size limits imposed by the LDAP server.</SPAN><BR /><SPAN>ldap.synchronization.queryBatchSize=1000</SPAN><BR /><BR /><SPAN># If positive, this property indicates that range retrieval should be used to fetch</SPAN><BR /><SPAN># multi-valued attributes (such as member) in batches of the specified size.</SPAN><BR /><SPAN># Overcomes any size limits imposed by Active Directory.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><BR /><SPAN>ldap.synchronization.attributeBatchSize=1000</SPAN><BR /><BR /><BR /><BR /><SPAN>#*********************************************************************************************</SPAN><BR /><SPAN>#</SPAN><BR /><SPAN>#&nbsp;&nbsp;&nbsp;LDAP Query Properties</SPAN><BR /><SPAN>#</SPAN><BR /><SPAN>#*********************************************************************************************</SPAN><BR /><BR /><SPAN># The query to select all objects that represent the groups to import.</SPAN><BR /><SPAN>ldap.synchronization.groupQuery=(&amp;(objectclass\=group) (CN=IR Manu))</SPAN><BR /><BR /><SPAN># The query to select objects that represent the groups to import that have changed since a certain time.</SPAN><BR /><SPAN>ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=group) (CN=IR Manu, ou\=Delegated,ou\=Groups,DC=vvv,DC=xxx,DC=yyy,DC=zzz)(!(whenChanged&lt;\={0})))</SPAN><BR /><BR /><SPAN># The query to select all objects that represent the users to import.</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(memberOf=CN=IR Manu,ou\=Delegated,ou\=Groups,DC=vvv,DC=xxx,DC=yyy,DC=zzz))</SPAN><BR /><BR /><SPAN># The query to select objects that represent the users to import that have changed since a certain time.</SPAN><BR /><SPAN>ldap.synchronization.personDifferentialQuery=((&amp;(objectclass\=user)(memberOf=CN=IR Manu) (!(whenChanged&lt;\={0}))))</SPAN><BR /><BR /><SPAN># The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.</SPAN><BR /><SPAN>ldap.synchronization.groupSearchBase=ou\=Groups,dc=vvv,dc=xxx,dc=yyy,dc=zzz</SPAN><BR /><BR /><SPAN># The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.</SPAN><BR /><SPAN>ldap.synchronization.userSearchBase=ou\=Workers,dc=vvv,dc=xxx,dc=yyy,dc=zzz</SPAN><BR /><BR /><SPAN># The name of the operational attribute recording the last update time for a group or user.</SPAN><BR /><SPAN>ldap.synchronization.modifyTimestampAttributeName=whenChanged</SPAN><BR /><BR /><SPAN># The timestamp format. Unfortunately, this varies between directory servers.</SPAN><BR /><SPAN>ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'</SPAN><BR /><BR /><SPAN># The attribute name on people objects found in LDAP to use as the uid in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.userIdAttributeName=sAMAccountName</SPAN><BR /><BR /><SPAN># The attribute on person objects in LDAP to map to the first name property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.userFirstNameAttributeName=givenName</SPAN><BR /><BR /><SPAN># The attribute on person objects in LDAP to map to the last name property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.userLastNameAttributeName=sn</SPAN><BR /><BR /><SPAN># The attribute on person objects in LDAP to map to the email property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.userEmailAttributeName=mail</SPAN><BR /><BR /><SPAN># The attribute on person objects in LDAP to map to the organizational id&nbsp; property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.userOrganizationalIdAttributeName=intelOrgUnitDesc</SPAN><BR /><BR /><SPAN># The default home folder provider to use for people created via LDAP import</SPAN><BR /><SPAN>ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider</SPAN><BR /><BR /><SPAN># The attribute on LDAP group objects to map to the authority name property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.groupIdAttributeName=cn</SPAN><BR /><BR /><SPAN># The attribute on LDAP group objects to map to the authority display name property in Alfresco</SPAN><BR /><SPAN>ldap.synchronization.groupDisplayNameAttributeName=displayName</SPAN><BR /><BR /><SPAN># The group type in LDAP</SPAN><BR /><SPAN>ldap.synchronization.groupType=group</SPAN><BR /><BR /><SPAN># The person type in LDAP</SPAN><BR /><SPAN>ldap.synchronization.personType=user</SPAN><BR /><BR /><SPAN># The attribute in LDAP on group objects that defines the DN for its members</SPAN><BR /><SPAN>ldap.synchronization.groupMemberAttributeName=member</SPAN><BR /><BR /><SPAN># If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.</SPAN><BR /><SPAN>ldap.synchronization.enableProgressEstimation=true</SPAN><BR /><BR /><SPAN># Requests timeout, in miliseconds, use 0 for none (default)</SPAN><BR /><SPAN>ldap.authentication.java.naming.read.timeout=60000</SPAN><BR /><BR /></BODY></HTML> Tue, 04 Feb 2014 17:34:08 GMT jdel23 2014-02-04T17:34:08Z https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298227#M251357 I am having a load of issues with integrating Alfresco 4.2.c with Active Directory. Please allow me to detail my first issue and hopefully some of you will point out my mistake. All/any help will be greatly appreciated…If I clean the DB and start Alfresco with my configuration - listed below, everyt Tue, 04 Feb 2014 17:34:08 GMT https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298227#M251357 jdel23 2014-02-04T17:34:08Z https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298228#M251358 <HTML><HEAD></HEAD><BODY><SPAN>It doesn't like your user search base.&nbsp;&nbsp; Double check that query.&nbsp; Do you have an ldap browser you can try it on.</SPAN><BR /><BR /><SPAN>&nbsp; Also you may have a spurious backslash character.</SPAN></BODY></HTML> Tue, 04 Feb 2014 22:01:33 GMT https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298228#M251358 mrogers 2014-02-04T22:01:33Z https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298229#M251359 <HTML><HEAD></HEAD><BODY><SPAN>Hi M, thanks for the quick response. I removed the backslash in the user and group search base and I get the same response. I also verified with LDAPAdmin that the user path and filter syntax is correct.</SPAN><BR /><BR /><SPAN>What I do not understand is why the same config works when starting a clean system, then fails on a restart but works again on subsequent sync tasks?</SPAN><BR /><BR /><SPAN>Is the usrSearchBase used in sync and not on startup? Is there any documentation that describes the usage and syntax of the configuration elements?</SPAN><BR /><BR /><SPAN>Again thanks for your help&nbsp;&nbsp;&nbsp; </SPAN></BODY></HTML> Wed, 05 Feb 2014 12:45:45 GMT https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298229#M251359 jdel23 2014-02-05T12:45:45Z https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298230#M251360 <HTML><HEAD></HEAD><BODY><SPAN>There's a full sync and an incremental sync.&nbsp;&nbsp;&nbsp; I suspect one of them is not working, from what you are saying Full sync is O.K.&nbsp;&nbsp;&nbsp; But that does not square with the error message which was to do with userSearchBase&nbsp; 'ou=Workers,dc=vvv,dc=xxx,dc=yyy,dc=zzz'</SPAN></BODY></HTML> Wed, 05 Feb 2014 12:53:29 GMT https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298230#M251360 mrogers 2014-02-05T12:53:29Z https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298231#M251361 <HTML><HEAD></HEAD><BODY><SPAN>Hi M, yes you are right - my stupid mistake. I had a syntax error AND I had inadvertently set synchronizeChangesOnly=false.</SPAN><BR /><BR /><SPAN>This issue is now closed.</SPAN><BR /><BR /><SPAN>Thanks again for your help.</SPAN><BR /></BODY></HTML> Wed, 12 Feb 2014 12:55:50 GMT https://connect.hyland.com/t5/alfresco-archive/inconsistency-with-ldap-query/m-p/298231#M251361 jdel23 2014-02-12T12:55:50Z