Sync all the active users of LDAP

hardik_thakkar — Mon, 15 Jun 2020 08:07:01 GMT

Hi Team,

I have configured LDAP using below properties:

### Ldap : Synchronization  ###
ldap.synchronization.active=true

######  LDAP configuration  ############
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@xyz.in
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<ip adress>:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
synchronization.syncOnStartup=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=username
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=objectclass\=user
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=dc\=XYZ,dc\=IN

ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN


ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

As per alfresco.log, i can see all the groups and users are synced in alfresco.
But when i search with '*', in admin tools --> users, i can see only 813 users available. As per my knowledge, organization has more than 15000 active AD users.

In the alfresco.log file, it says :

2020-06-15 11:52:18,428 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 81803 entries out of 81803. 100% complete. Rate: 67216 per second. 0 failures detected.

Questions:
1. How can i sync all the available active users of AD?

2. Getting below mentioned warning for multiple groups and users:

2020-06-15 11:33:17,119 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Google_Meet_POC_Group' with distinguished name: CN=Gowtham B A 90000054,OU=Users,OU=QMM-Migrated User,OU=XYZ Users,DC=xyz,DC=in

So, how to sync users/groups which has multiple OU?

3. Is there any api available through which we can identify the number of synced users from LDAP?

4. During starting of server, it prints below logs:

2020-06-15 11:42:27,849 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Apr 15, 2020 2:38:57 PM from user registry 'ldap-ad1'

How to sync with latest data?

Thanks,

Hardik

Re: Sync all the active users of LDAP

heiko_robert — Mon, 15 Jun 2020 15:41:45 GMT

Are you sure

ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN

contains all the users referenced in the groups as member? You could check your query using https://directory.apache.org/studio/

Additionally: are your group names unique?

Re: Sync all the active users of LDAP

hardik_thakkar — Mon, 15 Jun 2020 16:53:00 GMT

Hi @heiko_robert ,

In Apache directory studio, under "Root DSE", i can see 3 differrent

dc\=XYZ,dc\=IN

There are unique group name also.

I didn't have much idea about how to run queries in studio.

Thanks,

Hardik

Re: Sync all the active users of LDAP

hardik_thakkar — Sun, 30 Aug 2020 08:41:54 GMT

Hi @heiko_robert

I have verified that all the users are part of

dc\=XYZ,dc\=IN

In the ldap more than 15000 active users are there, but in admin-console --> users section, when i search with *, it provides max. 5000 results.

How to view all the active users list?
During individual search, I can't get result for many users.

Is there any other configuration required?

Thanks,

Hardik

Re: Sync all the active users of LDAP

acsme — Mon, 27 Nov 2023 10:50:30 GMT

Solved?

topic Re: Sync all the active users of LDAP in Alfresco Forum

Sync all the active users of LDAP

Re: Sync all the active users of LDAP

Re: Sync all the active users of LDAP

Re: Sync all the active users of LDAP

Re: Sync all the active users of LDAP