Active Directory group sync not working

akhan
Champ in-the-making
I followed the example on http://www.anotherstrangerme.com/alfresco-integration-with-active-directory/ to set up authentication and LDAP/AD sync. Authentication (using NTLM) is working fine, but I am not seeing any group information from AD. I am trying to map some AD groups to Alfresco groups and assign space permissions to the group. I have enabled debugging for log4j.logger.org.alfresco.repo.security.* and am not seeing any issues.

Please help.

Thanks and regards,
AK

ivan_plestina
Champ in-the-making
Can you post your config?

akhan
Champ in-the-making
    #
    # LDAP Sync
    #
    # This flag enables use of this LDAP subsystem for authentication. It may be
    # that this subsytem should only be used for synchronization, in which case
    # this flag should be set to false.
    ldap.authentication.active=false
    ldap.authentication.java.naming.security.authentication=simple

    # This flag enables use of this LDAP subsystem for user and group
    # synchronization. It may be that this subsytem should only be used for
    # authentication, in which case this flag should be set to false.
    ldap.synchronization.active=true
    ldap.authentication.userNameFormat=%s
    ldap.authentication.allowGuestLogin=true
    ldap.authentication.java.naming.provider.url=ldap://206.x.x.x:389

    # The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
    ldap.synchronization.java.naming.security.principal=CN\=Alfresco User,CN\=Users,DC\=myorg,DC\=ca,DC\=us

    # The password for the default principal (only used for LDAP sync)
    ldap.synchronization.java.naming.security.credentials=password

    # If positive, this property indicates that RFC 2696 paged results should be
    # used to split query results into batches of the specified size. This
    # overcomes any size limits imposed by the LDAP server.
    ldap.synchronization.queryBatchSize=1000

    ldap.authentication.escapeCommasInUid=false

    # The query to select all objects that represent the groups to import.
    ldap.synchronization.groupQuery=(&(objectclass=group)(memberOf=DC\=myorg,DC\=ca,DC\=us))

    # The query to select objects that represent the groups to import that have changed since a certain time.
    ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(memberOf=DC\=myorg,DC\=ca,DC\=us)(!(modifyTimestamp<={0})))

    # The query to select all objects that represent the users to import.
    ldap.synchronization.personQuery=(&(objectclass=user)(|(memberOf=DC\=myorg,DC\=ca,DC\=us)(memberOf=DC\=\myorg,DC\=ca,DC\=us))(userAccountControl\:1.2.840.113556.1.4.803\:=512))

    # The query to select objects that represent the users to import that have changed since a certain time.
    ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(|(memberOf=DC\=\myorg,DC\=ca,DC\=us)(memberOf=DC\=\myorg,DC\=ca,DC\=us))(userAccountControl\:1.2.840.113556.1.4.803\:=512)(!(modifyTimestamp<={0})))

    # The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
    ldap.synchronization.groupSearchBase=DC=\myorg,DC\=ca,DC\=us)

    # The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
    ldap.synchronization.userSearchBase=DC=\myorg,DC\=ca,DC\=us)

    # The name of the operational attribute recording the last update time for a group or user.
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

    # The timestamp format. Unfortunately, this varies between directory servers.
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

    # The attribute name on people objects found in LDAP to use as the uid in Alfresco
    ldap.synchronization.userIdAttributeName=sAMAccountName

    # The attribute on person objects in LDAP to map to the first name property in Alfresco
    ldap.synchronization.userFirstNameAttributeName=givenName

    # The attribute on person objects in LDAP to map to the last name property in Alfresco
    ldap.synchronization.userLastNameAttributeName=sn

    # The attribute on person objects in LDAP to map to the email property in Alfresco
    ldap.synchronization.userEmailAttributeName=mail

    # The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
    ldap.synchronization.userOrganizationalIdAttributeName=company

    # The default home folder provider to use for people created via LDAP import
    ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

    # The attribute on LDAP group objects to map to the gid property in Alfrecso
    ldap.synchronization.groupIdAttributeName=cn

    # The group type in LDAP
    ldap.synchronization.groupType=group

    # The person type in LDAP
    ldap.synchronization.personType=user

    # The attribute in LDAP on group objects that defines the DN for its members
    ldap.synchronization.groupMemberAttributeName=member

    synchronization.synchronizeChangesOnly=true

ivan_plestina
Champ in-the-making
Well, for a start, your group and user queries are wrong. In AD, let's say that you want to import all groups that are members of the "Alfresco Groups" group; you'd use something like this:
ldap.synchronization.groupQuery=(&(objectclass=group)(memberOf=CN\=Alfresco Groups,CN\=Users,DC\=myorg,DC\=ca,DC\=us))

To import all groups in AD use just:
ldap.synchronization.groupQuery=(objectclass=group)

To import all groups from some OU then use the above query but narrow down the groupSearchBase.

Same rules apply for users. I suggest using a tool like SysInternals ADExplorer, which shows you a lot more useful information to build proper queries.

akhan
Champ in-the-making
I think the query should be fine since I have used it in other systems. I am not seeing any errors!  And I am not seeing any of the AD groups.

ivan_plestina
Champ in-the-making
Well, to prove you wrong why don't you try setting the following:
ldap.synchronization.personQuery=(objectclass=user)
ldap.synchronization.groupQuery=(objectclass=group)

And then do the full sync…

You're not seeing any errors because you can put anything in your LDAP query, but what yours returns is simply an empty set because it's not good.

micdy
Champ in-the-making
OK, I think I'm starting to understand.

So if I want to select all users who are in the group my_employees:

ldap.synchronization.personQuery=(&(objectclass=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com))

Is that right?
Because it doesn't work for me :(

dward
Champ on-the-rise
You are confusing groups with organizational units (OUs). Group and User distinguished names (DNs) are organized in a tree structure containing the names of various OUs and domain components (DCs).

To restrict the user and group search to specific OUs, you must include these in groupSearchBase and userSearchBase. These "SearchBase" attributes are simply the DN suffix that should be common to all members.

So the only attributes you would have to change would be these (just remove or comment out all the rest to get sensible defaults):

ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://206.x.x.x:389
ldap.synchronization.java.naming.security.principal=CN\=Alfresco User,CN\=Users,DC\=myorg,DC\=ca,DC\=us
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=DC=\myorg,DC\=ca,DC\=us
ldap.synchronization.userSearchBase=DC=\myorg,DC\=ca,DC\=us

Now, if you really want to restrict it to only the users in a certain group (rather than a certain OU) whose full DN is CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com, you can use memberOf, but remember to extend the differential query too!

ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf=CN\=my_employee,CN\=Users,DC\=metal_org,DC\=com)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=my_employee))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(CN\=my_employee)(!(modifyTimestamp<\={0})))
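A small filter evaluator, added here as an illustration and not part of this thread or of Alfresco, that runs the filters discussed above against a constructed sample directory (names, DNs and values are made up): it strips the .properties backslash escapes, parses the RFC 4515 filter including the AD bitwise-AND matching rule, and shows why a memberOf value that is a bare domain DN matches nothing while a group DN does. It also demonstrates one caveat of the userAccountControl rule as written: 512 tests only the NORMAL_ACCOUNT bit, so disabled accounts (bit 2 set, value 514) still match unless you exclude them explicitly.

```python
import re

def _user(cn, group, uac):  # helper for the constructed sample entries below
    return {"dn": f"CN={cn},CN=Users,DC=metal_org,DC=com", "objectClass": ["user"],
            "memberOf": [f"CN={group},CN=Users,DC=metal_org,DC=com"], "userAccountControl": [str(uac)]}

DIRECTORY = [  # constructed sample directory, not real data; 514 = 512 | ACCOUNTDISABLE
    _user("Alice", "my_employee", 512), _user("Bob", "my_employee", 514), _user("Carol", "other", 512),
    {"dn": "CN=my_employee,CN=Users,DC=metal_org,DC=com", "objectClass": ["group"], "cn": ["my_employee"]},
]

def unescape_properties(text):
    """'\\=' and '\\:' are .properties escapes; dropping them gives the filter the LDAP server sees."""
    return re.sub(r"\\([=:])", r"\1", text)

def parse(s, i=0):
    """Minimal RFC 4515 filter parser: returns (node, index just past the closing paren)."""
    i += 1                                   # skip '('
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    m = re.match(r"([\w.]+)(?::([\d.]+):)?(<=|>=|=)(.*)$", s[i:end])
    attr, rule, op, val = m.groups()
    return ("cmp", attr.lower(), rule, op, val), end + 1

def matches(node, entry):
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, rule, op, val = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])  # attribute names are case-insensitive
    if rule == "1.2.840.113556.1.4.803":     # AD bitwise-AND rule: every bit of val must be set
        return any(int(v) & int(val) == int(val) for v in values)
    if op == "<=":                           # modifyTimestamp<=... ; AD timestamps sort lexically
        return any(v <= val for v in values)
    return any(v.lower() == val.lower() for v in values)  # DNs and most AD strings compare case-insensitively

def search(filter_text):
    """DNs in DIRECTORY matching a filter written the way it appears in alfresco-global.properties."""
    node, _ = parse(unescape_properties(filter_text))
    return [e["dn"] for e in DIRECTORY if matches(node, e)]

if __name__ == "__main__":  # a bare domain DN as memberOf value never matches: memberOf holds group DNs
    print(search("(&(objectclass=user)(memberOf=DC\\=metal_org,DC\\=com))"))   # []
    print(search("(&(objectclass\\=user)(memberOf=CN\\=my_employee,CN\\=Users,DC\\=metal_org,DC\\=com)"
                 "(userAccountControl\\:1.2.840.113556.1.4.803\\:\\=512))"))  # Alice and Bob
```

Before editing alfresco-global.properties, the same filter can be checked against the real directory with ldapsearch using the sync bind DN and search base, which shows an empty result set immediately instead of a silent sync.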

micdy
Champ in-the-making
Wow, thanks, now I understand the query better, and I really only have the users I want to :)

Thank you :)