
Active Directory integration, not pulling e-mail addresses.

sscbrian
Champ on-the-rise
On 5.0a now, but had the same issue with 4.2e.  My AD users can log in, and new accounts auto-create as necessary, but they have to manually edit their profile and put in their own e-mail address.  My alfresco-global.properties does include a "ldap.synchronization.userEmailAttributeName=mail" entry line.  That's the only thing that seems to be related to e-mail that I can see.  What am I missing?
9 REPLIES

mrogers
Star Contributor
That's the setting.   Are your email addresses stored in a property called mail on AD? 

The default settings should work without modification.

sscbrian
Champ on-the-rise
They appear to be so stored, unless I'm missing something.  I threw together a quick .Net app (as shown below) to query the mail property, and I do actually get my e-mail address from it.


using System;
using System.DirectoryServices;

namespace AlfrescoADQueryTest
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.Write(testLDAP());
        }

        private static string testLDAP()
        {
            //Set the correct format for the AD query and filter
            string rootQuery = "LDAP://mydomain.com/DC=mydomain,DC=com";
            string searchFilter = "(&(samAccountName=myname)(objectCategory=person)(objectClass=user))";
            string mail = "null";
            using (DirectoryEntry root = new DirectoryEntry(rootQuery))
            using (DirectorySearcher searcher = new DirectorySearcher(root))
            {
                searcher.Filter = searchFilter;
                //Only fetch the attribute we actually need
                searcher.PropertiesToLoad.Add("mail");
                using (SearchResultCollection results = searcher.FindAll())
                {
                    if (results.Count != 0)
                    {
                        SearchResult result = results[0];
                        //Get the email property from AD; accounts with no mail
                        //attribute have no "mail" entry at all, so check first
                        mail = result.Properties.Contains("mail")
                            ? result.Properties["mail"][0] as string
                            : "no mail attribute";
                    }
                }
            }
            return mail;
        }
    }
}

rjohnson
Star Contributor
Posted to the wrong place

mrogers
Star Contributor
One final thing.  Have you got synchronization turned on? ldap.synchronization.active=true

Please post all your config.

sscbrian
Champ on-the-rise
It looks like I do.  Here's the AD portion of my properties file:


### Active Directory Integration ###
authentication.chain=passthru1:passthru,ldap1:ldap
passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
#passthru.authentication.servers=192.168.100.1
passthru.authentication.servers=mydomain.com
passthru.authentication.domain=MYDOMAIN
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=bob
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS
ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal= SSCORP\\Principal
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=mydomain,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=mydomain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=false
cifs.enabled=false

mrogers
Star Contributor
I note that you are using the ldap subsystem, not the ldap-ad.  However, it will probably not matter since you are specifying all the values.

Are there any errors in the log file?  In particular, there's an annoying bug if you have debug logging turned on.

sscbrian
Champ on-the-rise
Well, here's an interesting error:
org.alfresco.repo.security.authentication.AuthenticationException: 08150001 Failed to communicate with ldap://:389. Reason javax.naming.CommunicationException, localhost:389, java.net.ConnectException, Connection refused: connect


Looks like it's trying to talk to localhost for LDAP for some reason, and that's certainly not going to work.  Oddly, user authentication does work though.

mrogers
Star Contributor
That's because you set ldap.authentication.java.naming.provider.url=ldap://:389

You must be authenticating via passthru if you can't connect to your ldap server.
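
Added example (mine, not code from the thread or from Alfresco): a small lint over an alfresco-global.properties fragment that catches the trap diagnosed above, a provider URL with an empty host that JNDI resolves to localhost, and explains why logins still succeed while sync stays broken. The sample properties are constructed from the config posted earlier in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the properties posted in this thread (not real config).
SAMPLE_PROPERTIES = """\
authentication.chain=passthru1:passthru,ldap1:ldap
ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://:389
ldap.synchronization.active=true
ldap.synchronization.userSearchBase=cn\\=users,dc=mydomain,dc=com
ldap.synchronization.userEmailAttributeName=mail
"""

def parse_properties(text):
    """Minimal Java .properties reader: skips '#'/'!' comment lines, splits key from
    value at the first unescaped '=' or ':', and drops backslash escapes in the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.search(r"(?<!\\)[=:]", line)
        key = line[:m.start()].strip() if m else line
        value = line[m.end():].strip() if m else ""
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props

def lint_ldap_config(props):
    """Return findings for the failure mode in this thread: the URL has no host, so
    JNDI talks to localhost; passthru in the chain hides this because logins work."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    host = urlsplit(url).hostname if url else None   # None for "ldap://:389"
    if url and not host:
        findings.append(f"provider.url '{url}' has no host; JNDI will connect to localhost")
    if "passthru" in props.get("authentication.chain", "") and not host:
        findings.append("authentication.chain includes passthru, so logins succeed "
                        "even though the LDAP connection is broken")
    if props.get("ldap.synchronization.active") == "true" and not host:
        findings.append("ldap.synchronization.active=true but sync cannot reach LDAP; "
                        "e-mail and name attributes will never be populated")
    if props.get("ldap.synchronization.userEmailAttributeName") != "mail":
        findings.append("userEmailAttributeName should be 'mail' for Active Directory")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_config(parse_properties(SAMPLE_PROPERTIES)):
        print("WARNING:", finding)
```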

sscbrian
Champ on-the-rise
Ah, I'd totally missed that.  I'm inserting my proper LDAP information and am switching to LDAP-AD to see if that combination works better for me.  We've got some users that still need to log in.  Prompting their supervisor to have them do so and let me know the results!