AD authentication & user properties reset

rajd
Champ in-the-making
Hello all,

We’re running Alfresco CE 3.2. This installation has been configured to use our Microsoft AD as the user backend. This “kind of” works.

Our problem is that the LDAP synchronization resets user properties. For example, once an LDAP user is known in Alfresco, we may change the user’s home directory in Alfresco. This works until the next synchronization, which resets the home directory to its default.

We’re wondering what is going on here. I’ve found some clues suggesting that all AD users are automatically recreated on every sync run, which of course should not happen. Also, when a user is updated, I would not expect non-AD values to be reset to their defaults.

The relevant configuration:


ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.Local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://adserver:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn\=alfrescoadm,ou\=_Users,ou\=ourcompany,dc\=domain,dc\=Local
ldap.synchronization.queryBatchSize=10000
ldap.synchronization.groupQuery=(objectclass\=Nogroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(memberOf\=CN\=Alfresco,CN\=Users,DC\=domain,DC\=Local))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))(memberOf\=CN\=Alfresco,CN\=Users,DC\=domain,DC\=Local))
ldap.synchronization.groupSearchBase=OU\=ourcompany,DC\=domain,DC\=Local
ldap.synchronization.userSearchBase=OU\=ourcompany,DC\=domain,DC\=Local
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupType=NoGroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

From the Logs:


10:08:03,346 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '748'
10:08:03,376 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 112
10:08:03,376 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '747'
10:08:03,395 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 401
10:08:03,395 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '112'
10:08:03,431 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '401'
10:08:03,481 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
10:08:03,542 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0
10:08:03,578 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
10:08:03,578 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 144 user(s) and 0 group(s) processed
10:12:00,056 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
10:12:00,056 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
10:12:00,056 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'
10:12:00,260 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 400
10:12:00,275 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 029
10:12:00,276 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '400'
10:12:00,290 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 012
10:12:00,290 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '029'
10:12:00,304 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 013
10:12:00,304 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '012'
10:12:00,321 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 015
10:12:00,321 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '013'
10:12:00,335 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 017
10:12:00,335 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '015'
10:12:00,349 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 019
10:12:00,349 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '017'
10:12:00,378 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 020
10:12:00,378 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '019'
10:12:00,394 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 022
10:12:00,394 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '020'
10:12:00,408 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 023
10:12:00,409 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '022'
10:12:00,423 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 025
10:12:00,423 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '023'
10:12:00,438 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 028

I’m quite confused about what’s happening here. The log suggests that all AD users are recreated (and subsequently updated) on every sync. That shouldn’t be, should it? Is our configuration to authenticate against AD wrong?

Best, Raj
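The log excerpt above carries the answer to the "are users recreated?" question in its own structure, so here is a small parser (added example, not part of the post or of Alfresco) that groups the lines into sync runs and reports, per run, whether it was a forced full sync and which users were read from AD and then rewritten. The sample log is constructed from the lines quoted above, not copied verbatim. The reading it applies is my own: the DEBUG "Adding user for X" lines come from the LDAPUserRegistry logger, i.e. the registry reading an entry out of AD, while the INFO "Updating user 'X'" lines come from the synchronizer writing to a person that already exists; the WARN "Forced synchronization ..." line and "Retrieving all users" mark a full-mode run. None of that is asserted by the thread itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the excerpt in the post (not the poster's log verbatim).
# As in the post, the first run is already in progress when the excerpt starts.
SAMPLE_LOG = """\
10:08:03,376 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 112
10:08:03,376 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '747'
10:08:03,395 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '112'
10:08:03,481 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
10:08:03,542 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0
10:08:03,578 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 144 user(s) and 0 group(s) processed
10:12:00,056 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
10:12:00,056 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
10:12:00,056 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'
10:12:00,260 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 400
10:12:00,275 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for 029
10:12:00,276 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '400'
10:12:00,290 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user '029'
"""

# "HH:MM:SS,mmm LEVEL [logger] message" as in the excerpt
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)
UPDATE_RE = re.compile(r"^Updating user '(?P<name>[^']*)'")
TOTALS_RE = re.compile(r"^(?P<users>\d+) user\(s\) and (?P<groups>\d+) group\(s\) processed")


@dataclass
class SyncRun:
    started: str
    forced: bool = False        # WARN "Forced synchronization ..." seen
    full_scan: bool = False     # INFO "Retrieving all users ..." seen
    fetched: List[str] = field(default_factory=list)   # registry DEBUG "Adding user for X" (read from AD)
    updated: List[str] = field(default_factory=list)   # synchronizer INFO "Updating user 'X'" (existing person rewritten)
    users_processed: Optional[int] = None
    groups_processed: Optional[int] = None


def parse_sync_runs(text: str) -> List[SyncRun]:
    """Split the log into sync runs and classify each line by logger and message."""
    runs: List[SyncRun] = []
    current: Optional[SyncRun] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        level, logger, msg = m["level"], m["logger"], m["msg"]
        if msg.startswith("Synchronizing users and groups"):
            current = SyncRun(started=m["time"])
            runs.append(current)
            continue
        if current is None:                       # excerpt starts mid-run
            current = SyncRun(started="<before " + m["time"] + ">")
            runs.append(current)
        if level == "WARN" and msg.startswith("Forced synchronization"):
            current.forced = True
        elif msg.startswith("Retrieving all users"):
            current.full_scan = True
        elif logger.endswith("LDAPUserRegistry") and msg.startswith("Adding user for "):
            current.fetched.append(msg[len("Adding user for "):].strip())
        elif (u := UPDATE_RE.match(msg)):
            current.updated.append(u["name"])
        elif (t := TOTALS_RE.match(msg)):
            current.users_processed = int(t["users"])
            current.groups_processed = int(t["groups"])
    return runs


def summarize(run: SyncRun) -> str:
    mode = "FULL (forced)" if run.forced or run.full_scan else "differential or unknown"
    return (f"run at {run.started}: mode={mode}; {len(run.fetched)} entries read from AD, "
            f"{len(run.updated)} existing users rewritten; reported totals: "
            f"{run.users_processed} users / {run.groups_processed} groups")


if __name__ == "__main__":
    for r in parse_sync_runs(SAMPLE_LOG):
        print(summarize(r))
```

Run against the real log (`parse_sync_runs(open("alfresco.log").read())`) the interesting signal is that every user the second run touches appears first as a registry read and then as an "Updating user" write, never as a create, and that the run is flagged as forced: that is a full sync rewriting existing persons, not a recreate.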
3 REPLIES

rajd
Champ in-the-making
http://wiki.alfresco.com/wiki/The_Synchronization_Subsystem

Hi there Ivan,

I'm aware of the online manual. I even read it 🙂

Is there something in here I should have a look at? As far as I understand it, I don't know what should be changed.

Best, Robin

ivan_plestina
Champ in-the-making
Well, according to the wiki, this:
synchronization.synchronizeChangesOnly
    Should the scheduled sync job run in differential mode? The default is false, which means that the scheduled sync job is run in full mode. Regardless of this setting a differential sync may still be triggered when a user is successfully authenticated who does not yet exist in Alfresco.


If the change doesn't work out as expected then it looks like a bug to me…
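To tie the wiki setting quoted in the reply above back to the configuration in the first post, here is an added example (mine, not the poster's file and not Alfresco code) that reads an Alfresco `*.properties` fragment, reports whether the scheduled sync will run in full mode because `synchronization.synchronizeChangesOnly` is absent or false (the default quoted from the wiki), and emits the corrected settings. While it is there it also flags two things a practitioner would check in the same file: a simple bind over plain `ldap://` (the posted config binds to `ldap://adserver:389` with `security.authentication=simple`, which sends the sync account's password and every user's login password over the network in cleartext) and guest login. The sample properties are constructed from the thread; the `ldaps://adserver:636` rewrite assumes the DC offers LDAPS on the standard port, and the properties reader is deliberately minimal (no line continuations or `\uXXXX` escapes).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the properties posted in the thread (not the poster's file verbatim).
# Note the java.util.Properties escaping of '=' and ':' inside values, which parse_properties() undoes.
SAMPLE_PROPERTIES = r"""
# authentication
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.Local
ldap.authentication.java.naming.provider.url=ldap://adserver:389
ldap.authentication.java.naming.security.authentication=simple
# synchronization
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn\=alfrescoadm,ou\=_Users,ou\=ourcompany,dc\=domain,dc\=Local
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines; the first unescaped
    '=', ':' or whitespace ends the key; backslash escapes are removed from key and value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key: List[str] = []
        i = 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):   # escaped character belongs to the key
                key.append(line[i + 1])
                i += 2
                continue
            if c in "=:" or c.isspace():
                break
            key.append(c)
            i += 1
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props["".join(key)] = re.sub(r"\\(.)", r"\1", rest)
    return props


def audit_sync_config(props: Dict[str, str]) -> Tuple[List[str], Dict[str, str]]:
    """Return (findings, corrected settings). Only keys that appear in the thread are checked."""
    findings: List[str] = []
    fixes: Dict[str, str] = {}

    # 1. Sync mode: per the wiki text quoted in the thread, synchronizeChangesOnly defaults to
    #    false, so every scheduled run is a full sync that re-reads every person from AD.
    if props.get("synchronization.synchronizeChangesOnly", "false").strip().lower() != "true":
        findings.append("synchronization.synchronizeChangesOnly is unset/false: scheduled sync runs in full mode")
        fixes["synchronization.synchronizeChangesOnly"] = "true"

    # 2. Transport: a simple bind over plain ldap:// carries passwords in cleartext.
    #    Assumption: the DC listens for LDAPS on 636.
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth = props.get("ldap.authentication.java.naming.security.authentication", "simple").strip().lower()
    if url.lower().startswith("ldap://") and auth == "simple":
        findings.append("simple bind over unencrypted ldap://: credentials cross the network in cleartext")
        fixes["ldap.authentication.java.naming.provider.url"] = re.sub(
            r"^ldap://([^/:]+)(:389)?", r"ldaps://\1:636", url, flags=re.IGNORECASE)

    # 3. Guest login should stay off when AD is the only identity source.
    if props.get("ldap.authentication.allowGuestLogin", "false").strip().lower() == "true":
        findings.append("ldap.authentication.allowGuestLogin=true: unauthenticated access is enabled")
        fixes["ldap.authentication.allowGuestLogin"] = "false"

    return findings, fixes


def render_properties(settings: Dict[str, str]) -> str:
    """Write settings back with '=' and ':' escaped the way the posted file does."""
    lines = []
    for k, v in settings.items():
        escaped = re.sub(r"([=:])", r"\\\1", v)
        lines.append(k + "=" + escaped)
    return "\n".join(lines)


if __name__ == "__main__":
    current = parse_properties(SAMPLE_PROPERTIES)
    problems, corrections = audit_sync_config(current)
    for p in problems:
        print("finding:", p)
    corrected = dict(current)
    corrected.update(corrections)
    print(render_properties(corrected))
```

Point it at the real file with `parse_properties(open("alfresco-global.properties").read())` (the file name is an assumption; use whichever properties file holds the subsystem settings on your installation). Switching `synchronizeChangesOnly` to `true` only changes the scheduled job; the "Forced synchronization" warning in the posted log will still appear for any full sync that is triggered explicitly.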