Alfresco 3.2 LDAP user sync without group sync possible!

_sax
Champ in-the-making
With the newly factored Authentication subsystems I was able to get CIFS, NTLM and LDAP sync up and running in almost no time, great work!

Now I'm having one issue with LDAP sync. It works for users, but then tries to import groups, which I don't want it to do.
So I commented out the sections in ldap-ad-authentication.properties that belong to groups. I also commented out the sections in common-ldap-context.xml, each having the following result:

19:44:19,032 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user 'DonaldDuck'
19:44:19,790 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
19:44:27,477 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
java.lang.NullPointerException

After the import of persons, it stops with an error message (a null pointer exception, because the blank options point to nowhere).
The problem is that no user is being displayed in the admin console, and no home folder is created.

With 2.x it was possible to comment the group import trigger and have all users imported, but no groups. Is that possible with 3.2?

With the manual creation of my windows user with password in Alfresco, both NTLM and CIFS are working greatly.
13 REPLIES

fo1337
Champ in-the-making
If you want to sync users and not groups, you could do that:

ldap.synchronization.groupType=group.no
ldap.synchronization.groupQuery=(objectclass\=group.no)

the sync won't find that group type and no group will be imported.

Now I have another issue which is kind of the opposite. I WANT to get my groups but I can't, because whenever there's a little glitch in the LDAP, such as a missing attribute in one of the members of the group, the whole sync goes down. See my thread at http://forums.alfresco.com/en/viewtopic.php?f=9&t=20325 and my bug report at https://issues.alfresco.com/jira/browse/ETHREEOH-2484. If you're interested in a fix, make sure you "vote" on my bug report, so it will get some attention!

_sax
Champ in-the-making
I voted for you.
Still, I am fuddling with the group trigger:
I replaced the options as you've told me and now it throws

[flawless user import]
11:56:01,904 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'

11:56:54,778 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.alfresco.error.AlfrescoRuntimeException: 06140003 User and group import failed
[…]
Caused by: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name  'ou=groups,ou=_global,dc=intra',

which is my ldap.synchronization.groupSearchBase. If I leave that with the original Alfresco-provided options, it stays the same.
The above searchBase works with 2.9b.
Could you perhaps post your file? Thanks a lot!

dward
Champ on-the-rise
Please paste in exactly what you have configured for ldap.synchronization.groupQuery and ldap.synchronization.groupSearchBase in alfresco-global.properties. E.g.

ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com

Please also provide the full stack trace from the error message.

It's probably best not to use a dot character in the group type and group query.

_sax
Champ in-the-making
I'm really sorry, I left two options commented out, so it couldn't work. With

ldap.synchronization.groupQuery=(objectclass\=Nogroup)
ldap.synchronization.groupType=Nogroup

in ldap-ad-authentication.properties it worked:
15:10:17,333 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user 'XYZ'
15:10:18,068 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
15:10:18,403 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
15:10:18,403 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 1920 user(s) and 0 group(s) processed

If I'm trying to login through IE7, I'm now mapped to guest. With Opera, logged in as admin, every user is there with its homefolder.
Via CIFS, the log states that it can't find me:
15:13:44,030 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=8, UID=0, PID=65279
15:13:44,031 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
15:13:44,117 DEBUG [org.alfresco.smb.protocol.auth] NT Session setup NTLMSSP, MID=16, UID=0, PID=65279
15:13:44,124 DEBUG [org.alfresco.smb.protocol.auth] Using Write transaction
15:13:44,174 WARN  [org.alfresco.smb.protocol.auth] User does not exist, XYZ
although I'm displayed in the admin panel with the correct upper- and lowercase spelling. A manual login with my credentials also says I'm not there.

My authentication chain in alfresco-global.properties:
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

My corresponding options set are:
/alfrescoNtlm
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=true
/ldap-ad
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=true
/alfresco
alfresco.authentication.allowGuestLogin=true
alfresco.authentication.authenticateCIFS=true

I want to use LDAP sync and NTLM sign on. Is this possible?
With passthru, users' details like mail wouldn't be available, I presume?

dward
Champ on-the-rise
OK so we've established you are using Active Directory.

You shouldn't be copying all of ldap-ad-authentication.properties. All you need to do is include a subsystem of type ldap-ad in your authentication chain and set the properties you want to override in alfresco-global.properties.

Now it sounds like you want to use passthru for authentication and use ldap for synchronization only.

You can do this with the following in alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

Stop it trying to chain LDAP authentication with

ldap.authentication.active=false

Then configure the alfrescoNtlm and ldap-ad subsystems. See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2 for a full guide

passthru.authentication.servers=DOMAINNAME\server1,DOMAINNAME\server2,server1

ldap.synchronization.java.naming.security.principal=alfresco@domain
ldap.synchronization.java.naming.security.credentials=secret
# Only include the next two lines if you want to customize the group queries
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=Security Groups,ou\=Alfresco,dc=domain
ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=domain

_sax
Champ in-the-making
Thanks for your immediate answer!

I'm using ActiveDirectory.
The LDAP authentication was set to ldap.authentication.active=false, already.

(Should it read authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad ? Are those descriptors system-inherent?)

If I'm adding "me" before the LDAP sync as admin in Opera in an emptied but identically configured Alfresco, I can work via CIFS and NTLM correctly. Does that mean that authentication works, but there's a problem while syncing (syncing taking place in an emptied one as well, of course)?

Would the first passthru server be my Alfresco one?
passthru.authentication.servers=INTRANET\alfresco-server,INTRANET\ldap-server?

Thanks again!

dward
Champ on-the-rise
authentication.chain is a comma-separated list of name:type pairs. name can be any unique identifier of your choice. type must match a subsystem type, such as ldap or ldap-ad.

passthru.authentication.servers should be a comma-separated list of Windows Domain servers. It has nothing to do with the LDAP subsystem.

The list should prefix the server by domain name, and should also include a server to use when the domain name isn't known.

So suppose your domain is DOMAIN and server is server1. Then

passthru.authentication.servers=DOMAIN\server1,server1

should work

Yes it sounds as though LDAP sync isn't configured correctly.

_sax
Champ in-the-making
Thank you!

When I import users, delete my imported user and create it manually (upper- and lowercase are identical), I can instantly use CIFS and NTLM.
There seems to be something that makes me look like another person when being imported. Which property could that be? There are no special characters in my name or password and it's the same for another user (in our testing environment).

The LDAP-sync configuration being used here worked with 2.9b.

By the way, what exactly is the purpose of '\' in ldap.synchronization.userSearchBase=ou\=_Departments,dc=intranet,dc=de  ?
For me, leaving it out doesn't make a difference. Is it an escaping character? In the example file, it's
ldap.synchronization.userSearchBase=ou\=User Accounts,ou=\Alfresco,dc=domain after ou=.

dward
Champ on-the-rise
Yes, the \ is the escape character. Because = has a special meaning in a properties file, it should usually be escaped. But normally it doesn't matter if you forget to, unless the property key has an = in it. The colon character also behaves like = and should be escaped. See

http://java.sun.com/j2se/1.5.0/docs/api/java/util/Properties.html#load(java.io.InputStream)

So is the sync working or not? If it is you would see messages about users and groups being created in your logs.
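As an added illustration, not Alfresco's code and not something posted in this thread, the following Python implements the java.util.Properties key/value rules dward describes (the key ends at the first unescaped '=', ':' or whitespace; a backslash before any other character is silently dropped; there are no inline comments, so a trailing '# ...' becomes part of the value) and also parses an authentication.chain value into the name:type pairs described earlier in the thread. The sample lines are constructed and modelled on the thread's settings; the set of known subsystem types only contains the types named in this thread and is an assumption.

```python
"""Added illustration (not Alfresco's code): how java.util.Properties reads
alfresco-global.properties, plus a parser for the authentication.chain value.
Sample lines below are constructed, modelled on the thread's configuration."""
from typing import Dict, List, Optional, Tuple

# Subsystem types named in this thread; extend for your installation (assumption).
KNOWN_TYPES = {"alfrescoNtlm", "ldap", "ldap-ad", "passthru"}

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def unescape(raw: str) -> str:
    r"""Apply Properties escape rules: \uXXXX, \t \n \r \f, and for any other
    character the backslash is silently dropped (so '\=' -> '=' and '\A' -> 'A')."""
    out, i = [], 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 5 < len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one line into (key, value). The key ends at the first unescaped
    '=', ':' or whitespace; there are no inline comments, so a trailing '# ...'
    stays inside the value. Line continuations (trailing backslash) are not
    handled in this simplified parser."""
    line = line.lstrip()
    if not line or line[0] in "#!":
        return None
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if line[i] in "=: \t":
            break
        i += 1
    raw_key, rest = line[:i], line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return unescape(raw_key), unescape(rest)


def parse_properties(text: str) -> Dict[str, str]:
    props: Dict[str, str] = {}
    for line in text.splitlines():
        kv = parse_line(line)
        if kv:
            props[kv[0]] = kv[1]
    return props


def parse_chain(value: str) -> List[Tuple[str, str]]:
    """authentication.chain is a comma-separated list of name:type pairs;
    names must be unique and each type must be a known subsystem type."""
    pairs, seen = [], set()
    for item in value.split(","):
        name, sep, typ = item.strip().partition(":")
        if not (sep and name and typ):
            raise ValueError(f"bad chain entry {item!r}: expected name:type")
        if typ not in KNOWN_TYPES:
            raise ValueError(f"unknown subsystem type {typ!r} in {item!r}")
        if name in seen:
            raise ValueError(f"duplicate instance name {name!r}")
        seen.add(name)
        pairs.append((name, typ))
    return pairs


def suspicious_values(props: Dict[str, str]) -> List[str]:
    """Keys whose value looks like it swallowed an intended inline comment."""
    return [k for k, v in props.items() if " #" in v or " !" in v]


# Constructed sample modelled on the thread's settings (not a real site's config).
SAMPLE = r"""
# passthru authenticates, ldap-ad only synchronizes
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.active=false
ldap.synchronization.groupQuery=(objectclass\=group) # meant as a comment
ldap.synchronization.groupSearchBase=ou\=Groups,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou=User Accounts,ou=\Alfresco,dc=domain
"""

if __name__ == "__main__":
    cfg = parse_properties(SAMPLE)
    for k, v in cfg.items():
        print(f"{k} -> {v!r}")
    print("chain:", parse_chain(cfg["authentication.chain"]))
    print("swallowed comments:", suspicious_values(cfg))
```

Running it shows that escaping '=' inside a value changes nothing, that the stray backslash in ou=\Alfresco is simply dropped, and that the groupQuery value ends with " # meant as a comment", which an LDAP server would then receive as part of the search filter; suspicious_values flags exactly that key.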