Alfresco and Zimbra LDAP - sync

jsosic
Champ in-the-making
Hi. Zimbra is a collaboration tool that comes bundled with mysql, openldap, postfix, amavis, ….

Anyway, I've successfully integrated Zimbra and the samba/posix zimlets (addons) and I've set up Zimbra's LDAP as the master LDAP for the Samba PDC. So, users are now added in only one place: in Zimbra's administration panel.

Now I want to sync Alfresco with the Zimbra LDAP users/groups. I've pretty much succeeded, with only one problem remaining: I can't connect users to groups. Although they are set up OK in LDAP and in Zimbra, in Alfresco I can see all the groups and all the users, but there is no connection between them. Here is my /var/lib/tomcat5/shared/classes/alfresco/extension/subsystems/Authentication/ldap/zimbraldap/ldap-authentication.properties:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=company,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://IP_OF_LDAP:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=jsosic
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=config
ldap.synchronization.java.naming.security.credentials=PASSWORD
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=posixAccount)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=groups,dc=company,dc=com
ldap.synchronization.userSearchBase=ou=people,dc=zimbra,dc=company,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=zimbraId ***
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=gidNumber
ldap.synchronization.groupType=posixGroup ***
ldap.synchronization.personType=organizationalPerson ***
ldap.synchronization.groupMemberAttributeName=memberUid ***
ldap.synchronization.enableProgressEstimation=true

Now, I've put three asterisks (***) by the configuration options that I don't understand…

So, for example, my DN for one person is: dn: uid=jsosic,ou=people,dc=zimbra,dc=company,dc=com. So that means that uid=jsosic. In a group description I have memberUid: jsosic, so I've presumed that the connection between groups and people is:
ldap.synchronization.groupMemberAttributeName=memberUid
but that doesn't work in my case. Maybe there should be something else? And what about the groupType and personType attributes? How can I be sure I've selected the correct ones? If you want, I can give you a slapcat for a user and for a group or something…
I also totally don't understand userOrganizationalIdAttributeName and how to find it in slapcat's output.

Anyway, one more question. If I restart Tomcat with changed settings in this file, will it update the groups just because the file changed? Or should I delete some group and then try to sync… I'm afraid that if I delete a group from Alfresco, it won't be fetched ever again…

Also, is there a way to force the start of a sync without restarting the whole Tomcat? It takes around 90 seconds for Tomcat5+Alfresco to start, and it's a pain to wait for every configuration change…

gyro_gearless
Champ in-the-making
Well, this is a well known problem (== "well known to me") :lol:

Seriously, it has to do with the way Zimbra stores its group attributes in LDAP:

Zimbra only stores a short id in the memberUid attribute (e.g. 'aw'), while Alfresco obviously expects the full DN (e.g. 'uid=aw,ou=people,dc=abcona,dc=int'). Bang!

A while ago I wrote a patch for Alfresco 3.0 - I will try to retrofit this patch to 3.2 (it's on today's agenda, luckily…) and then publish it as soon as it is tested 🙂

BTW, could you give a short outline of how you configured the authentication chain? I think I have this basically working here, but I am not 100% sure if all is set correctly…

Cheers
Gyro

jsosic
Champ in-the-making
Well, I thought that might present a problem, but I hoped it wouldn't.

I'll wait for your patch; I hope you can do it soon. My authentication chain is:
# LDAP
authentication.chain=zimbraldap:ldap,alfrescoNtlm1:alfrescoNtlm

My ldap-authentication.properties is in the following directory: /var/lib/tomcat5/shared/classes/alfresco/extension/subsystems/Authentication/ldap/zimbraldap.

Do you need any more information?

kmanickam
Champ in-the-making
Hi Jsosic,

Could you please help me configure Alfresco 5.0 user authentication via Zimbra LDAP 8.0.5?

Please guide me step-by-step.

Thanks
Manickam

gyro_gearless
Champ in-the-making
Hi,

you may eventually find the patch located at

http://alfredolabs.abcona.org/download/Alfresco-3.2CE-abcona-patch-20091201.zip

and also a short README at

http://alfredolabs.abcona.org/download/README.TXT

Take care not to forget the ldap.synchronization.groupLookupPattern parameter, otherwise nothing will happen :mrgreen:

LDAP group synchronization seems to run pretty smoothly now, but again: no warranties, but all kinds of feedback welcome!

Have fun and let me know if this works for you!

Greetings
Gyro

dward
Champ on-the-rise
This patch shouldn't be necessary. LDAPUserRegistry already has a workaround for posixGroup that means it will already accept groups containing UIDs that don't parse as DNs.

catch (InvalidNameException e)
{
    // The member attribute didn't parse as a DN. So assume we have a group class like
    // posixGroup (FDS) that directly lists user names
    childAssocs.add(attribute);
}

You just need a new 3.2 build. See http://forums.alfresco.com/en/viewtopic.php?f=9&t=20408&p=66718#p66718
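As an added example (not code from this thread, from Alfresco, or from the patch above), here is a small Python resolver that walks a constructed slapcat-style excerpt and applies the same rule dward's snippet describes: a member value that parses as a DN is looked up against the synced users, anything else is taken as a bare uid the way Zimbra writes memberUid. The USERS table and the MEMBER_ATTR pairing (groupType to groupMemberAttributeName) are assumptions for the demo.

```python
import re
# Constructed slapcat-style excerpt (not from the thread): a posixGroup whose memberUid values
# are bare uids, as Zimbra writes them, and a groupOfNames whose member values are full DNs.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=zimbra,dc=company,dc=com
objectClass: posixGroup
memberUid: jsosic
memberUid: aw

dn: cn=admins,ou=groups,dc=zimbra,dc=company,dc=com
objectClass: groupOfNames
member: uid=jsosic,ou=people,dc=zimbra,dc=company,dc=com
member: uid=nobody,ou=people,dc=zimbra,dc=company,dc=com
"""
# Constructed user table: lower-cased DN -> value of userIdAttributeName (uid).
USERS = {
    "uid=jsosic,ou=people,dc=zimbra,dc=company,dc=com": "jsosic",
    "uid=aw,ou=people,dc=zimbra,dc=company,dc=com": "aw",
}
# groupType -> groupMemberAttributeName: the pairing the properties file must get right.
MEMBER_ATTR = {"posixGroup": "memberUid", "groupOfNames": "member"}

def parse_ldif(text):
    """Split blank-line separated LDIF entries into dicts of attribute -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def looks_like_dn(value):
    """True when every comma-separated component is attr=value, e.g. 'uid=aw,ou=people,dc=x'."""
    return all(re.match(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$", p.strip()) for p in value.split(","))

def sync_groups(ldif_text, users):
    """Return {group dn: (resolved uids, unmatched member values)} for each group in the dump."""
    result = {}
    for entry in parse_ldif(ldif_text):
        attr = next((MEMBER_ATTR[c] for c in entry.get("objectClass", []) if c in MEMBER_ATTR), None)
        if attr is not None:  # skip non-group entries, e.g. a posixAccount in the same dump
            resolved, unresolved = set(), set()
            for value in entry.get(attr, []):
                # a bare uid (posixGroup style) is taken as-is; a DN must match a synced user entry
                uid = value if not looks_like_dn(value) else users.get(value.lower())
                (resolved if uid else unresolved).add(uid or value)
            result[entry["dn"][0]] = (resolved, unresolved)
    return result
```

Running it over a real slapcat dump of the group and people subtrees shows which member values would be matched and which would be silently dropped, which is the first thing to check when groups and users sync but never get linked.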

jsosic
Champ in-the-making
I have a 3.2r2, that's the latest community stable release… Is it fixed in this release or do I need nightly build?

dward
Champ on-the-rise
Yes it should be in 3.2r2.

jsosic
Champ in-the-making
Hi,
you may eventually find the patch located at
http://alfredolabs.abcona.org/download/Alfresco-3.2CE-abcona-patch-20091201.zip

Thank you, but that patch is for version 3.2 and I have 3.2r2… so I guess I can't use that patch for 3.2r2.

Also, I still haven't figured out how to sync the group-user connection, although I have 3.2r2, which should have this issue fixed…

jsosic
Champ in-the-making
Is there a way to set up logging level for ldap and ldap sync to DEBUG?

I'm really puzzled why this is not working.