Alfresco + Zimbra LDAP

vasisualy
Champ on-the-rise
Dear all,

I'm trying to combine Alfresco with my existing Zimbra server.
My idea is to use Zimbra's LDAP server as the only authentication mechanism.
It means that every Zimbra user may log into Alfresco with the same credentials and have a home folder named after his/her full name.

As I see it, for this purpose I have to set
authentication.chain=ldap1:ldap
ldap.authentication.active=true
ldap.synchronization.active=true


My problem is that the LDAP schema in Zimbra is quite different from what is described in the wiki and on this forum, and I'm not an LDAP guru.

Here is Zimbra LDAP scheme
http://wiki.zimbra.com/images/b/bc/5_Zimbra_LDAP.4.1.2.jpg

Zimbra LDAP info http://wiki.zimbra.com/index.php?title=Zimbra_Directory_Service_(LDAP)
As you see there are no subtrees.
All user info is stored in a flat structure.

Here is an example LDIF record for a Zimbra user.
#-------------------------------------------------------------------------------
# This file has been generated on  from zimbra.local:389
# by Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------------
version: 1
dn: uid=vasisualy,ou=people,dc=zimbra,dc=local
zimbraMailTransport: lmtp:zimbra.local:7025
zimbraAccountStatus: active
zimbraMailDeliveryAddress: vasisualy@zimbra.local
initials: Middle
givenName: John
sn: Smith
userPassword: {SSHA}Zb9zGRCymqk76tjE9BBZT8D8789D0Hf6
zimbraMailStatus: enabled
zimbraId: f22d0251-453d-474a-a3e4-c4f2bf3c8698
mail: sti@zimbra.local
displayName: John Middle. Smith
uid: vasisualy
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
zimbraPasswordModifiedTime: 20090910110003Z
cn: John Middle. Smith
zimbraMailHost: zimbra.local
zimbraLastLogonTimestamp: 20090910134126Z
zimbraPrefDefaultSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraSignatureName: My signature
zimbraPrefMailSignature: Here is my signature.
zimbraSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraPrefUseTimeZoneListInCalendar: TRUE
postalCode: 01030
ou: Department No 1
zimbraAllowAnyFromAddress: FALSE
street: 5th Street
zimbraNotes: Notes text.
description: Description
co: Ukraine
physicalDeliveryOfficeName: Office 1
l: Kiev
telephoneNumber: 1125
st: State
company: Company Name
-------------------------------------------------------------------------------

I have done some work and authentication works.

When a user logs into Alfresco as vasisualy, it is displayed as vasisualy.
But I need a user like "John Middle. Smith" instead of vasisualy, with a home folder.
As I see it, for this I have to use LDAP sync, and that is the problem for me now.

ldap.synchronization.personQuery=(&(ou\=*)(objectClass\=organizationalPerson)(zimbraMailStatus\=enabled))
ldap.synchronization.userSearchBase=ou\=People,dc\=zimbra,dc\=local
Alfresco imports users but stops on groups.

I do not know how to configure the following group parameters in Alfresco for my LDAP schema.
Could someone explain these parameters to me in more detail than the wiki does?
ldap.synchronization.groupQuery=
ldap.synchronization.groupSearchBase= 
ldap.synchronization.groupType=
ldap.synchronization.groupIdAttributeName=
ldap.synchronization.groupMemberAttributeName=

Is it possible to configure static non-LDAP groups for LDAP users?


Thank you in advance.
29 replies

ivan_plestina
Champ in-the-making
By taking a quick look at the zimbra wiki I would say that zimbraDistributionList is equivalent to a group. Create one, add some members to it and then run some LDAP queries to map correct values. BTW, if you manage to get this all together, please post your configs.

vasisualy
Champ on-the-rise
Thank you, Ivan, for the reply.

Unfortunately Zimbra's distribution list is not an equivalent of a user group.
It's the same as aliases for mailing lists like info@company.com, support@company.com.

I will try to add a custom group parameter to the existing schema and set it up.

Anyway, the following parameters are still not clear to me.

ldap.synchronization.groupQuery=
ldap.synchronization.groupSearchBase=
ldap.synchronization.groupType=
ldap.synchronization.groupIdAttributeName=
ldap.synchronization.groupMemberAttributeName=

Could someone explain them to me?

Thank you in advance.

ivan_plestina
Champ in-the-making
# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=ou=groups,dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

Sync-ing a group is pretty much the same as sync-ing a user. groupQuery is just a proper LDAP query with a proper objectclass - very similar to the personQuery. This is why I said you could use zimbraDistributionList in a way that you put all target group members into a distribution list and then use something like:
ldap.synchronisation.groupQuery=(objectclass=zimbraDistributionList)
ldap.synchronisation.groupMemberAttributeName=member
where the 'member' field in LDAP should contain the person's userIdAttributeName that you defined in the user sync. So to conclude, if you settle that your username in Alfresco should be, for example, your email vasisualy@domain.com, and that email is also a member of a zimbraDistributionList, then you could have both users and groups in this way.

If you post the results of an LDAP query that describes zimbraDistributionList I could be more concrete…

vasisualy
Champ on-the-rise
Here is the LDIF record of a Zimbra distribution list.
This list contains only one member.
Members are listed in zimbraMailForwardingAddress.
=============================

dn: uid=all_users,ou=people,dc=zimbra,dc=local
zimbraMailStatus: enabled
zimbraId: 88fb2bcb-bfd1-4806-8c28-a87d005831b1
displayName: All Users
mail: all_users@zimbra.local
uid: all_users
objectClass: zimbraDistributionList
objectClass: zimbraMailRecipient
zimbraMailAlias: all_users@zimbra.local
cn: All Users
description: All users in Zimbra
zimbraHideInGal: TRUE
zimbraMailForwardingAddress: vasisualy@zimbra.local

ivan_plestina
Champ in-the-making
Ok, so something like this should work if you settle with the username@zimbra.local form of usernames (and modify the user sync accordingly):
ldap.synchronisation.groupQuery=(objectclass=zimbraDistributionList)
ldap.synchronisation.groupSearchBase=dc=zimbra,dc=local
ldap.synchronisation.groupIdAttributeName=cn
ldap.synchronisation.groupType=zimbraDistributionList
ldap.synchronisation.groupMemberAttributeName=zimbraMailForwardingAddress

dward
Champ on-the-rise
Please note that vasisualy's original question was regarding the v3.2 LDAP properties which all use the letter 'z' in their name and are documented here.

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#LDAP

vasisualy
Champ on-the-rise
Thank you everyone for the help.
I got my first results.
I've done the following steps.
1. Downloaded "Alfresco-Community-3.2-MacOS-X-Install" from Alfresco.com and installed it without WCM and the SharePoint protocol.
2. Created a fresh MySQL DB.
3. Then I added the following lines to /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties
===============================================================
authentication.chain=ldap1:ldap

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://zimbra.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=vasisualy

ldap.synchronization.active=true

ldap.synchronization.queryBatchSize=1000
ldap.synchronization.java.naming.security.principal=uid=zimbra,cn=admins,cn=zimbra
ldap.synchronization.java.naming.security.credentials=Password

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

ldap.synchronization.userSearchBase=dc=zimbra,dc=local
ldap.synchronization.userIdAttributeName=zimbraMailDeliveryAddress
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider


ldap.synchronization.personQuery=(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled))
ldap.synchronization.personDifferentialQuery=(&(objectClass=organizationalPerson)(zimbraMailStatus=enabled)(!(modifyTimestamp<={0})))
ldap.synchronization.personType=organizationalPerson

ldap.synchronization.groupSearchBase=dc=zimbra,dc=local
ldap.synchronization.groupQuery=(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled))
ldap.synchronization.groupDifferentialQuery=(&(objectclass=zimbraDistributionList)(zimbraMailStatus=enabled)(!(modifyTimestamp<={0})))
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=zimbraDistributionList
ldap.synchronization.groupMemberAttributeName=zimbraMailForwardingAddress


synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true
# every 5 minutes
#ldap.synchronization.import.cron=0 * * * * ?
============================================

4. Alfresco started, and on login I see the following in catalina.out:
19:45:09,697  INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
19:45:09,698  INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'
19:45:10,265  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'admin@zimbra.local'
19:45:10,661  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'wiki@zimbra.local'
19:45:11,016  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'spam.gq9grspa@zimbra.local'
19:45:11,257  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'ham.gftvdq5ag@zimbra.local'
19:45:11,470  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'vasisualy@zimbra.local'
19:45:11,753  INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
19:45:11,782  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating group 'All Users'
19:45:11,916  INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
19:45:11,918  INFO  [security.sync.ChainingUserRegistrySynchronizer] 5 user(s) and 1 group(s) processed

The user logged in and everything seems OK.

But users were synced in a tricky way. Please see the attached picture.
http://tinypic.com/r/27xecf5/3
or http://i27.tinypic.com/27xecf5.jpg


I need advice: is there any way to tell Alfresco that I log in as vasisualy and that this corresponds to "Vasily Pupkin", and not make
2 different user records: vasisualy and "Vasily Pupkin"?

Thank you in advance.

dward
Champ on-the-rise
You need to set

ldap.synchronization.userIdAttributeName=uid

zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

ivan_plestina
Champ in-the-making
You need to set

ldap.synchronization.userIdAttributeName=uid

zimbraMailDeliveryAddress was the wrong attribute to use, as it contains the @zimbra.local suffix.

Wiki states:
ldap.synchronization.groupMemberAttributeName
    The name of the multi-valued attribute on an LDAP group object that lists its members. If the value of this attribute parses as a Distinguished Name (DN) then the exporter will resolve the member name and type by looking up that DN, determining its object class (user or group) and getting the appropriate name attribute. This strategy will work with the groupOfNames class, for example. Otherwise, the attribute value is assumed to contain a user ID. This strategy will work with the posixGroup class, for example.

So, in order to use zimbraDistributionList as a "virtual group" (if I understood vasisualy correctly there are no real groups in zimbra LDAP scheme), he must also use email addresses as UIDs in Alfresco to map users to groups correctly. I would have put the same config as vasisualy.

I understand this is some black magic we're trying here but it would be great if Alfresco and Zimbra could integrate this way and we are very close to the solution.
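An added example, not code from this thread or from Alfresco, that replays the mapping rule quoted from the wiki above over constructed LDIF entries modelled on the two posted records: people are keyed by userIdAttributeName, and a group member value is resolved by DN lookup when it is a known DN, otherwise taken as a literal user ID. The helpers `parse_ldif`, `sync` and `check` are assumptions; the result shows why `zimbraMailDeliveryAddress` splits the login name from the synced person (two records) while `uid` leaves the email-valued distribution-list members unresolved.

```python
# Constructed LDIF modelled on the user and distribution-list records in the thread.
LDIF = """\
dn: uid=vasisualy,ou=people,dc=zimbra,dc=local
objectClass: organizationalPerson
objectClass: zimbraAccount
uid: vasisualy
zimbraMailDeliveryAddress: vasisualy@zimbra.local
zimbraMailStatus: enabled

dn: uid=all_users,ou=people,dc=zimbra,dc=local
objectClass: zimbraDistributionList
uid: all_users
cn: All Users
zimbraMailStatus: enabled
zimbraMailForwardingAddress: vasisualy@zimbra.local
"""


def parse_ldif(text):
    """Minimal LDIF parser: a blank line separates entries, attributes are multi-valued."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip(), []).append(val.strip())
    return entries


def sync(entries, user_id_attr, member_attr="zimbraMailForwardingAddress"):
    """Mimic the sync (hypothetical model): people keyed by user_id_attr; a member value
    that is a known DN resolves to that entry's user ID, otherwise it is a literal ID."""
    by_dn = {e["dn"][0]: e for e in entries}
    people = {e[user_id_attr][0] for e in entries if "organizationalPerson" in e["objectClass"]}
    groups = {}
    for e in entries:
        if "zimbraDistributionList" in e["objectClass"]:
            members = [by_dn[m][user_id_attr][0] if m in by_dn else m
                       for m in e.get(member_attr, [])]
            groups[e["cn"][0]] = members
    return people, groups


def check(user_id_attr, login_uid="vasisualy"):
    """Return (login name matches a synced person, every group member is a synced person).
    login_uid is what ldap.authentication.userNameFormat=uid=%s,... authenticates as."""
    people, groups = sync(parse_ldif(LDIF), user_id_attr)
    members = {m for ms in groups.values() for m in ms}
    return login_uid in people, members <= people
```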