Alfresco + Zimbra LDAP

vasisualy
Champ on-the-rise
Dear all,

I'm trying to combine Alfresco with my existing Zimbra server.
My idea is to use Zimbra's LDAP server as the only authentication mechanism.
It means that every Zimbra user may log into Alfresco with the same credentials and have a home folder named after his/her full name.

As I see it, for this purpose I have to set
authentication.chain=ldap1:ldap
ldap.authentication.active=true
ldap.synchronization.active=true


My problem is that the LDAP schema in Zimbra is quite different from what was described in the wiki and on this forum, and I'm not an LDAP guru.

Here is the Zimbra LDAP scheme (image):
http://wiki.zimbra.com/images/b/bc/5_Zimbra_LDAP.4.1.2.jpg

Zimbra LDAP info: http://wiki.zimbra.com/index.php?title=Zimbra_Directory_Service_(LDAP)
As you see, there are no subtrees.
All user info is stored in a flat structure.

Here is an example LDIF record for a Zimbra user.
#-------------------------------------------------------------------------
# This file has been generated on  from zimbra.local:389
# by Softerra LDAP Browser 2.6 (http://www.ldapbrowser.com)
#-------------------------------------------------------------------------
version: 1
dn: uid=vasisualy,ou=people,dc=zimbra,dc=local
zimbraMailTransport: lmtp:zimbra.local:7025
zimbraAccountStatus: active
zimbraMailDeliveryAddress: vasisualy@zimbra.local
initials: Middle
givenName: John
sn: Smith
userPassword: {SSHA}Zb9zGRCymqk76tjE9BBZT8D8789D0Hf6
zimbraMailStatus: enabled
zimbraId: f22d0251-453d-474a-a3e4-c4f2bf3c8698
mail: sti@zimbra.local
displayName: John Middle. Smith
uid: vasisualy
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
zimbraPasswordModifiedTime: 20090910110003Z
cn: John Middle. Smith
zimbraMailHost: zimbra.local
zimbraLastLogonTimestamp: 20090910134126Z
zimbraPrefDefaultSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraSignatureName: My signature
zimbraPrefMailSignature: Here is my signature.
zimbraSignatureId: f748cca8-04dd-4e7f-a066-187e22357b85
zimbraPrefUseTimeZoneListInCalendar: TRUE
postalCode: 01030
ou: Department No 1
zimbraAllowAnyFromAddress: FALSE
street:: 5th Street
zimbraNotes: Notes text.
description: Description
co: Ukraine
physicalDeliveryOfficeName: Office 1
l: Kiev
telephoneNumber: 1125
st: State
company: Company Name
-----------------

I have done some work and authentication works.

When a user logs into Alfresco as vasisualy, it is displayed as vasisualy.
But I need a user like "John Middle. Smith" instead of vasisualy, with a home folder.
As I see it, for this I have to use LDAP sync, and that is the problem for me now.

ldap.synchronization.personQuery=(&(ou\=*)(objectClass\=organizationalPerson)(zimbraMailStatus\=enabled))
ldap.synchronization.userSearchBase=ou\=People,dc\=zimbra,dc\=local
Alfresco imports users but stops on groups.

I do not know how to configure the following group parameters in Alfresco for my LDAP schema.
Could someone explain these parameters to me in more detail than the wiki does?
ldap.synchronization.groupQuery=
ldap.synchronization.groupSearchBase= 
ldap.synchronization.groupType=
ldap.synchronization.groupIdAttributeName=
ldap.synchronization.groupMemberAttributeName=

Is it possible to configure static non-LDAP groups for LDAP users?


Thank you in advance.
29 replies

vasisualy
Champ on-the-rise
Dear mates,
I use Zimbra Community Edition 6.0.8 + Alfresco 3.3g Community Edition.
It works pretty well.

Here is my cron setting on the Zimbra server. It makes LDAP changes to provide ou=groups for Alfresco and other services.

zimbra@zimbraserver:~$ crontab -l
….
# ZIMBRAEND - DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART

# Zimbra LDAP groups mirroring
# minute(s) hour(s) day(s)_of_month month(s) day(s)_of_week user command
*/15 * * * * /usr/bin/python /opt/bin/dl2groups.py -a -d -p `/opt/zimbra/bin/zmlocalconfig -s -m nokey zimbra_ldap_password` > /dev/null 2>&1


Here is a cut from my Alfresco settings files.
Please note that I use 3 different domains in Zimbra, thus in Alfresco I use 3 auth chains.
In Zimbra I created for each of the 3 domains a distribution list, like only_domain1, only_domain2, only_domain3.
In my settings Alfresco imports only these lists. I do not need groups like support or info in my Alfresco.
It also filters out maintenance Zimbra accounts, etc.

Please bear in mind that account synchronization and LDAP authentication are different things. 🙂

/opt/tomcat/shared/classes/alfresco-global.properties


# LDAP Sync options
synchronization.syncOnStartup=true
synchronization.synchronizeChangesOnly=false
# A cron expression defining when the scheduled synchronization job should run, by default at midnight every day
# java quartz cron see http://quartz.sourceforge.net/javadoc/org/quartz/CronTrigger.html
# http://www.quartz-scheduler.org/docs/tutorial/TutorialLesson06.html
# sync every 30 minutes
synchronization.import.cron=0 0/30 * * * ?
# Should we trigger a differential sync when a user is successfully authenticated who does not yet exist in Alfresco?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap,ldap2:ldap,ldap3:ldap
# authentication.chain=crowd-auth:crowd-auth
alfresco.authentication.allowGuestLogin=false

# LDAP part (ldap1)
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=domain_1,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://my_fimbra_server.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=my_zimbra_login

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid\=zimbra,cn\=admins,cn\=zimbra
ldap.synchronization.java.naming.security.credentials=PasswordForZimbraLdapUserZimbra
ldap.synchronization.queryBatchSize=1000

ldap.synchronization.groupQuery=(&(objectClass=groupOfNames)(cn=only_*))
ldap.synchronization.groupDifferentialQuery=(&(objectClass=groupOfNames)(cn=only_*))

ldap.synchronization.personQuery=(&(objectclass=organizationalPerson)(!(objectClass=zimbraCalendarResource))(zimbraMailStatus=enabled)(zimbraAccountStatus=active)(!(|(uid=wiki)(uid=admin)(uid=spam.*)(uid=ham.*)(uid=galsync)(uid=*robot*))))
ldap.synchronization.personDifferentialQuery=(&(objectclass=organizationalPerson)(!(objectClass=zimbraCalendarResource))(zimbraMailStatus=enabled)(zimbraAccountStatus=active)(!(|(uid=wiki)(uid=admin)(uid=spam.*)(uid=ham.*)(uid=galsync)(uid=*robot*)))(!(modifyTimestamp<\={0})))
#ldap.synchronization.personDifferentialQuery=(&(objectclass=organizationalPerson)(!(objectClass=zimbraCalendarResource))(zimbraMailStatus=enabled)(zimbraAccountStatus=active)(!(|(uid=wiki)(uid=admin)(uid=spam.*)(uid=ham.*)(uid=galsync)(uid=*robot*))))

ldap.synchronization.groupSearchBase=dc=com
ldap.synchronization.userSearchBase=dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=organizationalPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true



Because I use 3 auth chains, I had to create 3 directories on the Alfresco server in /opt/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/
ldap1 - empty. We already set the settings for ldap1 in alfresco-global.properties
ldap2 - for the 2nd chain
contains the file ldap-authentication.properties
ldap3 - for the 3rd chain
contains the file ldap-authentication.properties

In my case the file ldap-authentication.properties is almost the same for ldap2 and ldap3.
The only difference is the domain names.

# LDAP part
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=domain_2,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://my_fimbra_server.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
#ldap.authentication.defaultAdministratorUserNames=my_zimbra_login



Wish you luck.
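
The personQuery in the post above decides which Zimbra accounts get created as Alfresco users, so it pays to check what it selects before a sync runs against the real tree and creates accounts for the admin, spam-training or robot mailboxes. As an added example (not code from this thread and not Alfresco code), here is a small RFC 4515 filter evaluator run over constructed sample accounts; only the filter string is taken from the post, while the entries, uids and timestamps are assumptions. The `\=` seen in the .properties files is Java Properties escaping, removed before the filter reaches the LDAP server, so the filter is used unescaped here; Alfresco fills the `{0}` of the differential query with the last sync time rendered in `ldap.synchronization.timestampFormat`.

```python
import re

# Filter string taken from the post above, unescaped: the "\=" in the .properties file is
# Java Properties escaping and is gone by the time the filter reaches the LDAP server.
PERSON_QUERY = (
    "(&(objectclass=organizationalPerson)(!(objectClass=zimbraCalendarResource))"
    "(zimbraMailStatus=enabled)(zimbraAccountStatus=active)"
    "(!(|(uid=wiki)(uid=admin)(uid=spam.*)(uid=ham.*)(uid=galsync)(uid=*robot*))))"
)
# Differential form: Alfresco replaces {0} with the last sync time, rendered with
# ldap.synchronization.timestampFormat (yyyyMMddHHmmss'Z' in the post).
PERSON_DIFFERENTIAL_QUERY = PERSON_QUERY[:-1] + "(!(modifyTimestamp<={0})))"

_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(<=|>=|=)(.*)$", re.S)


def parse_filter(text):
    """Parse an RFC 4515 search filter into a tree of (op, args) tuples."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data in filter at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed compound filter near offset {i}")
        return i + 1, (op, kids)
    end = s.index(")", i)          # a literal ')' inside a value must be escaped as \29
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"malformed filter item {s[i:end]!r}")
    attr, op, value = m.groups()
    return end + 1, (op, (attr.lower(), value.lower()))


def matches(node, entry):
    """Evaluate a parsed filter against an entry ({lower-cased attr: [values]}).
    Matching is case-insensitive, as it is for Zimbra's string attributes."""
    op, args = node
    if op == "&":
        return all(matches(k, entry) for k in args)
    if op == "|":
        return any(matches(k, entry) for k in args)
    if op == "!":
        return not matches(args[0], entry)
    attr, pattern = args
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=":
        if pattern == "*":                                   # presence test, e.g. (ou=*)
            return bool(values)
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v) for v in values)
    if op == "<=":
        return any(v <= pattern for v in values)
    return any(v >= pattern for v in values)                 # op == ">="


def entry(uid, **overrides):
    """Constructed sample account in the shape of the LDIF quoted at the top of the thread."""
    e = {"uid": [uid], "objectclass": ["organizationalPerson", "zimbraAccount"],
         "zimbramailstatus": ["enabled"], "zimbraaccountstatus": ["active"],
         "modifytimestamp": ["20090910110003Z"]}
    for k, v in overrides.items():
        e[k.lower()] = v if isinstance(v, list) else [v]
    return e


# Constructed accounts (assumed uids): the kinds of entries a Zimbra tree contains.
ENTRIES = [
    entry("vasisualy"),
    entry("admin"),                                  # Zimbra administrator
    entry("spam.7e1c9a"),                            # spam-training mailbox
    entry("galsync"),                                # GAL sync account
    entry("backup-robot"),                           # caught by (uid=*robot*)
    entry("room1", objectclass=["organizationalPerson", "zimbraAccount",
                                "zimbraCalendarResource"]),
    entry("jsmith", zimbraAccountStatus="closed"),
    entry("nchen", modifyTimestamp="20100301080000Z"),
]


def select_people(filter_text, entries):
    """Return the uids that Alfresco would import with the given filter."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    print("full sync:", select_people(PERSON_QUERY, ENTRIES))
    since = "20090910120000Z"                        # last successful sync, in timestampFormat
    print("differential:", select_people(PERSON_DIFFERENTIAL_QUERY.replace("{0}", since), ENTRIES))
```

Run against the constructed entries, the full filter keeps only vasisualy and nchen, and the differential form with a sync time of 20090910120000Z keeps only nchen, whose modifyTimestamp is newer. The comparison works because the generalized-time format sorts lexicographically; if `ldap.synchronization.timestampFormat` does not match what the server returns, the `<=` test silently selects the wrong set, which is the usual cause of a differential sync that imports nothing or everything.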

wiz561
Champ in-the-making
Hi,

I'm attempting to do this exact thing and can't get it to work properly. I've tried a few things in this thread, and can't get it to authenticate or create users. Since my machine authenticates to LDAP just fine, I figured I would post a snippet of my ldap.conf file…

--ldap.conf--
base dc=csl-mail,dc=<domain>,dc=com
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw zmposis%password
ldap_version 3
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,proxy,root,sshd,sync,sys,syslog,uucp,www-data
pam_password md5
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
uri ldap://csl-mail.



--alfresco-global.properties--
authentication.chain=zimbraldap:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=csl-mail,dc=<domain>,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.120.10:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=<<my username>>
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid=zmposix,cn=appaccts,cn=zimbra
ldap.synchronization.java.naming.security.credentials=zmposis%password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=posixAccount)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=groups,dc=csl-mail,dc=<domain>,dc=com
ldap.synchronization.userSearchBase=ou=people,dc=csl-mail,dc=<domain>,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=zimbraId
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=gidNumber
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=organizationalPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true

#other stuff
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false


Any help is appreciated.

skuran
Champ in-the-making
Hello, sorry to revive an old thread, but I am having similar problems with Alfresco + Zimbra auth and found myself in this thread. Wiz561, you are referring to groupType=posixGroup, which does not exist in the Zimbra LDAP schema; are you using a modified schema?

leonk
Champ in-the-making
Did you have any luck with that configuration?
If yes, post your solution please.

wiz561
Champ in-the-making
I haven't had any luck with the configurations. I'm hoping somebody could help, because it's no easy task. :)

wiz561
Champ in-the-making
OK, I figured half of it out…

First, I turned on LDAP debug mode in Zimbra and monitored /var/log/debug, despite the fact that the logs should end up in /var/log/zimbra.log.

After that, I viewed a sample logon over SSH, which authenticates to the LDAP server, just to see what I should be seeing during LDAP authentication. Then I looked at the Alfresco one and made a minor change. I don't know if it helped the problem or not.

The interesting thing I found is that in one instance I deleted my user account from Alfresco, but it would never re-add it. I don't know if there's a way to resync user accounts in Alfresco or not. What I did was go into my Zimbra admin page and edit the address property so it would update my user record. I restarted Alfresco, and I was able to log on.

Here's my global snippet that worked…



authentication.chain=zimbraldap:ldap,alfrescoNtlm1:alfrescoNtlm

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=csl-mail,dc=<domain>,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.120.10:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=<<username>>
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=uid=zmposixroot,cn=appaccts,cn=zimbra
ldap.synchronization.java.naming.security.credentials=<<<password>>>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=posixAccount)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=groups,dc=csl-mail,dc=<domain>,dc=com
ldap.synchronization.userSearchBase=ou=people,dc=csl-mail,dc=<domain>,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=zimbraId
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=gidNumber
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=organizationalPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true

#other stuff
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=false


==============

Now, one thing that didn't work is CIFS mounts. I'm thinking that my CIFS authentication part is messed up, as I can mount as admin but not as a user. So on to that part now….

louise
Champ in-the-making
So, I've ended up with a working LDAP configuration to sync users and groups from Zimbra (see below), but one thing is still missing… The Alfresco synchronizer service reads from LDAP and writes all users and all groups into the repository, but does not reproduce the nested group hierarchy.

The debug log reports the group names as non-existent members:

12:50:33,657  DEBUG [security.sync.ChainingUserRegistrySynchronizer] Ignoring non-existent member 'XXX-99@XXX.hu' in groups {'YYY9@XXX.hu'}

12:50:33,661  DEBUG [security.sync.ChainingUserRegistrySynchronizer] Ignoring non-existent member 'XXX@XXX.hu' in groups {'YYY@XXX.hu'}


shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties:



# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://zimbra.XXX.hu:389

# The authentication mechanism to use for password validation
ldap.authentication.java.naming.security.authentication=simple



# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsytem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=uid\=zimbra,cn\=admins,cn\=zimbra

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=ZIMBRA_LDAP_PASSWORD

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=zimbraDistributionList)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=zimbraDistributionList)(!(modifyTimestamp<\={0})))


# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectClass\=organizationalPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=organizationalPerson)(!(modifyTimestamp<\={0})))


# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=people,dc\=XXX,dc\=hu

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=people,dc\=XXX,dc\=hu


# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'


# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=mail

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=displayName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=cn

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider


# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=mail

# The attribute on LDAP group objects to map to the authority display name property in Alfresco (v3.3+)
ldap.synchronization.groupDisplayNameAttributeName=mail

# The group type in LDAP
ldap.synchronization.groupType=zimbraDistributionList

# The person type in LDAP
ldap.synchronization.personType=organizationalPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=zimbraMailForwardingAddress

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
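
The two working configurations in this thread take different routes to groups. The earlier post mirrors Zimbra distribution lists into groupOfNames entries under ou=groups with a cron job (its dl2groups.py is not on this page), while the one above points Alfresco at the zimbraDistributionList objects directly and uses zimbraMailForwardingAddress as the member attribute; that attribute holds e-mail addresses rather than DNs, which is the flat-membership shape a nested list cannot survive. As an added example (neither the script from the thread nor Alfresco code), here is an offline version of the mirroring step: a minimal LDIF reader plus the mapping from a list's member addresses to the DNs of accounts or, for a nested list, of the mirrored group. The sample LDIF, the group base ou=groups,dc=zimbra,dc=local and the treatment of unresolvable addresses are assumptions.

```python
import base64
import re

# Constructed LDIF (assumed names) in the shape of the Zimbra records quoted in this thread:
# two accounts and two distribution lists, the second nested in the first.
SAMPLE_LDIF = """\
dn: uid=vasisualy,ou=people,dc=zimbra,dc=local
objectClass: organizationalPerson
uid: vasisualy
mail: vasisualy@zimbra.local
description: Department No 1, folded over two lines as LDI
 F allows

dn: uid=jdoe,ou=people,dc=zimbra,dc=local
objectClass: organizationalPerson
uid: jdoe
mail: jdoe@zimbra.local
zimbraMailAlias: john.doe@zimbra.local
cn:: Sm9obiBEb2U=

dn: uid=only_domain1,ou=people,dc=zimbra,dc=local
objectClass: zimbraDistributionList
uid: only_domain1
zimbraMailForwardingAddress: vasisualy@zimbra.local
zimbraMailForwardingAddress: John.Doe@zimbra.local
zimbraMailForwardingAddress: support@zimbra.local
zimbraMailForwardingAddress: partner@example.org

dn: uid=support,ou=people,dc=zimbra,dc=local
objectClass: zimbraDistributionList
uid: support
mail: support@zimbra.local
zimbraMailForwardingAddress: jdoe@zimbra.local
"""

_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")   # usable as an RDN value without RFC 4514 escaping


def parse_ldif(text):
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes '::' base64 values,
    returns [{'dn': ..., 'attrs': {lower-cased name: [values]}}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:            # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                         # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith(("#", "version:")):
            name, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                     if rest.startswith(":") else rest.strip())
            if name.lower() == "dn":
                current = {"dn": value, "attrs": {}}
            elif current is not None:
                current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def mirror_distribution_lists(entries, groups_base):
    """Map each zimbraDistributionList to a groupOfNames under groups_base.
    Returns ({group_dn: [member_dn, ...]}, [(list_name, problem), ...])."""
    by_address, lists, problems, groups = {}, [], [], {}
    for e in entries:                                 # pass 1: every address -> the DN it will have
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        if "zimbradistributionlist" in classes:
            name = e["attrs"]["uid"][0]
            if not _SAFE_NAME.match(name):            # never build a DN from an unchecked name
                problems.append((name, "unsafe characters in list name"))
                continue
            target = f"cn={name},{groups_base}"       # a nested list becomes a nested group
            lists.append((name, e, target))
        elif "organizationalperson" in classes:
            target = e["dn"]
        else:
            continue
        for attr in ("mail", "zimbramaildeliveryaddress", "zimbramailalias"):
            for addr in e["attrs"].get(attr, []):
                by_address[addr.lower()] = target
    for name, e, target in lists:                     # pass 2: resolve members to DNs
        members = []
        for addr in e["attrs"].get("zimbramailforwardingaddress", []):
            dn = by_address.get(addr.lower())
            if dn is None:                            # external address, no LDAP object behind it
                problems.append((name, addr))
            elif dn not in members:
                members.append(dn)
        if not members:                               # groupOfNames requires at least one member
            problems.append((name, "no resolvable members"))
            continue
        groups[target] = members
    return groups, problems


def to_ldif(groups):
    """Render the mirrored groups as LDIF for ldapadd."""
    return "\n".join(f"dn: {dn}\nobjectClass: groupOfNames\ncn: {dn.split(',', 1)[0][3:]}\n"
                     + "".join(f"member: {m}\n" for m in members)
                     for dn, members in groups.items())
```

With the constructed input, only_domain1 becomes a group whose members are the two account DNs plus `cn=support,ou=groups,dc=zimbra,dc=local`, support becomes a group of its own, and partner@example.org is reported rather than silently dropped. That is the layout the earlier post's Alfresco settings (groupType=groupOfNames, groupMemberAttributeName=member, groupIdAttributeName=cn, userIdAttributeName=uid) expect: each member is a DN under the user or group search base, so a member pointing at another mirrored group is followed as a subgroup instead of being logged as a non-existent member. Two details worth keeping in a real job: the list name is checked against a safe character set before it is used as an RDN, and the bind password for the writing account should be read from a file only the zimbra user can open, since a password passed as a command-line argument (as in the crontab line quoted earlier) is visible to every local user through `ps`.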

halione
Champ in-the-making
Hello Community,

I'm trying to get a Zimbra LDAP synced with the Alfresco LDAP, in order to import the users from Zimbra.

1.) Authenticate to the Zimbra LDAP:
- Do I need to configure a special user with access rights in Zimbra and put these user settings in the Alfresco config file in order to get access to the Zimbra LDAP? If not, how can I provide a mechanism so that not everybody can fetch the LDAP schema from Zimbra?

2.) Is the synchronisation both ways? I'm asking because I don't want to change the Zimbra LDAP.

It would be great if anybody has an answer to these questions…


Sincerely, Halion

uthen
Champ in-the-making
Dear all,

I'm trying to combine Alfresco 4.0.e (already set up on Ubuntu 12.04 Server) with my existing Zimbra Collaboration Suite Open Source Edition 7.2.0 (on Ubuntu 10.04.4 Server).

Can you provide me with step-by-step instructions, please?

skuran
Champ in-the-making
Hi thread,

Anyone having a working Zimbra LDAP auth config without an LDAP schema patch and without duplicate home folders? Please post it here. I am running Alfresco 4.2.e on CentOS 6.5. I think this is not solved yet.

Best regards,

Suleyman