Another LDAP Sync problem
09-01-2009 02:08 AM
Very new to the world of Electronic Document Management, I am trying to get Alfresco CE 3.3 (nightly build) to work in my company. Not being a Network/System admin, I am currently struggling on 2 different points of the configuration of the application. In this topic, I will focus on the authentication and the LDAP Sync.
Alfresco is installed on a Windows XP 64 workstation with plenty of RAM & HD. We have an Exchange server and Active Directory. I have been reading the wiki and the forum for the last 4 days and I can't figure out what's wrong due to lack of technical knowledge/hindsight.
My authentication chain in alfresco-global.properties is as follows and respects Example 1: Advanced AD Chain given in the Wiki:
# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
All the other files from the subsystems\Authentication folder have been modified accordingly. I struggled for a while with the LDAP userSearchBase but I think it's all good now as I have the following trace in tomcat:
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, alfrescoNtlm1]
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, alfrescoNtlm1] complete
User:System INFO [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, passthru1]
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, passthru1] complete
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'fileServers' subsystem, ID: [default] complete
User:System INFO [management.subsystems.ChildApplicationContextFactory] Starting 'imap' subsystem, ID: [default]
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'imap' subsystem, ID: [default] complete
User:System INFO [management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [default]
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap1]
User:System INFO [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap1] complete
User:System INFO [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
User:System INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 1/09/2009 14:58:28 from user registry 'ldap1'
User:System INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
User:System INFO [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
User:System INFO [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
User:System INFO [management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [default] complete
The problem I encounter is related to the imported users. After the first synchronization, information is missing (like job title), some users are disabled, the default Home Space path is not the same for each user (i.e. some have /Company Home/User Homes/userA and some have /Company Home/userA) and lastly, when I try to update their profile (and enable their accounts) in Share, I have the following error:
16:01:22,721 User:admin ERROR [web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 08010034 Wrapped Exception (with status template): 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
org.alfresco.web.scripts.WebScriptException: 08010034 Wrapped Exception (with status template): 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
    at org.alfresco.web.scripts.AbstractWebScript.createStatusException(AbstractWebScript.java:613)
    at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:165)
    at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:357)
    at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:407)
    at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:424)
    at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:288)
    at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
    at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
    at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Caused by: org.alfresco.scripts.ScriptException: 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
    at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:178)
    at org.alfresco.repo.processor.ScriptServiceImpl.executeScript(ScriptServiceImpl.java:274)
    at org.alfresco.repo.web.scripts.RepositoryScriptProcessor.executeScript(RepositoryScriptProcessor.java:108)
    at org.alfresco.web.scripts.AbstractWebScript.executeScript(AbstractWebScript.java:819)
    at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:90)
    ... 21 more
Caused by: org.alfresco.repo.security.authentication.AuthenticationException: 08010032 User not found: USERNAME
    at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.setEnabled(RepositoryAuthenticationDao.java:563)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:95)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at $Proxy91.setEnabled(Unknown Source)
    at org.alfresco.repo.jscript.People.enableAccount(People.java:290)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:155)
    at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:243)
    at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:66)
    at org.mozilla.javascript.gen.c7._c1(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js:51)
    at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
    at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:108)
    at org.mozilla.javascript.gen.c7._c0(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js:96)
    at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
    at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:393)
    at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:2834)
    at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
    at org.mozilla.javascript.gen.c7.exec(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
    at org.alfresco.repo.jscript.RhinoScriptProcessor.executeScriptImpl(RhinoScriptProcessor.java:457)
    at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:174)
    ... 25 more
However, when a user logs in for the first time in Share using his Windows credentials, then, the account becomes active and details can be updated.
I am completely puzzled and would greatly appreciate your insight on that matter. Let me know if you need more details on config/system/other.
Thanks,
Jonathan
09-01-2009 02:48 AM
Look at this post: http://forums.alfresco.com/en/viewtopic.php?f=9&t=20864
I downloaded the latest version from SVN HEAD and compiled it; with your chain it works normally (OS XP 32). http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/
Give us your passthru-authentication-context.properties and ldap-ad-authentication.properties.
09-02-2009 01:14 AM
LDAP-AD is used only for synchronization purposes.
My passthru-authentication-context.properties is:
passthru.authentication.useLocalServer=false
passthru.authentication.domain=MY_DOMAIN
passthru.authentication.servers=
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=sabahj
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
And ldap-ad-authentication.properties is:
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://my_domain:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=sabahj@domain
ldap.synchronization.java.naming.security.credentials=my_password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
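Added here as an example (not code from this thread or from Alfresco): a Python script that decodes the backslash escapes in the ldap-ad-authentication.properties values above the way java.util.Properties.load does, then evaluates the decoded personQuery's bitwise rule against constructed userAccountControl values to show which AD accounts that filter selects. The search-base strings and the 512 mask are copied from the post; the sample account values are constructed.

```python
# Added example. Decodes Java .properties escapes and evaluates the
# personQuery's userAccountControl bit rule from the posted configuration.
import re

# Subset of java.util.Properties.load escape handling: \t \n \r \f are
# translated, and a backslash before any other character is simply dropped.
def unescape_properties_value(raw):
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

# Raw (still escaped) values as they appear in the posted properties file.
RAW_SEARCH_BASE_POSTED = r"OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local"
RAW_SEARCH_BASE_FIXED = r"OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local"
RAW_PERSON_QUERY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"

# OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
BIT_AND_RULE = re.compile(r"\(userAccountControl:1\.2\.840\.113556\.1\.4\.803:=(\d+)\)")

def person_query_mask(raw_query):
    """Return the userAccountControl mask the decoded personQuery tests."""
    m = BIT_AND_RULE.search(unescape_properties_value(raw_query))
    if not m:
        raise ValueError("no bitwise AND rule on userAccountControl found")
    return int(m.group(1))

# userAccountControl bits as documented by Microsoft.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200  # 512

def matches_person_query(uac_value, mask):
    # The bit-AND rule matches when every bit of the mask is set in the value.
    return (uac_value & mask) == mask

def classify(uac_value, mask):
    """Would the sync import this account, and is it disabled in AD?"""
    return {
        "imported": matches_person_query(uac_value, mask),
        "disabled_in_ad": bool(uac_value & ACCOUNTDISABLE),
    }

if __name__ == "__main__":
    # Both spellings of the search base decode to the same DN.
    print(unescape_properties_value(RAW_SEARCH_BASE_POSTED))
    print(unescape_properties_value(RAW_SEARCH_BASE_FIXED))
    mask = person_query_mask(RAW_PERSON_QUERY)
    # Constructed sample accounts: enabled (512), disabled (514),
    # enabled with DONT_EXPIRE_PASSWORD (66048).
    for label, uac in (("enabled", 512), ("disabled", 514), ("no-expire", 66048)):
        print(label, uac, classify(uac, mask))
```

Because the rule is a bitwise AND, a disabled normal account (514) still matches a mask of 512, so the posted personQuery imports disabled AD accounts as well as enabled ones.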
09-02-2009 01:46 AM
ldap.synchronization.groupSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
maybe
ldap.synchronization.groupSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
09-02-2009 01:49 AM
ldap.authentication.userNameFormat=%s@domain
You have your real AD domain there instead of "domain", haven't you?
09-02-2009 01:59 AM
You have your real AD domain there instead of "domain", haven't you?
Do I need to put the real AD domain? I thought it was just a format naming convention.
09-02-2009 02:10 AM
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@my-domain.ru
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://pridc.my-domain.ru:3268
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=iam
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=iam@my-domain.ru
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=XXXX XXXX XXXXXX,dc=my-domain,dc=ru
ldap.synchronization.userSearchBase=ou\=XXXX XXXX XXXXXX,dc=my-domain,dc=ru
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
09-02-2009 02:58 AM
ldap.authentication.userNameFormat=%s@MY_DOMAIN
and
ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
I don't have any errors during Alfresco server startup, but I don't see any synchronization happening. I'd say it didn't really affect the sync behaviour.
09-02-2009 06:30 AM
ldap.authentication.userNameFormat
Should be a UPN. You can check what the correct format is using an LDAP browser. See
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2
09-02-2009 07:06 PM
ldap.authentication.userNameFormat
Should be a UPN. You can check what the correct format is using an LDAP browser. See
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2
OK, using Softerra LDAP Browser on AD, I found that my UPN is "sabahj@MY.DOMAIN".
Now in order to have the synchronization working correctly (imported users are active by default with all their contact details) do I have to put:
ldap.authentication.userNameFormat=%s@MY.DOMAIN (which would give the correct format)
OR
ldap.authentication.userNameFormat=sabahj@MY.DOMAIN (which is specific to my account)