Another LDAP Sync problem

jsabah
Champ on-the-rise
Hi everyone,

Very new to the world of Electronic Document Management, I am trying to get Alfresco CE 3.3 (nightly build) to work in my company. Not being a network/system admin, I am currently struggling with 2 different points of the application's configuration. In this topic, I will focus on the authentication and the LDAP sync.
Alfresco is installed on a Windows XP 64 workstation with plenty of RAM & HD. We have an Exchange server and Active Directory. I have been reading the wiki and the forum for the last 4 days and I can't figure out what's wrong due to lack of technical knowledge/hindsight.

My authentication chain in alfresco-global.properties is as follows and respects "Example 1: Advanced AD Chain" given in the Wiki:

```
# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
```
All the other files from the subsystems\Authentication folder have been modified accordingly.

I struggled for a while with the LDAP userSearchBase but I think it's all good now, as I have the following trace in Tomcat:

```
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, alfrescoNtlm1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, alfrescoNtlm1] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, passthru1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, passthru1] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'fileServers' subsystem, ID: [default] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'imap' subsystem, ID: [default]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'imap' subsystem, ID: [default] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [default]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap1] complete
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 1/09/2009 14:58:28 from user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [default] complete
```

The problem I encounter is related to the imported users. After the first synchronization, information is missing (like job title), some users are disabled, the default Home Space path is not the same for each user (i.e. some have /Company Home/User Homes/userA and some have /Company Home/userA) and lastly, when I try to update their profile (and enable their accounts) in Share, I get the following error:

```
16:01:22,721 User:admin ERROR [web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 08010034 Wrapped Exception (with status template): 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
org.alfresco.web.scripts.WebScriptException: 08010034 Wrapped Exception (with status template): 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
        at org.alfresco.web.scripts.AbstractWebScript.createStatusException(AbstractWebScript.java:613)
        at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:165)
        at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:357)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:407)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:424)
        at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:288)
        at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
        at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
        at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)
Caused by: org.alfresco.scripts.ScriptException: 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
        at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:178)
        at org.alfresco.repo.processor.ScriptServiceImpl.executeScript(ScriptServiceImpl.java:274)
        at org.alfresco.repo.web.scripts.RepositoryScriptProcessor.executeScript(RepositoryScriptProcessor.java:108)
        at org.alfresco.web.scripts.AbstractWebScript.executeScript(AbstractWebScript.java:819)
        at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:90)
        ... 21 more
Caused by: org.alfresco.repo.security.authentication.AuthenticationException: 08010032 User not found: USERNAME
        at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.setEnabled(RepositoryAuthenticationDao.java:563)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:95)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy91.setEnabled(Unknown Source)
        at org.alfresco.repo.jscript.People.enableAccount(People.java:290)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:155)
        at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:243)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:66)
        at org.mozilla.javascript.gen.c7._c1(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js:51)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
        at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:108)
        at org.mozilla.javascript.gen.c7._c0(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js:96)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
        at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:393)
        at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:2834)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
        at org.mozilla.javascript.gen.c7.exec(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/person/person.put.json.js)
        at org.alfresco.repo.jscript.RhinoScriptProcessor.executeScriptImpl(RhinoScriptProcessor.java:457)
        at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:174)
        ... 25 more
```

However, when a user logs in for the first time in Share using his Windows credentials, the account becomes active and details can be updated.

I am completely puzzled and would greatly appreciate your insight on that matter. Let me know if you need more details on config/system/other.

Thanks,

Jonathan
22 replies

paulweb
Champ in-the-making
Hi,
look at this post: http://forums.alfresco.com/en/viewtopic.php?f=9&t=20864
I downloaded the latest SVN HEAD version and compiled it; with your chain it works normally (OS XP 32). http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/
Post your passthru-authentication-context.properties and ldap-ad-authentication.properties.

jsabah
Champ on-the-rise
Authentication is performed against AlfrescoNTLM and then against Active Directory (passthru).
LDAP-AD is used only for synchronization purposes.

My passthru-authentication-context.properties is:
```
passthru.authentication.useLocalServer=false
passthru.authentication.domain=MY_DOMAIN
passthru.authentication.servers=
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=sabahj
# Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
# Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
```

And ldap-ad-authentication.properties is:
```
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://my_domain:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=sabahj@domain
ldap.synchronization.java.naming.security.credentials=my_password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
```
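The personQuery in the configuration above uses Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl. The following Python example is added here (it is not from the thread or from Alfresco, and its userAccountControl values are constructed) to show which accounts that filter selects: because it only tests the NORMAL_ACCOUNT bit, accounts disabled in AD still match and are synchronized unless the disabled bit is excluded.

```python
# Added example (not from the thread or from Alfresco): how the AD bitwise
# filter in ldap.synchronization.personQuery decides which accounts are imported.
# All userAccountControl values below are constructed for illustration.

NORMAL_ACCOUNT = 0x0200   # 512, the value used in the thread's filter
ACCOUNTDISABLE = 0x0002   # 2, set on accounts disabled in AD
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def bit_and_match(uac: int, mask: int) -> bool:
    """Semantics of (userAccountControl:1.2.840.113556.1.4.803:=mask):
    true when every bit of mask is set in the attribute value."""
    return uac & mask == mask


def matches_person_query(uac: int) -> bool:
    """The thread's filter tests only the NORMAL_ACCOUNT bit, so a user
    disabled in AD (512 | 2 = 514) still matches and is synchronized."""
    return bit_and_match(uac, NORMAL_ACCOUNT)


def matches_enabled_only(uac: int) -> bool:
    """Tightened filter that additionally requires the disabled bit to be clear."""
    return bit_and_match(uac, NORMAL_ACCOUNT) and not bit_and_match(uac, ACCOUNTDISABLE)


def person_query(exclude_disabled: bool) -> str:
    """Build the corresponding LDAP filter string (plain, unescaped form)."""
    clauses = f"(objectclass=user)(userAccountControl:{BIT_AND_RULE}:=512)"
    if exclude_disabled:
        clauses += f"(!(userAccountControl:{BIT_AND_RULE}:=2))"
    return f"(&{clauses})"


def to_properties_value(filter_str: str) -> str:
    """Escape ':' and '=' with a backslash, as the pasted .properties files do."""
    return filter_str.replace(":", "\\:").replace("=", "\\=")


# Constructed sample directory: sAMAccountName -> userAccountControl
SAMPLE_USERS = {
    "alice": 512,         # normal, enabled
    "bob": 514,           # normal, disabled (512 + 2)
    "carol": 66048,       # normal, password never expires (512 + 65536)
    "svc_backup": 66050,  # disabled service account (66048 + 2)
    "dave": 528,          # normal, locked out (512 + 16); still enabled
}


def select(predicate, users=SAMPLE_USERS):
    """Return the sorted account names whose userAccountControl passes."""
    return sorted(name for name, uac in users.items() if predicate(uac))
```

`select(matches_person_query)` returns bob and svc_backup as well, while `select(matches_enabled_only)` drops them; `to_properties_value(person_query(False))` reproduces the escaped personQuery value exactly as it appears in the pasted file.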

paulweb
Champ in-the-making
> ldap.synchronization.groupSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
> ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local

Maybe:

```
ldap.synchronization.groupSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
```

oklein
Champ on-the-rise
> ldap.authentication.userNameFormat=%s@domain

You have your real AD domain there instead of "domain", haven't you?

jsabah
Champ on-the-rise
> You have your real AD domain there instead of "domain", haven't you?

Do I need to put the real AD domain? I thought it was just a naming format convention.

paulweb
Champ in-the-making
This is my working test config (full domain name my-domain.ru):

```
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@my-domain.ru
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://pridc.my-domain.ru:3268
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=iam
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=iam@my-domain.ru
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=XXXX XXXX XXXXXX,dc=my-domain,dc=ru
ldap.synchronization.userSearchBase=ou\=XXXX XXXX XXXXXX,dc=my-domain,dc=ru
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
```

jsabah
Champ on-the-rise
I changed

```
ldap.authentication.userNameFormat=%s@MY_DOMAIN
```

and

```
ldap.synchronization.userSearchBase=OU\=Users,OU=\ORGA,DC=DOMAIN,DC=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC=DOMAIN,DC=local
```

I don't have any errors during Alfresco server startup, but I don't see any synchronization happening. I'd say it didn't really affect the sync behaviour.

dward
Champ on-the-rise
On AD, ldap.authentication.userNameFormat should be a UPN. You can check what the correct format is using an LDAP browser. See

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

jsabah
Champ on-the-rise
> On AD, ldap.authentication.userNameFormat should be a UPN. You can check what the correct format is using an LDAP browser. See
> http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

OK, using Softerra LDAP Browser, I found that my UPN is "sabahj@MY.DOMAIN"

Now, in order to have the synchronization working correctly (imported users active by default with all their contact details), do I have to put:

```
ldap.authentication.userNameFormat=%s@MY.DOMAIN       # which would give the correct format
OR
ldap.authentication.userNameFormat=sabahj@MY.DOMAIN   # which is specific to my account
```