Another LDAP Sync problem

jsabah
Champ on-the-rise
Hi everyone,

Very new to the world of Electronic Document Management, I am trying to get Alfresco CE 3.3 (nightly build) to work in my company. Not being a Network/System admin, I am currently struggling on 2 different points of the configuration of the application. In this topic, I will focus on the authentication and the LDAP Sync.
Alfresco is installed on a Windows XP 64 workstation with plenty of RAM & HD. We have an Exchange server and Active Directory. I have been reading the wiki and the forum for the last 4 days and I can't figure out what's wrong due to lack of technical knowledge/hindsight.

My authentication chain in alfresco-global.properties is as follows and respects Example 1: Advanced AD Chain given in the Wiki:
# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
All the other files from the subsystems\Authentication folder have been modified accordingly.

I struggled for a while with the LDAP userSearchBase but I think it's all good now as I have the following trace in tomcat:
 User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, alfrescoNtlm1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, alfrescoNtlm1] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, passthru1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, passthru1] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'fileServers' subsystem, ID: [default] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'imap' subsystem, ID: [default]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'imap' subsystem, ID: [default] complete
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [default]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap1]
User:System INFO  [alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap1] complete
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 1/09/2009 14:58:28 from user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
User:System INFO  [management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [default] complete

The problem I encounter is related to the imported users. After the first synchronization, information is missing (like job title), some users are disabled, the default Home Space path is not the same for each user (i.e. some have /Company Home/User Homes/userA and some have /Company Home/userA) and lastly, when I try to update their profile (and enable their accounts) in Share, I get the following error:
16:01:22,721 User:admin ERROR [web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 08010034 Wrapped Exception (wit
emplate): 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB
es/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
org.alfresco.web.scripts.WebScriptException: 08010034 Wrapped Exception (with status template): 08010033 Failed to execute script '/org/alfresco/repository/pers
put.json.js (in classpath store file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
        at org.alfresco.web.scripts.AbstractWebScript.createStatusException(AbstractWebScript.java:613)
        at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:165)
        at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:357)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:407)
        at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:424)
        at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:288)
        at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
        at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
        at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)
Caused by: org.alfresco.scripts.ScriptException: 08010033 Failed to execute script '/org/alfresco/repository/person/person.put.json.js (in classpath store file:
o/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts)': 08010032 User not found: USERNAME
        at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:178)
        at org.alfresco.repo.processor.ScriptServiceImpl.executeScript(ScriptServiceImpl.java:274)
        at org.alfresco.repo.web.scripts.RepositoryScriptProcessor.executeScript(RepositoryScriptProcessor.java:108)
        at org.alfresco.web.scripts.AbstractWebScript.executeScript(AbstractWebScript.java:819)
        at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:90)
        … 21 more
Caused by: org.alfresco.repo.security.authentication.AuthenticationException: 08010032 User not found: USERNAME
        at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.setEnabled(RepositoryAuthenticationDao.java:563)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:95)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy91.setEnabled(Unknown Source)
        at org.alfresco.repo.jscript.People.enableAccount(People.java:290)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:155)
        at org.mozilla.javascript.NativeJavaMethod.call(NativeJavaMethod.java:243)
        at org.mozilla.javascript.optimizer.OptRuntime.call1(OptRuntime.java:66)
        at org.mozilla.javascript.gen.c7._c1(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/pers
put.json.js:51)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/per
.put.json.js)
        at org.mozilla.javascript.optimizer.OptRuntime.callName0(OptRuntime.java:108)
        at org.mozilla.javascript.gen.c7._c0(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/pers
put.json.js:96)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/per
.put.json.js)
        at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:393)
        at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:2834)
        at org.mozilla.javascript.gen.c7.call(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/per
.put.json.js)
        at org.mozilla.javascript.gen.c7.exec(file:C:/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/templates/webscripts/org/alfresco/repository/per
.put.json.js)
        at org.alfresco.repo.jscript.RhinoScriptProcessor.executeScriptImpl(RhinoScriptProcessor.java:457)
        at org.alfresco.repo.jscript.RhinoScriptProcessor.execute(RhinoScriptProcessor.java:174)
        … 25 more

However, when a user logs in for the first time in Share using his Windows credentials, the account becomes active and details can be updated.

I am completely puzzled and would greatly appreciate your insight on that matter. Let me know if you need more details on config/system/other.

Thanks,

Jonathan
22 REPLIES

paulweb
Champ in-the-making
ldap.authentication.userNameFormat=%s@MY.DOMAIN  
ldap.authentication.defaultAdministratorUserNames=sabahj

jsabah
Champ on-the-rise
OK for the first item, I just enter the correct path with %s@MY.DOMAIN

ldap.authentication.defaultAdministratorUserNames=sabahj

Now I am confused. Isn't this item only used when LDAP authentication is used to access the Alfresco platform? Is it also needed to perform sync?

paulweb
Champ in-the-making
In Alfresco the administrator is: admin
If you (or another user) wish to be the admin of the Alfresco system, you should specify that:
ldap.authentication.defaultAdministratorUserNames=sabahj

jsabah
Champ on-the-rise
Well, to make myself an admin, I used the following property, passthru.authentication.defaultAdministratorUserNames=sabahj, and it does work fine.

But back to the LDAP user details synchronization, it still doesn't work :(

Haven't tried touching the ldap properties, I don't want to break what is working so far :|

paulweb
Champ in-the-making
We in Russia have a saying:
"Wolves are afraid not to go to wood".

synchronization :

ldap.synchronization.active=true

ldap.synchronization.java.naming.security.principal=sabahj@MY.DOMAIN
ldap.synchronization.java.naming.security.credentials=my_password

ldap.synchronization.queryBatchSize=1000

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=OU\=Users,OU\=ORGA,DC\=DOMAIN,DC\=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC\=DOMAIN,DC\=local

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company

ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.groupSearchBase=OU\=Users,OU\=ORGA,DC\=DOMAIN,DC\=local
ldap.synchronization.userSearchBase=OU\=Users,OU\=ORGA,DC\=DOMAIN,DC\=local
For example, this is my work searchBase (in our AD all groups are in Russian, therefore I am converting the search base):

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0441\u0442\u044b, ou\=\u0418\u0422 \u0434\u0435\u043f\u0430\u0440\u0442\u0430\u043c\u0435\u043d\u0442,ou\=\u042d\u043d\u043a\u043e\u0432\u0441\u043a, dc\=my-domain,dc\=ru

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0441\u0442\u044b, ou\=\u0418\u0422 \u0434\u0435\u043f\u0430\u0440\u0442\u0430\u043c\u0435\u043d\u0442,ou\=\u042d\u043d\u043a\u043e\u0432\u0441\u043a, dc\=my-domain,dc\=ru
and in default-synchronization.properties

synchronization.synchronizeChangesOnly=true

# The cron expression defining when imports should take place
synchronization.import.cron=0 0 0 * * ?

# Should we trigger a differential sync when missing people log in?
synchronization.syncWhenMissingPeopleLogIn=true

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=true

Depending on what you wish to get from authentication in Alfresco, look at the following posts (if something is not clear, I will try to explain):
http://forums.alfresco.com/en/viewtopic.php?f=9&t=21248
http://forums.alfresco.com/en/viewtopic.php?f=9&t=21339
http://forums.alfresco.com/en/viewtopic.php?f=9&t=21268
http://forums.alfresco.com/en/viewtopic.php?f=9&t=21482
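
The sync properties quoted above are Java .properties values, so the `\=`, `\:` and `\uXXXX` sequences are escaping, not part of the LDAP filter. The following is an added example (not code from the thread or from Alfresco) that strips that escaping, renders the differential query with a last-sync timestamp in the `yyyyMMddHHmmss'.0Z'` format, and evaluates the personQuery against a few constructed AD entries using the semantics of the extensible match rule 1.2.840.113556.1.4.803 (bitwise AND: every bit in the asserted value must be set in the attribute). The point worth checking before trusting a sync: because 514 = 512 + 2, an account with the ACCOUNTDISABLE bit still matches `userAccountControl:1.2.840.113556.1.4.803:=512`, so disabled AD users are pulled in by this query. The stricter filter and the sample entries are my own constructions, not something from the thread; the timestamp is the one shown in the sync log above.

```python
"""Added example: decode Alfresco LDAP sync properties and evaluate the filters.

Not from the thread or from Alfresco; the helper covers only the .properties
escapes that appear in the quoted configuration (\\=, \\:, \\ , \\uXXXX).
"""
import re
from datetime import datetime, timezone

# Values as they appear in the thread's properties file (still escaped).
PERSON_QUERY_RAW = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"
PERSON_DIFF_QUERY_RAW = (
    r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
    r"(!(modifyTimestamp<\={0})))"
)
# Shortened from paulweb's Cyrillic search base.
GROUP_SEARCH_BASE_RAW = r"ou\=\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0441\u0442\u044b, dc\=my-domain,dc\=ru"

# userAccountControl flag bits (documented AD values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200        # 512
UAC_WORKSTATION_TRUST = 0x1000     # 4096, computer objects
UAC_DONT_EXPIRE_PASSWORD = 0x10000

# Constructed filter (my suggestion, not from the thread): also require the
# ACCOUNTDISABLE bit to be clear.
STRICT_PERSON_QUERY = (
    "(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)


def unescape_properties_value(raw: str) -> str:
    """Undo Java .properties escaping: \\uXXXX becomes the code point, and a
    backslash before any other character yields that character."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return m.group(2)
    return re.sub(r"\\u([0-9a-fA-F]{4})|\\(.)", repl, raw)


def bitand_matches(attr_value: int, assertion: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): true when every
    bit set in the assertion is also set in the attribute value."""
    return (attr_value & assertion) == assertion


def person_query_matches(entry: dict) -> bool:
    """Evaluate the thread's personQuery:
    (&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))"""
    return "user" in entry["objectclass"] and bitand_matches(
        entry["userAccountControl"], UAC_NORMAL_ACCOUNT)


def strict_person_query_matches(entry: dict) -> bool:
    """Evaluate STRICT_PERSON_QUERY: same as above, but disabled accounts are excluded."""
    return person_query_matches(entry) and not bitand_matches(
        entry["userAccountControl"], UAC_ACCOUNTDISABLE)


def alfresco_timestamp(last_sync: datetime) -> str:
    """Render an aware datetime the way timestampFormat=yyyyMMddHHmmss'.0Z' does."""
    return last_sync.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def differential_query(last_sync: datetime) -> str:
    """personDifferentialQuery with {0} replaced by the formatted last-sync time."""
    return unescape_properties_value(PERSON_DIFF_QUERY_RAW).replace(
        "{0}", alfresco_timestamp(last_sync))


def synced_users(entries):
    """Names the personQuery would import, and the subset that is disabled in AD."""
    matched = [e for e in entries if person_query_matches(e)]
    return ([e["sAMAccountName"] for e in matched],
            [e["sAMAccountName"] for e in matched
             if bitand_matches(e["userAccountControl"], UAC_ACCOUNTDISABLE)])


# Constructed sample AD entries (not real accounts). A computer object also
# carries objectclass user, which is why the 512 bit matters in the filter.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectclass": USER_CLASSES, "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "objectclass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},          # 514
    {"sAMAccountName": "carol", "objectclass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD},    # 66048
    {"sAMAccountName": "WS01$", "objectclass": USER_CLASSES + ["computer"],
     "userAccountControl": UAC_WORKSTATION_TRUST},                            # 4096
]

if __name__ == "__main__":
    print(unescape_properties_value(PERSON_QUERY_RAW))
    print(unescape_properties_value(GROUP_SEARCH_BASE_RAW))
    # Last-sync time taken from the sync log in the thread, assumed to be UTC.
    print(differential_query(datetime(2009, 9, 1, 14, 58, 28, tzinfo=timezone.utc)))
    print(synced_users(SAMPLE_ENTRIES))
```

Running it shows that the 512 filter drops the computer account but keeps the disabled user, which is consistent with disabled accounts showing up after a sync; whether to tighten the personQuery or manage those accounts on the Alfresco side is a decision for the deployment, and the stricter filter above is only one way to express it.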

dward
Champ on-the-rise
I think PaulWeb may have led you a merry dance in his unique brand of English. So you actually have sync working but have found that user homes are appearing in the wrong place?

This was logged and fixed in

https://issues.alfresco.com/jira/browse/ETHREEOH-2535

Just set

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

Or build the latest code from HEAD.

You are using passthru for authentication and have rightly switched off LDAP authentication, so the LDAP authentication properties will not be relevant.

And your other problem is about enabling accounts in Share? This appears to be a bug in share. I have logged

https://issues.alfresco.com/jira/browse/ETHREEOH-2800

It looks to me that you're trying to edit ldap-ad-authentication.properties directly. This is not how to configure a subsystem as you will lose all your settings when you next upgrade. Your settings should be in alfresco-global.properties.

paulweb
Champ in-the-making
unique brand of English
Thanks for a compliment dward.
I apologise, for my cheerful English but if not to practise, it becomes better not precisely.

It I still while in section configuration, and here when will pass in section development…

Thanks you for the help and for understanding dward.

P.S: We are born, that a fairy tale to make a reality. :D

dward
Champ on-the-rise
I apologise for my cheerful English but if I don't practise it will not get better

Sorry - I'll stop the language classes now.

paulweb
Champ in-the-making
Sorry - I'll stop the language classes now
I will try, but if stop, from it it becomes better not.

I feel to us long work on errors is necessary.

paulweb
Champ in-the-making
And here is another bug for you, dward:
https://issues.alfresco.com/jira/browse/ALFCOM-3370
OK, when I get to work I will post a screenshot of the error. Synchronisation stops and gives out an error.