Hyland Connect

lvalero · ‎01-26-2010

Hello,

The user synchronization is ok, groups from active directory are created but they are empty, is it normal ?


root@hechix:/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad# cat ldap-ad-authentication.properties 
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@domain
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://xx.xx.xx.x:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=alfrescoadm
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=aldap@gch.mycomp.ca
ldap.synchronization.java.naming.security.credentials=xxxxx
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc\=gch,dc\=mycomp,dc\=ca
ldap.synchronization.userSearchBase=dc\=gch,dc\=mycomp,dc\=ca
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
synchronization.synchronizeChangesOnly=true
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Regards.

lvalero · ‎01-26-2010

hello,

As it is the first ldap sync that i did, i think i misunderstood, by doing that setup, i actually chose to import and synchronize a part of my ldap into alfresco, but a user in my windows active directory that is not part of
the imported/synchronized ldap user/group will be able to login into alfresco.

Is there a way to restrict login ?

I am still facing the problem that my Group into alfresco are empty (they are created when alfresco starts, but not populated with users), is it a normal behaviour ?

Regards

dward · ‎02-02-2010

You have asked for only groups that are a member of AlfrescoGroup, but not AlfrescoGroup itself. Try this.

ldap.synchronization.groupQuery=(&(objectclass\=group)(|(cn\=AlfrescoGroup)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(|(cn\=AlfrescoGroup)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca))(!(modifyTimestamp<\={0})))

To ensure that only your restricted set of users can authenticate, use

synchronization.autoCreatePeopleOnLogin=false

micdy · ‎02-02-2010

interesting

i keep seeing : "dc\=gch" in lot of script… whats this?
thank you.

lvalero · ‎02-10-2010

Hello,

I did :
hello,

I did :
ldap.synchronization.groupQuery=(&(objectclass\=group)(|(cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(|(cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca))(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(memberOf\=cn\=AlfrescoGroup,dc\=gch,dc\=mycomp,dc\=ca)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc\=gch,dc\=mycomp,dc\=ca
ldap.synchronization.userSearchBase=dc\=gch,dc\=mycomp,dc\=ca

and set autoCreatePeopleOnLogin to false in default-synchronization.properties

and it works except some stuff, the result is :

* i get all users in my AlfrescoGroup (it is what i wanted)
* the AlfrescoGroup itself is NOT imported as a group, i do not understand why.
* when i add a user in AlfrescoGroup in my Active Directory, Alfresco do not synchronize it (the user is not added in Alfresco) :
11:00:06,678 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap-ad1'
11:00:06,704 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap-ad1'
11:00:06,706 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Commencing batch of 0 entries
11:00:06,706 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 Group Analysis: Completed batch of 0 entries
11:00:06,709 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Feb 9, 2010 9:15:40 PM from user registry 'ldap-ad1'
11:00:06,720 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Commencing batch of 0 entries
11:00:06,728 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] ldap-ad1 User Creation and Association: Completed batch of 0 entries
11:00:06,740 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap-ad1'
11:00:06,740 User

ystem INFO [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

Best regards.

lvalero · ‎02-10-2010

Actually,

removing the data for the timestamp :
http://forums.alfresco.com/en/viewtopic.php?f=9&t=24509&p=80444&hilit=modifyTimestamp+WhenChanged#p8...

and changed the cron :
synchronization.import.cron=0 0/15 * * * ?

solved my synchronization problem.

dward · ‎03-01-2010

That's a shame you have to disable incremental sync. You could have forced a re-sync by setting

synchronization.synchronizeChangesOnly=false

letting the CRON job run once, and then setting it back to true.

marcobusetto · ‎06-08-2010

I'm having a similar problem.

I'm trying to synchronize Alfresco 3.3. CE with CentOS Directory Server (read: Fedora / RedHat Directory Server). In Alfresco Administration Console I can see my LDAP groups, my LDAP users and I can log-on with them. But all my groups are empty.

I tryed to create users within groups and I tryed to build groups with members association only, but in both cases in alfresco I keep seeing only empty groups.

I configured ldap-authentication.properties to match (I hope) the CentOS Directory Server but I didn't get any benefit. Below there are the properties that I changed:

alfresco-global.properties

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap2:ldap
ntlm.authentication.sso.enabled=false
synchronization.import.cron=0 0/5 * * * ?
‍‍‍‍

ldap-authentication.properties

ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://alfrescolnx.mylab.loc:389
ldap.authentication.defaultAdministratorUserNames=cn\=Directory Manager
ldap.synchronization.java.naming.security.principal=cn\=Directory Manager
ldap.synchronization.java.naming.security.credentials=**********
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfUniqueNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=mycompany,dc\=myldap,dc\=loc
ldap.synchronization.userSearchBase=ou\=mycompany,dc\=myldap,dc\=loc
ldap.synchronization.groupType=groupOfUniqueNames
ldap.synchronization.groupMemberAttributeName=uniqueMember
ldap.synchronization.enableProgressEstimation=true
‍‍‍‍‍‍‍‍‍‍‍‍‍

Note that for some properties there are some differences between CentOS Directory Server and the default ldap-authentication.properties file. For instance, "groupOfUniqueNames" instead of "groupOfNames", "uniqueMember" instead of "member", etc. - I used Softerra LDAP browser to catch these differences and try to configure my ldap-authentication.properties file but it still doesn't work (maybe because I'm newbie of LDAP and perhaps I missed some setting).

Can anybody help me?
Thanks in advance.

marcobusetto · ‎06-09-2010

I made some more try in my test environment and I discovered that in my LDAP I wrongly defined my users under a group and not within an Organizational Unit. I placed my users into an Organizational Unit and I redefined the membership of my groups, so now these groups are not empty anymore in Alfresco.

However there's still a quite serious problem. It seems that if a LDAP user belongs to more than one group, in Alfresco I can see him only in the first one. Example:

LDAP

Alfresco

(User_1 is missing!)

Has anyone never found a similar problem and can confirm this?

Hyland Connect

ldap-ad empty groups