LDAP Auth and Synch in Alfresco 3.3

aique
Champ in-the-making
Hi!

I'm trying to get the OpenLDAP authentication and synchronization process working in Alfresco 3.3. I've seen that in the version I'm using it's only necessary to change the /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties file.

I don't have an admin user in the OpenLDAP; I don't even have any LDAP user password, so I can only log in as Alfresco admin and look at all the users to check whether the LDAP users are synchronized.

I changed my alfresco-global.properties but nothing seems to happen. I log in as Alfresco admin, but I can only see the Alfresco internal users, none from the LDAP.

Here is my alfresco-global.properties file:


###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#-------------
dir.root=/opt/Alfresco/alf_data

#
# Sample database connection properties
#-------------
db.name=alfresco
db.username=alfresco
db.password=alfresco
db.host=localhost
db.port=3306

#
# External locations
#-------------
ooo.exe=/opt/Alfresco/program/soffice
ooo.user=<%ShortInstallDir%>/alf_data/oouser
jodconverter.officeHome=/opt/Alfresco
jodconverter.portNumbers=8101
#ooo.enabled=false
#jodconverter.enabled=true
img.root=/usr/local
swf.exe=/opt/Alfresco/bin/pdf2swf

#
# Initial admin password
#-------------
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634

#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}

#
# Oracle connection
#
#oracle#db.driver=oracle.jdbc.OracleDriver
#oracle#db.url=jdbc:oracle:thin:@${db.host}:${db.port}:${db.name}

#
# SQLServer connection
# Requires jTDS driver version 1.2.5 and SNAPSHOT isolation mode
# Enable TCP protocol on fixed port db.port
# Prepare the database with:
# ALTER DATABASE db.name SET ALLOW_SNAPSHOT_ISOLATION ON;
#
#mssql#db.driver=net.sourceforge.jtds.jdbc.Driver
#mssql#db.url=jdbc:jtds:sqlserver://${db.host}:${db.port}/${db.name}
#mssql#db.txn.isolation=4096

#
# PostgreSQL connection (requires postgresql-8.2-504.jdbc3.jar or equivalent)
#
#postgres#db.driver=org.postgresql.Driver
#postgres#db.url=jdbc:postgresql://${db.host}:${db.port}/${db.name}

#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto

#
# Outbound Email Configuration
#-------------
#mail.host=
#mail.port=25
#mail.username=anonymous
#mail.password=
#mail.encoding=UTF-8
#mail.from.default=alfresco@alfresco.org
#mail.smtp.auth=false

#
# Alfresco Email Service and Email Server
#-------------

# Enable/Disable the inbound email service.  The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true

# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous

# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match.  For example:
#   .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*

#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
#authentication.chain=alfrescoNtlm1:alfrescoNtlm

# MODIFICACION_INI

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

# MODIFICACION_FIN

#
# URL Generation Parameters (The ${localname} token is replaced by the local server name)
#-------------
#alfresco.context=alfresco
#alfresco.host=${localname}
#alfresco.port=8080
#alfresco.protocol=http
#
#share.context=share
#share.host=${localname}
#share.port=8080
#share.protocol=http

# MODIFICACION_INI

ldap.authentication.active=true
ldap.synchronization.active=true

# How to map the user id entered by the user to that passed through to LDAP
# - simple
# - this must be a DN and would be something like
# CN=%s,DC=company,DC=com
# - digest
# - usually pass through what is entered
# %s
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://di002.edv.uniovi.es:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=DIGEST-MD5

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=""

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=""

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

#
# This properties file is used to configure LDAP synchronisation
#

# The LDAP user to connect as to do the export operation.
ldap.synchronization.java.naming.security.principal=""

# The password for this user, if required
ldap.synchronization.java.naming.security.credentials=""

# The timestamp format
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The query to find the people to import
ldap.synchronization.personQuery=(objectclass=inetOrgPerson)

# The search base of the query to find people to import
ldap.synchronization.personSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider

# The query to find group objects
ldap.synchronization.groupQuery=(objectclass=groupOfUniqueNames)

# The search base to use to find group objects
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=groupOfUniqueNames

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=uniqueMember

# The cron expression defining when people imports should take place
ldap.synchronization.import.person.cron=0 */10 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronization.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronization.import.group.clearAllChildren=true

# MODIFICACION_FIN

Hope you can help me, I need to finish this project yesterday!

Thanks.
10 REPLIES

nguser1
Champ in-the-making
It's probably too late to help you now, but I think the following blog post should cover most of the instructions you need:

http://www.anotherstrangerme.com/alfresco-3-3g-integration-with-active-directory-and-google-docs/

aique
Champ in-the-making
Thanks NGUser1, I have read your reply just now and I can't test the conf in that blog, but I'll try it.

Nowadays the authentication process is working, but the synchronization process is not. Here is the log about it:

Synchronizing users and groups with user registry 'ldap1'
Retrieving all groups from user registry 'ldap1'
ldap1 Group Analysis: Commencing batch of 0 entries
ldap1 Group Analysis: Completed batch of 0 entries
Retrieving all users from user registry 'ldap1'
ldap1 User Creation and Association: Commencing batch of 0 entries
ldap1 User Creation and Association: Completed batch of 0 entries
Finished synchronizing users and groups with user registry 'ldap1'
0 user(s) and 0 group(s) processed

My ldap properties file is:

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=<url>
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=<ldap admin user>
ldap.synchronization.java.naming.security.credentials=<pass>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.groupDifferentialQuery=(objectclass=posixGroup)
ldap.synchronization.personQuery=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.personDifferentialQuery=(objectclass=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.modifyTimestampAttributeName=
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true

Here are some images from my LDAP, to check my parameters in the config file:

[img]http://ubuntuone.com/p/9Hz/[/img]

[img]http://ubuntuone.com/p/9Hx/[/img]

[img]http://ubuntuone.com/p/9Hy/[/img]

If someone finds errors in my conf and can help me with the synchronization process, I'll appreciate it very much :)

dward
Champ on-the-rise
We can't see the images. And please do not cross-post.

Just check you've got your group search base, person search base, and attribute names correct with an LDAP browser such as the one from http://ldapbrowser.com.

dward
Champ on-the-rise
I can see one problem. You've set personQuery and groupQuery to be DNs rather than LDAP queries!

See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

And your differential queries don't contain modifyTimestamp so the differential sync won't work.

It's best just to use the default parameters from $TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/*.properties

as a starting point (in your own extension properties file or alfresco-global.properties).

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
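As an added illustration of the two points made in the reply above (it is not Alfresco code, and the property keys are the only names taken from the thread): a small pre-flight check that reads the `ldap.synchronization.*` queries out of a Java-style properties text, rejects values that are DNs rather than RFC 4515 search filters, and flags differential queries that lack the `modifyTimestamp` comparison with the `{0}` placeholder. It also shows why the defaults are written with `\=`: a Java properties file escapes `=` inside a value. The sample property texts, the `parse_properties`, `is_search_filter`, `lint_sync_queries` and `render_differential` functions, and the timestamp date are all constructed for this example.

```python
r"""Pre-flight check for Alfresco's ldap.synchronization.* query properties.

Added example, not Alfresco's code. Rules checked (from the thread):
  * personQuery / groupQuery must be search filters such as (objectclass=X),
    never DNs (a DN belongs in the *SearchBase properties);
  * the *DifferentialQuery values must carry the modifyTimestamp<={0} term,
    otherwise a differential sync has nothing to compare against.
"""
from datetime import datetime, timezone

# Constructed sample: the DN-valued queries posted in the thread (broken) ...
BROKEN_PROPERTIES = r"""
ldap.synchronization.groupQuery=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.groupDifferentialQuery=(objectclass=posixGroup)
ldap.synchronization.personQuery=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.personDifferentialQuery=(objectclass=inetOrgPerson)
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
"""

# ... and the filter-valued ones recommended instead. A Java .properties
# file escapes '=' inside a value as '\=', hence the backslashes.
FIXED_PROPERTIES = r"""
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
"""


def _unescape(text):
    r"""Resolve single-character backslash escapes (\=, \:, \\) as
    java.util.Properties does; \uXXXX escapes are out of scope here."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines, the first
    unescaped '=' or ':' separates key from value, escapes are resolved."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=:":
            i += 2 if line[i] == "\\" else 1  # an escaped separator stays in the key
        props[_unescape(line[:i].strip())] = _unescape(line[i + 1:].strip())
    return props


def is_search_filter(value):
    """True for one parenthesised filter with balanced parentheses.
    A DN such as 'ou=Group,o=...' fails, and so does '(a)(b)'."""
    if not value.startswith("("):
        return False
    depth = 0
    for pos, ch in enumerate(value):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        if depth == 0 and pos != len(value) - 1:
            return False
    return depth == 0


def lint_sync_queries(props):
    """Return human-readable problems; an empty list means the queries pass."""
    problems = []
    for kind in ("group", "person"):
        full = props.get(f"ldap.synchronization.{kind}Query", "")
        diff = props.get(f"ldap.synchronization.{kind}DifferentialQuery", "")
        if not is_search_filter(full):
            problems.append(f"{kind}Query is not a search filter (a DN belongs in a *SearchBase property): {full!r}")
        if not is_search_filter(diff):
            problems.append(f"{kind}DifferentialQuery is not a search filter: {diff!r}")
        elif "modifyTimestamp" not in diff or "{0}" not in diff:
            problems.append(f"{kind}DifferentialQuery has no modifyTimestamp<={{0}} term, so differential sync never sees changes: {diff!r}")
    return problems


# Java SimpleDateFormat pattern from the thread mapped to strftime; other
# directory-specific layouts are deliberately rejected rather than guessed.
TIMESTAMP_FORMATS = {"yyyyMMddHHmmss'Z'": "%Y%m%d%H%M%SZ"}


def render_differential(query, since, timestamp_format):
    """Fill the {0} placeholder with the last-sync time, as the import does."""
    stamp = since.astimezone(timezone.utc).strftime(TIMESTAMP_FORMATS[timestamp_format])
    return query.replace("{0}", stamp)


def demo_rendered_query():
    """Differential person query rendered for a constructed last-sync time."""
    fixed = parse_properties(FIXED_PROPERTIES)
    return render_differential(fixed["ldap.synchronization.personDifferentialQuery"],
                               datetime(2010, 6, 1, 12, 0, tzinfo=timezone.utc),
                               fixed["ldap.synchronization.timestampFormat"])


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_PROPERTIES), ("fixed", FIXED_PROPERTIES)):
        print(label, lint_sync_queries(parse_properties(text)) or "OK")
    print(demo_rendered_query())
```

Run against the broken text the linter reports four problems (two DN-valued queries, two differential queries without a timestamp term); the fixed text passes, and the rendered differential query shows the `{0}` slot filled with a generalized-time value in the `yyyyMMddHHmmss'Z'` layout.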

aique
Champ in-the-making
Thanks for your reply.

I'll try this conf tomorrow and I'll post the result here.

In another forum, someone posted that there could be a problem in the mapping between users and groups.

In the LDAP, groups must have an attribute with:

memberUid: uid=pepito, ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
memberUid: uid=juanito, ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
memberUid: uid=luis, ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

And I have:

memberUid: pepito
memberUid: juanito
memberUid: luis

And users must have an attribute with:

o: cn=PAS, ou=Group .. etc.

And I don't have this attribute in the users; they are in an organizational structure ou=People, ou=PAS, ou=pepito.

Could that be a problem?

And finally, I don't have any attribute called modifyTimestamp in the users or groups in my LDAP. Do I have to create it, or is it an attribute created automatically by the LDAP?

Thanks a lot.

dward
Champ on-the-rise
No that's not a problem. The sync supports posixGroup where members are UIDs rather than DNs. See http://forums.alfresco.com/en/viewtopic.php?f=9&t=20408&p=66718#p66718

Just make sure you set ldap.synchronization.groupType, ldap.synchronization.groupMemberAttributeName, ldap.synchronization.groupQuery and ldap.synchronization.groupDifferentialQuery to use posixGroup

dward
Champ on-the-rise
I'll spell it out to save some time.

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=posixGroup)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))

# The group type in LDAP
ldap.synchronization.groupType=posixGroup

# The attribute in LDAP on group objects that defines the DN or UID for its members
ldap.synchronization.groupMemberAttributeName=memberUid
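To make the posixGroup point above concrete, here is an added, simplified model of the "User Creation and Association" step that the sync log earlier in the thread reports. It is not Alfresco's sync code: `DIRECTORY` is a constructed sample tree mirroring the one in the thread, and `synchronize()`, `search()`, `normalize_dn()` and the two `*_sync()` helpers are this example's own. It resolves group members whether they are bare uid values (posixGroup/memberUid) or full DNs (groupOfUniqueNames/uniqueMember), and shows what happens when `groupType` and `groupMemberAttributeName` do not agree: the group is imported with an empty member list and nothing in the log says why.

```python
"""Model of the sync's user/group association step (added example, not
Alfresco's code). Member values may be bare uids (posixGroup memberUid)
or DNs (groupOfNames member / groupOfUniqueNames uniqueMember)."""

PEOPLE_BASE = "ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es"
GROUP_BASE = "ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es"

# Constructed sample directory: DN -> attributes (every value is a list, as in LDAP).
DIRECTORY = {
    f"uid=pepito,{PEOPLE_BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["pepito"]},
    f"uid=juanito,{PEOPLE_BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["juanito"]},
    f"uid=luis,{PEOPLE_BASE}": {"objectClass": ["inetOrgPerson"], "uid": ["luis"]},
    # posixGroup: members are bare uid values; "ghost" matches no person entry
    f"cn=PAS,{GROUP_BASE}": {"objectClass": ["posixGroup"], "cn": ["PAS"],
                             "memberUid": ["pepito", "juanito", "ghost"]},
    # groupOfUniqueNames: members are full DNs (note the space after the comma)
    f"cn=PDI,{GROUP_BASE}": {"objectClass": ["groupOfUniqueNames"], "cn": ["PDI"],
                             "uniqueMember": [f"uid=luis, {PEOPLE_BASE}"]},
}


def normalize_dn(dn):
    """Comparison key for DNs: case-insensitive, whitespace around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search(directory, base, object_class):
    """Entries at or below `base` whose objectClass holds `object_class`,
    i.e. an (objectclass=X) filter scoped by a search base."""
    base_key = normalize_dn(base)
    return {dn: attrs for dn, attrs in directory.items()
            if normalize_dn(dn).endswith(base_key)
            and object_class.lower() in [v.lower() for v in attrs.get("objectClass", [])]}


def synchronize(directory, person_type, user_id_attr, user_base,
                group_type, group_id_attr, member_attr, group_base):
    """Return imported users, groups with resolved member uids, and member
    values that matched no imported user (a real sync drops these quietly)."""
    people = search(directory, user_base, person_type)
    uids = {attrs[user_id_attr][0] for attrs in people.values()}
    by_dn = {normalize_dn(dn): attrs[user_id_attr][0] for dn, attrs in people.items()}
    groups, unresolved = {}, []
    for attrs in search(directory, group_base, group_type).values():
        gid = attrs[group_id_attr][0]
        groups[gid] = []
        for value in attrs.get(member_attr, []):
            # Accept either style: a bare uid, or a DN that resolves to an imported person.
            uid = value if value in uids else by_dn.get(normalize_dn(value))
            if uid is None:
                unresolved.append((gid, value))
            else:
                groups[gid].append(uid)
    return {"users": sorted(uids), "groups": groups, "unresolved": unresolved}


def posix_sync():
    """The settings the thread settles on: posixGroup with memberUid."""
    return synchronize(DIRECTORY, "inetOrgPerson", "uid", PEOPLE_BASE,
                       "posixGroup", "cn", "memberUid", GROUP_BASE)


def mismatched_sync():
    """groupType says posixGroup but the member attribute is the DN-style one:
    the group arrives with no members and the log gives no hint."""
    return synchronize(DIRECTORY, "inetOrgPerson", "uid", PEOPLE_BASE,
                       "posixGroup", "cn", "uniqueMember", GROUP_BASE)


if __name__ == "__main__":
    print(posix_sync())
    print(mismatched_sync())
```

The `unresolved` list is the check worth keeping when you debug a sync: a member value that resolves to nobody usually means the member attribute, the person search base or the uid attribute is wrong, and none of those show up as errors in the sync log.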

aique
Champ in-the-making
It works!

Finally here is my ldap-authentication.properties file:


# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      uid=%s,ou=People,dc=company,dc=com
# - digest
#    - usually pass through what is entered
#      %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=<ldap url>

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=<admin user uid>

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=<admin user uid pass>

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=posixGroup)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=homeDirectory

# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description

# The group type in LDAP
ldap.synchronization.groupType=posixGroup

# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=memberUid

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

Thanks a lot dward, you saved my life. Congrats for the Alfresco program and for your work helping people in the forums. One point to your post :)

zydoon
Champ on-the-rise
It works!

Finally here is my ldap-authentication.properties file:
…….

Thanks a lot dward, you saved my life. Congrats for the Alfresco program and for your work helping people in the forums. One point to your post :)

Does the users<->group mapping work too?