LDAP Auth and Synch in Alfresco 3.3
06-29-2010 06:49 AM
I'm trying to get the OpenLDAP authentication and synchronization process working in Alfresco 3.3. I've read that in the version I'm using you only need to change the /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties file.
I don't have an admin user in OpenLDAP; I don't even have any LDAP user's password, so I can only log in as the Alfresco admin and look at all the users to check whether the LDAP users are synchronized.
I changed my alfresco-global.properties but nothing seems to happen. I log in as the Alfresco admin, but I can only see the Alfresco internal users, none from LDAP.
Here is my alfresco-global.properties file:
################################# Common Alfresco Properties #################################
#
# Sample custom content and index data location
#-------------
dir.root=/opt/Alfresco/alf_data
#
# Sample database connection properties
#-------------
db.name=alfresco
db.username=alfresco
db.password=alfresco
db.host=localhost
db.port=3306
#
# External locations
#-------------
ooo.exe=/opt/Alfresco/program/soffice
ooo.user=<%ShortInstallDir%>/alf_data/oouser
jodconverter.officeHome=/opt/Alfresco
jodconverter.portNumbers=8101
#ooo.enabled=false
#jodconverter.enabled=true
img.root=/usr/local
swf.exe=/opt/Alfresco/bin/pdf2swf
#
# Initial admin password
#-------------
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634
#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}
#
# Oracle connection
#
#oracle#db.driver=oracle.jdbc.OracleDriver
#oracle#db.url=jdbc:oracle:thin:@${db.host}:${db.port}:${db.name}
#
# SQLServer connection
# Requires jTDS driver version 1.2.5 and SNAPSHOT isolation mode
# Enable TCP protocol on fixed port db.port
# Prepare the database with:
# ALTER DATABASE db.name SET ALLOW_SNAPSHOT_ISOLATION ON;
#
#mssql#db.driver=net.sourceforge.jtds.jdbc.Driver
#mssql#db.url=jdbc:jtds:sqlserver://${db.host}:${db.port}/${db.name}
#mssql#db.txn.isolation=4096
#
# PostgreSQL connection (requires postgresql-8.2-504.jdbc3.jar or equivalent)
#
#postgres#db.driver=org.postgresql.Driver
#postgres#db.url=jdbc:postgresql://${db.host}:${db.port}/${db.name}
#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto
#
# Outbound Email Configuration
#-------------
#mail.host=
#mail.port=25
#mail.username=anonymous
#mail.password=
#mail.encoding=UTF-8
#mail.from.default=alfresco@alfresco.org
#mail.smtp.auth=false
#
# Alfresco Email Service and Email Server
#-------------
# Enable/Disable the inbound email service. The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true
# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous
# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match. For example:
# .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*
#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
#authentication.chain=alfrescoNtlm1:alfrescoNtlm
# MODIFICATION START
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
# MODIFICATION END
#
# URL Generation Parameters (The ${localname} token is replaced by the local server name)
#-------------
#alfresco.context=alfresco
#alfresco.host=${localname}
#alfresco.port=8080
#alfresco.protocol=http
#
#share.context=share
#share.host=${localname}
#share.port=8080
#share.protocol=http
# MODIFICATION START
ldap.authentication.active=true
ldap.synchronization.active=true
# How to map the user id entered by the user to that passed through to LDAP
# - simple
# - this must be a DN and would be something like
# CN=%s,DC=company,DC=com
# - digest
# - usually pass through what is entered
# %s
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://di002.edv.uniovi.es:389
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=""
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=""
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
#
# This properties file is used to configure LDAP synchronisation
#
# The LDAP user to connect as to do the export operation.
ldap.synchronization.java.naming.security.principal=""
# The password for this user, if required
ldap.synchronization.java.naming.security.credentials=""
# The timestamp format
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The query to find the people to import
ldap.synchronization.personQuery=(objectclass=inetOrgPerson)
# The search base of the query to find people to import
ldap.synchronization.personSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
# The query to find group objects
ldap.synchronization.groupQuery=(objectclass=groupOfUniqueNames)
# The search base to use to find group objects
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The group type in LDAP
ldap.synchronization.groupType=groupOfUniqueNames
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=uniqueMember
# The cron expression defining when people imports should take place
ldap.synchronization.import.person.cron=0 */10 * * * ?
# The cron expression defining when group imports should take place
ldap.synchronization.import.group.cron=0 30 * * * ?
# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronization.import.group.clearAllChildren=true
# MODIFICATION END
I hope you can help me; I needed to finish this project yesterday!
Thanks.
07-06-2010 11:16 AM
http://www.anotherstrangerme.com/alfresco-3-3g-integration-with-active-directory-and-google-docs/
07-10-2010 06:10 AM
Nowadays the authentication process is working, but the synchronization process is not. Here is the log:
Synchronizing users and groups with user registry 'ldap1'
Retrieving all groups from user registry 'ldap1'
ldap1 Group Analysis: Commencing batch of 0 entries
ldap1 Group Analysis: Completed batch of 0 entries
Retrieving all users from user registry 'ldap1'
ldap1 User Creation and Association: Commencing batch of 0 entries
ldap1 User Creation and Association: Completed batch of 0 entries
Finished synchronizing users and groups with user registry 'ldap1'
0 user(s) and 0 group(s) processed
My ldap properties file is:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=<url>
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=<ldap admin user>
ldap.synchronization.java.naming.security.credentials=<pass>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.groupDifferentialQuery=(objectclass=posixGroup)
ldap.synchronization.personQuery=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.personDifferentialQuery=(objectclass=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
ldap.synchronization.modifyTimestampAttributeName=
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true
Here are some screenshots of my LDAP, so you can check the parameters in my config file:
http://ubuntuone.com/p/9Hz/
http://ubuntuone.com/p/9Hx/
http://ubuntuone.com/p/9Hy/
If someone finds errors in my config that would help me with the synchronization process, I'd appreciate it very much.
07-12-2010 06:50 AM
Just check you've got your group search base, person search base, and attribute names correct with an LDAP browser such as the one from http://ldapbrowser.com.
07-12-2010 06:56 AM
See http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2
And your differential queries don't contain modifyTimestamp so the differential sync won't work.
It's best just to use the default parameters from $TOMCAT_HOME/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/*.properties
as a starting point (in your own extension properties file or alfresco-global.properties).
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
07-12-2010 07:20 AM
I'll try this config tomorrow and post the result here.
In another forum, someone posted that there could be a problem in the mapping between users and groups.
In the LDAP, groups must have an attribute with:
memberUid: uid=pepito,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
memberUid: uid=juanito,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
memberUid: uid=luis,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
And I have:
memberUid: pepito
memberUid: juanito
memberUid: luis
And users must have an attribute with:
o: cn=PAS,ou=Group ... etc.
And I don't have this attribute in the users; they are in an organizational structure ou=People, ou=PAS, ou=pepito.
Could that be the problem?
And finally, I don't have any attribute called modifyTimestamp in the users or groups in my LDAP. Do I have to create it, or is it an attribute created automatically by the LDAP server?
Thanks a lot.
07-12-2010 08:30 AM
Just make sure you set ldap.synchronization.groupType, ldap.synchronization.groupMemberAttributeName, ldap.synchronization.groupQuery and ldap.synchronization.groupDifferentialQuery to use posixGroup.
07-12-2010 08:32 AM
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
# The group type in LDAP
ldap.synchronization.groupType=posixGroup
# The attribute in LDAP on group objects that defines the DN or UID for its members
ldap.synchronization.groupMemberAttributeName=memberUid
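The two answers above (the differential queries needing modifyTimestamp with the {0} placeholder, and posixGroup needing memberUid rather than a DN-valued member attribute) can be checked offline before restarting Tomcat. The script below is an added example, not Alfresco's code: it reads ldap.synchronization.* settings the way a Java .properties file is written (with \= escapes), reports the mistakes that produce the "0 user(s) and 0 group(s)" log seen in this thread, renders a differential query for a given point in time, and applies a simplified model of member resolution in which values containing '=' are treated as DNs and anything else as a bare uid. That model, the MEMBER_ATTR_FOR_TYPE table, the two property sets and the sample entries are assumptions constructed for the example; the Oviedo tree is only used as naming.

```python
"""Added example, not Alfresco's code: an offline sanity check for the
ldap.synchronization.* settings discussed in this thread, plus a simplified
model of how group members map to Alfresco user ids for posixGroup (memberUid
holds uids) versus groupOfNames/groupOfUniqueNames (member holds DNs).
The directory entries and the two property sets are constructed sample data."""
import re
from datetime import datetime, timezone

P = "ldap.synchronization."

# Member attribute each group objectClass actually uses (assumed mapping).
MEMBER_ATTR_FOR_TYPE = {"posixGroup": "memberUid",
                        "groupOfNames": "member",
                        "groupOfUniqueNames": "uniqueMember"}

def parse_properties(text):
    """Minimal Java .properties reader: '#' comments, key=value, '\\=' unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def lint_sync_config(props):
    """Return the problems that lead to '0 user(s) and 0 group(s) processed'."""
    problems = []
    ts_attr = props.get(P + "modifyTimestampAttributeName", "")
    for key in ("groupQuery", "personQuery",
                "groupDifferentialQuery", "personDifferentialQuery"):
        q = props.get(P + key, "")
        if not q.startswith("("):
            # A DN here is handed to the server as a filter and matches nothing.
            problems.append(f"{key} must be an LDAP filter, not a DN: {q!r}")
        elif key.endswith("DifferentialQuery"):
            if not ts_attr:
                problems.append("modifyTimestampAttributeName is empty; differential sync cannot work")
            elif ts_attr not in q or "{0}" not in q:
                problems.append(f"{key} must contain {ts_attr} and the {{0}} placeholder: {q!r}")
    gtype = props.get(P + "groupType", "")
    expected = MEMBER_ATTR_FOR_TYPE.get(gtype)
    actual = props.get(P + "groupMemberAttributeName", "")
    if expected and actual != expected:
        problems.append(f"{gtype} stores members in {expected}, but groupMemberAttributeName is {actual!r}")
    return problems

def render_differential_query(props, since):
    """Fill {0} with `since` (datetime or ISO string) in the default timestampFormat."""
    if props[P + "timestampFormat"] != "yyyyMMddHHmmss'Z'":
        raise ValueError("only the default yyyyMMddHHmmss'Z' pattern is handled here")
    since = datetime.fromisoformat(since) if isinstance(since, str) else since
    stamp = since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    return props[P + "groupDifferentialQuery"].replace("{0}", stamp)

def resolve_members(group, people, props):
    """Return (resolved user ids, unresolved values) for one group entry.
    Values containing '=' are matched as member DNs; anything else as a bare
    uid, which is what posixGroup's memberUid holds (assumed, simplified)."""
    uid_attr = props[P + "userIdAttributeName"]
    uids = {person["attrs"][uid_attr][0] for person in people}
    by_dn = {person["dn"].lower(): person["attrs"][uid_attr][0] for person in people}
    found, unresolved = [], []
    for value in group["attrs"].get(props[P + "groupMemberAttributeName"], []):
        uid = by_dn.get(value.lower()) if "=" in value else (value if value in uids else None)
        (found if uid else unresolved).append(uid or value)
    return sorted(found), unresolved

# Constructed sample directory in the poster's layout (not the real tree).
BASE = "ou=Departamento de Informatica,o=Universidad de Oviedo,c=es"
PEOPLE = [{"dn": f"uid={u},ou=People,{BASE}", "attrs": {"uid": [u]}}
          for u in ("pepito", "juanito")]
POSIX_GROUP = {"dn": f"cn=PAS,ou=Group,{BASE}",
               "attrs": {"cn": ["PAS"], "memberUid": ["pepito", "juanito", "ghost"]}}

# The 07-10 settings (DNs where filters belong, empty timestamp attribute) ...
BAD = f"""
{P}groupQuery=ou=Group,{BASE}
{P}groupDifferentialQuery=(objectclass=posixGroup)
{P}personQuery=ou=People,{BASE}
{P}personDifferentialQuery=(objectclass=inetOrgPerson)
{P}modifyTimestampAttributeName=
{P}timestampFormat=yyyyMMddHHmmss'Z'
{P}userIdAttributeName=uid
{P}groupType=posixGroup
{P}groupMemberAttributeName=memberUid
"""
# ... and the 07-13 settings that worked, escaped as in the properties file.
GOOD = f"""
{P}groupQuery=(objectclass\\=posixGroup)
{P}groupDifferentialQuery=(&(objectclass\\=posixGroup)(!(modifyTimestamp<\\={{0}})))
{P}personQuery=(objectclass\\=inetOrgPerson)
{P}personDifferentialQuery=(&(objectclass\\=inetOrgPerson)(!(modifyTimestamp<\\={{0}})))
{P}modifyTimestampAttributeName=modifyTimestamp
{P}timestampFormat=yyyyMMddHHmmss'Z'
{P}userIdAttributeName=uid
{P}groupType=posixGroup
{P}groupMemberAttributeName=memberUid
"""

if __name__ == "__main__":
    for label, text in (("07-10 config", BAD), ("07-13 config", GOOD)):
        print(label, lint_sync_config(parse_properties(text)) or "looks consistent")
    good = parse_properties(GOOD)
    print(render_differential_query(good, "2010-07-12T06:30:00+00:00"))
    print(resolve_members(POSIX_GROUP, PEOPLE, good))
```

Running it prints four problems for the 07-10 settings and none for the 07-13 settings, then the rendered differential filter and the member split (["juanito", "pepito"], ["ghost"]). The unresolved list is worth watching in a real sync: a memberUid value that matches no imported uid, or a DN outside userSearchBase, silently contributes nothing to the Alfresco group.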
07-13-2010 04:00 AM
Finally, here is my ldap-authentication.properties file:
# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false
# How to map the user id entered by the user to that passed through to LDAP
# - simple
# - this must be a DN and would be something like
# uid=%s,ou=People,dc=company,dc=com
# - digest
# - usually pass through what is entered
# %s
# If not set, an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will
# be performed to resolve the DN dynamically. This allows directories to be structured and doesn't require the user ID to
# appear in the DN.
ldap.authentication.userNameFormat=uid=%s,ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=<ldap url>
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=<admin user uid>
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=<admin user uid pass>
# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000
# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=1000
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou=Group,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou=People,ou=Departamento de Informatica,o=Universidad de Oviedo,c=es
# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on person objects in LDAP to map to the organizational id property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=o
# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=description
# The group type in LDAP
ldap.synchronization.groupType=posixGroup
# The person type in LDAP
ldap.synchronization.personType=inetOrgPerson
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=memberUid
# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
Thanks a lot dward, you saved my life. Congrats on the Alfresco program and on your work helping people in the forums. One point to your post.
08-22-2010 08:09 PM
It works!
Finally, here is my ldap-authentication.properties file:
…….
Thanks a lot dward, you saved my life. Congrats on the Alfresco program and on your work helping people in the forums. One point to your post.
Does the users<->group mapping work too?
