
LDAP-config for multiple AD queries

jdel23
Champ in-the-making
Folks, I am at my wits end trying to configure LDAP to query AD using multiple user and group search bases. It would appear that there have been many similar posts in the past on this forum but I cannot see any resolution to the problem. If someone can post a working syntax to support multiple AD paths in the userSearchBase and groupSearchBase then I will be eternally grateful.

Previous suggestions indicated that one could try a separate LDAP component in the authentication chain. However, the Alfresco wiki states that this strategy can lead to a lockout. Even if I did implement the solution this way, I would have to have many LDAP links in the chain and also each synchronisation thread would be fired at the same time from the single CRON job.

My problem must have been solved many times - there are Alfresco installations supporting thousands of groups and users. Please help.

Thanks in advance.


4 REPLIES

afaust
Legendary Innovator
Hello,

having worked on an Alfresco system with thousands of groups and users in the past I can tell you that the advice to separate the configuration into multiple LDAP configurations / components is a valid one. And it is the only solution I know of to your problem. We have had a customer with users in 3 different LDAP servers (not just search bases, but different LDAP systems altogether) due to acquisition and integrated these systems in Alfresco using about 4 or 5 LDAP configurations (we had to sort out some overlaps).
I do not know what part of the wiki you are referring to (I could not find something in a cursory search for "lockout").

There is also no problem from what I know with the multiple synchronisations. They will be fired from the same thread but will execute sequentially.

Regards
Axel

jdel23
Champ in-the-making
Hi Axel,

Thank you very much for your reply. I took your advice and set up two LDAP configurations - they import the same group but have different userSearchBases. Unfortunately this does not solve my problem as the group is imported ok with the users from the LDAP1 configuration but the users from the LDAP2 are not imported (I have validated the search string).

Regarding my reference to the wiki - here it is: It's not recommended to include the same LDAP server in the chain more than once as it could cause account locking, see https://issues.alfresco.com/jira/browse/ALF-5444

Regards

afaust
Legendary Innovator
Hello,

ok - the recommendation refers to the use of LDAP / LDAP-AD to actually authenticate users.
If you do not authenticate users using LDAP - instead using passthru or kerberos - you can have multiple configurations for the same LDAP. I have never used LDAP / LDAP-AD for authentication in Alfresco - our customers typically use passthru or kerberos, or do not synchronize with any directory at all.

Regards
Axel
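
The arrangement described in the reply above (two LDAP configurations against the same directory used for synchronisation only, with authentication left to passthru), as an added example that is not part of the original posts. The instance names `ldap1`/`ldap2`, host names, bind account, OU paths and file locations are constructed placeholders and assumptions about a typical install.

```properties
# --- alfresco-global.properties -------------------------------------------
# Chain order matters: passthru authenticates users, the two ldap-ad
# instances only feed the synchronisation job.
authentication.chain=passthru1:passthru,ldap1:ldap-ad,ldap2:ldap-ad
# Constructed domain controller name
passthru.authentication.servers=EXAMPLE\\dc1.example.com

# --- .../extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties
# Never bind as the end user from this instance, so a failed login cannot
# be replayed against the same directory by a second chain member.
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldaps://dc1.example.com:636
# Read-only service account (constructed); keep the password out of
# version control and restrict read access to this file.
ldap.synchronization.java.naming.security.principal=svc-alfresco-sync@example.com
ldap.synchronization.java.naming.security.credentials=CHANGE_ME
ldap.synchronization.userSearchBase=ou=Staff,dc=example,dc=com
ldap.synchronization.groupSearchBase=ou=Groups,dc=example,dc=com

# --- .../extension/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties
# Same server and service account, different user search base.
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldaps://dc1.example.com:636
ldap.synchronization.java.naming.security.principal=svc-alfresco-sync@example.com
ldap.synchronization.java.naming.security.credentials=CHANGE_ME
ldap.synchronization.userSearchBase=ou=Contractors,dc=example,dc=com
ldap.synchronization.groupSearchBase=ou=Groups,dc=example,dc=com
```
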

mrogers
Star Contributor
And ALF-5444 was fixed years ago, it's no longer relevant.