LDAP Sync against large Active Directory groups

sburke2
Champ in-the-making
Hello All,

We're using Alfresco 3.2r here and are running into a problem synchronizing against large groups served up by active directory. If a group has more than 1500 members (on versions after win2000), AD wants to serve up the member list in a paged manner (see http://msdn.microsoft.com/en-us/library/aa367017%28VS.85%29.aspx). Alfresco doesn't seem to support this, and our large groups are coming up empty. We have no problem synchronizing the users themselves or populating groups with less than 1500 members.

So my question is, does Alfresco support the AD member;range style paging on the group members attribute? It seems to me that would be a common requirement and there must be some bit of configuration we just haven't turned up yet. If it isn't supported, does anyone have any idea how we might work around this – it's a crucial feature for us. Searching the forums turns up nothing about this, so I am really hoping we have just overlooked something here.

Thank you!

sburke2
Champ in-the-making
Still haven't found a solution to this. I'm finding it hard to believe that Alfresco does not support this setup – surely there are plenty of groups out there backing Alfresco with AD where the groups have more than 1500 members? If it works for you (or not) please let me know.

dward
Champ on-the-rise
Alfresco does support this. The default setting for the ldap-ad subsystem in v3.2 is a page size of 1000. So not a problem. Just use v3.2.

dward
Champ on-the-rise
It's controlled by ldap.synchronization.queryBatchSize

See

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

sburke2
Champ in-the-making
Thanks for the reply. We're using 3.2(r) here and I have looked at the queryBatchSize setting. From my understanding this setting is used to limit the results of, for example, the personQuery used to synchronize users. Our personQuery looks like:

ldap.synchronization.personQuery=(&(objectClass=user) (memberOf=CN=Employees,OU=Groups,DC=XXX,DC=XXX,DC=XXX) (cn=*))

and it works great; all of the members of our Employees group (about 4000) get synced just fine. Furthermore, our group query works fine – all of our groups get synchronized over and all groups which have < 1500 members have their members set correctly. The trouble is that groups with over 1500 members come up empty (have no members at all). I thought this might have something to do with the way AD serves up multi-valued attributes (see http://msdn.microsoft.com/en-us/library/aa367017%28VS.85%29.aspx); I'm not sure queryBatchSize would have any effect on this. I take it AD's paging of multi-valued attributes (the ;range) is non-standard?

Oh, here is a post where someone using a name service resolver against AD is experiencing the same problem: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476454. I know the software is unrelated, but the behavior he is experiencing looks the same to me. In that case, libnss was not coded to handle AD's paging of multivalued attributes. To me it looks very much like Alfresco is running into the same problem. I hope I am wrong and that there is a simple solution that I'm overlooking. What do you think?

dward
Champ on-the-rise
Thanks for the link. This is news to us. We are using RFC 2696 paged results to overcome the limit on the number of individual results returned by a search. But we were not aware that AD also limits the number of values returned for a multi-valued attribute. Luckily there is an example of doing this in Java here

http://forums.sun.com/thread.jspa?threadID=578347

I have logged this bug and hope to fix it soon:

https://issues.alfresco.com/jira/browse/ETHREEOH-3770
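The two mechanisms the thread keeps apart are worth seeing side by side: RFC 2696 paged results (controlled by ldap.synchronization.queryBatchSize) limits how many entries one search returns, while AD's MaxValRange (1500 on Windows Server 2003 and later, 1000 on Windows 2000) limits how many values of a single multi-valued attribute such as member come back per request. When a group exceeds that limit, AD does not return an attribute called member at all; it returns member;range=0-1499, and a client that only looks for the plain name sees an empty group, which is the symptom described above. The client has to ask for member;range=1500-*, then member;range=3000-* and so on until the returned attribute name ends in "*". The following is an added example, not code from the thread, from Alfresco or from the Sun forums post linked above: it is Python with an in-memory stand-in for AD's range behaviour and constructed sample DNs, so it runs offline, and it shows both the naive lookup that fails and the range-retrieval loop that works. MAX_VAL_RANGE, simulated_ad_attribute, ranged_members and the sample group are all this example's own names.

```python
"""Active Directory range retrieval for large multi-valued attributes.

Constructed, offline example. simulated_ad_attribute() models how AD answers a
request for one attribute; ranged_members() is the client loop that walks the
member;range= chunks until the server marks the final one with a trailing '*'.
"""
import re

# AD's default MaxValRange for Windows Server 2003 and later (Windows 2000: 1000).
MAX_VAL_RANGE = 1500

# Matches attribute descriptions such as "member;range=0-1499" or "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)


def simulated_ad_attribute(entry, requested):
    """Stand-in for AD's answer to a request for one multi-valued attribute.

    `requested` is a plain name ("member") or a range request ("member;range=1500-*").
    At most MAX_VAL_RANGE values are returned per request, the returned attribute
    name carries the range actually served, and a trailing '*' marks the last chunk.
    Returns {name: values}, or {} when the attribute has no values in that range.
    """
    m = RANGE_RE.match(requested)
    if m:
        base, low = m.group("attr"), int(m.group("low"))
        high = None if m.group("high") == "*" else int(m.group("high"))
    else:
        base, low, high = requested, 0, None
    values = entry.get(base, [])
    if not values or low >= len(values):
        return {}
    last = len(values) - 1 if high is None else min(high, len(values) - 1)
    last = min(last, low + MAX_VAL_RANGE - 1)  # the server-side cap
    chunk = values[low:last + 1]
    if last == len(values) - 1:
        # Final chunk: a plain request that fit keeps the plain name, otherwise "low-*".
        name = base if not m else f"{base};range={low}-*"
    else:
        name = f"{base};range={low}-{last}"
    return {name: chunk}


def naive_members(entry):
    """A client that asks for "member" and only looks for "member" in the reply."""
    return simulated_ad_attribute(entry, "member").get("member", [])


def ranged_members(entry, attr="member"):
    """Fetch every value of `attr` with ;range requests. Returns (values, requests_made)."""
    values, low, requests = [], 0, 0
    while True:
        result = simulated_ad_attribute(entry, f"{attr};range={low}-*")
        requests += 1
        if not result:
            return values, requests  # empty attribute, or nothing left past `low`
        (name, chunk), = result.items()
        m = RANGE_RE.match(name)
        if m is None or m.group("attr").lower() != attr.lower():
            raise ValueError(f"unexpected attribute in response: {name}")
        values.extend(chunk)
        if m.group("high") == "*":
            return values, requests  # '*' marks the final chunk
        low = int(m.group("high")) + 1  # next chunk starts where this one ended


def constructed_group(size, name="Employees"):
    """Constructed sample group entry with `size` member DNs (not real directory data)."""
    return {
        "cn": [name],
        "member": [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(size)],
    }


BIG_GROUP = constructed_group(4000)   # like the ~4000-member Employees group above
SMALL_GROUP = constructed_group(10)

if __name__ == "__main__":
    print("naive lookup, 4000 members:", len(naive_members(BIG_GROUP)))
    members, n = ranged_members(BIG_GROUP)
    print("range retrieval, 4000 members:", len(members), "values in", n, "requests")
```

The naive path returns nothing for the 4000-member group because the only attribute in the reply is member;range=0-1499; the range loop collects all 4000 DNs in three requests (0-1499, 1500-2999, 3000-*). Two details matter against a real server: a group whose membership fits in one chunk answers a range request with member;range=0-*, so the loop must treat "*" as the stop condition rather than the chunk size, and an empty attribute is simply absent from the reply, so the loop must also stop when nothing comes back.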

dward
Champ on-the-rise
FYI this is now fixed on HEAD.