LDAP sync with dynlist (account/group disable)?

johna
Champ in-the-making
Has anyone had experience with setting up Alfresco to synch with OpenLDAP dynamic groups using the dynlist overlay?

I can integrate with LDAP no problem, but when trying to convert my static groups to dynamic groups it doesn't see the group members.  It appears to have something to do with the combination of how the overlay works and how Alfresco is querying LDAP.  Apache recognizes the dynamic group members, and you see them when you query LDAP from the command line, but when Alfresco syncs it grabs the group names and no members.

Something I read mentioned the dynlist overlay integrates the dynamic names at the last minute of a search, so I'm wondering if the Java library that is querying LDAP performs the query some other way.  E.g. maybe it asks for an attribute list and works from that rather than performing the search first?  If that's the case it wouldn't find the member attribute since they're added dynamically and therefore might assume there are no members.  I haven't had a chance to dissect the Java yet to see how it's querying LDAP.  Was hoping someone might have experience with this.

Thanks.

John
2 REPLIES

johna
Champ in-the-making
Or maybe there's a better way to approach this.

I see potential for doing things at the directory level and then letting Alfresco sync up with what it sees.  However, the use case I'm trying to solve is to disable an account in Alfresco.  The account would remain in the system, but disabled.  This of course would prevent that account from performing any actions in Alfresco, and hopefully would also stop Alfresco from including it in group references.  I noticed in the dev guide there's mention of both "enabled" and "accountLocked" fields, and I can see them through the node browser (even though I don't find my LDAP accounts in there), but I don't see a way to edit those in the interface, or sync them from LDAP.

Is it possible to sync them from LDAP?  To edit them?  How does Alfresco behave when an account is disabled?  (E.g. does it skip email notifications to that account?)

Thanks.


John

johna
Champ in-the-making
Still trying to track down why Alfresco won't sync dynamic groups from OpenLDAP.  I apologize in advance if this is way off the mark here, I'm still brand new to Alfresco, but I think I might have tracked down the issue and I'm hoping someone can confirm this.

If I understand ldap-synchronisation-context.xml correctly, it is the bean (bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource") that is responsible for querying for the groups and group members.  Is that a correct assumption?

Assuming it is, I looked up LDAPGroupExportSource.java in the SDK, and it appears that the actual query happens on line 370 (NamingEnumeration searchResults = ctx.search(searchBase, groupQuery, userSearchCtls);).  Then a loop starts to pull together the pieces and on line 374 the attributes are grabbed (Attributes attributes = result.getAttributes();).

I tracked this back through the Javadoc, and it led me to:

* org.alfresco.repo.security.authentication.ldap - public interface LDAPInitialDirContextFactory  (getDefaultInitialDirContext())
* javax.naming.directory.InitialDirContext  (search())
* javax.naming.directory - public interface DirContext

Where under the class description for DirContext it says this about operational attributes:

** In the getAttributes() and search() methods, you can specify that all attributes associated with the requested objects be returned by supply null as the list of attributes to return. The attributes returned do not include operational attributes. In order to retrieve operational attributes, you must name them explicitly.


I'm not sure, but I believe OpenLDAP dynamic groups (dynlist overlay) is implemented using operational attributes.  If that's the case, and the above statement about having to explicitly name operational attributes to retrieve them applies here, then that would explain the behavior I'm experiencing.

In my test case I'm defining a group in LDAP (objectClass=groupOfUniqueNames) with a simple name of "Everyone", and assigning one static member of "uid=placeholder" to satisfy the schema requirement of at least one group member at all times.  I then configured dynlist, and set the attribute "labeledURI" to a query that will grab every user as a simple test case ( ldap:///ou=people,dc=someco??one?(objectClass=inetOrgPerson) ).  (I realize there are a number of variations on this configuration, and I've tried several now, but this is one example that gives a hint into what's happening.)  Then when I watch the log as Alfresco LDAP sync is running I see it grab the group names, which of course are static in the directory, and grab the static uniqueMember entry on each group (uid=placeholder), but it never grabs the dynamic group members.  This is the case even though you can perform an anonymous bind search from the command line and see the dynamic members, and you can see them as Manager through Apache Directory Studio (GUI).

If I'm on the right track here, would adding a line to LDAPGroupExportSource.java somewhere around 373-374 to result.setAttributes(…) and explicitly call out the attributes that are needed in the loop fix this?  (I'm referring to setAttributes() on javax.naming.directory.SearchResult)  Of course one of those attributes that would be called out is the name of the group member attribute (memberAttribute in LDAPGroupExportSource.java).

I haven't had time to test this yet.  Just wondering if someone out there who is familiar with this section of code might have an idea if this is correct.

Thanks.


John
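An added example, not from this thread or from Alfresco's own LDAPGroupExportSource, of the JNDI behaviour the DirContext Javadoc quoted above describes: the same group search run once with a null attribute list and once with the member attribute named explicitly through SearchControls, so the two result sets can be compared against the command-line query. The server URL, base DN, filter and attribute name are assumptions to adjust for your directory.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class DynlistGroupSearch {
    // Hypothetical settings for an OpenLDAP server with the dynlist overlay enabled.
    static final String LDAP_URL = "ldap://ldap.example.test:389";
    static final String GROUP_BASE = "ou=groups,dc=someco";
    static final String GROUP_QUERY = "(objectClass=groupOfUniqueNames)";
    static final String MEMBER_ATTR = "uniqueMember";

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        // Anonymous bind, matching the command-line test described in the thread.
        DirContext ctx = new InitialDirContext(env);
        try {
            System.out.println("Default attribute list (null):");
            dumpGroups(ctx, null);
            System.out.println("Explicit attribute list, member attribute named:");
            dumpGroups(ctx, new String[] { "cn", MEMBER_ATTR });
        } finally {
            ctx.close();
        }
    }

    static void dumpGroups(DirContext ctx, String[] returningAttrs) throws NamingException {
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        // null means "all user attributes" per the DirContext Javadoc; an attribute
        // the server treats as operational is only returned when listed here by name.
        ctls.setReturningAttributes(returningAttrs);
        NamingEnumeration<SearchResult> results = ctx.search(GROUP_BASE, GROUP_QUERY, ctls);
        while (results.hasMore()) {
            SearchResult result = results.next();
            Attributes attrs = result.getAttributes();
            Attribute members = attrs.get(MEMBER_ATTR);
            int count = members == null ? 0 : members.size();
            System.out.println(result.getNameInNamespace() + " -> " + count + " member(s)");
        }
    }
}
```

If the second run lists the dynlist-expanded members and the first does not, the directory is treating the expanded attribute as one that must be requested by name, which is the situation the post above suspects.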