LDAP Sync

clynham
Champ in-the-making
Hi,

After playing with authentication chains, etc., over the past few days, I've finally got it working how I want it to, with the exception of LDAP sync. My properties file is configured as:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad
#
passthru.authentication.domain=#
passthru.authentication.servers=DOMAIN\\DOMAINCONTROLLER01,DOMAINCONTROLLER02
passthru.authentication.defaultAdministratorUserNames=administrator,admin
passthru.authentication.authenticateFTP=false
#passthru.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true
#ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.active=false
ldap.authentication.java.naming.provider.url=ldap://DOMAINCONTROLLER01:389
ldap.authentication.userNameFormat=%s
ldap.synchronization.java.naming.security.principal=ldap.admin
ldap.synchronization.java.naming.security.credentials=secret$
ldap.synchronization.groupSearchBase=ou=Security Groups,ou=domain,dc=co,dc=uk
ldap.synchronization.userSearchBase=ou=User Accounts,ou=domain,dc=co,dc=uk

If a new user logs into the system alfresco.log shows:

15:50:31,588 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
15:50:31,588 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.ldap1'
15:50:31,620 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.ldap1'
15:50:31,620 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'AUTH.EXT.ldap1'
15:50:31,620 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

So although no errors are being thrown, the system isn't actually doing any sync of user details. Does anyone know where to start looking? I've also tried amending ldap.authentication.userNameFormat and ldap.synchronization.java.naming.security.principal, without success, to:

ldap.authentication.userNameFormat=%s@domain.co.uk
ldap.synchronization.java.naming.security.principal=ldap.admin@domain.co.uk

Thanks in advance!
4 REPLIES

dward
Champ on-the-rise
I would double check

ldap.synchronization.groupSearchBase and ldap.synchronization.userSearchBase

by using an LDAP browser such as the one from http://www.ldapbrowser.com

clynham
Champ in-the-making
Thanks for that; that got it sorted.

I've now got users to sync; however, I'm experiencing the same issue as this post, where the Guest user clashes and causes the sync to fail:

http://forums.alfresco.com/en/viewtopic.php?f=9&t=20653&p=67345&hilit=could+not+delete%3A+%5Borg.alf...

As suggested, I've amended the queries to try and exclude the Guest user:

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(!(sAMAccountName=Guest)))
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0}))(!(sAMAccountName=Guest)))

However, with these two lines included I get the following error when trying to log into Alfresco. Comment them out and everything is fine again (with the exception of the Guest error):

net.sf.acegisecurity.AuthenticationServiceException: General error; nested exception is org.alfresco.error.AlfrescoRuntimeException: 08140002 User and group import failed 
Caused by: org.alfresco.error.AlfrescoRuntimeException: 08140002 User and group import failed
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:658)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncGroupsWithPlugin(ChainingUserRegistrySynchronizer.java:399)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:219)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.createMissingPerson(ChainingUserRegistrySynchronizer.java:245)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.alfresco.repo.management.subsystems.SubsystemProxyFactory$1.invoke(SubsystemProxyFactory.java:71)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy53.createMissingPerson(Unknown Source)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:431)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:429)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:489)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:427)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:412)
at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:193)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticatePassthru(NTLMAuthenticationComponentImpl.java:873)
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.authenticate(NTLMAuthenticationComponentImpl.java:560)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:304)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy190.authenticate(Unknown Source)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.processType3(BaseNTLMAuthenticationFilter.java:606)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:338)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:109)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy194.doFilter(Unknown Source)
at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.naming.InvalidNameException: Invalid name: "ou=User accounts, dc=domain, dc=co, dc=uk"
at javax.naming.ldap.Rfc2253Parser.parseAttrType(Rfc2253Parser.java:130)
at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:83)
at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:45)
at javax.naming.ldap.LdapName.parse(LdapName.java:772)
at javax.naming.ldap.LdapName.<init>(LdapName.java:108)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:488)
… 54 more

Have I made any obvious errors?

dward
Champ on-the-rise
For some reason, it thinks your ldap.synchronization.userSearchBase is invalid.

I checked out the exception you were getting from the JDK.

Caused by: javax.naming.InvalidNameException: Invalid name: "ou=User accounts, dc=domain, dc=co, dc=uk"

When I go to that line of code, there are no quotes around the name. I would have expected to see

Caused by: javax.naming.InvalidNameException: Invalid name: ou=User accounts, dc=domain, dc=co, dc=uk

So have you really configured ldap.synchronization.userSearchBase with quote characters, or have you just edited the message for anonymity?

Anyway, double check that for weird characters, because there's something wrong with it.

clynham
Champ in-the-making
Sorry, my fault. Old programming habit of quoting strings that have spaces in them.

With those two lines added (to exclude the guest user) it seems to stop the sync from occurring. Without them, when I log into Alfresco I can see it scrolling through the AD users in the console until it crashes out at the guest user; when they're added I get the message '0 users and 0 groups processed'.

Is my query correct?
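Two of the failures in this thread can be caught before restarting the repository: a search base that is not a syntactically valid DN (dward's diagnosis of the quoted ou=User accounts value) and a personQuery or personDifferentialQuery that is not a well-formed RFC 4515 filter (clynham's closing question). The Python linter below is an added example, not code from the thread or from Alfresco. It reads a constructed alfresco-global.properties fragment modelled on the posted values, unescapes them the way java.util.Properties would (so the `\=` in the posted queries becomes `=`), rejects a DN whose first token is not an attribute type, as the JDK's Rfc2253Parser does, and checks that each filter parses to its last character. The ldap.synchronization.* keys are the ones used in the thread; the parsers are deliberately simplified (no \uXXXX escapes, no hex-encoded DN values, no multi-valued RDN splitting).

```python
import re

# Constructed sample modelled on the thread's posted values; not a real directory.
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupSearchBase=ou=Security Groups,ou=domain,dc=co,dc=uk
ldap.synchronization.userSearchBase="ou=User accounts, dc=domain, dc=co, dc=uk"
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(!(sAMAccountName=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0}))(!(sAMAccountName=Guest)))
"""

def unescape_properties_value(raw: str) -> str:
    # java.util.Properties: a backslash escapes the next character, so \= and \: are
    # literal '=' and ':' (\uXXXX and line continuations are left out for brevity).
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(raw[i + 1], raw[i + 1]))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def parse_properties(text: str) -> dict[str, str]:
    # Minimal key=value reader; '#' and '!' lines are comments, values are unescaped.
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key and key[0] not in "#!":
            props[key.strip()] = unescape_properties_value(value.strip())
    return props

# One RDN: an attribute type (descriptor such as ou/dc, or a dotted OID), '=', and a
# value in which a backslash escapes the next char and double quotes protect separators.
RDN = re.compile(r'\s*(?P<type>[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=(?P<value>(?:\\.|"[^"]*"|[^,;+"\\])*)')

def parse_dn(dn: str) -> list[tuple[str, str]]:
    # Split a DN into (type, value) pairs along the lines of RFC 4514 / the JDK's
    # Rfc2253Parser. ou="User accounts" is a legal quoted value; a quote where the
    # attribute type should be is rejected, which is what the thread's exception says.
    rdns, i = [], 0
    while True:
        m = RDN.match(dn, i)
        if not m:
            raise ValueError(f"invalid attribute type at {dn[i:]!r}")
        rdns.append((m.group("type"), m.group("value").strip()))
        i = m.end()
        if i == len(dn):
            return rdns
        if dn[i] not in ",;+":            # RDN separators; '+' joins multi-valued RDNs
            raise ValueError(f"unexpected {dn[i]!r} at offset {i} in {dn!r}")
        i += 1

# One filter item: attr[:matchingrule]... op value; values may not hold bare parentheses.
FILTER_ITEM = re.compile(r"[A-Za-z][\w.;-]*(?::[\w.]+)*(?:~=|>=|<=|:=|=)[^()]*")

def parse_filter(f: str, i: int = 0) -> int:
    # Recursive-descent check of an RFC 4515 filter; returns the index just past the
    # matching ')' and raises ValueError at the first malformed token.
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    i += 1
    if i < len(f) and f[i] in "&|":
        i += 1
        while i < len(f) and f[i] == "(":
            i = parse_filter(f, i)
    elif i < len(f) and f[i] == "!":
        i = parse_filter(f, i + 1)
    else:
        m = FILTER_ITEM.match(f, i)
        if not m:
            raise ValueError(f"bad filter item at offset {i} in {f!r}")
        i = m.end()
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"expected ')' at offset {i} in {f!r}")
    return i + 1

def lint_ldap_sync(properties_text: str) -> dict[str, str]:
    # {property: problem} for every ldap.synchronization.* search base or query that
    # does not parse. Empty means the syntax is fine; it says nothing about whether the
    # base exists or the filter matches anything, which only the directory can tell you.
    problems = {}
    for key, value in parse_properties(properties_text).items():
        if not key.startswith("ldap.synchronization."):
            continue
        try:
            if key.endswith("SearchBase"):
                parse_dn(value)
            elif key.endswith("Query"):
                end = parse_filter(value)
                if end != len(value):
                    raise ValueError(f"trailing text {value[end:]!r}")
        except ValueError as exc:
            problems[key] = str(exc)
    return problems

if __name__ == "__main__":
    for key, problem in lint_ldap_sync(SAMPLE_PROPERTIES).items():
        print(f"{key}: {problem}")
```

On the sample it reports only ldap.synchronization.userSearchBase, quoting the offending value in the message, and accepts both queries, so the posted filters are at least well-formed once the properties escaping is undone. What a linter cannot tell you is whether a well-formed base exists or whether objectclass=inetOrgPerson matches the accounts you expect; for that, bind as the sync account and run a base-scope search against each configured search base (an LDAP browser as suggested above, or `ldapsearch -H ldap://DOMAINCONTROLLER01:389 -D ldap.admin@domain.co.uk -W -b 'ou=User Accounts,ou=domain,dc=co,dc=uk' -s base '(objectClass=*)'`), then run the personQuery itself under that base. That is the check that turns a silent '0 user(s) and 0 group(s) processed' into a visible answer.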