LDAP Synchronization of User Details

fkeller
Champ in-the-making
Hello,

We have installed and set up Alfresco CE 3.2 on Ubuntu 9.04 using the Canonical partner repository. Authentication against LDAP (MS AD) works fine with three AD servers (chaining).
Now we want to sync the user details from AD (mail address, given name, …) to Alfresco. What would be the best way to do this?

We tried to get ldap sync up and running but it didn't work.

Thanks for the help.

dward
Champ on-the-rise
My recommendation would be to get LDAP sync up and running! It's worthwhile taking the latest community nightly build, as several performance and stability improvements have been made.

Please paste in your alfresco-global.properties, plus the full errors from alfresco.log that occur when an LDAP sync is triggered.

fkeller
Champ in-the-making
Thanks for the reply. The problem is that there is nothing in the log files from the sync process.

Here is the global.properties file:

###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#-------------
dir.root=/var/lib/alfresco

#
# Sample database connection properties
#-------------
db.name=xxx
db.username=xxx
db.password=xxx
db.host=xxx
db.port=xxx

#
# External locations
#-------------
ooo.exe=/usr/bin/soffice
img.root=/usr
swf.exe=/usr/bin/alfresco-pdf2swf

#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto

#
# Outbound Email Configuration
#-------------
#mail.host=
#mail.port=25
#mail.username=anonymous
#mail.password=
#mail.encoding=UTF-8
#mail.from.default=alfresco@alfresco.org
#mail.smtp.auth=false

#
# Alfresco Email Service and Email Server
#-------------

# Enable/Disable the inbound email service. The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true

# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous

# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match. For example:
#   .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*

#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

#
# IMAP
#-------------
#imap.server.enabled=true
#imap.server.port=143
#imap.server.host=localhost

dward
Champ on-the-rise
You say that you are chaining against three AD servers, yet you only have a single LDAP server in your authentication chain.

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

Plus you haven't actually set any of the LDAP properties! How do you expect it to work?

See

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2

fkeller
Champ in-the-making
The LDAP chaining is set up as in the example zip ( chaining-example.zip ) file with the configs for that.

And the authentication is working for all three AD servers configured there. The ldap.properties are set in the tomcat/shared/classes/alfresco/extensions/ldap-authentication.properties file.

In the config I posted before only one LDAP chain is set, because I was testing things.

Thanks for trying to help.

dward
Champ on-the-rise
Please do not use chaining-example.zip. It is not valid for v3.2 and has been removed from HEAD. Please remove your custom spring configuration and tell me what doesn't work when you configure things through alfresco-global.properties.

fkeller
Champ in-the-making
Thanks for the reply, but now I'm at the end of my knowledge.

Can you please give me a hint or a link to a good example of how to configure three LDAP chains with the global properties file?

Thanks

dward
Champ on-the-rise
I've already pointed you at the Wiki, which explains the authentication.chain property and all the other properties you can add to alfresco-global.properties to control your subsystems. I don't know what else I can do. I've added a new advanced example here.

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_2:_Advanced_LDAP_Chain

You will need the latest Community nightly build.

fkeller
Champ in-the-making
Okay, I've set this up like your examples, and it works fine. I can log in with AD users, but the sync doesn't work at the moment.

The error message is:

WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Failed initial synchronize with user registries
org.alfresco.repo.security.authentication.AuthenticationException: 07140000 LDAP authentication failed.
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:115)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:90)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$PersonIterator.<init>(LDAPUserRegistry.java:756)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getPersons(LDAPUserRegistry.java:455)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncPersonsWithPlugin(ChainingUserRegistrySynchronizer.java:379)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:270)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$1$1.execute(ChainingUserRegistrySynchronizer.java:916)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:233)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$1.doWork(ChainingUserRegistrySynchronizer.java:908)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:489)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:904)
        at org.alfresco.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:62)
        at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
        at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
        at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory.start(ChildApplicationContextFactory.java:460)
        at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:276)
        at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
        at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
        at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:617)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
        at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:189)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
        at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:69)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4338)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:627)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:553)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:488)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:101)
        ... 58 more

We connect to the AD server using port 636.

Thanks for the help.

dward
Champ on-the-rise
Please check the parameters

ldap.synchronization.java.naming.security.principal
ldap.synchronization.java.naming.security.credentials

These must be set to a username and password that you can log in to the LDAP directory with.

OpenLDAP example:

ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.credentials=secret

Active Directory example:

ldap.synchronization.java.naming.security.principal=alfresco@domain
ldap.synchronization.java.naming.security.credentials=secret
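As an added example (not code from this thread or from Alfresco), a small Python helper that decodes the "data 525" sub-code in the AD bind failure quoted above and names the Alfresco sync property to check first; the sub-code table is the standard Active Directory mapping for result code 49, and the sample log is a constructed two-line excerpt of the trace posted in this thread.

```python
import re
from typing import Optional

# Sub-codes Active Directory appends as "data NNN" to a result code 49 (invalidCredentials)
# bind failure, paired with the Alfresco sync property or AD setting to check first.
AD_BIND_DATA_CODES = {
    "525": ("user not found: bind principal does not resolve to an account",
            "ldap.synchronization.java.naming.security.principal"),
    "52e": ("invalid credentials: account exists, password is wrong",
            "ldap.synchronization.java.naming.security.credentials"),
    "530": ("not permitted to log on at this time", "AD logon hours"),
    "531": ("not permitted to log on from this host", "AD workstation restrictions"),
    "532": ("password expired", "ldap.synchronization.java.naming.security.credentials"),
    "533": ("account disabled", "AD account state"),
    "701": ("account expired", "AD account state"),
    "773": ("user must reset password", "ldap.synchronization.java.naming.security.credentials"),
    "775": ("account locked out", "AD account state"),
}

# Matches the diagnostic comment AD returns inside the JNDI AuthenticationException message.
_AD_ERR_RE = re.compile(
    r"error code (?P<code>\d+) - [0-9A-Fa-f]{8}: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: [^,]+, data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+"
)

def diagnose_ad_bind_failure(log_text: str) -> Optional[dict]:
    """Explain the first AD bind failure in log_text (None if there is none).
    'at_sync' is True when the trace shows the failure came from the user registry
    synchronizer, i.e. the sync service account rather than an end-user login."""
    m = _AD_ERR_RE.search(log_text)
    if m is None:
        return None
    data = m.group("data").lower()
    meaning, check = AD_BIND_DATA_CODES.get(data, ("unknown sub-code", "AD documentation"))
    return {
        "result_code": int(m.group("code")),
        "data": data,
        "meaning": meaning,
        "check": check,
        "at_sync": "ChainingUserRegistrySynchronizer" in log_text,
    }

# Constructed sample input: two lines excerpted from the trace quoted in the thread.
SAMPLE_LOG = (
    "WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] "
    "Failed initial synchronize with user registries\n"
    "Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771]"
)
```

For the trace in this thread the helper reports data 525 at sync time, which is why the principal property, not the password, is the first thing to verify.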