LDAP Synchronization of User Details

fkeller
Champ in-the-making
Hello,

We have installed and set up Alfresco CE 3.2 on Ubuntu 9.04 using the Canonical partner repository. Authentication against LDAP (MS AD) works fine with three AD servers (chaining).
Now we want to sync the user details from AD (mail address, given name, …) to Alfresco. What would be the best way to do this?

We tried to get LDAP sync up and running, but it didn't work.

Thanks for your help.

fkeller
Champ in-the-making
Thanks for the reply, fixed this just this moment. I forgot to set the @domain in the username.

I think the sync process can now log in on the AD server, but it doesn't sync anything.


12:01:30,058 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
12:01:30,063 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldap1'
12:01:30,316 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
12:01:30,532 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0
12:01:30,537 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
12:01:30,537 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

This is the output from the logfile. Can you please give me a hint where to search to fix this problem? I think there is an issue with the sync settings:

ldap.synchronization.import.cron=0 0 0 * * ?
ldap.authentication.allowGuestLogin=true
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true
ldap.synchronisation.personQuery=objectClass=user
ldap.synchronisation.userIdAttributeName=sAMAccountName
ldap.synchronisation.userFirstNameAttributeName=givenName
ldap.synchronisation.userLastNameAttributeName=sn
ldap.synchronisation.userEmailAttributeName=mail
ldap.synchronisation.import.group.cron=0 2/5 * * * ?
ldap.synchronisation.import.group.clearAllChildren=false

And the settings for search base and username.

fkeller
Champ in-the-making
So now I get a new message after setting

ldap.synchronization.personQuery=(&(objectclass=user)(!(sAMAccountName=Guest)))

User returned by user search does not have mandatory user id attribute

So I think if this is fixed the sync will be up and running.

Here is the setting for the user ID:
ldap.synchronisation.userIdAttributeName=sAMAccountName

dward
Champ on-the-rise
Please use the default queries, which include a bitmask on userAccountControl to only return real users. Or, if you insist on excluding the Guest user…

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(sAMAccountName=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(sAMAccountName=Guest))(!(modifyTimestamp<\={0})))
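An added example (not from the thread or from Alfresco) that models what the userAccountControl bit-AND clause in the query above does and does not filter out. The entries are constructed, and the optional ACCOUNTDISABLE clause is an assumption of mine, not part of dward's query.

```python
# Models dward's personQuery:
#   (&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(sAMAccountName=Guest)))
# The entries below are constructed sample data, not real directory output.

# Well-known userAccountControl flag bits in Active Directory
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200              # 512, the value used in the query
WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, set on computer objects

SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "alice",
     "userAccountControl": NORMAL_ACCOUNT},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "bob",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},   # disabled user
    {"objectClass": ["top", "person", "user"], "sAMAccountName": "Guest",
     "userAccountControl": 66082},                             # built-in Guest
    {"objectClass": ["top", "person", "user", "computer"],
     "sAMAccountName": "WS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"objectClass": ["top", "person", "user"],
     "userAccountControl": NORMAL_ACCOUNT},   # no sAMAccountName at all
]

def bit_and_match(entry, attr, mask):
    """LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): true only if every bit in mask is set."""
    value = entry.get(attr)
    return value is not None and (int(value) & mask) == mask

def person_query(entry, exclude_disabled=False):
    """Evaluate the query clauses; exclude_disabled adds (!(userAccountControl:...:=2)), an assumed extra clause."""
    classes = [c.lower() for c in entry.get("objectClass", [])]
    if "user" not in classes:                       # (objectclass=user); AD computers also carry it
        return False
    if not bit_and_match(entry, "userAccountControl", NORMAL_ACCOUNT):
        return False                                # drops computer/trust accounts
    if entry.get("sAMAccountName", "").lower() == "guest":
        return False                                # (!(sAMAccountName=Guest))
    if exclude_disabled and bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE):
        return False
    return True

def sync_candidates(entries, exclude_disabled=False):
    """Return (user ids the sync would import, count of hits lacking the mandatory user id attribute)."""
    ids, missing_id = [], 0
    for e in entries:
        if not person_query(e, exclude_disabled):
            continue
        uid = e.get("sAMAccountName")
        if uid is None:
            missing_id += 1   # the 'mandatory user id attribute' warning case from the thread
            continue
        ids.append(uid)
    return ids, missing_id
```

Note that the bit-AND test on 512 keeps disabled accounts such as "bob": the query only excludes objects without the NORMAL_ACCOUNT bit, so a deployment that must not create persons for disabled AD accounts needs the extra clause on bit 2 as well.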

fkeller
Champ in-the-making
I changed the settings, but get the same warning message:

User returned by user search does not have mandatory user id attribute

Thanks for your help.

dward
Champ on-the-rise
It's only a warning message. It wouldn't stop the sync. So it must mean that your query is returning one (bad) result.

Use an LDAP browser tool such as the one on http://www.ldapbrowser.com to connect to the directory and work out where the users are, what type they are and the correct value for ldap.synchronization.userSearchBase.

fkeller
Champ in-the-making
I have fixed the problem; there was a typo:

ldap.synchronization. is the right one, not ldap.synchronisation

thanks for all your help!

But I have one last question. Which attributes are supported to sync from the AD server? Is it possible to sync mobile phone number and addresses too?

Big thanks.

dward
Champ on-the-rise
Currently you would need to override the Spring configuration to expand the list of mapped attributes.

If you copy

%TOMCAT_HOME%\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\common-ldap-context.xml

to the following path (assuming that authentication.chain=ldap1:ldap-ad)

%TOMCAT_HOME%\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap1\custom-ldap-context.xml

then you can edit the attributeMapping property of the userRegistry bean.

Note this Spring override capability requires that you are using a recent v3.3 nightly build (as it wasn't working in the 3.2 community release).

jriker1
Champ in-the-making
Currently you would need to override the Spring configuration to expand the list of mapped attributes.

If you copy

%TOMCAT_HOME%\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\common-ldap-context.xml

to the following path (assuming that authentication.chain=ldap1:ldap-ad)

%TOMCAT_HOME%\shared\classes\alfresco\extension\subsystems\Authentication\ldap-ad\ldap1\custom-ldap-context.xml

then you can edit the attributeMapping property of the userRegistry bean.

Note this Spring override capability requires that you are using a recent v3.3 nightly build (as it wasn't working in the 3.2 community release).

How do you physically get it to use the custom-ldap-context.xml file? The original is under Authentication, not in the ldap-ad branch. That said, should it show in the catalina.out when starting the system?

Thanks.

JR

dward
Champ on-the-rise
You just need to put it in the right directory. It automatically includes everything in the appropriate extension directory with a filename *-context.xml.

telesforos
Champ in-the-making
Don't you have to modify the ldap-ad-authentication-context.xml file to point to the custom-ldap-context.xml file?