Nightmare of a time getting 3.2 to sync LDAP with AD

jdalby
Champ in-the-making
I've got passthru auth to work fine, but am having a real problem getting LDAP sync to work with AD (or Novell's eDirectory for that matter).  Currently I'm using the alfresco-global.properties per the documentation, using configuration examples I've found on this site.  What is happening now is when the sync starts it appears that it is looping over and over through the user creation.  I've tried reinstalling, removing the databases and putting back, going to the latest nightly builds, sacrificing a chicken to Zorkon the Space God, but have not had any luck.  I would greatly appreciate any thoughts people may have.

Config is as follows:

ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.provider.url=ldap://<ipofserver>:389
ldap.synchronization.java.naming.security.principal=user@domain.com
ldap.synchronization.java.naming.security.credentials=PASSWORD
ldap.synchronization.userSearchBase=<searchbase>
ldap.synchronization.personQuery=(objectclass\=user)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))
ldap.synchronization.groupSearchBase=<group search base>
ldap.synchronization.import.cron=0 0 0 * * ?
ldap.authentication.allowGuestLogin=false
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true

I've tried various permutations of the above, adding or removing sections.  In a packet trace I do show it doing the LDAP query and receive a response with a list of users.  In the logs it will start going through that list with the message:

00:15:26,026  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'username'

which it repeats for all the users. Then it gets to this error:

00:15:26,443  WARN  [security.sync.ChainingUserRegistrySynchronizer] Recreating occluded user 'Guest'. This user was previously created manually or through synchronization with a lower priority user registry.
00:15:26,770  INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1-ad'
00:15:26,770  WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1-ad'; some users and groups previously created by synchronization with this user registry may be removed.

After which it starts the sync all over again. Finally after multiple times through it will fail on this error:

00:17:10,574  ERROR [quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.springframework.dao.DataIntegrityViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]; nested exception is org.hibernate.exception.ConstraintViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]
Caused by: org.hibernate.exception.ConstraintViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]
…
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Cannot delete or update a parent row: a foreign key constraint fails (`alfresco/alf_acl_member`, CONSTRAINT `fk_alf_aclm_ace` FOREIGN KEY (`ace_id`) REFERENCES `alf_access_control_entry` (`id`))


Thanks again for any help.

dward
Champ on-the-rise
I'm sorry Zorkon wasn't able to help.

There appears to be an issue when your LDAP query returns a user called Guest. In this case, Alfresco attempts to delete its own internal Guest user and create a new one. But something is going wrong due to some ACLs referencing this user (shouldn't be a problem). This needs investigating. I have logged a JIRA issue.

https://issues.alfresco.com/jira/browse/ETHREEOH-2574

I noticed you have changed personQuery so that it no longer includes the userAccountControl bitmask that only includes 'real' users. Does it work with the default setting?

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

I also noticed you have mangled personDifferentialQuery so that it doesn't contain enough matching brackets. Again, I would recommend the default query:

ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

If this doesn't work, then you could add on a condition that excludes the Guest user. E.g.:

ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(sAMAccountName=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))(!(sAMAccountName=Guest)))
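
The two filter problems raised in this thread, the unbalanced parentheses in the original personDifferentialQuery and the Guest account slipping through the userAccountControl bitmask, can both be checked offline. The following is an added example, not Alfresco code: it undoes the Java .properties escaping (`\=`, `\:`), parses the filter as an RFC 4515 expression, reports unbalanced parentheses, and evaluates the page's queries against a handful of constructed AD-style entries (the entry values, names and `modifyTimestamp` values are made up for the example; `{0}` is the placeholder Alfresco fills with the last sync time).

```python
"""Offline checker for Alfresco ldap.synchronization.* LDAP filters (added example).

Parses a filter as written in alfresco-global.properties, flags malformed
filters, and evaluates well-formed ones against constructed AD-style entries
using three-valued RFC 4511 semantics (True / False / None = Undefined).
"""
import re

# OID of Active Directory's LDAP_MATCHING_RULE_BIT_AND extensible-match rule
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Filters quoted in the thread (Java .properties escaping left intact)
ORIGINAL_PERSON_QUERY = r"(objectclass\=user)"
BROKEN_DIFFERENTIAL = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))"
DEFAULT_PERSON_QUERY = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))"
DEFAULT_DIFFERENTIAL = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))"
PERSON_QUERY_NO_GUEST = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(sAMAccountName=Guest)))"
DIFFERENTIAL_NO_GUEST = r"(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))(!(sAMAccountName=Guest)))"

# Constructed directory entries (not from any real domain); keys are lower-cased
SAMPLE_ENTRIES = [
    {"objectclass": "user", "samaccountname": "alice", "useraccountcontrol": "512",
     "modifytimestamp": "20090510120000.0Z"},                      # normal account
    {"objectclass": "user", "samaccountname": "bob", "useraccountcontrol": "66048",
     "modifytimestamp": "20090705120000.0Z"},                      # normal + DONT_EXPIRE_PASSWORD
    {"objectclass": "user", "samaccountname": "Guest", "useraccountcontrol": "514",
     "modifytimestamp": "20090101000000.0Z"},                      # built-in, disabled (512|2)
    {"objectclass": "user", "samaccountname": "WS01$", "useraccountcontrol": "4096",
     "modifytimestamp": "20090705120000.0Z"},                      # computer: objectClass user, no 512 bit
    {"objectclass": "group", "samaccountname": "Domain Users"},
]


def unescape_properties(value):
    """Undo Java .properties escaping: a backslash quotes the following character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples; raise ValueError when malformed."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i >= len(text):
            raise ValueError("unterminated filter")
        op = text[i]
        if op in "&|":
            i += 1
            items = []
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                items.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced parentheses at offset %d" % i)
            return (op, items), i + 1
        if op == "!":
            node, i = parse(i + 1)
            if i >= len(text) or text[i] != ")":
                raise ValueError("unbalanced parentheses at offset %d" % i)
            return ("!", node), i + 1
        end = text.find(")", i)
        if end == -1:
            raise ValueError("unterminated item at offset %d" % i)
        item = text[i:end]
        m = re.fullmatch(r"([^:<>=~]+)(?::([\d.]+))?(:=|<=|>=|=)(.*)", item)
        if not m:
            raise ValueError("bad filter item %r" % item)
        attr, rule, cmp_, val = m.groups()
        return ("item", attr.lower(), rule, cmp_, val), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter at offset %d" % end)
    return node


def filter_problem(properties_value):
    """Return a description of what is wrong with the filter, or None if it parses."""
    try:
        parse_filter(unescape_properties(properties_value))
    except ValueError as exc:
        return str(exc)
    return None


def evaluate(node, entry):
    """Three-valued evaluation per RFC 4511 4.5.1.7: True, False or None (Undefined)."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [evaluate(n, entry) for n in node[1]]
        if kind == "&":
            if False in results:
                return False
            return None if None in results else True
        if True in results:
            return True
        return None if None in results else False
    if kind == "!":
        r = evaluate(node[1], entry)
        return None if r is None else not r
    _, attr, rule, cmp_, val = node
    actual = entry.get(attr)
    if actual is None:
        return None                      # absent attribute -> Undefined
    if rule == BIT_AND_RULE:
        mask = int(val)
        return (int(actual) & mask) == mask   # all bits of the mask must be set
    if rule is not None:
        return None                      # unknown matching rule -> Undefined
    if cmp_ == "=":
        return str(actual).lower() == val.lower()   # AD string matching is case-insensitive
    if cmp_ == "<=":
        return str(actual) <= val        # generalizedTime strings sort lexically
    return str(actual) >= val


def select_people(properties_value, entries):
    """sAMAccountNames the filter would return; only a True result returns an entry."""
    node = parse_filter(unescape_properties(properties_value))
    return [e["samaccountname"] for e in entries if evaluate(node, e) is True]


if __name__ == "__main__":
    print("broken differential:", filter_problem(BROKEN_DIFFERENTIAL))
    for name, q in [("original", ORIGINAL_PERSON_QUERY), ("default", DEFAULT_PERSON_QUERY),
                    ("no guest", PERSON_QUERY_NO_GUEST)]:
        print("%-9s -> %s" % (name, select_people(q, SAMPLE_ENTRIES)))
    since = "20090601000000.0Z"     # constructed "last sync" time for the {0} placeholder
    print("differential since %s -> %s" % (since, select_people(
        DIFFERENTIAL_NO_GUEST.replace("{0}", since), SAMPLE_ENTRIES)))
```

Two things the run makes visible that the properties file alone does not: the 512 bitmask keeps computer accounts out (their userAccountControl lacks the NORMAL_ACCOUNT bit) but does not keep out the built-in Guest, because a disabled account is 514 and still has bit 512 set, which is why the explicit `(!(sAMAccountName=Guest))` clause is needed; and the equality compare is deliberately case-insensitive, as it is in AD, so a `Guest`/`guest` spelling difference in the filter does not change which entry is excluded.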

lchoonch
Champ in-the-making
Had the same problem except mine has no error messages.  It syncs with "creating XYZ users" and restarts again but I don't have any error messages.  After a ridiculously long time (6 hours), it stops with no sync complete message.  Checked the users database and no users were imported.  Anyone else have this problem?  A workaround?

pbkoob
Champ in-the-making
Had the same problem except mine has no error messages.  It syncs with "creating XYZ users" and restarts again but I don't have any error messages.  After a ridiculously long time (6 hours), it stops with no sync complete message.  Checked the users database and no users were imported.  Anyone else have this problem?  A workaround?

Follow the instructions here referring to syncing users but not syncing groups.
http://forums.alfresco.com/en/viewtopic.php?f=9&t=20389&p=67191&hilit=ldap#p67191

I am a little fuzzy on how to get the groups syncing, but this will get you your users.

jdalby
Champ in-the-making
Thank you all for the help!   By using the query that excludes guest, and following the instructions that disable the group sync I now have my users syncing, much appreciated.

lchoonch
Champ in-the-making
Great! Everything works now.  Looks like it is the Guest user that's causing the problem.  Excluding it will fix the sync.  However, my groups are still not syncing properly.  Getting a warn message that says it cannot resolve the distinguished name.  I think it's my ldap properties / filter for my group query.  Not syncing the groups allowed my sync to complete at least.

Thanks guys!

dward
Champ on-the-rise
Due to popular demand, I have committed our latest LDAP performance and diagnostics improvements into HEAD. You can pick these up by checking out the latest code and using the "ant incremental-tomcat" command to build Alfresco as documented here.

http://wiki.alfresco.com/wiki/Development_Environment

Or you could wait for a new community nightly build…

Here's the change comment for revision 15439:

Merged V3.2 to HEAD
   15388: ETHREEOH-1872: Better debug logging in authentication components
      - Now each authentication component logs every step of the authentication process (including reason for failure) if you switch on debug logging for that component or the entire org.alfresco.repo.security.authentication package. E.g.
      log4j.logger.org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl=debug
      log4j.logger.org.alfresco.repo.security.authentication.AuthenticationComponentImpl=debug
      log4j.logger.org.alfresco.repo.security.authentication=debug
   15196: Further LDAP sync performance improvements
      - Bunch user and group creations into small transactions (except for differential sync on login)
      - Run a differential sync on startup (so that bulk of users are not brought over on first login)
      - Can be disabled by synchronization.syncOnStartup property
   15135: Node creation / ACL performance improvements
      - When an ACL was set on a leaf node such as a person, redundant 'shared' ACLs were created for child nodes with getInheritedAccessControlList(), even though no child nodes existed.
      - Now setInheritanceForChildren() makes a 'lazy' call to getInheritedAccessControlList(), only when it realises there are child nodes
   15133: Changes to datasource definition for improved performance
      - Enable caching and reuse of prepared statements (by default 40 for each connection)
      - Removed custom-connection-pool-context.xml.sample and instead introduced complete property set into repository.properties
      - Updated v3.2 Wiki docs http://wiki.alfresco.com/wiki/Database_Configuration#Overriding_the_Database_Connection_Properties

pbkoob
Champ in-the-making
Where is the Nightly Community Build?

mikeh
Star Contributor

dward
Champ on-the-rise
FYI the problem with deleting and recreating "Guest" turned out to be one of case sensitivity. A fix for this is now available in HEAD.