
Synchronization problem between Alfresco and Windows AD

meeko
Champ in-the-making
I'm having a really weird problem with our Alfresco installation.  I am trying to synchronize only a few users from our Windows AD to Alfresco.  I don't need any groups to be synchronized.  Here is what I have inside my configuration right now (tomcat/shared/classes/alfresco-global.properties):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

# CIFS
cifs.domain=domain.org

# AlfrescoNtlm
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false

# LDAP
ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://ldap01.domain.org:389
ldap.synchronization.java.naming.security.principal=alfresco@domain.org
ldap.synchronization.java.naming.security.credentials=secretpassword

ldap.authentication.userNameFormat=%s@domain.org
ldap.authentication.allowGuestLogin=false

ldap.synchronization.userSearchBase=DC=domain,DC=org
ldap.synchronization.personQuery=(&(objectclass\=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(memberOf\=CN\=alfresco-user,OU\=Applications,OU\=Security Groups,DC\=domain,DC\=org))
#ldap.synchronization.personDifferentialQuery=(&(objectclass=person)(memberOf\=CN\=alfresco-user,OU\=Applications,OU\=Security Groups,DC\=domain,DC\=org)(!(modifyTimestamp<\={0})))
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.personType=person

ldap.synchronization.groupQuery=(&(objectclass=group)(cn=alfresco-user))
ldap.synchronization.groupSearchBase=OU\=Applications,OU\=Security Groups,DC=domain,DC=org
#ldap.synchronization.groupIdAttributeName=cn
#ldap.synchronization.groupMemberAttributeName=memberOf
ldap.synchronization.groupType=group

ldap.synchronization.queryBatchSize=100

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# Passthru
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=domain.org\\ldap01.domain.org,ldap01.domain.org
passthru.authentication.authenticateCIFS=true

# Synchronisation
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 0 * * * ?
synchronization.syncOnStartup=true

We are running version Community - v3.2.0 (r2 2440).  Here is some information coming from our log:


15:00:00,040 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
15:00:00,041 User:System WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
15:00:00,103 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since Jan 18, 2010 11:15:19 AM from user registry 'ldap1'
15:00:00,145 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries
15:00:00,145 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries
15:00:00,329 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Jan 18, 2010 2:49:21 PM from user registry 'ldap1'
15:00:00,377 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 0 entries
15:00:00,427 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 0 entries
15:00:00,498 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Commencing batch of 0 entries
15:00:00,498 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Completed batch of 0 entries
15:00:00,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
15:00:00,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

I am supposed to have one user and one group.  One hour later I have this:


16:00:00,031 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
16:00:00,032 User:System WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
16:00:00,038 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since Jan 18, 2010 11:15:19 AM from user registry 'ldap1'
16:00:00,073 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries
16:00:00,073 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries
16:00:00,104 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Jan 18, 2010 2:49:21 PM from user registry 'ldap1'
16:00:00,151 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 4 entries
16:00:01,761  WARN  [security.sync.ChainingUserRegistrySynchronizer] Updating user 'philippe'. This user will in future be assumed to originate from user registry 'ldap1'.
16:00:02,089 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Processed 4 entries out of 4. 100% complete. Rate: 2 per second. 0 failures detected.
16:00:02,089 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 4 entries
16:00:02,133 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Commencing batch of 0 entries
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Completed batch of 0 entries
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 4 user(s) and 0 group(s) processed

That makes no sense at all, as only 1 user is part of the group that should be synchronized.  And I am able to log in with users that are not even synchronized, but when Alfresco creates them, no information is passed on (name, company, email).  Can somebody tell me what is wrong with our configuration file?  I have tried many modifications, and each time the server reacts differently.  Thanks for helping me.

meeko
Champ in-the-making
I have now been able to synchronize my users/groups correctly.  I now have a new problem: everything works fine except that Alfresco does not respect my ldap.synchronization.personQuery value.  On the first start, and on every synchronization, it will add and update users inside Alfresco, but will let every other user that doesn't match ldap.synchronization.personQuery log in.  And once such a user is logged in, it creates the user locally without copying the information from the LDAP directory.  Here is my updated configuration:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

# CIFS
cifs.domain=domain.org

# AlfrescoNtlm
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false

# LDAP
ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://ldap01.domain.org:389
ldap.synchronization.java.naming.security.principal=alfresco@domain.org
ldap.synchronization.java.naming.security.credentials=secretpassword

ldap.authentication.userNameFormat=%s@domain.org
ldap.authentication.allowGuestLogin=false

ldap.synchronization.userSearchBase=dc=domain,dc=org
ldap.synchronization.personQuery=(&(objectclass=person)(memberOf=cn\=alfresco-user,ou\=Applications,ou\=Security Groups,dc\=domain,dc\=org))
ldap.synchronization.personDifferentialQuery=(&(objectclass=person)(memberOf=cn\=alfresco-user,ou\=Applications,ou\=Security Groups,dc\=domain,dc\=org)(!(modifyTimestamp<\={0})))
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.personType=person

ldap.synchronization.groupQuery=(&(objectclass=group)(cn=alfresco-user))
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(cn=alfresco-user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=Applications,ou=Security Groups,dc=domain,dc=org
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=memberOf
ldap.synchronization.groupType=group

ldap.synchronization.queryBatchSize=100

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# Passthru
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=pslgroup.com\\ldap01.domain.org,ldap02.domain.org
passthru.authentication.authenticateCIFS=true

# Synchronisation
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 0 * * * ?
synchronization.syncOnStartup=true

This is what happens in my log when a user that doesn't match the personQuery logs in:


16:30:38,433 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
16:30:38,490 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since Jan 19, 2010 2:31:19 PM from user registry 'ldap1'
16:30:38,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries
16:30:38,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries
16:30:38,502 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Jan 18, 2010 9:47:56 AM from user registry 'ldap1'
16:30:38,506 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 0 entries
16:30:38,514 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 0 entries
16:30:38,517 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
16:30:38,517 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

And after that, the user is now logged in, but none of his information has been copied (email, company, name…).  Can someone tell me what is missing or what is wrong in my configuration?

sergio1024
Champ in-the-making
Hi,

I have the same problem.
If I add users in Active Directory, they are not imported into Alfresco.

I can open a session in Alfresco with an AD user, but its properties (full name, mail) are not synced…

If you find the solution…

meeko
Champ in-the-making
Actually, my last configuration synchronizes my users and groups, but it is giving access to users that are not supposed to have access according to the AD (not part of the personQuery).  Just a quick note: make sure you put both personQuery and personDifferentialQuery.  Otherwise, Alfresco doesn't seem to know what to do between the first import and the updates that follow.

sergio1024
Champ in-the-making
Hi,

Can you post your last config…?

Regards.

dward
Champ on-the-rise
You need to set synchronization.autoCreatePeopleOnLogin=false to lock out people who are not returned by the query.
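The two points raised in this thread (meeko's note that personQuery needs a matching personDifferentialQuery, and dward's answer that synchronization.autoCreatePeopleOnLogin must be false to keep users outside the query from being created at login) can be checked mechanically before a server is restarted. The script below is an added example, not Alfresco code and not from any poster in the thread: it reads the LDAP sync section of alfresco-global.properties with Java .properties unescaping (so a filter written as objectclass\=person is checked as Alfresco will actually see it), then reports the missing differential queries, the autoCreatePeopleOnLogin default of true, and unbalanced LDAP filters. The property names are Alfresco's own; the parser, the check logic and the two sample configurations are constructed here.

```python
# Added example (not Alfresco code, not from this thread's posters): a lint for
# the LDAP synchronisation settings in alfresco-global.properties. Property names
# are Alfresco's; parser, checks and sample configurations are constructed here.

TRUTHY = ("true", "yes", "on", "1")
SYNC = "ldap.synchronization."


def _unescape(s):
    """Apply Java .properties backslash escapes so a value is seen the way
    Alfresco sees it: a backslash before '=', ':' or any other character yields
    that character; n, t, r, f and uXXXX after a backslash are the usual escapes."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            n = s[i + 1]
            if n == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(n, n))
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_java_properties(text):
    """Minimal .properties reader: '#'/'!' comments, '=' / ':' / whitespace key
    separators, escaped separators inside keys, backslash line continuations."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending is not None:
            line, pending = pending + line, None
        stripped = line.rstrip()
        if (len(stripped) - len(stripped.rstrip("\\"))) % 2 == 1:
            pending = stripped[:-1]            # odd trailing backslashes: continue
            continue
        if not stripped or stripped[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1   # skip an escaped separator in the key
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)
    return props


def ldap_filter_balanced(f):
    """True when every '(' in an RFC 4515 filter string has a matching ')'."""
    depth = 0
    for c in f:
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_sync_config(props):
    """Return a list of findings (strings) for the LDAP sync settings in props."""
    findings = []
    if props.get(SYNC + "active", "false").lower() not in TRUTHY:
        return findings                          # sync is off: nothing to check
    for kind in ("person", "group"):
        full, diff = SYNC + kind + "Query", SYNC + kind + "DifferentialQuery"
        if full in props and diff not in props:
            findings.append(f"{diff} is missing: after the first full import the "
                            f"incremental syncs have no query to run")
        if diff in props and "{0}" not in props[diff]:
            findings.append(f"{diff} lacks the {{0}} timestamp placeholder")
        for key in (full, diff):
            if key in props and not ldap_filter_balanced(props[key]):
                findings.append(f"{key} has unbalanced parentheses once "
                                f"properties escapes are removed")
    # Alfresco's default for this property is true: anyone the authentication
    # chain accepts gets a local person record at login, whether or not
    # personQuery would ever return them.
    if props.get("synchronization.autoCreatePeopleOnLogin", "true").lower() in TRUTHY:
        findings.append("synchronization.autoCreatePeopleOnLogin is not false: users "
                        "outside personQuery can still log in and get an empty person record")
    return findings


def lint_text(text):
    return lint_sync_config(parse_java_properties(text))


# Constructed samples modelled on the thread's configuration (not real directory data).
CONFIG_AS_POSTED = r"""
ldap.synchronization.active=true
ldap.synchronization.personQuery=(&(objectclass\=person)(memberOf\=CN\=alfresco-user,OU\=Applications,DC\=domain,DC\=org))
#ldap.synchronization.personDifferentialQuery=(&(objectclass=person)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(&(objectclass=group)(cn=alfresco-user))
ldap.synchronization.groupSearchBase=OU\=Applications,DC=domain,DC=org
"""

CONFIG_FIXED = r"""
ldap.synchronization.active=true
ldap.synchronization.personQuery=(&(objectclass=person)(memberOf=cn\=alfresco-user,ou\=Applications,dc\=domain,dc\=org))
ldap.synchronization.personDifferentialQuery=(&(objectclass=person)(memberOf=cn\=alfresco-user,ou\=Applications,dc\=domain,dc\=org)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(&(objectclass=group)(cn=alfresco-user))
ldap.synchronization.groupDifferentialQuery=(&(objectclass=group)(cn=alfresco-user)(!(modifyTimestamp<\={0})))
synchronization.autoCreatePeopleOnLogin=false
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", CONFIG_AS_POSTED), ("fixed", CONFIG_FIXED)):
        found = lint_text(cfg)
        print(f"[{name}] {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a copy of the real file with `lint_text(open(path).read())`; the "as posted" sample reports three findings (both differential queries missing and autoCreatePeopleOnLogin left at its default), the "fixed" sample reports none. The unescaping step matters because the first configuration in the thread mixes `\=` and plain `=` inside the same filter: the properties loader collapses both to `=`, so the lint checks the filter Alfresco would send rather than the text as typed.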