Synchronization questions

jriker1
Champ in-the-making
I have Synchronization kind of working in 3.2.  I say kind of because if I hard code a name in for the CN it works fine.  Problem and questions:

1. I have fields in AD ADAM for most of the fields in the user form.  Is there a way to add additional attributes to pull from AD/ADAM if I have them?  An example would be the location field in Alfresco I can map to a field in Adam.

2. Is there a way to limit the system to only pull users in a certain group?  Keep in mind I'm in ADAM so only have two branches, Users and Groups.  I have 70k people in my company so do not want to pull all users.

3. If I try pulling everyone, it pulls 1000 users only and eventually errors.  After that I get error 500s in the browser after trying to login with access denied.  It seems to ignore the default admin user in the ldap properties file.  I read of an issue with pulling more than 1000 records and it was fixed in 3.2 but perhaps not.  I know we can only pull 1000 records so not sure if this is a client limitation or a tool one.  After the 1000 I just get a lengthy error in the alfresco log file.

Input would be appreciated.

Thanks.

JR

dward
Champ on-the-rise
The first topic you reference makes use of reverse group mapping via the memberof attribute. This is possible on AD, and on Open LDAP if you enable "Reverse Group Membership Maintenance".

http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance

However, it wouldn't work with your example, where you are trying to use multiple organization units, rather than groups.

I don't know what else you are going on about. Didn't you read the wiki?

To be precise: If you had this in alfresco-global.properties:

authentication.chain=ldap1:ldap-ad,ldap2:ldap-ad

Then you could control the properties of your two LDAP instances in

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/custom-ldap.properties

and

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap2/custom-ldap.properties

Note the directory names have to match up with the names and types in your authentication chain.

The second topic concerns custom spring configuration that wouldn't be valid in v3.2.

v3.2 enterprise will have all the necessary fixes, but if you want them now, then try out the v3.3 community nightly build.

_sax
Champ in-the-making
Thanks again for taking your time!
What you described related to subsystems was what I expected. I'll give it a try!
Your comments on the other two approaches saved me quite some time, thanks.
So now I've got a clear perspective on this topic.
The most recent nightly is dated August 11th and it does look promising.
Is there any timeframe for 3.3CE?

_sax
Champ in-the-making
I proceeded with 3.3dev (August 11th) and following http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Properties I came to this:

authentication.chain=ldapad1:ldap-ad,ldapad2:ldap-ad

Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad
*ldap-ad-authentication.properties - standard values that came preconfigured
*ldap-ad-authentication-context.xml

Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldapad1
*ldap-ad-authentication.properties - my values for one ldap branch

Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldapad2
*ldap-ad-authentication.properties - my values for another ldap branch

I got

14:37:00,016 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldapad1'
14:37:00,017 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldapad1'; some users and groups previously created by synchronization with this user registry may be removed.
14:37:00,017 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldapad1'
14:37:00,112 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldapad1'
14:37:00,208 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldapad1'
14:37:00,208 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
14:37:00,214 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldapad2'
14:37:00,214 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldapad2'; some users and groups previously created by synchronization with this user registry may be removed.
14:37:00,214 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldapad2'
14:37:00,298 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldapad2'
14:37:00,358 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldapad2'
14:37:00,359 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

So in an empty installation nothing gets imported.
If I remove the subfolders ldap-adX and set the default ldap-ad-authentication.properties in …/ldap-ad to the values of one branch, all users in that branch get imported.
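Two things go wrong in this exchange: the instance ids in authentication.chain do not line up with the override directories under the extension area, and the synchronizer then reports 0 users processed for each registry. Both can be checked mechanically. The script below is an added example, not code from the thread or from Alfresco: it parses the authentication.chain line, derives the per-instance directories dward describes (Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/<type>/<id>), summarizes the ChainingUserRegistrySynchronizer log lines per registry, and reports instances with a missing directory, a forced (potentially destructive) sync, or zero users processed. The properties text, the log excerpt and the set of "existing" directories are constructed inline so it runs offline; the function names are my own.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of the relevant line from alfresco-global.properties
SAMPLE_GLOBAL_PROPERTIES = """\
# constructed sample, not a real deployment
authentication.chain=ldapad1:ldap-ad,ldapad2:ldap-ad
"""

# Constructed log excerpt modelled on the lines quoted in the thread
SAMPLE_SYNC_LOG = """\
14:37:00,016 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldapad1'
14:37:00,017 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldapad1'; some users and groups previously created by synchronization with this user registry may be removed.
14:37:00,208 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
14:37:00,214 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldapad2'
14:37:00,359 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
"""

# Extension root named in the thread (Tomcat shared classes, survives upgrades)
EXTENSION_ROOT = "Alfresco/tomcat/shared/classes/alfresco/extension"

CHAIN_RE = re.compile(r"^\s*authentication\.chain\s*=\s*(.+?)\s*$", re.M)
START_RE = re.compile(r"Synchronizing users and groups with user registry '([^']+)'")
FORCED_RE = re.compile(r"Forced synchronization with user registry '([^']+)'")
COUNT_RE = re.compile(r"(\d+) user\(s\) and (\d+) group\(s\) processed")


def parse_chain(props_text):
    """Return [(instance_id, subsystem_type), ...] from authentication.chain."""
    m = CHAIN_RE.search(props_text)
    if not m:
        raise ValueError("authentication.chain is not set")
    chain = []
    for entry in m.group(1).split(","):
        inst, sep, typ = entry.strip().partition(":")
        if not sep or not inst or not typ:
            raise ValueError(f"malformed chain entry: {entry!r}")
        chain.append((inst, typ))
    return chain


def expected_instance_dirs(chain, extension_root=EXTENSION_ROOT):
    """Directory each chain instance must have: <root>/subsystems/Authentication/<type>/<id>."""
    root = PurePosixPath(extension_root)
    return {inst: str(root / "subsystems" / "Authentication" / typ / inst) for inst, typ in chain}


def summarize_sync_log(log_text):
    """Attribute each 'N user(s) and M group(s) processed' line to the registry whose
    sync started most recently, and record whether the sync was forced."""
    summary = {}
    current = None
    for line in log_text.splitlines():
        if m := START_RE.search(line):
            current = m.group(1)
            summary.setdefault(current, {"forced": False, "users": None, "groups": None})
        elif m := FORCED_RE.search(line):
            summary.setdefault(m.group(1), {"forced": False, "users": None, "groups": None})
            summary[m.group(1)]["forced"] = True
        elif (m := COUNT_RE.search(line)) and current is not None:
            summary[current]["users"] = int(m.group(1))
            summary[current]["groups"] = int(m.group(2))
    return summary


def audit(chain, summary, existing_dirs, extension_root=EXTENSION_ROOT):
    """Cross-check the chain against the directories that exist and the sync log."""
    findings = []
    dirs = expected_instance_dirs(chain, extension_root)
    for inst, typ in chain:
        if dirs[inst] not in existing_dirs:
            findings.append(f"{inst}: no override directory at {dirs[inst]}; the '{typ}' defaults will be used")
        reg = summary.get(inst)
        if reg is None:
            findings.append(f"{inst}: never synchronized according to the log")
            continue
        if reg["forced"]:
            findings.append(f"{inst}: forced synchronization; previously synced users/groups may be removed")
        if reg["users"] == 0:
            findings.append(f"{inst}: 0 users processed; check that its properties file is actually being read")
    return findings


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_GLOBAL_PROPERTIES)
    # Constructed: pretend only the ldapad1 directory exists on disk
    present = {expected_instance_dirs(chain)["ldapad1"]}
    for finding in audit(chain, summarize_sync_log(SAMPLE_SYNC_LOG), present):
        print(finding)
```

In a real deployment the `present` set would come from `os.listdir` on the extension root; it is passed in here so the check can be exercised without a Tomcat tree. A 0-users result for an instance whose directory is missing is the exact symptom _sax hit: the chain names the instance, but with no override directory the stock ldap-ad defaults run against nothing.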

dward
Champ on-the-rise
Please read it more carefully. Why did you use

Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldapad1/ldap-ad-authentication.properties

and

Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldapad2/ldap-ad-authentication.properties

?

That should have been

Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldapad1/ldap-ad-authentication.properties

and

Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldapad2/ldap-ad-authentication.properties

You should not be editing anything inside Alfresco/tomcat/webapps as this will be lost the next time you upgrade!

_sax
Champ in-the-making
I overlooked that, sorry.
Having finally followed the actual instruction, I don't get any further.

With
/Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad
ldap-ad-authentication.properties - properties of one ldap-branch

in place and
/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad
ldap-ad-authentication.properties - with standard properties
ldap-ad-authentication-context.xml

the system in the extension area doesn't even get recognized at startup.
If I remove the properties file from the standard location (WEB-INF), Alfresco is not initializing any authentication system:
'Failed initial synchronize with user registries'
If I add the context.xml to the extension area, the situation remains the one described above.
That stays the same when adding the intended subfolders ldapad1 and ldapad2 in extension.

dward
Champ on-the-rise
READ VERY CAREFULLY! You still haven't got the extension path right.

_sax
Champ in-the-making
I'm really sorry, I failed to apply the change regarding the id to the authentication chain. Right now, it finally works!
Thank you for your patience.