Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Timezone issue with LDAP Differential Sync

warren_mcdonald
Champ in-the-making
Champ in-the-making

‎11-11-2010 09:14 AM

Hello everyone,

we have uncovered an interesting problem with LDAP Sync in Differential mode.

In a nutshell, our Alfresco application sees the last Sync datetime in local time but the LDAP server modifyTimestamp value is always in UTC, which is pretty standard.

This may not be so much of a problem for sites west of UK to the Cook Islands but for those in front of UTC by 10 hours it poses an interesting challenge. This especially frustrating when trying to do frequently scheduled sync runs. Nothing is returned from the LDAP server as the timestamp sent in the query is always later than the UTC timestamps. 

I am not a Java environment expert, but it seems we would have to either set the whole server to be running on UTC or somehow set the timezone in JVM to accommodate the timezone offset. Either way would likely change all logging output and cron jobs in alfresco to be in UTC. Which we don't want either 

I have searched extensively for similar problems but found no relevant solutions. Hopefully I am just missing something very basic and will be happy to be enlightened. 

Thanks in advance

Warren
Labels:
0 Kudos
5 REPLIES 5

warren_mcdonald
Champ in-the-making
Champ in-the-making

‎11-11-2010 08:43 PM

Looks like I was looking in the wrong domain.

The answer should be to add the offset to the LDAP query.

(!(modifyTimestamp<={0}+1000)

I don't know if i need to escape the + for this expression to be valid in a properties file.

I will try and see what happens

Warren
0 Kudos

warren_mcdonald
Champ in-the-making
Champ in-the-making

‎11-13-2010 04:32 AM

Well the answer to being a valid syntax seems to be no

I tried to include the  offset in the config as above but get bad results returned.

I will have to trace the LDAP calls to see what is actually being sent to the LDAP server.

Any other ideas?

Warren
0 Kudos

sasquatch58
Champ in-the-making
Champ in-the-making

‎11-14-2010 02:30 AM

Hello Warren,
Perhaps the problem is a client time zone not correctly set. Important to  keep time in sync with NTP server and user locale to satisfy the user.
If Alfresco server is also set the same way, all server/ user times are synched to UTC.Ldap shouldn't be as fussy with time as is Kerberos or AD.
Mind you I'm still tying down Ldap on our servers and also separate dev/ test system so might have to change my comments later.
Cheers, Sasquatch
0 Kudos

warren_mcdonald
Champ in-the-making
Champ in-the-making

‎11-14-2010 06:23 AM

Hi Sasquatch,

there is no user client in involved in these transactions. The LDAP entries are updated by other systems. Then Alfresco sync runs to get the entries modified since last sync.

Alfresco server sends last sync date in LDAP query as local time. The LDAP server (with an expressed offset) expects this to be UTC time. In our situation we are 10 hours ahead of UTC so no entries are ever  returned if we sync within 10 hours. If we sync every 24 hours we still lose LDAP modifications for 11 hours of the day. Our members can update personal details online, so changes could occur any time.

My specific issue is how to put the time offset expression in to the alfresco ldap subsystem properties file so they will work. If I include the offset the LDAP sync process complains about invalid results. So I am assuming including the offset is not working as expected. I can use the modifyTimetamp offset in an ldapsearch command line and get results returned as expected.

I am  assuming in the expression (!(modifyTimestamp<={0}))  that {0} is something like arg0 supplied to the query. So I have used (!(modifyTimestamp<\={0}+1000)) to include the offset. I have also tried (!(modifyTimestamp<\={0}\+1000)). 


Cheers,

Warren
0 Kudos

bopolissimus
Confirmed Champ
Confirmed Champ

‎03-11-2013 11:25 PM

This is an old post so Warren has probably resolved his issue in the meantime.  I ran into this recently though (I'm in NZ, even further past UTC than Warren ;-).

Using alfresco 4.2.c community and an LDAP that returns modifyTimestamp in

ldap.synchronization.timestampFormat=yyyyMMddHHmmss.SSSSSS

format. 

In my own case, new users (even those created weeks previously) were not being synced.

Setting the following (adding +1300 [or whatever your timezone offset is] now allows differential sync to work (although I'm not clear on what will happen if I forget to change the offset when NZDT changes to NZST and back again).

ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0}+1300)))

I didn't test with old version of alfresco, but the above works with 4.2.c Community.
0 Kudos
Getting started

Tags

Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.

Copyright © 2024 Khoros, LLC