[Workaround] LDAP group memberships not synchronized (v3.3)

mwildam
Champ in-the-making
We have a problem with the LDAP integration configuration - Group memberships are not synchronized - all groups are shown empty.

The perhaps special situation is that the LDAP base/root we are logging into and querying contains two aliases of other tree nodes containing users and groups:

Structure is:

==> Base/root: ou=users,ou=alfresco,ou=system,o=ffg
|
+--> Alias 1: dn: ou=active,ou=users,ou=alfresco,ou=system,o=ffg
|
+--> Alias 2: dn: ou=inactive,ou=users,ou=alfresco,ou=system,o=ffg

LDAP configuration:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
#
# alfrescoNtlm1
#
alfresco.authentication.authenticateCIFS=true
#
# ldap1
#
ldap.authentication.active=true
#ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=cn=%s,ou=User,o=ffg,l=vienna,c=at
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.1.1.1:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=ldapAlfresco
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=ldapAlfresco,ou=system,o=ffg
ldap.synchronization.java.naming.security.credentials=SUPERGEHEIM
#ldap.synchronization.groupSearchBase=o=ffg,l=vienna,c=at
ldap.synchronization.groupSearchBase=ou=users,ou=alfresco,ou=system,o=ffg
#ldap.synchronization.userSearchBase=ou=User,o=ffg,l=vienna,c=at
ldap.synchronization.userSearchBase=ou=users,ou=alfresco,ou=system,o=ffg
# attribute name corrected from the misspelt "midifyTimestamp"
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
#ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userIdAttributeName=cn
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
#ldap.synchronization.defaultHomeFolderProvider=ndsHomeDirectory
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
#ldap.synchronization.groupMemberAttributeName=groupMembership
#ldap.synchronization.groupMemberAttributeName=cn
ldap.synchronization.groupType=groupOfNames
#ldap.synchronization.groupType=groupMembership
ldap.synchronization.personType=inetOrgPerson

Sample content with aliases resolved (using ldapsearch):
[…]
USER SAMPLE:

# testuser3, User, ffg, vienna, at
dn: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
uid: testuser3
fullName: testuser3 (c1)
sn: testuser3 (c1)
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
objectClass: Person
objectClass: Top
groupMembership: cn=grEveryone,ou=User,o=ffg,l=vienna,c=at
groupMembership: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
cn: testuser3

[…]
GROUP SAMPLE:

# grSite4D, User, ffg, vienna, at
dn: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
objectClass: groupOfNames
objectClass: Top
member: cn=testuser2,ou=User,o=ffg,l=vienna,c=at
member: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
cn: grSite4D
[…]

Notes: That ldap.synchronization.groupSearchBase is the same as ldap.synchronization.userSearchBase is not an error; it is that way because that root contains users and groups.
We get the users and the groups, and users can also log in; just the group memberships don't get synchronized.
The error we get on startup of Alfresco v3.3g is:
11:01:12,477 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Failed to resolve distinguished name: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
And we get that error for each membership. User and group aliases are correctly resolved. I don't have any idea why it does not work for the group memberships. The only idea I have is that probably the base name from the root login is taken (which is a different branch of the LDAP tree) to link groups with users, which then would probably be a bug.

Interestingly, if we use "ou=user,o=ffg,l=vienna,c=at" as base/root then it works with the group memberships - but then we don't see all required users (only the active ones and we need them all).

What are we doing wrong? Or could it be a bug?
5 REPLIES

vrugginkj
Champ in-the-making
Hello Martin,

I'm having the same problem in V3.2 so I'm following your thread and searching what I'm doing wrong…

Best regards,
Jaco Vruggink, Alfresco newbie.

mwildam
Champ in-the-making
Just to let you know how we solved the problem (customer is using Novell open enterprise server with eDirectory):
Customer is now deactivating users without moving them to a different container - which they did before. So we worked around the problem.

cpot
Champ in-the-making
Seems to have the same problem with 3.4a.

Any workaround, fix or advice?

cpot
Champ in-the-making
Found that I had to specify the Distinguished Name for the member attribute, i.e.:

member: uid=admin,ou=people,dc=example,dc=com
and not just the UID
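The membership failures in this thread can be checked offline before touching Alfresco. The Python below is an added example, not code from Alfresco or from any poster: it reads LDIF like the ldapsearch output in the first post and reports, for each groupOfNames member value, whether it is a full DN (cpot's point), whether it lies under the configured ldap.synchronization.userSearchBase, and whether that entry exists. It assumes, as the original poster suspects, that memberships are resolved by DN within the user search base, and its sample entries are constructed from the thread's samples.

```python
# Constructed sample, modelled on the ldapsearch output quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
objectClass: inetOrgPerson
cn: testuser3

dn: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
objectClass: groupOfNames
member: cn=testuser2,ou=User,o=ffg,l=vienna,c=at
member: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
member: testuser4
cn: grSite4D
"""

def normalize_dn(dn):
    # Case-fold and trim around RDN separators (simplified: no escape handling).
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))

def parse_ldif(text):
    # Returns {normalized dn: {attribute: [values]}}; entries are blank-line separated.
    entries, attrs = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if attrs:
                entries[normalize_dn(attrs["dn"][0])] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return entries

def check_memberships(ldif_text, user_search_base, member_attr="member"):
    # Returns {(group cn, member value): status} for every groupOfNames member.
    entries = parse_ldif(ldif_text)
    report = {}
    for attrs in entries.values():
        if "groupofnames" not in [c.lower() for c in attrs.get("objectClass", [])]:
            continue
        for member in attrs.get(member_attr, []):
            if "=" not in member:
                status = "not a DN"  # bare uid/cn instead of a DN, as cpot found
            elif not normalize_dn(member).endswith("," + normalize_dn(user_search_base)):
                status = "outside userSearchBase"  # the alias situation in the first post
            elif normalize_dn(member) not in entries:
                status = "no such entry"
            else:
                status = "ok"
            report[(attrs["cn"][0], member)] = status
    return report
```

Run it once with the alias base from the first post and once with the real container; the testuser3 membership flips from "outside userSearchBase" to "ok", matching what the poster observed when switching the base.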

jack_chuong
Star Contributor
Hi all,
I'm using Alfresco 5.0.a Community on CentOS 6.4 64-bit; my Active Directory server is Windows Server 2008 R2.
I have the same problem. This is my alfresco-global.properties:

### Active Directory
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

ntlm.authentication.sso.enabled=false

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@mydomain.com
ldap.authentication.java.naming.provider.url=ldap://ad.mydomain.com:389
ldap.authentication.defaultAdministratorUserNames=jack.chuong
ldap.synchronization.java.naming.security.principal=CN=Jack Chuong,OU=Users,OU=ICT,OU=SGN,OU=Central Management,DC=mydomain,DC=com
ldap.synchronization.java.naming.security.credentials=******
ldap.synchronization.groupSearchBase=OU\=Central Management,DC\=mydomain,DC\=com
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.active=true
# Sync
synchronization.synchronizeChangesOnly=false
synchronization.allowDeletions=true
synchronization.import.cron=0 */30 * * * ?

ldap.synchronization.userSearchBase=OU\=Central Management,DC\=mydomain,DC\=com
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.personType=inetOrgPerson

The error we get on startup of Alfresco 5.0.a is:
2014-10-21 14:30:06,301  WARN  [sync.ldap.LDAPUserRegistry] [DefaultScheduler_Worker-6] Failed to resolve member of group 'it@mydomain.com' with distinguished name: CN=Jack Chuong,OU=Users,OU=ICT,OU=SGN,OU=Central Management,DC=mydomain,DC=com
My domain users and groups are synced to Alfresco, but the group memberships are empty.
How could I make it work?