cancel
Showing results for 
Search instead for 
Did you mean: 

Active Directory Configuration

makram_baaziz
Champ in-the-making
Champ in-the-making

Hello All,

I have alfresco process services 1.8.1 and wanted to activate the LDAP (active directory) authentication, but I'm facing the following error and don't know what to do:

2018-03-28 09:57:59,578 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] rangeEnabled = false
2018-03-28 09:57:59,578 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] rangeSize = 1500
2018-03-28 09:57:59,578 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userSearchBase = OU=User Accounts,OU=Alfresco,DC=pgi,DC=com
2018-03-28 09:57:59,578 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userQuery = (&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userDifferentialQuery = (&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(whenChanged<={0})))
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userIdAttributeName = uid
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userFirstNameAttributeName = givenName
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userLastNameAttributeName = sn
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userEmailAttributeName = 'mail'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] userType = 'user'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupSearchBase = 'OU=Security Groups,OU=Alfresco,DC=pgi,DC=com'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupQuery = '(objectclass=group)'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupDifferentialQuery = '(&(objectclass=group)(!(whenChanged<={0})))'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupIdAttributeName = 'cn'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupMemberAttributeName = member
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] groupType = group
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] distinguishedNameAttributeName = dn
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] createTimestampAttributeName = whenCreated
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] modifyTimestampAttributeName = 'whenChanged'
2018-03-28 09:57:59,594 INFO [com.activti.idm.ldap.service.LdapSettingsManager] [localhost-startStop-1] timeStampFormat = yyyyMMddHHmmss'.0Z', locale = (en,GB), timezone = GMT
2018-03-28 09:58:00,764 WARN [org.hibernate.hql.internal.ast.HqlSqlWalker] [localhost-startStop-1] [DEPRECATION] Encountered positional parameter near line 1, column 88. Positional parameter are considered deprecated; use named parameters or JPA-style positional parameters instead.
2018-03-28 09:58:00,779 WARN [org.hibernate.hql.internal.ast.HqlSqlWalker] [localhost-startStop-1] [DEPRECATION] Encountered positional parameter near line 1, column 77. Positional parameter are considered deprecated; use named parameters or JPA-style positional parameters instead.
2018-03-28 09:58:04,180 INFO [com.activiti.service.idm.UserCacheImpl] [activiti-app-rest-Executor-2] User cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,180 INFO [com.activiti.service.idm.UserCacheImpl] [activiti-app-rest-Executor-2] The size of this cache is determined by the 'cache.users.max.size' and 'cache.users.max.age' property.
2018-03-28 09:58:04,180 INFO [com.activiti.service.idm.GroupHierarchyCacheImpl] [activiti-app-rest-Executor-2] Group cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,180 INFO [com.activiti.service.idm.GroupHierarchyCacheImpl] [activiti-app-rest-Executor-2] The size of this cache is determined by the 'cache.groups.max.size' and 'cache.groups.max.age' property.
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.FormStoreServiceImpl] [activiti-app-rest-Executor-2] Form cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.FormStoreServiceImpl] [activiti-app-rest-Executor-2] The size of this cache is determined by the 'cache.forms.max.size' property
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.integration.alfresco.AlfrescoOnPremiseTicketService] [activiti-app-rest-Executor-1] Alfresco ticket cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.integration.alfresco.AlfrescoOnPremiseTicketService] [activiti-app-rest-Executor-1] The size of this cache is determined by the 'cache.alfresco-tickets.max.size' and 'cache.alfresco-tickets.max.age' property.
2018-03-28 09:58:04,196 INFO [com.activiti.service.license.LicenseService] [pool-4-thread-4] Note! License is about to expire in the near future 20180415
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.ScriptFileControllerCacheImpl] [activiti-app-rest-Executor-1] Script file cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,196 INFO [com.activiti.service.idm.PersistentTokenServiceImpl] [activiti-app-rest-Executor-2] Token cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,196 INFO [com.activiti.service.idm.PersistentTokenServiceImpl] [activiti-app-rest-Executor-2] The size of this cache is determined by the 'cache.login-tokens.max.size' and 'cache.login-tokens.max.age' property.
2018-03-28 09:58:04,196 INFO [com.activiti.service.runtime.ScriptFileLibraryCacheImpl] [activiti-app-rest-Executor-1] Script file cache statistics: CacheStats{hitCount=0, missCount=0, loadSuccessCount=0, loadExceptionCount=0, totalLoadTime=0, evictionCount=0}
2018-03-28 09:58:04,242 INFO [com.activiti.ActivitiApplication] [localhost-startStop-1] Started ActivitiApplication in 42.541 seconds (JVM running for 71.388)
2018-03-28 09:58:04,274 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] No initial LDAP sync info found. Executing full synchronization.
2018-03-28 09:58:04,274 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Starting full LDAP synchronization
2018-03-28 09:58:04,274 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Starting to process the LDAP users and groups.
2018-03-28 09:58:04,320 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Found 0 groups and 2 users in LDAP
2018-03-28 09:58:04,383 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Error while handling user. Could not handle user correctly, user might not have been created.
javax.persistence.NonUniqueResultException: result returns more than one elements
at org.hibernate.ejb.QueryImpl.getSingleResult(QueryImpl.java:297)
at org.hibernate.ejb.criteria.CriteriaQueryCompiler$3.getSingleResult(CriteriaQueryCompiler.java:258)
at org.springframework.data.jpa.repository.query.JpaQueryExecution$SingleEntityExecution.doExecute(JpaQueryExecution.java:208)
at org.springframework.data.jpa.repository.query.JpaQueryExecution.execute(JpaQueryExecution.java:87)
at org.springframework.data.jpa.repository.query.AbstractJpaQuery.doExecute(AbstractJpaQuery.java:116)
at org.springframework.data.jpa.repository.query.AbstractJpaQuery.execute(AbstractJpaQuery.java:106)
at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.doInvoke(RepositoryFactorySupport.java:492)
at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.invoke(RepositoryFactorySupport.java:475)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.invoke(DefaultMethodInvokingMethodInterceptor.java:56)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:136)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.jpa.repository.support.CrudMethodMetadataPostProcessor$CrudMethodMetadataPopulatingMethodInterceptor.invoke(CrudMethodMetadataPostProcessor.java:133)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.repository.core.support.SurroundingTransactionDetectorMethodInterceptor.invoke(SurroundingTransactionDetectorMethodInterceptor.java:57)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy248.findByExternalId(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:52)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy249.findByExternalId(Unknown Source)
at com.activiti.service.idm.UserServiceImpl.findUserByExternalId(UserServiceImpl.java:527)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy243.findUserByExternalId(Unknown Source)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.handleUser(AbstractExternalIdmSourceSyncService.java:498)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$6.doInTransaction(AbstractExternalIdmSourceSyncService.java:476)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$6.doInTransaction(AbstractExternalIdmSourceSyncService.java:469)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.insertBatchOfUsers(AbstractExternalIdmSourceSyncService.java:469)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.handleUsers(AbstractExternalIdmSourceSyncService.java:462)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.fullSync(AbstractExternalIdmSourceSyncService.java:391)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.internalExecuteFullSynchronization(AbstractExternalIdmSourceSyncService.java:298)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$4.run(AbstractExternalIdmSourceSyncService.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2018-03-28 09:58:04,414 INFO [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Error while handling user. Could not handle user correctly, user might not have been created.
javax.persistence.NonUniqueResultException: result returns more than one elements
at org.hibernate.ejb.QueryImpl.getSingleResult(QueryImpl.java:297)
at org.hibernate.ejb.criteria.CriteriaQueryCompiler$3.getSingleResult(CriteriaQueryCompiler.java:258)
at org.springframework.data.jpa.repository.query.JpaQueryExecution$SingleEntityExecution.doExecute(JpaQueryExecution.java:208)
at org.springframework.data.jpa.repository.query.JpaQueryExecution.execute(JpaQueryExecution.java:87)
at org.springframework.data.jpa.repository.query.AbstractJpaQuery.doExecute(AbstractJpaQuery.java:116)
at org.springframework.data.jpa.repository.query.AbstractJpaQuery.execute(AbstractJpaQuery.java:106)
at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.doInvoke(RepositoryFactorySupport.java:492)
at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.invoke(RepositoryFactorySupport.java:475)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.invoke(DefaultMethodInvokingMethodInterceptor.java:56)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:136)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.jpa.repository.support.CrudMethodMetadataPostProcessor$CrudMethodMetadataPopulatingMethodInterceptor.invoke(CrudMethodMetadataPostProcessor.java:133)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.data.repository.core.support.SurroundingTransactionDetectorMethodInterceptor.invoke(SurroundingTransactionDetectorMethodInterceptor.java:57)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy248.findByExternalId(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.aop.framework.adapter.MethodBeforeAdviceInterceptor.invoke(MethodBeforeAdviceInterceptor.java:52)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:92)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy249.findByExternalId(Unknown Source)
at com.activiti.service.idm.UserServiceImpl.findUserByExternalId(UserServiceImpl.java:527)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.transaction.interceptor.TransactionInterceptor$1.proceedWithInvocation(TransactionInterceptor.java:99)
at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:282)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
at com.sun.proxy.$Proxy243.findUserByExternalId(Unknown Source)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.handleUser(AbstractExternalIdmSourceSyncService.java:498)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$6.doInTransaction(AbstractExternalIdmSourceSyncService.java:476)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$6.doInTransaction(AbstractExternalIdmSourceSyncService.java:469)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:133)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.insertBatchOfUsers(AbstractExternalIdmSourceSyncService.java:469)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.handleUsers(AbstractExternalIdmSourceSyncService.java:462)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.fullSync(AbstractExternalIdmSourceSyncService.java:391)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.internalExecuteFullSynchronization(AbstractExternalIdmSourceSyncService.java:298)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$4.run(AbstractExternalIdmSourceSyncService.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2018-03-28 09:58:04,414 ERROR [com.activiti.api.idm.AbstractExternalIdmSourceSyncService] [activiti-app-rest-Executor-2] Exception while executing full LDAP sync
org.springframework.transaction.TransactionSystemException: Could not commit JPA transaction; nested exception is javax.persistence.RollbackException: Transaction marked as rollbackOnly
at org.springframework.orm.jpa.JpaTransactionManager.doCommit(JpaTransactionManager.java:526)
at org.springframework.transaction.support.AbstractPlatformTransactionManager.processCommit(AbstractPlatformTransactionManager.java:761)
at org.springframework.transaction.support.AbstractPlatformTransactionManager.commit(AbstractPlatformTransactionManager.java:730)
at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:150)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.insertBatchOfUsers(AbstractExternalIdmSourceSyncService.java:469)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.handleUsers(AbstractExternalIdmSourceSyncService.java:462)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.fullSync(AbstractExternalIdmSourceSyncService.java:391)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService.internalExecuteFullSynchronization(AbstractExternalIdmSourceSyncService.java:298)
at com.activiti.api.idm.AbstractExternalIdmSourceSyncService$4.run(AbstractExternalIdmSourceSyncService.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.persistence.RollbackException: Transaction marked as rollbackOnly
at org.hibernate.ejb.TransactionImpl.commit(TransactionImpl.java:72)
at org.springframework.orm.jpa.JpaTransactionManager.doCommit(JpaTransactionManager.java:517)
... 11 more

Bellow is \tomcat\lib\activiti-ldap.properties

# --------------------------
# LDAP AUTHENTICATION CONFIG
# --------------------------
# Note that this is AUTHENTICATION only, not synchronization.
# For this to work properly, the LDAP synchronization (see below), needs to be
# enabled and configured correctly (on one node).
ldap.authentication.enabled=true
# Set to false to allow for case insensitive logins. By default true if omitted or commented out.
ldap.authentication.casesensitive=true
# Set this property to 'true' to allow for a fallback to database authentication (default is false).
# This can be useful to have a 'system' user for example which does not represent
# a real user (and is not in the LDAP user store), but can be used to eg. call the REST API.
ldap.allow.database.authenticaion.fallback=false

# Property to map the user id entered by the user in the login field to that passed through to LDAP.
#
# If the users are in a flat list (eg one organizational unit), it's easy, simply set the property
# to a value, eg. uid={0},ou=users,dc=alfresco,dc=com
# This is also the most performant way, as the LDAP bind can be done directly.
#
# However, if the users are in structured folders (organizational units for example), a direct pattern cannot be used.
# In this case, leave the property either empty or comment it.
# A query will be done using the ldap.synchronization.personQuery with the ldap.synchronization.userIdAttributeName
# to find the user, and find it's dn. That dn will then be used to login.
ldap.authentication.dnPattern=
# Uncomment when using Active directory
ldap.authentication.active-directory.enabled=true
ldap.authentication.active-directory.domain=pgi.com
ldap.authentication.active-directory.rootDn=DC=pgi,DC=com
ldap.authentication.active-directory.searchFilter=(&(objectClass=user)(sAMAccountName={0}))

# ----------------------------
# LDAP SYNCHRONIZATION CONFIG
# ----------------------------
# Enables full synchronization. With full sync, all user/groups will be checked whether they are valid or not.
# By default, runs at midnight, since this is quite a heavy operation.
# Full synchronization is needed because a partial synchronization cannot detect deletes of groups/users.
ldap.synchronization.full.enabled=true
ldap.synchronization.full.cronExpression=0 0 0 * * ?
# Enabled differential synchronization. This will only check the users/groups which are changes since last sync.
# A differential sync cannot detect deletes of users/groups. This is done by the full sync.
ldap.synchronization.differential.enabled=false
ldap.synchronization.differential.cronExpression=0 0 */4 * * ?
# Paging (default = no paging).
# If enabled, default page size is 100
ldap.synchronization.paging.enabled=false
ldap.synchronization.paging.size=500
# Db batch sizes
ldap.synchronization.db.insert.batch.size=100
ldap.synchronization.db.query.batch.size=100

# ----------------------
# LDAP CONNECTION CONFIG
# ----------------------
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ActiveDirectory.pgi.com:389
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=CN\=Alfresco,OU\=User Accounts,OU\=Alfresco,DC\=pgi,DC\=com
# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=Start123
# The authentication mechanism to use for synchronization
ldap.synchronization.java.naming.security.authentication=simple
# LDAPS truststore configuration properties
#ldap.authentication.truststore.path=
#ldap.authentication.truststore.passphrase=
#ldap.authentication.truststore.type=
# Set to 'ssl' to enable truststore configuration via subsystem's properties
#ldap.authentication.java.naming.security.protocol=ssl
# The LDAP context factory to use
#ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Requests timeout, in miliseconds, use 0 for none (default)
#ldap.authentication.java.naming.read.timeout=0
# See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
#ldap.synchronization.java.naming.referral=follow

# -----------
# USER CONFIG
# -----------
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=OU=User Accounts,OU=Alfresco,DC=pgi,DC=com
# The query to select all objects that represent the users to import.
# Active Directory example: (&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
# The query to select objects that represent the users to import that have changed since a certain time.
# Active Directory example: (&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
# The attribute name on people objects found in LDAP to use as the login id in Activiti. Needs to be unique and cannot change!
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property of a user
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property of a user
ldap.synchronization.userLastNameAttributeName=sn
# The attribute on person objects in LDAP to map to the email property of a user
ldap.synchronization.userEmailAttributeName=mail
# The person type in LDAP
# Active Directory: user
ldap.synchronization.userType=user
# Set the dn of the people that need to be made tenant admin (one tenant). Delimit multiple entries with ;, cause we can't use a comma of course. Note: no trimming of spaces will be applied
##ldap.synchronization.tenantAdminDn=uid=admin,ou=users,dc=alfresco,dc=com
# Set the dn of the people that need to be made tenant manager (multiple tenants). Delimit multiple entries with ;, cause we can't use a comma of course. Note: no trimming of spaces will be applied
##ldap.synchronization.tenantManagerDn=uid=admin,ou=users,dc=alfresco,dc=com
# ------------
# GROUP CONFIG
# ------------
# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=OU=Security Groups,OU=Alfresco,DC=pgi,DC=com
# The query to select all objects that represent the groups to import.
# Active Directory example: (objectclass\=group)
ldap.synchronization.groupQuery=(objectclass\=group)
# The query to select objects that represent the groups to import that have changed since a certain time.
# Active Directory example: (&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
# The attribute on LDAP group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member
# LDAP Range (default = no range).
# If enabled, default range size is 1000.
# This is an Active Directory attribute
# and should be used when there are groups with more than
# 1000 members for AD on Windows Server 2000 or
# 1500 members for AD on Windows Server 2003+
# see https://msdn.microsoft.com/en-us/library/ms676302(VS.85).aspx
ldap.synchronization.groupMemberRangeEnabled=false
ldap.synchronization.groupMemberRangeSize=1500
# The group type in LDAP
# Active Directory: group
ldap.synchronization.groupType=group

# ------------------------
# GENERIC ATTRIBUTE CONFIG
# ------------------------
# The dn of an entry.
ldap.synchronization.distinguishedNameAttributeName=dn
# The name of the operational attribute recording the last update time for a group or user.
# Active Directory: whenChanged
ldap.synchronization.modifyTimestampAttributeName=whenChanged
# The name of the operational attribute recording the create time for a group or user.
# Active Directory: whenCreated
ldap.synchronization.createTimestampAttributeName=whenCreated
# The timestamp format. Unfortunately, this varies between directory servers.
# Active Directory: yyyyMMddHHmmss'.0Z'
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
# The timestamp format locale language. 'en' by default. Follows the java.util.Locale semantics.
ldap.synchronization.timestampFormat.locale.language=en
# The timestamp format locale country. 'GB' by default. Follows the java.util.Locale semantics.
ldap.synchronization.timestampFormat.locale.country=GB
# The timestamp format timezone. 'GMT' by default. Folloez the java.text.SimpleDateFormat semantics.
ldap.synchronization.timestampFormat.timezone=GMT

# -----------------------
# LDAP CONNECTION POOLING
# -----------------------
# Options=
# nothing filled in: no connection pooling
# 'jdk': use the default jdk pooling mechanism
# 'spring': use the spring ldap connection pooling facilities. These can be configured further below
#ldap.synchronization.pooling.type=spring
# Following settings follow the semantics of org.springframework.ldap.pool.factory.PoolingContextSource
#ldap.synchronization.pooling.minIdle=0
#ldap.synchronization.pooling.maxIdle=8
#ldap.synchronization.pooling.maxActive=0
#ldap.synchronization.pooling.maxTotal=-1
#ldap.synchronization.pooling.maxWait=-1
# Options for exhausted action: fail | block | grow
#ldap.synchronization.pooling.whenExhaustedAction=block
#ldap.synchronization.pooling.testOnBorrow=false
#ldap.synchronization.pooling.testOnReturn=false
#ldap.synchronization.pooling.testWhileIdle=false
#ldap.synchronization.pooling.timeBetweenEvictionRunsMillis=-1
#ldap.synchronization.pooling.minEvictableIdleTimeMillis=1800000
#ldap.synchronization.pooling.numTestsPerEvictionRun=3
# Connection pool validation (see http://docs.spring.io/spring-ldap/docs/2.0.2.RELEASE/reference/#pooling for semantics)
# Used when any of the testXXX above are set to true
#ldap.synchronization.pooling.validation.base=
#ldap.synchronization.pooling.validation.filter=
# Search control: object, oneLevel, subTree
#ldap.synchronization.pooling.validation.searchControlsRefs=
#---------------------------
# KERBEROS SSO CONFIGURATION
#---------------------------
kerberos.authentication.enabled=false
#kerberos.authentication.principal=HTTP/test.alfresco.local
#kerberos.authentication.keytab=C:/alfresco/alfrescohttp.keytab
kerberos.authentication.krb5.conf=C:/Windows/krb5.ini
#kerberos.allow.ldap.authentication.fallback=false
#kerberos.allow.database.authentication.fallback=false
# Set to true if you use the short form (samAccountName) of your AD username to log in to Windows rather than the full UPN
#kerberos.allow.samAccountName.authentication=true
# Following line must be set to true when Kerberos enabled
#security.authentication.use-externalid=true

Any idea ??

Thanks in advance,

Makram

1 REPLY 1

keith_bailey
Champ on-the-rise
Champ on-the-rise

Hi Makram, 

Appreciate that it has been a while since you asked your question, but I found it whilst trying to problem solve a different issue myself.

Did you get this resolved in the end ?

I notice that you have 

ldap.synchronization.userIdAttributeName=uid

Although 'uid' is an attribute in AD, i'm not sure what it gets populated with. That might be why you are getting non-unique results for a specific user. 

See User Naming Attributes (Windows) 

You might be better off using 

ldap.synchronization.userIdAttributeName=sAMAccountName

- we've had some success with this setting & AD, although my current problem is that disabled AD accounts are not making active users 'inactive'

Caution : Note that this contradicts the example-activiti-ldap-for-ad.properties file which suggests you use 'cn' together as does numerous other examples i've found in google searches.  However, that gives us the users full name in 'external_id' within APS, which is not correct.

See [MNT-18209] AD ldap.authentication.active-directory.* configuration properties cause auth failure - ... 

I also note that there is an open JIRA to improve the documentation.

HTH

Keith