05-31-2017 03:02 AM
Hi,
I am trying to sync with Active Directory, but keep getting an error in the log:
"[org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-5] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 04310025 Error during LDAP Search. Reason:company.com:389"
My alfresco-global.properties looks like this:
## LdapSync ##
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=myadmin@mycompany.com
ldap.synchronization.java.naming.security.credentials=pass
ldap.synchronization.personQuery=(objectclass\=user)
ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(!(modifyTimestamp<={0})))
ldap.synchronization.userSearchBase=ou\=Users,dc\=mycompany,dc\=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
#ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
synchronization.synchronizeChangesOnly=false
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.escapeCommasInBind=false
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=true
ldap.synchronization.enableProgressEstimation=true
###########################
Any help would be appreciated.
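As an added, offline example (not from the original post and not Alfresco code): a small Python checker for the LDAP section of alfresco-global.properties. It catches the mistakes that typically precede a "Synchronization aborted" at sync time: a key set twice with conflicting values (the last one wins), a misspelled property prefix that Alfresco silently ignores, a missing or scheme-less provider URL, and filters with unbalanced parentheses. The sample config is constructed for the demonstration and the set of checks is my own choice of what is worth flagging, not Alfresco's own validation; the property names and prefixes are Alfresco's real ones.

```python
"""Offline sanity checks for the LDAP settings in alfresco-global.properties.

Added example, not Alfresco code. It reads the java.util.Properties subset used
by alfresco-global.properties ('#'/'!' comments, key/value split at the first
unescaped '=' or ':', backslash escapes such as ou\\=Users) and flags the usual
causes of a "Synchronization aborted" error at sync time.
"""
import re
from collections import defaultdict

# The three property prefixes Alfresco reads for the ldap/ldap-ad subsystems.
KNOWN_PREFIXES = ("ldap.authentication.", "ldap.synchronization.", "synchronization.")
URL_KEY = "ldap.authentication.java.naming.provider.url"

# Constructed sample with deliberate mistakes (not anyone's real config).
SAMPLE = """\
## LdapSync ##
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=myadmin@mycompany.com
ldap.synchronization.personQuery=(objectclass\\=user)
ldap.synchronization.userSearchBase=ou\\=Users,dc\\=mycompany,dc\\=com
ldap.synchronisation.groupQuery=(&((objectClass=group))
synchronization.synchronizeChangesOnly=false
synchronization.synchronizeChangesOnly=true
"""


def parse_properties(text):
    """Return (key, value) pairs in file order; duplicates are kept."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line) and line[i] not in "=:" and not line[i].isspace():
            if line[i] == "\\" and i + 1 < len(line):   # escaped char inside the key
                i += 1
            key.append(line[i])
            i += 1
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):                         # a single separator char
            rest = rest[1:].lstrip(" \t")
        value = re.sub(r"\\(.)", r"\1", rest)              # drop escaping backslashes
        pairs.append(("".join(key), value))
    return pairs


def filter_issues(value):
    """Cheap RFC 4515 syntax checks: balanced parentheses and no bare '(('."""
    issues, depth = [], 0
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        issues.append(("error", f"unbalanced parentheses in filter {value!r}"))
    if "((" in value:
        issues.append(("warning", "'((' is not valid RFC 4515 (after '(' must come &, |, ! "
                                  "or an attribute); some servers tolerate it, strict ones reject it"))
    return issues


def lint(text):
    """Run all checks; return a list of (severity, key, message) tuples."""
    by_key = defaultdict(list)
    for key, value in parse_properties(text):
        by_key[key].append(value)
    findings = []
    for key, values in by_key.items():
        if len(values) > 1:
            sev = "error" if len(set(values)) > 1 else "warning"
            findings.append((sev, key, f"set {len(values)} times; the last wins: {values[-1]!r}"))
        if ("ldap" in key or "sync" in key) and not key.startswith(KNOWN_PREFIXES):
            findings.append(("error", key, "unknown prefix (typo?); Alfresco ignores it silently"))
        if key.endswith("Query"):
            for value in values:
                findings += [(sev, key, msg) for sev, msg in filter_issues(value)]
    url = by_key.get(URL_KEY, [None])[-1]
    if url is None:
        findings.append(("error", URL_KEY, "missing; nothing says which directory to contact"))
    elif not re.fullmatch(r"ldaps?://[^/\s:]+(:\d+)?/?", url):
        findings.append(("error", URL_KEY, f"{url!r}: expected ldap://dc.example.com:389 (scheme, FQDN, port)"))
    return findings


if __name__ == "__main__":
    for severity, key, message in lint(SAMPLE):
        print(f"{severity:7} {key}: {message}")
```

Run it against your own file with `lint(open("alfresco-global.properties").read())`; anything at severity "error" is worth fixing before looking at the LDAP server side, because Alfresco does not warn about unknown or duplicated keys itself.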
06-01-2017 04:07 AM
Two suggestions.
1. Have you tried to follow "Example: authentication and synchronization with one ldap-ad subsystem" in the Alfresco Documentation?
2. Does your security principal have access to read all properties in LDAP? You should run a test to make sure that the user can query LDAP properly using a test tool.
What LDAP system/server are you using?
I note you have used "ldap.synchronization.java.naming.security.authentication=simple". This is not recommended.
I am not sure why you have used all the settings that you have. The example provided in point 1 should allow you to synchronise.
I have set up the authentication chain as:
authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru,ad1:ldap-ad
The passthru allows users to open Office documents without prompting for credentials, and therefore I also set ldap.authentication.active=false.
The other point I thought looked odd is the domain qualification. I use ou=People,dc=xyz,dc=abc,dc=mycompany,dc=com as per the example.
06-02-2017 04:44 AM
1. I have tried that suggestion and all sorts of stuff I found while browsing for hints, but will try again from the beginning.
2. The user I am using has all the properties on LDAP (once it works I will make a new one just for Alfresco).
I am using Active Directory Users and Computers version 5.2.3790.3959 on a Windows Server 2003 R2 x64.
06-03-2017 04:29 AM
OK, let us know how you go. I am using Windows Active Directory and have got it working seamlessly. Happy to help if you need more information.
Please also refer to https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
Use the LDP tool included with Windows Server 2003. Follow the instructions in the link above to validate your LDAP user, password and access.
06-03-2017 05:22 AM
Hi Antonio,
I use the LDAP client Apache Directory Studio to test my LDAP connection and queries.
My ldap configuration differs in
ldap.authentication.java.naming.provider.url=ldap://myad:389
I had to use the fully qualified name in the URL ldap://myad.mydom:389
I created an extra AD user for LDAP sync, "ldap.alfresco", which is referred to as
ldap.synchronization.java.naming.security.principal=ldap.alfresco@mydom
The user has to be in the appropriate groups if your AD is ACLed in some way. Normally it just has to be a domain user.
Here are the only values I set (changed to the example domain dom.local; the domain controller server is dc).
I use the search base dc=dom,dc=local because some users are in a special OU and I wanted to import only users with an email address; you should adapt this.
The DC is Windows 2012; Alfresco (5.2.0 r135134-b14) runs on Ubuntu 16.04.2 LTS.
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@dom.local
ldap.authentication.java.naming.provider.url=ldap://dc.dom.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldap.alfresco@dom.local
ldap.synchronization.java.naming.security.credentials=XXXXXXXX
ldap.synchronization.groupSearchBase=dc=dom,dc=local
ldap.synchronization.userSearchBase=dc=dom,dc=local
#group type = global groups
ldap.synchronization.groupQuery=(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2))
ldap.synchronization.groupDifferentialQuery=(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2))
#only enabled users with mail address
ldap.synchronization.personQuery=(&(objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*))
ldap.synchronization.personDifferentialQuery=(&(objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*))
### Sync Settings ###
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?
This is the setup of my test system. So differential queries are the same as the full queries...
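As an added example (not from the original post and not Alfresco code), here is a Python evaluator for the filter syntax used in this thread, run offline against constructed AD-style entries. It implements the AD extensible matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND), which is what the groupType and userAccountControl tests rely on, so you can see what a personQuery or groupQuery would really select before pointing the synchronizer at the directory. Two things it makes visible: a test for bit 512 of userAccountControl (NORMAL_ACCOUNT) also matches a disabled account, whose value is 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE, bit 2), so excluding disabled users needs a negated test for bit 2; and a filter written with bare doubled parentheses such as (&((a=b)(c=d))) is not valid RFC 4515 and is rejected by a strict parser even if a particular server accepts it. The entries, the account names and the "enabled only" filter are my own constructions.

```python
"""Evaluate AD-style LDAP filters offline against constructed directory entries.

Added example, not Alfresco code. It parses the RFC 4515 subset used in this
thread (&, |, !, equality, presence, substring, and the AD extensible matching
rules LDAP_MATCHING_RULE_BIT_AND / BIT_OR) and applies it to sample entries.
"""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND: all bits of value set
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR: any bit of value set
_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=([^()]*)\)")

# Constructed entries (not from a real directory). userAccountControl:
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE (bit 2),
# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD. groupType is a signed 32-bit
# value: bit 2 = global group, bit 4 = domain local, 0x80000000 = security-enabled.
ENTRIES = {
    "alice": {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["512"], "mail": ["alice@dom.local"]},
    "bob":   {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["514"], "mail": ["bob@dom.local"]},
    "svc":   {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["66048"]},
    "gg":    {"objectclass": ["top", "group"], "grouptype": ["-2147483646"]},  # global security group
    "dl":    {"objectclass": ["top", "group"], "grouptype": ["-2147483644"]},  # domain local security group
}

PERSON_QUERY = "(&(objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*))"
ENABLED_ONLY = "(&(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*@*))"
GLOBAL_GROUPS = "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2))"


def parse_filter(text):
    """Parse a filter into nested tuples; raise ValueError on RFC 4515 violations."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing data at {end}: {text[end:]!r}")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":                       # and / or over one or more filters
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect(s, i, ")")
    if s[i] == "!":                        # not over exactly one filter
        kid, i = _parse(s, i + 1)
        return ("!", kid), _expect(s, i, ")")
    m = _ITEM.match(s, i)                  # attr=value, attr=*, attr=*x*, attr:oid:=value
    if not m:                              # '((' lands here: a bare '(' is not an item
        raise ValueError(f"malformed item at {i}: {s[i:i + 12]!r}")
    attr, rule, value = m.groups()
    return ("item", attr.lower(), rule, value), m.end()


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at {i}")
    return i + 1


def matches(node, entry):
    """Evaluate a parsed filter against {lowercase attr: [string values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:                                # every bit of value is set
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule == BIT_OR:                                 # at least one bit of value is set
        return any(int(v) & int(value) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                                   # presence
        return bool(values)
    if "*" in value:                                   # substring, case-insensitive like AD
        pat = re.compile(".*".join(map(re.escape, value.split("*"))), re.I)
        return any(pat.fullmatch(v) for v in values)
    return any(v.lower() == value.lower() for v in values)


def select(filter_text, entries=ENTRIES):
    """Names of the entries a filter would return, sorted."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))


def is_valid(filter_text):
    """True if the filter parses under the strict RFC 4515 grammar above."""
    try:
        parse_filter(filter_text)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for label, f in [("personQuery", PERSON_QUERY), ("enabled only", ENABLED_ONLY), ("global groups", GLOBAL_GROUPS)]:
        print(f"{label:14} -> {select(f)}")
```

With these entries the 512 test returns both alice and the disabled bob, while the negated bit-2 test returns alice alone; the groupType test returns only the global group. Substituting your own entries (exported from Apache Directory Studio or ldp.exe) is a quick way to check a filter's effect without waiting for the next sync run.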
06-06-2017 06:33 AM
Got it working with passthru. Thanks all for the help.