07-19-2023 08:41 AM
Hi everyone,
I'm running the newest Alfresco Community Edition using the alfresco-docker-installer. I have modified the alfresco-global.properties file to add support for LDAP synchronization and authentication. I wanted only users in the 'alfresco-users' group to be able to log in, and create other LDAP groups to limit access to sites. Right now we've managed to make Alfresco only allow users in the group to log in. However, when I go to Admin Tools -> Groups, I can see all the LDAP groups, but they're all empty - Alfresco syncs the groups but fails to populate them with users. I'm using FreeIPA LDAP and Alfresco CE 7.4. Below is my alfresco-global.properties file.
sample.site.disabled=false
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=uid=%s,cn=users,cn=accounts,dc=domain,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://freeipa.domain.com:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=administrator
create.missing.people=false
synchronization.synchronizeChangesOnly=false
ldap.synchronization.active=true
ldap.synchronization.allowDeletions=true
ldap.synchronization.autoCreatePeopleOnLogin=false
ldap.synchronization.syncWhenMissingPeopleLogin=false
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=read-access-user,cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.java.naming.security.credentials=<secret>
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=groupofnames)
ldap.synchronization.personQuery=(&(objectclass\=inetorgperson)(memberOf\=cn=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupofnames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetorgperson)(memberOf\=cn\=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn=groups,cn=accounts,dc=domain,dc=com
ldap.synchronization.userSearchBase=cn=users,cn=accounts,dc=domain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupMemberAttributeName=memberOf
synchronization.import.cron=0 * * * * ?
Thanks for the help.
07-19-2023 06:52 PM
You should try to change the ldap.synchronization.groupQuery in a similar way:
ldap.synchronization.groupQuery=(&(objectclass=groupOfNames)(|(CN=alfresco-users)))
Consider that, if I'm not wrong, the objectclass should be case sensitive.
Hope this helps.
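A small offline checker for the kind of settings discussed in both posts, added here as an example; it is not code from either poster or from Alfresco. It reads the properties the way java.util.Properties does (collapsing the backslash escapes such as \= used in the original file), verifies that every *Query filter has balanced parentheses, and compares groupMemberAttributeName with the attribute that the objectClass named in groupQuery stores its member list in. Assumptions: the SAMPLE_PROPERTIES text is a constructed subset of the poster's file, the objectClass-to-attribute map follows RFC 4519 (groupOfNames, groupOfUniqueNames) and RFC 2307 (posixGroup), and the properties parser is deliberately minimal (no line continuations or unicode escapes).

```python
import re

# Constructed subset of the poster's alfresco-global.properties (domain placeholders kept).
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupQuery=(objectclass\=groupofnames)
ldap.synchronization.personQuery=(&(objectclass\=inetorgperson)(memberOf\=cn=alfresco-users,cn\=groups,cn\=accounts,dc\=domain,dc\=com))
ldap.synchronization.groupMemberAttributeName=memberOf
"""

# Attribute holding the member list on the group entry itself, by objectClass
# (groupOfNames/groupOfUniqueNames per RFC 4519, posixGroup per RFC 2307).
GROUP_MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniqueMember", "posixgroup": "memberUid"}

def parse_properties(text):
    """Minimal java.util.Properties reader: first unescaped '=' or ':' splits key/value;
    backslash escapes in key and value are collapsed, so '\\=' becomes '='."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$", line)
        key, value = m.group(1), m.group(2)
        props[re.sub(r"\\(.)", r"\1", key)] = re.sub(r"\\(.)", r"\1", value)
    return props

def filter_parens_ok(ldap_filter):
    """True when parentheses balance and never close more than were opened."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0: return False
    return depth == 0

def expected_member_attribute(group_query):
    """Member-list attribute implied by the objectClass in groupQuery, or None if unknown."""
    m = re.search(r"\(objectclass=([^)]+)\)", group_query, re.IGNORECASE)
    return GROUP_MEMBER_ATTR.get(m.group(1).lower()) if m else None

def check_sync_config(props):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    for key, value in props.items():
        if key.endswith("Query") and not filter_parens_ok(value):
            findings.append(f"{key}: unbalanced parentheses")
    expected = expected_member_attribute(props.get("ldap.synchronization.groupQuery", ""))
    configured = props.get("ldap.synchronization.groupMemberAttributeName", "member")
    if expected and configured.lower() != expected.lower():
        findings.append(f"groupMemberAttributeName={configured}: the objectClass in groupQuery "
                        f"keeps its member list in '{expected}' on the group entry")
    return findings
```

Run it against the sample and the only finding is the member attribute mismatch; a filter with a missing closing parenthesis is reported by name before it ever reaches the directory server.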