04-19-2018 06:46 AM
We have a specific installation of an Alfresco 5.2.d repository where the primary domain controller, identified by the domain name, is unavailable by its IP; only the secondary domain controller host is available.
So, we have the domain some.com.ua, and the command telnet some.com.ua 389 results in
telnet some.com.ua 389
Trying 10.36.0.1...
Trying 10.44.0.2...
Connected to some.com.ua.
The primary domain controller IP 10.36.0.1 is unavailable from the Alfresco host. We tried to manage this by setting the parameter ldap.authentication.java.naming.provider.url to the host ldap.some.com.ua, which resolves to the available 10.44.0.2:
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
but with no luck; Alfresco sometimes (not regularly) still gives the synchronization error: some.com.ua:389 Connection timed out
If the LDAP host is ldap.some.com.ua:389, why is it connecting to some.com.ua:389?
It is possible that the reason for the error is not the one I supposed but some other.
The error log is:
2018-03-23 22:19:22,007 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-7] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 022365714 Error during LDAP Search. Reason:null
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1326)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:711)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:996)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:742)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:471)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:53)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:555)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:49)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]]
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1307)
... 9 more
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
... 13 more
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at java.net.Socket.<init>(Socket.java:434)
at java.net.Socket.<init>(Socket.java:211)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:64)
at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:115)
at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:132)
at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:329)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1606)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
... 16 more
Below is the part of alfresco-global.properties for AD:
#AD
ldap.authentication.active=true
ldap.synchronization.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.allowGuestLogin=false
#OU
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=adsedtest
ldap.synchronization.java.naming.security.principal=some_ldap@some.com.ua
ldap.synchronization.java.naming.security.credentials=rfsdf34gfdgd
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0}))(CN\=webadmin))
ldap.synchronization.personQuery=(&(objectclass\=user)(samAccountType=805306368)(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(samAccountType=805306368)(!(whenChanged<\={0}))(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.groupSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.userSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=all
synchronization.allowDeletions=false
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=true
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1
# sync every 15 minutes
synchronization.import.cron=0 0/15 * * * ?
09-28-2018 09:18 AM
We still suffer from the problem with AD synchronization.
As I have found, during synchronization Alfresco not only connects to the domain controller "ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389" but somehow also connects to the domain name "some.com.ua".
And in the case where we have several domain controllers and not all of them are accessible from the Alfresco host, we get errors in alfresco.log, which are shown in the opening message.
09-29-2018 11:53 AM
Hi Sergei:
If you have problems resolving the ldap.some.co.ua server with your config, you can help Alfresco by setting the IP directly or assigning it in /etc/hosts temporarily. This should allow you to go ahead and see whether the rest of the sync configuration is working.
Regards.
--C.
10-01-2018 03:45 AM
Thank you for your reply. My problem is that the real cause of the situation is more complicated and not as obvious as might be supposed at first glance.
You see, setting the IP directly does not solve the problem, because AD synchronization connects not only to the host indicated by the parameter (ldap.some.com.ua), but somehow also connects to the domain by name (some.com.ua), which it should not connect to.
AD synchronization should connect to ldap.some.com.ua but also connects to some.com.ua!
This is a proven fact, which I observed twice in different network infrastructures.
To sum up, when the AD configuration has several AD controllers and only some of them are accessible from the Alfresco host, whatever we put in the parameter ldap.authentication.java.naming.provider.url, host or IP directly, we periodically observe errors in the synchronization log:
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
It can be solved by adding a line in /etc/hosts for the domain name some.com.ua with an accessible IP, but the operating system is not ours and the system admin prohibits doing this.
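As an added example (not code from this thread or from Alfresco), the script below reads the stack trace and the properties fragment posted above and extracts the answer to the question asked here. The innermost CommunicationException names the host that could not be reached, and the frames above it (AbstractLdapNamingEnumeration.hasMoreReferrals, LdapReferralException.getReferralContext, LdapReferralContext.<init>) show that the JNDI LDAP provider opened that connection while following a referral returned by the server during the search, not because of anything in java.naming.provider.url. A subtree search rooted at the domain naming context (dc=some,dc=com,dc=ua) makes Active Directory return continuation references for partitions it holds elsewhere (the Configuration partition, the DNS application partitions, child domains), and the URLs in those references carry a DNS name for the domain rather than the controller that was queried; that name resolves to any controller, including the unreachable 10.36.0.1, exactly as the telnet output in the first post shows. The sample inputs are constructed from the posted lines. The properties key ldap.synchronization.java.naming.referral looked up at the end is an assumption about how this Alfresco version exposes JNDI's java.naming.referral setting and must be checked against the subsystem's own properties file.

```python
"""Why does an LDAP client configured for ldap.some.com.ua reach some.com.ua?

Added example, not Alfresco code. Reads a JNDI stack trace plus an
alfresco-global.properties fragment and reports whether the failed connection
was a referral being followed, and whether the referred host is just the DNS
name of the domain naming context that the search bases point at.
"""
import re
from urllib.parse import urlsplit

# Constructed: the posted trace, cut down to the frames that carry the answer.
TRACE = """\
org.alfresco.error.AlfrescoRuntimeException: 022365714 Error during LDAP Search. Reason:null
\tat org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1326)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]]
\tat com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
\tat com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
\tat com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
\tat java.net.PlainSocketImpl.socketConnect(Native Method)
"""

# Constructed: the three posted properties the diagnosis needs.
PROPS = """\
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
ldap.synchronization.groupSearchBase=dc\\=some,dc\\=com,dc\\=ua
ldap.synchronization.userSearchBase=dc\\=some,dc\\=com,dc\\=ua
"""

# Assumed Alfresco key for JNDI's java.naming.referral; verify for your version.
REFERRAL_KEY = "ldap.synchronization.java.naming.referral"
# Frames of the JDK LDAP provider that only appear while a referral is chased.
REFERRAL_FRAMES = ("LdapReferralContext", "LdapReferralException", "hasMoreReferrals")
COMM_EXC = re.compile(r"javax\.naming\.CommunicationException: ([A-Za-z0-9.\-]+):(\d+)")


def parse_properties(text):
    """Minimal java.util.Properties reader: the first unescaped '=' or ':' splits
    key and value; backslash escapes in values (Alfresco writes DNs as dc\\=x)
    are removed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^((?:\\.|[^=:\\])+?)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        props[m.group(1).strip()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return props


def configured_host(props, key="ldap.authentication.java.naming.provider.url"):
    """(host, port) the administrator actually pointed the subsystem at."""
    u = urlsplit(props[key])
    return u.hostname, u.port or (636 if u.scheme == "ldaps" else 389)


def dn_to_dns(dn):
    """DNS name of an AD naming context: dc=some,dc=com,dc=ua -> some.com.ua."""
    parts = [p.split("=", 1)[1].strip() for p in dn.split(",")
             if p.strip().lower().startswith("dc=")]
    return ".".join(parts).lower()


def causal_chain(trace):
    """Exception messages in 'Caused by' order, outermost first."""
    chain = []
    for line in trace.splitlines():
        if line.startswith("Caused by: "):
            chain.append(line[len("Caused by: "):])
        elif not chain and line and not line.startswith(("\t", " ", "...")):
            chain.append(line)
    return chain


def failed_endpoint(trace):
    """(host, port) named by the innermost CommunicationException, or None."""
    hits = COMM_EXC.findall(trace)
    if not hits:
        return None
    host, port = hits[-1]
    return host, int(port)


def via_referral(trace):
    """True when the failing socket was opened while following an LDAP referral."""
    frames = [l for l in trace.splitlines() if l.lstrip().startswith("at ")]
    return any(marker in f for f in frames for marker in REFERRAL_FRAMES)


def diagnose(trace, props):
    """Put the pieces together into one report dictionary."""
    configured = configured_host(props)
    failed = failed_endpoint(trace)
    # DNS names of the naming contexts the search bases are rooted at.
    bases = {dn_to_dns(v) for k, v in props.items() if k.endswith("SearchBase")}
    return {
        "configured": configured,
        "failed": failed,
        "unexpected_host": failed is not None
        and failed[0].lower() != (configured[0] or "").lower(),
        "via_referral": via_referral(trace),
        "failed_host_is_domain_nc": failed is not None and failed[0].lower() in bases,
        "referral_policy": props.get(REFERRAL_KEY, "<not set in this fragment>"),
        "chain": causal_chain(trace),
    }


if __name__ == "__main__":
    for key, value in diagnose(TRACE, parse_properties(PROPS)).items():
        print(f"{key:26} {value}")
```

When the report says via_referral is true and the failed host is the domain's own name, the choices are to root the search bases in an OU below the domain (Active Directory returns no cross-partition references below an OU), to query a Global Catalog on port 3268 (no such references, but only GC-replicated attributes are visible), or to stop following referrals, which with Active Directory can surface a PartialResultException at the end of the result set instead and therefore needs testing. Whichever is chosen, remember that following referrals means the service account's simple bind is repeated over plain ldap:// to whatever host the directory names, which is one more reason to prefer ldaps:// and a fixed set of controllers over fixing the symptom in /etc/hosts.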