LDAP and Alfresco 5.2 synchronization

fatma19
Confirmed Champ

I am currently configuring Alfresco to use an LDAP server for authentication. I followed the official documentation and updated the alfresco-global.properties file, but unfortunately synchronization with the LDAP users is not done. I am using Alfresco 5.2 and Apache LDAP, and this is my alfresco-global.properties file and the LDAP hierarchy.


###############################
## Common Alfresco Properties #
###############################
dir.root=C:/ALFRES~1/alf_data
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http
share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http
### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=admin
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# Note: your database must also be able to accept at least this many connections. Please see your database documentation for instructions on how to configure this.
db.pool.max=275
db.pool.validate.query=SELECT 1
# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN
### FTP Server Configuration ###
ftp.port=21
### RMI registry port for JMX ###
alfresco.rmi.services.port=50500
### External executable locations ###
ooo.exe=C:/ALFRES~1/LIBREO~1/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=C:\\alfresco-community\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
jodconverter.enabled=false
jodconverter.officeHome=C:/ALFRES~1/LIBREO~1/App/libreoffice
jodconverter.portNumbers=8100
### Initial admin password ###
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634
### E-mail site invitation setting ###
notification.email.siteinvite=false
### License location ###
dir.license.external=C:/ALFRES~1
### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=8443
### Allow extended ResultSet processing
security.anyDenyDenies=false
### Smart Folders Config Properties ###
smart.folders.enabled=false
### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false

### Use Alfresco authentication for admin accounts and LDAP for users ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
## When TESTING, set synchronizeChangesOnly to false
## - this will give FULL synchronization for scheduled synchs
synchronization.synchronizeChangesOnly=false
## Set up regular synchronization with the LDAP server ##
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
# When TESTING, synchronise every 5 minutes
# secs min hour dom mon dow
### Synchronisation Active Directory ###
ldap.synchronization.timestampFormat=yyyyMMddHHmmss
create.missing.people=true

*********************ldap-authentification.properties**********************

# User name format ..
ldap.authentication.active=true
ldap.authentication.userNameFormat=cn\=%s,ou\=users,o\=mojo

# IP address or name of your LDAP server - (port 389 is the default for LDAP)
ldap.authentication.java.naming.provider.url=ldap://localhost:8389

# Enable synchronisation ..
ldap.synchronization.active=true
synchronization.syncOnStartup=true
# Security ..
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=admin,ou=system
ldap.synchronization.java.naming.security.credentials=secret

# Object class names, OUs ..
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupSearchBase=cn\=%s,ou\=groups,o\=mojo
ldap.synchronization.userSearchBase=cn\=%s,ou\=users,o\=mojo

# The attribute name on people objects to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=cn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=cn
# The group type
ldap.synchronization.groupType=groupOfUniqueNames
# The person type
ldap.synchronization.personType=inetOrgPerson
# The attribute on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=uniqueMember

11 REPLIES

mehe
Elite Collaborator

I just had a quick look at your config and noticed the group and person differential queries are missing. You should set them to the same value as your full queries for a first try. Alfresco uses the differential queries, for example, on startup.

fatma19
Confirmed Champ

What are the differential queries?

mehe
Elite Collaborator

A parameter like the normal queries:

ldap.synchronization.groupDifferentialQuery
ldap.synchronization.personDifferentialQuery

Just set them according to your existing
ldap.synchronization.groupQuery / personQuery


fatma19
Confirmed Champ

In my case, do I have to add

##differential Group Query
ldap.synchronization.groupDifferentialQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.personDifferentialQuery=(objectclass\=inetOrgPerson)

Is that right?

mehe
Elite Collaborator

Yes, that should do the job.

fatma19
Confirmed Champ

2017-05-17 10:44:40,484 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-05-17 10:44:40,665 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 28 mars 2017 11:04:17 from user registry 'ldap1'
2017-05-17 10:44:41,307 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
2017-05-17 10:44:41,310 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
2017-05-17 10:44:41,323 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 8 avr. 2017 18:50:34 from user registry 'ldap1'
2017-05-17 10:44:41,344 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-05-17 10:44:41,345 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-05-17 10:44:41,386 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
2017-05-17 10:44:41,386 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 utilisateur(s) et 0 groupe(s) traité(s)

Thank you Mr Martin, it was already solved, and this is my new config:

###############################
## Common Alfresco Properties #
###############################
dir.root=C:/ALFRES~1/alf_data
alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http
share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http
### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=admin
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}
# Note: your database must also be able to accept at least this many connections. Please see your database documentation for instructions on how to configure this.
db.pool.max=275
db.pool.validate.query=SELECT 1
# The server mode. Set value here
# UNKNOWN | TEST | BACKUP | PRODUCTION
system.serverMode=UNKNOWN
### FTP Server Configuration ###
ftp.port=21
### RMI registry port for JMX ###
alfresco.rmi.services.port=50500
### External executable locations ###
ooo.exe=C:/ALFRES~1/LIBREO~1/App/libreoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
img.root=C:\\alfresco-community\\imagemagick
img.coders=${img.root}\\modules\\coders
img.config=${img.root}
img.gslib=${img.root}\\lib
img.exe=${img.root}\\convert.exe
jodconverter.enabled=false
jodconverter.officeHome=C:/ALFRES~1/LIBREO~1/App/libreoffice
jodconverter.portNumbers=8100
### Initial admin password ###
alfresco_user_store.adminpassword=209c6174da490caeb422f3fa5a7ae634
### E-mail site invitation setting ###
notification.email.siteinvite=false
### License location ###
dir.license.external=C:/ALFRES~1
### Solr indexing ###
index.subsystem.name=solr4
dir.keystore=${dir.root}/keystore
solr.host=localhost
solr.port.ssl=8443
### Allow extended ResultSet processing
security.anyDenyDenies=false
### Smart Folders Config Properties ###
smart.folders.enabled=false
### Remote JMX (Default: disabled) ###
alfresco.jmx.connector.enabled=false
### Use Alfresco authentication for admin accounts and LDAP for users ###
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
## When TESTING, set synchronizeChangesOnly to false
## - this will give FULL synchronization for scheduled synchs
synchronization.synchronizeChangesOnly=false
## Set up regular synchronization with the LDAP server ##
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
# When TESTING, synchronise every 5 minutes
# secs min hour dom mon dow
### Synchronisation Active Directory ###
ldap.synchronization.timestampFormat=yyyyMMddHHmmss

# User name format ..
ldap.authentication.active=true
ldap.authentication.userNameFormat=cn\=%s,ou\=users,o\=mojo
# IP address or name of your LDAP server - (port 389 is the default for LDAP)
ldap.authentication.java.naming.provider.url=ldap://localhost:8389
# Enable synchronisation ..
ldap.synchronization.active=true
synchronization.syncOnStartup=true
# Security ..
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid=admin,ou=system
ldap.synchronization.java.naming.security.credentials=secret
# Object class names, OUs ..
ldap.synchronization.groupQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou\=groups,o\=mojo
ldap.synchronization.userSearchBase=ou\=users,o\=mojo

ldap.synchronization.groupDifferentialQuery=(objectclass\=groupOfUniqueNames)
ldap.synchronization.personDifferentialQuery=(objectclass\=inetOrgPerson)

# The attribute name on people objects to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=uid
# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName
# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=cn
# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail
# The attribute on group objects to map to the authority name property in Alfresco
ldap.synchronization.groupIdAttributeName=cn
# The attribute on group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=cn
# The group type
ldap.synchronization.groupType=groupOfUniqueNames
# The person type
ldap.synchronization.personType=inetOrgPerson
# The attribute on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=uniqueMember

mehe
Elite Collaborator

OK, let's try to get rid of the cn\=%s in your group and person search base.

And it should be possible to comment out group and person type.
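The two fixes this thread converges on can be checked mechanically before restarting Alfresco: the differential queries must be present and equal to the full queries (mehe's answer above), and the group and user search bases must be plain DNs with no cn\=%s placeholder (mehe's last remark). The linter below is an added example, not code from the thread or from Alfresco; the property names are the real Alfresco LDAP subsystem keys that appear in the posted configs, the two sample property texts are constructed to mirror the first and the corrected attempt, and the third check is a defender's caveat on what the posted config does: a simple bind over a plain ldap:// URL sends the synchronization account's password across the network in clear text, so ldaps:// is the safer choice once the sync itself works.

```python
"""Lint an Alfresco LDAP authentication-subsystem properties file.

Added example (not Alfresco code). Checks:
  1. groupDifferentialQuery / personDifferentialQuery exist and equal the full queries
  2. group/user search bases are plain DNs (no '%s' placeholder)
  3. simple bind over unencrypted ldap:// (credentials sent in clear)
"""
import re

# Full query -> differential query, as the accepted answer recommends.
DIFFERENTIAL_PAIRS = (
    ("ldap.synchronization.groupQuery", "ldap.synchronization.groupDifferentialQuery"),
    ("ldap.synchronization.personQuery", "ldap.synchronization.personDifferentialQuery"),
)
SEARCH_BASES = ("ldap.synchronization.groupSearchBase", "ldap.synchronization.userSearchBase")
URL_KEY = "ldap.authentication.java.naming.provider.url"
MECH_KEY = "ldap.synchronization.java.naming.security.authentication"


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value,
    backslash escapes such as '\\=' unescaped; line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Key runs up to the first unescaped '=' / ':' / whitespace.
        m = re.match(r"((?:\\.|[^=:\\\s])+)\s*[=:]\s*(.*)", line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1))
        value = re.sub(r"\\(.)", r"\1", m.group(2)).strip()
        props[key] = value
    return props


def lint(props):
    """Return a list of (severity, message) findings for the parsed properties."""
    findings = []
    for full, diff in DIFFERENTIAL_PAIRS:
        if diff not in props:
            findings.append(("error", f"{diff} is missing; set it to the value of {full}"))
        elif props.get(full) != props[diff]:
            findings.append(("warning", f"{diff} differs from {full}"))
    for key in SEARCH_BASES:
        if "%s" in props.get(key, ""):
            findings.append(("error", f"{key} contains a %s placeholder; a search base must be a plain DN"))
    if props.get(URL_KEY, "").startswith("ldap://") and props.get(MECH_KEY) == "simple":
        findings.append(("warning", "simple bind over plain ldap://: the sync account's password "
                                    "is sent unencrypted; prefer an ldaps:// provider URL"))
    return findings


# Constructed sample: the first attempt in the thread, abbreviated to the relevant keys.
BEFORE = """\
ldap.authentication.java.naming.provider.url=ldap://localhost:8389
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.groupQuery=(objectclass\\=groupOfUniqueNames)
ldap.synchronization.personQuery=(objectclass\\=inetOrgPerson)
ldap.synchronization.groupSearchBase=cn\\=%s,ou\\=groups,o\\=mojo
ldap.synchronization.userSearchBase=cn\\=%s,ou\\=users,o\\=mojo
"""

# Constructed sample: the corrected attempt (differential queries added, plain search bases).
AFTER = """\
ldap.authentication.java.naming.provider.url=ldap://localhost:8389
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.groupQuery=(objectclass\\=groupOfUniqueNames)
ldap.synchronization.personQuery=(objectclass\\=inetOrgPerson)
ldap.synchronization.groupDifferentialQuery=(objectclass\\=groupOfUniqueNames)
ldap.synchronization.personDifferentialQuery=(objectclass\\=inetOrgPerson)
ldap.synchronization.groupSearchBase=ou\\=groups,o\\=mojo
ldap.synchronization.userSearchBase=ou\\=users,o\\=mojo
"""

if __name__ == "__main__":
    for label, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"== {label} ==")
        for severity, message in lint(parse_properties(text)):
            print(f"  [{severity}] {message}")
```

Run against the first attempt it reports four errors (two missing differential queries, two placeholder search bases) and the ldap:// warning; against the corrected attempt only the ldap:// warning remains, which is the one point the thread's final config does not address. To lint a real file, pass the contents of the subsystem properties file to `parse_properties`.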

leblexx
Champ in-the-making

Hello. Maybe it's off-topic, but were you able to synchronize Alfresco users to LDAP? As far as I know, Alfresco can only pull users from LDAP, but not push.