03-18-2022 11:33 AM
One of our users moved from one branch to another. We have tracked this as usual in the AD. The user reported that she sees the old branch's documents but not the new one's. We double-checked the AD (AD1 and AD2 in sync), still not working. After office hours we changed the way of synchronization to full sync ( ldap.synchronization.active=false ), not only the changes. Log here:
2022-03-17 19:15:00,221 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronizing users and groups with user registry 'ldap-ad1'
2022-03-17 19:15:00,221 WARN [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Some users and groups previously created by synchronization with this user registry may be removed.
2022-03-17 19:15:00,269 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Retrieving all groups from user registry 'ldap-ad1'
2022-03-17 19:15:00,790 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Commencing batch of 40 entries
2022-03-17 19:15:01,350 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Processed 40 entries out of 40. 1
2022-03-17 19:15:01,350 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Completed batch of 40 entries
2022-03-17 19:15:01,408 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Commenci
2022-03-17 19:15:01,409 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Processe
2022-03-17 19:15:01,409 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Complete
2022-03-17 19:15:01,409 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Retrieving all users from user registry 'ldap-ad1'
2022-03-17 19:15:01,436 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Commencing batch o
2022-03-17 19:15:01,545 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 100 entr
2022-03-17 19:15:01,602 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 200 entr
2022-03-17 19:15:01,663 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 300 entr
2022-03-17 19:15:01,718 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 400 entr
2022-03-17 19:15:01,773 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 500 entr
2022-03-17 19:15:01,831 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 600 entr
2022-03-17 19:15:02,017 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 700 entr
2022-03-17 19:15:02,017 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Completed batch of
2022-03-17 19:15:02,025 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Finished synchronizing users and groups with user registry 'ldap-ad1'
2022-03-17 19:15:02,025 INFO [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] 700 user(s) and 40 group(s) processed
So 700 users and 40 groups force-synced.
If I look at the user in the AD manager, I see 2 Alfresco groups set for her.
If I ask Alfresco about her via
https://**********.intra:8443/alfresco/service/api/people/*****?groups=true
Alfresco says she is a member of 5 groups,
0th : Group 1 from AD
1st: Group 2 from AD
2nd: not in the AD, but exists in the database table public.alf_authority
3rd: not in the AD, but exists in the database table public.alf_authority
4th: All Alfresco users group; Group 1 and Group 2 are members of this group
5th: not in the AD, but exists in the database table public.alf_authority
How to make Alfresco delete the unused groups? Kind of like starting AD sync with a blank page.
How can I get from the database what Alfresco thinks the membership of a group is? Where is the group-people relationship stored?
Version:
Relevant part of the config ( alfresco-6.2.0/tomcat/shared/classes/alfresco-global.properties ) :
### Authentication subsystem
authentication.chain=ldap-ad1:ldap-ad
authentication.allowGuestLogin=false
authentication.ticket.ticketsExpire=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@*************.intra
ldap.authentication.java.naming.provider.url=ldap://*************.intra:389
ldap.authentication.java.naming.read.timeout=0
ldap.authentication.defaultAdministratorUserNames=*************,*************,*************
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=alfresco@*************
ldap.synchronization.java.naming.security.credentials=*************
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=ou\=Alfresco,ou\=_Groups,ou\=*************,dc\=sb,dc\=intra
ldap.synchronization.userSearchBase=ou\=*************,dc\=sb,dc\=intra
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
synchronization.synchronizeChangesOnly=true
synchronization.import.cron=0 0/5 * * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.SyncOnStartup=true
synchronization.autoCreatePeopleOnLogin=false
synchronization.loggingInterval=100
synchronization.workerThreads=1
synchronization.allowDeletions=true
synchronization.syncDelete=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap-ad1
03-23-2022 09:58 AM
SOLVED: ad sync synchronized group names with space differently, originally space omitted, now replaced with underscore.
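Added example, not code from the thread or from Alfresco: a reconciliation check that buckets the groups the people API reports for a user against the user's AD groups, allowing for both space-handling conventions the fix identified (space omitted vs. underscore), so stale groups that still grant old-branch access stand out. The JSON shape (a "groups" list of itemName/displayName objects) and the AD group names are constructed assumptions.

```python
import json

# Constructed sample in the shape assumed for
# /alfresco/service/api/people/{user}?groups=true; not a capture from the thread.
PEOPLE_API_JSON = """{
  "userName": "jdoe",
  "groups": [
    {"itemName": "GROUP_Branch_North", "displayName": "Branch_North"},
    {"itemName": "GROUP_Finance_Team", "displayName": "Finance_Team"},
    {"itemName": "GROUP_BranchSouth",  "displayName": "BranchSouth"},
    {"itemName": "GROUP_FinanceTeam",  "displayName": "FinanceTeam"},
    {"itemName": "GROUP_EVERYONE",     "displayName": "EVERYONE"},
    {"itemName": "GROUP_Project_X",    "displayName": "Project_X"}
  ]
}"""

# Constructed: group cn values the AD manager shows for the same user today.
AD_GROUPS = ["Branch North", "Finance Team"]


def current_name(cn):
    """Form the LDAP sync produces now: spaces replaced with underscore."""
    return cn.replace(" ", "_")


def legacy_name(cn):
    """Form the sync produced earlier: spaces dropped."""
    return cn.replace(" ", "")


def classify_groups(people_json, ad_groups, builtin=("GROUP_EVERYONE",)):
    """Bucket each Alfresco group of the user by how it relates to AD."""
    current = {current_name(cn) for cn in ad_groups}
    legacy = {legacy_name(cn) for cn in ad_groups} - current
    result = {"current": [], "legacy_name": [], "not_in_ad": [], "builtin": []}
    for g in json.loads(people_json)["groups"]:
        item = g["itemName"]
        name = item[len("GROUP_"):] if item.startswith("GROUP_") else item
        if item in builtin:
            result["builtin"].append(item)        # Alfresco-internal, never in AD
        elif name in current:
            result["current"].append(item)        # matches an AD group as synced now
        elif name in legacy:
            result["legacy_name"].append(item)    # stale copy under the old naming
        else:
            result["not_in_ad"].append(item)      # no matching AD group at all
    return result


if __name__ == "__main__":
    for bucket, groups in classify_groups(PEOPLE_API_JSON, AD_GROUPS).items():
        print(f"{bucket:12s} {groups}")
```

Anything in the legacy_name or not_in_ad buckets is a membership AD no longer grants, which is what the "5 groups vs 2 in AD" mismatch above looks like when listed out.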