06-15-2020 04:07 AM
Hi Team,
I have configured LDAP using the properties below:
### Ldap : Synchronization ###
ldap.synchronization.active=true
###### LDAP configuration ############
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@xyz.in
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<ip adress>:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
synchronization.syncOnStartup=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=username
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=objectclass\=user
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc\=XYZ,dc\=IN
ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
As per alfresco.log, I can see all the groups and users are synced in Alfresco.
But when I search with '*' in admin tools --> users, I can see only 813 users available. As per my knowledge, the organization has more than 15000 active AD users.
In the alfresco.log file, it says :
2020-06-15 11:52:18,428 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 81803 entries out of 81803. 100% complete. Rate: 67216 per second. 0 failures detected.
Questions:
1. How can I sync all the available active users of AD?
2. I am getting the below-mentioned warning for multiple groups and users:
2020-06-15 11:33:17,119 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Google_Meet_POC_Group' with distinguished name: CN=Gowtham B A 90000054,OU=Users,OU=QMM-Migrated User,OU=XYZ Users,DC=xyz,DC=in
So, how to sync users/groups which have multiple OUs?
3. Is there any API available through which we can identify the number of synced users from LDAP?
4. While the server is starting, it prints the logs below:
2020-06-15 11:42:27,849 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Apr 15, 2020 2:38:57 PM from user registry 'ldap-ad1'
How to sync with the latest data?
Thanks,
Hardik
06-15-2020 11:41 AM
Are you sure
ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN
contains all the users referenced in the groups as member? You could check your query using https://directory.apache.org/studio/
Additionally: are your group names unique?
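One way to run the search-base check suggested above directly against alfresco.log, as an added example that is not part of the original thread: it groups the "Failed to resolve member" warnings by container and reports whether each DN lies under the configured `userSearchBase`. The sample log lines and their names are constructed, and `triage`, `is_under` and `split_dn` are hypothetical helper names.

```python
import re
from collections import Counter

# Shape of the LDAPUserRegistry warning quoted in the question.
WARN_RE = re.compile(r"Failed to resolve member of group '([^']+)' "
                     r"with distinguished name: (.+)$")

# Constructed sample lines modeled on the thread's log (all names are made up).
PREFIX = ("2020-06-15 11:33:17,119 WARN [org.alfresco.repo.security.sync.ldap."
          "LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group ")
SAMPLE_LOG = [
    PREFIX + "'Group_A' with distinguished name: CN=Sample User 1,OU=Users,OU=XYZ Users,DC=xyz,DC=in",
    PREFIX + "'Group_B' with distinguished name: CN=Sample User 2,OU=Users,OU=XYZ Users,DC=xyz,DC=in",
    PREFIX + "'Group_A' with distinguished name: CN=Sample Contact,OU=Partners,DC=example,DC=test",
    "2020-06-15 11:52:18,428 INFO [security.sync.ChainingUserRegistrySynchronizer] User Association: 100% complete.",
]

def split_dn(dn):
    """Split a DN into lowercased RDNs, leaving backslash-escaped commas intact."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        key, _, value = part.partition("=")
        if key.strip():
            rdns.append(f"{key.strip()}={value.strip()}".lower())
    return rdns

def is_under(dn, base):
    """True when the DN ends with every RDN of the base (case-insensitive)."""
    d, b = split_dn(dn), split_dn(base)
    return bool(b) and len(d) >= len(b) and d[len(d) - len(b):] == b

def triage(log_lines, search_base):
    """Count unresolved member DNs per parent container, inside vs outside the base."""
    base = search_base.replace("\\=", "=")  # undo the properties-file escaping of '='
    result = {"inside": Counter(), "outside": Counter()}
    for line in log_lines:
        match = WARN_RE.search(line)
        if match:
            dn = match.group(2).strip()
            container = ",".join(split_dn(dn)[1:])
            result["inside" if is_under(dn, base) else "outside"][container] += 1
    return result

if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG, "dc\\=XYZ,dc\\=IN").items():
        for container, n in counts.most_common():
            print(f"{bucket:8} {n:5} {container}")
```

A DN reported as "inside" cannot be explained by the search base alone, while "outside" containers are the ones the configured base does not cover.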
06-15-2020 12:53 PM
Hi @heiko_robert ,
In Apache Directory Studio, under "Root DSE", I can see 3 different
dc\=XYZ,dc\=IN
There are unique group names also.
I didn't have much idea about how to run queries in studio.
Thanks,
Hardik
08-30-2020 04:41 AM
Hi @heiko_robert
I have verified that all the users are part of
dc\=XYZ,dc\=IN
In the LDAP, more than 15000 active users are there, but in the admin-console --> users section, when I search with *, it provides max. 5000 results.
How to view all the active users list?
During individual search, I can't get result for many users.
Is there any other configuration required?
Thanks,
Hardik
11-27-2023 05:50 AM
Solved?