Synchronise users with their groups LDAP AD configuration

yacinezr
Champ on-the-rise

Hello,
I have a synchronisation problem between LDAP Active Directory and Alfresco.
I can successfully synchronise all the groups and all the users, but unfortunately all the groups are empty.
Can you please help me find a solution to import users into their appropriate groups?

alfresco-global.properties : alfresco community 5.2 201701


### authentication.chain=alfinst:alfrescoNtlm,ldap1:lda
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm

### Ntlm ###
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false

### Synchronisation Active Directory ###
synchronization.import.cron=0 0/59 21-23 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true

ldap-authentication.properties

ldap.authentication.active=true
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.synchronization.java.naming.security.principal=CN=OVDI,OU=System Users,DC=domain,DC=biz
ldap.synchronization.java.naming.security.credentials=123456789
ldap.synchronization.groupSearchBase=dc=domain,dc=biz
ldap.synchronization.userSearchBase=dc=domain,dc=biz

# How to map the user id entered by the user to that passed through to LDAP
ldap.authentication.userNameFormat=%s@domain.biz
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.biz:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=100
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(objectclass\=person)
ldap.synchronization.personDifferentialQuery=(objectclass\=person)
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=ou
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=person
ldap.synchronization.groupMemberAttributeName=members
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
synchronization.synchronizeChangesOnly=false

As you can see in these images, I could import groups and users,
but all the groups are empty.

1 ACCEPTED ANSWER

yacinezr
Champ on-the-rise
Thank you Mr Axel Faust, the problem is solved and this is my new config.

alfresco-global.properties : alfresco community 5.2 201701

### authentication.chain=alfinst:alfrescoNtlm,ldap1:lda
authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm

### Ntlm ###
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false



ldap-authentication.properties

ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@domain.biz
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.biz:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=administrator

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=OVDI,OU=System Users,DC=domain,DC=biz
ldap.synchronization.java.naming.security.credentials=*******
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(&(objectclass\=person)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc=domain,dc=biz
ldap.synchronization.userSearchBase=dc=domain,dc=biz

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

ldap.synchronization.groupType=group
ldap.synchronization.personType=person
ldap.synchronization.groupMemberAttributeName=member

Alfresco Explorer: Alfresco Authentication and Integration with Active Directory 


7 REPLIES

afaust
Legendary Innovator

I am wondering why you have used the ldap-authentication.properties file for customisation and activated the LDAP subsystem - since you want to integrate with Active Directory you should have used the ldap-ad-authentication.properties file (in tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/) and activated the LDAP-AD subsystem (authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm)

yacinezr
Champ on-the-rise

Thanks Alex for the response :)
I will try to use ldap-ad-authentication.properties.


ilyass
Champ in-the-making

Hi Yacine,

I tried your final config and it doesn't work for me (I have version 5.0.d).

I still can't find my users when I look at my AD groups from Alfresco!!

Do you have any idea? Do I need to adopt a specific structure in my AD for the synchronisation to work correctly?

Here is an idea of my current structure:

Alfresco (OU)

      -- groups (OU)

              -- groupe_rabat (CN)

              -- groupe_casa (CN)

      -- people (OU)

              -- user_rabat (CN)

              -- user_casa (CN)

I can log in fine with my LDAP users from Alfresco and I do find my groups, but the link between user and group is not synchronised, even though I have it in my LDAP (user_rabat is a member of groupe_rabat and user_casa is a member of groupe_casa).

Thanks a lot

afaust
Legendary Innovator

It would be polite to join a conversation in the language that has been used so far. Now people may have to use Google Translate (as I am doing right now) just to understand your message and respond to you, with all the potential translation errors...
You do not need a specific user / group structure in AD to be able to synchronise, as long as you have one root tree that contains all users and one that contains all groups (it actually can be the same root). Synchronisation of the link between users and groups depends on the ldap.synchronization.groupMemberAttributeName setting which by default is set to "member".

ilyass
Champ in-the-making

OK, I'm really sorry.
I spoke to Yacine because I thought he speaks my mother tongue and that it would be easier to explain the problem exactly.
I apologize once again.
So what do you think about the value of this parameter? Should I keep the default one (="Member")?

afaust
Legendary Innovator

Most certainly, unless your LDAP / AD uses a completely different directory schema. If you pick a different value and the LDAP / AD uses the default schema, you will end up not synchronizing (and even losing) user-group relationships.
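The accepted answer's config and Axel Faust's two replies come down to one setting: ldap.synchronization.groupMemberAttributeName has to name the attribute in which AD actually stores membership, which is "member". The first post used "members", an attribute that does not exist in the AD schema, so every synchronised group resolved to an empty member list. The script below is an added example, not Alfresco's code and not anything posted in the thread: it evaluates the thread's groupQuery and personQuery filters (after undoing the backslash escaping the .properties files need) against a constructed in-memory directory laid out like ilyass's OU structure, and resolves member DNs to user ids the way the sync does, so the effect of each setting can be seen without a domain controller. The person()/group() helpers, the DIRECTORY entries, the account names and the flag values are all constructed. The STRICT variant goes beyond the thread: the accepted answer's userAccountControl:1.2.840.113556.1.4.803:=512 test only requires the NORMAL_ACCOUNT bit, so disabled accounts (ACCOUNTDISABLE, bit value 2) still sync; adding (!(userAccountControl:1.2.840.113556.1.4.803:=2)) excludes them.

```python
"""Added model of Alfresco's LDAP-AD sync steps (person query, group query, member-DN
resolution) over a constructed in-memory directory. Example code, not Alfresco's."""
import re

BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND, AD extensible match
NORMAL_ACCOUNT, ACCOUNTDISABLE = 512, 2  # userAccountControl flag bits
BASE = "OU=Alfresco,DC=domain,DC=biz"    # constructed, laid out like ilyass's OUs

def person(name, uac):
    return {"dn": f"CN={name},OU=people,{BASE}", "objectclass": ["top", "person", "user"],
            "sAMAccountName": name, "userAccountControl": uac}

def group(name, *members):
    return {"dn": f"CN={name},OU=groups,{BASE}", "objectclass": ["top", "group"],
            "cn": name, "member": [f"CN={m},OU=people,{BASE}" for m in members]}

DIRECTORY = [  # constructed sample entries, not real data
    person("user_rabat", NORMAL_ACCOUNT),
    person("user_casa", NORMAL_ACCOUNT | ACCOUNTDISABLE),  # disabled account
    person("svc_scan", NORMAL_ACCOUNT | 65536),            # DONT_EXPIRE_PASSWORD
    group("groupe_rabat", "user_rabat", "svc_scan"),
    group("groupe_casa", "user_casa"),
]

# The sync keys that matter here, copied from the thread's first and accepted configs.
ORIGINAL = {
    "ldap.synchronization.groupQuery": r"(objectclass\=group)",
    "ldap.synchronization.personQuery": r"(objectclass\=person)",
    "ldap.synchronization.groupMemberAttributeName": "members",  # not an AD attribute
    "ldap.synchronization.userIdAttributeName": "sAMAccountName",
    "ldap.synchronization.groupIdAttributeName": "cn",
}
FIXED = dict(ORIGINAL, **{
    "ldap.synchronization.personQuery":
        r"(&(objectclass\=person)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
    "ldap.synchronization.groupMemberAttributeName": "member",
})
STRICT = dict(FIXED, **{  # beyond the thread: also exclude ACCOUNTDISABLE accounts
    "ldap.synchronization.personQuery":
        r"(&(objectclass\=person)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)"
        r"(!(userAccountControl\:1.2.840.113556.1.4.803\:\=2)))",
})

def unescape_property(value):
    """Undo the backslash escaping '=' and ':' carry inside Alfresco .properties values."""
    return re.sub(r"\\([=:])", r"\1", value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here (&, |, !, equality, extensible match)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            pos += 1  # closing ')'
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if attr.endswith(":"):  # attr:matchingRuleOID:=value
            name, rule, _ = attr.split(":")
            return ("ext", name, rule, value)
        return ("eq", attr, value)
    result = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return result

def attr_values(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are); always a list."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []

def matches(entry, node):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in attr_values(entry, node[1]))
    if kind == "ext" and node[2] == BIT_AND:  # true when every bit of the value is set
        mask = int(node[3])
        return any(int(v) & mask == mask for v in attr_values(entry, node[1]))
    raise ValueError(f"unsupported filter node {node!r}")

def sync(directory, config):
    """Return (sorted user ids, {GROUP_<cn>: sorted member user ids}) as the sync would."""
    person_q = parse_filter(unescape_property(config["ldap.synchronization.personQuery"]))
    group_q = parse_filter(unescape_property(config["ldap.synchronization.groupQuery"]))
    uid_attr = config["ldap.synchronization.userIdAttributeName"]
    gid_attr = config["ldap.synchronization.groupIdAttributeName"]
    member_attr = config["ldap.synchronization.groupMemberAttributeName"]
    people = {e["dn"].lower(): attr_values(e, uid_attr)[0]
              for e in directory if matches(e, person_q)}
    groups = {}
    for e in directory:
        if matches(e, group_q):
            gid = "GROUP_" + attr_values(e, gid_attr)[0]  # Alfresco's group authority prefix
            member_dns = attr_values(e, member_attr)       # [] when the attribute name is wrong
            groups[gid] = sorted(people[d.lower()] for d in member_dns if d.lower() in people)
    return sorted(people.values()), groups

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("accepted", FIXED), ("strict", STRICT)):
        print(label, *sync(DIRECTORY, cfg))
```

Run it and the ORIGINAL config returns both groups with empty member lists, which is exactly the symptom in the first post; FIXED fills them, and STRICT drops the disabled user_casa so that its group comes back empty for a legitimate reason. One caveat a practitioner would add that the thread does not touch: both posted configs bind with security.authentication=simple over ldap://dc01.domain.biz:389, which sends the sync account's password in cleartext on the wire. On a real deployment point provider.url at ldaps:// (or enable StartTLS) and give the sync principal a read-only, least-privilege account.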