LDAP and people synchronisation not working

simon
Champ in-the-making
Hi Alfresco,

We are trying to enable people (and group) synchronisation with LDAP. It's not working as expected, but you have probably guessed that by now. First we would like to enable people synchronisation; group support will follow later, but let's keep it as simple as possible for now.

The configuration is based on the documentation we found in the WIKI.

1. The Alfresco system is not available when all the configuration references for group synchro are commented out. There are no errors in the log and even the login page is not available. This problem is solved when I uncomment the group configuration parameters, strange…

2.  Changed the ldap-authentication-context.xml file (the other sections in this file are left alone) like this:

<bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
        <property name="personQuery">
            <value>(objectclass=Person)</value>
        </property>
        <property name="searchBase">
            <value>dc=company,dc=be</value>
        </property>
        <property name="userIdAttributeName">
            <value>cn</value>
        </property>
         <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory" />
        </property>
        <property name="personService">
            <ref bean="personService"></ref>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService" />
        </property>
        <property name="defaultHomeFolder">
            <value>/app:company_home</value>
        </property>
        <property name="attributeMapping">
            <map>
                <entry key="cm:userName">
                    <value>cn</value>
                </entry>
                <entry key="cm:firstName">
                    <value>givenName</value>
                </entry>
                <entry key="cm:lastName">
                    <value>sn</value>
                </entry>
                <entry key="cm:email">
                    <value>mail</value>
                </entry>
                <entry key="cm:organizationId">
                    <value>cn</value>
                </entry>
            </map>
        </property>
    </bean>

3. Uncommented the relevant part in the scheduled-jobs-context.xml. Remember the "leave the group support for now":

<ref bean="ldapPeopleTrigger" />

4. Reboot the server and wait (startDelay parameter does its job).

5. Job starts running and outputs the following error:

15:42:30,371 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.alfresco.repo.importer.ExportSourceImporterException: Failed to import
        at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:165)
        at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:36)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:191)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:516)
Caused by: java.lang.NullPointerException
        at org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource.generateExport(Unknown Source)
        at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:149)
        … 3 more
15:42:30,371 ERROR [org.quartz.core.ErrorLogger] Job (DEFAULT.ldapPeopleJobDetail threw an exception.
org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: org.alfresco.repo.importer.ExportSourceImporterException: Failed to import]
        at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:516)
* Nested Exception (Underlying Cause) —————
org.alfresco.repo.importer.ExportSourceImporterException: Failed to import
        at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:165)
        at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:36)
        at org.quartz.core.JobRunShell.run(JobRunShell.java:191)
        at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:516)
Caused by: java.lang.NullPointerException
        at org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource.generateExport(Unknown Source)
        at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:149)
        … 3 more

We traced the connections between the Alfresco server and Active Directory with tcpdump and could see "some" activity, so there is "a" connection. Don't know what's transferred and if this is relevant or not.

Could the NullPointerException have anything to do with these settings in the ldap-authentication-context.xml file?
<property name="storeRef">
<value>${alfresco_user_store.store}</value>
</property>
<property name="path">
<value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
</property>

Anyone experienced the same problems? We use the Enterprise 1.2 version on Linux.

Thanks!
24 REPLIES

andy
Champ on-the-rise
Hi

1.2.0 has an issue with groups that contain no member attributes, which you have found. 1.2.1 fixes this.

The error occurs while extracting the ldap group information and before the xml file is constructed.

There are two fixes:
1) Upgrade to 1.2.1
2) Remove the groups that do not have members
3) Extend the ldap query so it does not find groups that do not have members; as soon as they have members they will start to appear



<property name="groupQuery">
    <value>(objectclass=group)</value>
</property>

becomes:

<!-- Inside the Spring XML file the '&' of the AND filter must be written as
     the entity '&amp;', otherwise the file is not well-formed XML and the
     context fails to load. The filter itself contains no whitespace between
     the two components, as RFC 4515 requires. -->
<property name="groupQuery">
    <value>(&amp;(objectclass=group)(member=*))</value>
</property>

This should return groups that have members defined

(member=*) is a presence filter that requires any value for the member attribute

(&()()) "ands" multiple filters together


Option 3 should be easiest.

Regards

Andy
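As an added example that is not part of the thread or of Alfresco's own code: the script below builds the filters Andy describes with RFC 4515 escaping (so a value taken from user input cannot rewrite the filter), checks what a Spring XML parser actually hands over when the `&` of the AND filter is written raw versus as `&amp;`, and shows a group export step that treats a group without a `member` attribute as empty instead of failing on it. The bean snippets, the directory entries and the `export_groups` function are constructed for the illustration and are not Alfresco internals.

```python
"""Added example (not Alfresco's code): LDAP filter construction with
RFC 4515 escaping, XML escaping of '&' in the Spring bean, and a group
export that tolerates groups with no 'member' attribute.
All names, bean snippets and directory entries here are constructed."""
import xml.etree.ElementTree as ET


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value embedded in a filter.
    Without it a value such as 'ext)(objectclass=*' would change the
    meaning of the filter (LDAP filter injection)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def equals(attr: str, value: str) -> str:
    """Equality match with the value escaped."""
    return '(%s=%s)' % (attr, escape_filter_value(value))


def presence(attr: str) -> str:
    """Presence filter: matches entries that have any value for attr."""
    return '(%s=*)' % attr


def and_filter(*parts: str) -> str:
    """'(&...)' ands the parts; RFC 4515 allows no whitespace between them."""
    return '(&' + ''.join(parts) + ')'


# The query suggested above: only groups that have at least one member.
GROUPS_WITH_MEMBERS = and_filter(equals('objectclass', 'group'),
                                 presence('member'))


def group_query_from_bean(xml_text: str):
    """Return the groupQuery value an XML parser hands to Spring, or None
    when the snippet is not well-formed (a bare '&' in XML text is an error)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext('value')


# Constructed bean snippets: raw '&' versus the '&amp;' entity.
BEAN_RAW = ('<property name="groupQuery">'
            '<value>(&(objectclass=group)(member=*))</value></property>')
BEAN_ESCAPED = ('<property name="groupQuery">'
                '<value>(&amp;(objectclass=group)(member=*))</value></property>')

# Constructed directory entries: a group with a member, an empty group
# (no 'member' attribute at all) and a group pointing at a missing DN.
SAMPLE_ENTRIES = [
    {'dn': 'cn=alice,ou=people,dc=company,dc=be',
     'objectclass': 'person', 'cn': 'alice'},
    {'dn': 'cn=internals,ou=groups,dc=company,dc=be',
     'objectclass': 'group', 'cn': 'internals',
     'member': ['cn=alice,ou=people,dc=company,dc=be']},
    {'dn': 'cn=externals,ou=groups,dc=company,dc=be',
     'objectclass': 'group', 'cn': 'externals'},
    {'dn': 'cn=legacy,ou=groups,dc=company,dc=be',
     'objectclass': 'group', 'cn': 'legacy',
     'member': ['cn=bob,ou=people,dc=company,dc=be']},
]


def export_groups(entries, error_on_missing_members=False):
    """Constructed stand-in for the group export step: map group cn to the
    member DNs that resolve to known entries. A group without a 'member'
    attribute becomes an empty group rather than raising; a member DN that
    does not exist is skipped, or raises when error_on_missing_members is
    True (the behaviour of the setting of that name mentioned in the thread)."""
    known = {e['dn'] for e in entries}
    groups = {}
    for e in entries:
        if e.get('objectclass') != 'group':
            continue
        members = e.get('member') or []   # attribute absent -> empty list
        resolved = []
        for dn in members:
            if dn in known:
                resolved.append(dn)
            elif error_on_missing_members:
                raise ValueError('group %s refers to missing DN %s' % (e['cn'], dn))
        groups[e['cn']] = resolved
    return groups


if __name__ == '__main__':
    print(GROUPS_WITH_MEMBERS)
    print(group_query_from_bean(BEAN_RAW), group_query_from_bean(BEAN_ESCAPED))
    print(export_groups(SAMPLE_ENTRIES))
```

Running it prints the AND filter, then `None` for the raw-`&` bean (the parser rejects it) beside the filter string recovered from the `&amp;` version, and finally the exported groups with `externals` present but empty.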

simon
Champ in-the-making
Oops, something went wrong when you posted the message…

Our only way out is to upgrade to 1.2.1. It may sound strange, but we need these empty groups. We have empty groups to store externals who join our teams for a few months or years, so when I create a space I add the internal and the external group. This external group may be empty at the moment but is filled when someone joins the team (e.g. an external consultant). The group will be empty again when he/she leaves the company. In this way we don't have to change any of the security settings when the team changes over time.

Filtering out these groups is not an option but it's interesting to know that we can restrict the query with this attribute parameter…

andy
Champ on-the-rise
Hi Simon

It is possible that a group that contains a member which is an invalid DN will be a workaround. This should be handled correctly and produce only a warning if the DN is missing (if the errorOnMissingMembers attribute on the LDAPGroupExportSource is set to false, as it is by default).


This should give you the empty groups.
Again, I do not have time to test it.

Regards

Andy

andy
Champ on-the-rise
Hi

This will be a limit on the AD LDAP result set size (or may be the query time). Paging is on the todo list. Solutions have been posted on the forums before if you need paging today.

Andy