Hi all,
I'm having a problem in alfresco community edition v5.2.0.
I have set up LDAP authentication and can log in using LDAP users, however if I navigate to Admin Tools -> Users and search for a user contained in LDAP, nothing comes up.
Bizarrely though, if I search for the same user under the People tab it shows up fine.
I am able to browse groups in Admin Tools -> Groups, and searching for groups to add to a site works fine.
This is from the alfresco logs:
2017-03-16 11:34:05,117 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Synchronization' subsystem, ID: [Synchronization, default]
2017-03-16 11:34:05,388 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-03-16 11:34:05,451 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 03-Aug-2015 16:13:45 from user registry 'ldap1'
2017-03-16 11:34:05,530 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
2017-03-16 11:34:05,531 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
2017-03-16 11:34:05,543 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 15-Mar-2017 11:43:57 from user registry 'ldap1'
2017-03-16 11:34:05,559 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
2017-03-16 11:34:05,559 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
2017-03-16 11:34:05,597 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
2017-03-16 11:34:05,597 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 0 group(s) processed
2017-03-16 11:34:05,686 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete
The only thing of note in the ldap logs was:
Mar 16 11:33:50 modalfresco slapd[1252]: conn=1001 op=0 do_bind: invalid dn (daftAsABrush)
A similar problem was reported here but the solr indexing lines in alfresco-global.properties were as suggested they should be.
Any ideas?
Also, should the LDAP sync work both ways? As in should users created in alfresco be added into LDAP?
I see 0 users and groups being synchronized. I'm wondering if your person and group queries are specified correctly.
It is strange that you can see users in the people tab but not in the admin console.
Are you able to authenticate against Alfresco as an LDAP-managed user?
As to your second question, no, the integration is one-way. Any users or groups you add to Alfresco will always remain in Alfresco and will not be written back to LDAP.
Thanks for your swift reply. Yes, authenticating with an LDAP-managed user works fine, and works immediately when a user is added in LDAP. In terms of adding users/groups to sites, all works fine; it just seems to be the Admin Tools -> Users area where I can't see any users (I can browse groups fine here).
The user/group query was my initial thought, the lines in question in ldap-authentication.properties look like this:
# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectClass\=groupOfNames)
# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectClass\=groupOfNames)(!(modifyTimestamp<\={0})))
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(objectClass\=inetOrgPerson)
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectClass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
I added a new user and a new group in LDAP to test the sync and it seems to have picked up on them; the alfresco sync log now reads:
2017-03-17 09:21:19,577 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Starting 'Synchronization' subsystem, ID: [Synchronization, default]
2017-03-17 09:21:19,823 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-03-17 09:21:19,889 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 03-Aug-2015 16:13:45 from user registry 'ldap1'
2017-03-17 09:21:19,936 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 1 entries
2017-03-17 09:21:19,942 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 142 per second. 0 failures detected.
2017-03-17 09:21:19,942 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 1 entries
2017-03-17 09:21:20,078 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Commencing batch of 1 entries
2017-03-17 09:21:20,604 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Processed 1 entries out of 1. 100% complete. Rate: 1 per second. 0 failures detected.
2017-03-17 09:21:20,604 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Completed batch of 1 entries
2017-03-17 09:21:20,611 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 15-Mar-2017 11:43:57 from user registry 'ldap1'
2017-03-17 09:21:20,618 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 1 entries
2017-03-17 09:21:21,153 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 1 entries out of 1. 100% complete. Rate: 1 per second. 0 failures detected.
2017-03-17 09:21:21,153 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 1 entries
2017-03-17 09:21:21,186 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
2017-03-17 09:21:21,186 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 1 user(s) and 1 group(s) processed
2017-03-17 09:21:21,248 INFO [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete
I did have to pull the ldap-authentication.properties from here community-edition-old/ldap-authentication.properties at master · Alfresco/community-edition-old · Gi... as it was absent from the WEB-INF/classes/alfresco/subsystems folder, LDAP integration was configured according to this guide Configuring LDAP | Alfresco Documentation
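The two sync logs in this thread differ only in the "changed since" timestamps and the batch counts, and reading those by eye is error-prone. The following is an added example, not code from the thread or from Alfresco: a small parser for ChainingUserRegistrySynchronizer lines that pulls out the registry name, the per-type "changed since" timestamps (the sync is differential, so a run that processes 0 entries only means nothing changed since that time, not that the queries are wrong), the processed/failure counts per stage, and the final totals. The sample lines are constructed after the ones posted above, with one failure count changed so the diagnosis path is exercised.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the sync log posted in this thread.
# The "2 failures detected" value is invented so that diagnose() has something to flag.
SAMPLE_LOG = """\
2017-03-17 09:21:19,823 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-03-17 09:21:19,889 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 03-Aug-2015 16:13:45 from user registry 'ldap1'
2017-03-17 09:21:19,942 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 1 entries out of 1. 100% complete. Rate: 142 per second. 0 failures detected.
2017-03-17 09:21:20,604 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Processed 1 entries out of 1. 100% complete. Rate: 1 per second. 0 failures detected.
2017-03-17 09:21:20,611 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 15-Mar-2017 11:43:57 from user registry 'ldap1'
2017-03-17 09:21:21,153 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 1 entries out of 1. 100% complete. Rate: 1 per second. 2 failures detected.
2017-03-17 09:21:21,186 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 1 user(s) and 1 group(s) processed
"""

# A constructed "nothing changed" run, like the first log in the thread.
ZERO_LOG = """\
2017-03-16 11:34:05,451 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 03-Aug-2015 16:13:45 from user registry 'ldap1'
2017-03-16 11:34:05,543 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 15-Mar-2017 11:43:57 from user registry 'ldap1'
2017-03-16 11:34:05,597 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] 0 user(s) and 0 group(s) processed
"""

SINCE_RE = re.compile(r"Retrieving (groups|users) changed since "
                      r"(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) from user registry '([^']+)'")
STAGE_RE = re.compile(r"id2=(\d+) (.+?): Processed (\d+) entries out of (\d+)\..*?(\d+) failures detected")
TOTAL_RE = re.compile(r"(\d+) user\(s\) and (\d+) group\(s\) processed")


def parse_sync_log(text):
    """Reduce a run of synchronizer log lines to a summary dict."""
    summary = {"registry": None, "since": {}, "stages": {}, "totals": None}
    for line in text.splitlines():
        if m := SINCE_RE.search(line):
            kind, stamp, registry = m.groups()
            summary["registry"] = registry
            # Differential queries use this timestamp as {0} in *DifferentialQuery.
            summary["since"][kind] = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S")
        elif m := STAGE_RE.search(line):
            stage_id, name, done, total, failures = m.groups()
            summary["stages"][name] = {"id": int(stage_id), "processed": int(done),
                                       "total": int(total), "failures": int(failures)}
        elif m := TOTAL_RE.search(line):
            summary["totals"] = {"users": int(m.group(1)), "groups": int(m.group(2))}
    return summary


def diagnose(summary):
    """Turn the summary into a list of plain-language observations."""
    notes = []
    totals = summary["totals"] or {}
    if totals and not any(totals.values()):
        when = ", ".join(f"{k} since {v:%Y-%m-%d %H:%M:%S}" for k, v in summary["since"].items())
        notes.append(f"0 entries processed: the differential queries only fetch entries modified "
                     f"after the last successful run ({when}); change a test entry in LDAP to "
                     f"confirm the queries match, rather than assuming they are wrong")
    for name, st in summary["stages"].items():
        if st["failures"]:
            notes.append(f"{name}: {st['failures']} failures in {st['total']} entries; "
                         f"look for ERROR/WARN lines from the same thread around this stage")
    return notes


if __name__ == "__main__":
    for label, log in (("full run", SAMPLE_LOG), ("empty run", ZERO_LOG)):
        s = parse_sync_log(log)
        print(label, s["totals"], diagnose(s))
```

Point the parser at the Synchronization subsystem's lines from alfresco.log (grep for ChainingUserRegistrySynchronizer); everything else is ignored.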
If you can log in as an LDAP user, and you can pick LDAP-managed users in dialogs, you should definitely be able to search for and find users in the admin console users panel as long as you are logged in as an administrator.
I just configured my local 5.2.0 CE install (201702-GA) to authenticate against my local ApacheDS 2.0.0 directory and sync and auth work fine. I am also able to search for users using first name, last name, and user name with no problem.
Is the rest of your Alfresco repository working fine? Can you upload new documents, set properties, search/find documents?
The user search in the people tab works fine, just not in the Admin Tools area, very strange.
Also, on closer inspection I have noticed the Groups are being synced across but not the members of the groups.
I was doing some testing and added a group to a site in alfresco. After adding a user to that group in LDAP, the user couldn't see the site. I checked in the Groups browser in Admin Tools and none of the users added to the groups are showing.
A number of groups have members, which made me think the groups were being synced successfully, but I think these might have been added in alfresco by another user who was doing some testing.
The rest of the repository works fantastically, document upload, properties, search etc. is all fine.
Regarding the group membership, check to see what your LDAP directory uses for group membership. Some use "member" and some use "uniqueMember". The ldap.synchronization.groupMemberAttributeName has to be set accordingly.
On Fri, Mar 17, 2017 at 11:38 AM, katie.macintyre <community@alfresco.com>
The Member name attribute was set correctly, the issue was the objectClass of the groups, for some reason this contained groupOfNames and top. Removing "top" from the objectClass allowed all the group members to sync successfully.
Still not seeing any LDAP users in Admin Tools -> Users, but this is a minor niggle as they can all be searched in the People tab.
Many thanks for your help!
I am facing the same problem here.
Inspecting the communication between share and alfresco, I noticed the following:
The webscript being called is alfresco/api/people
people: [426 items here]
paging Object
maxItems: 426
totalItems: 426
skipCount: 0
No parameters are sent to Alfresco in this case.
people [empty array, when it should have 1 item]
paging Object
maxItems: 0
totalItems: 1
skipCount: 0
Parameters are as:
filter "valid-userlogin [hint:useCQ]"
startIndex "0"
pageSize "0"
people [empty array, when it should have 401 items]
paging Object
maxItems: 0
totalItems: 401
skipCount: 0
Parameters are as:
filter "% [hint:useCQ]"
startIndex "0"
pageSize "0"
I am still trying to figure out what is going on here.
By the way, this is an Alfresco 5.2.f, with Share 5.2.f.
The database is PostgreSQL
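The three exchanges above can be checked mechanically: the `paging` object the repository returns should agree with the request parameters, and the two failing calls both carry `pageSize "0"` and come back with `maxItems: 0` while `totalItems` is non-zero. The following is an added example, not code from the thread or from Alfresco or Share: it splits the Share-style `filter` value into the search term and its `[hint:...]` suffixes, then compares each request/response pair for internal consistency. The request/response pairs are constructed to match the values reported above (the 426 names are generated placeholders).

```python
import re

# Constructed request/response pairs shaped like the three exchanges described above.
EXCHANGES = [
    {"params": {},
     "response": {"people": [{"userName": f"user{i}"} for i in range(426)],
                  "paging": {"maxItems": 426, "totalItems": 426, "skipCount": 0}}},
    {"params": {"filter": "valid-userlogin [hint:useCQ]", "startIndex": "0", "pageSize": "0"},
     "response": {"people": [],
                  "paging": {"maxItems": 0, "totalItems": 1, "skipCount": 0}}},
    {"params": {"filter": "% [hint:useCQ]", "startIndex": "0", "pageSize": "0"},
     "response": {"people": [],
                  "paging": {"maxItems": 0, "totalItems": 401, "skipCount": 0}}},
]

HINT_RE = re.compile(r"\s*\[hint:([^\]]+)\]")


def split_filter(value):
    """Split 'term [hint:useCQ]' into (term, [hints]); '%' is the wildcard term."""
    hints = HINT_RE.findall(value)
    term = HINT_RE.sub("", value).strip()
    return term, hints


def check_people_exchange(params, response):
    """Return a list of findings about one /api/people request/response pair."""
    findings = []
    paging = response["paging"]
    total, max_items, skip = paging["totalItems"], paging["maxItems"], paging["skipCount"]
    returned = len(response["people"])
    term, hints = split_filter(params.get("filter", ""))

    # Share sent an explicit page size; the repository echoed it back as maxItems.
    if params.get("pageSize") is not None and int(params["pageSize"]) == 0 and total > 0:
        findings.append(f"pageSize=0 in the request and maxItems={max_items} in the reply: "
                        f"an empty page was asked for even though totalItems={total} matched "
                        f"filter {term!r}; the gap is in the paging parameters, not the match")

    # With a known total and page window, the returned slice has a definite expected size.
    expected = min(max(total - skip, 0), max_items) if max_items > 0 else 0
    if returned != expected:
        findings.append(f"returned {returned} people but paging implies {expected}")

    if "useCQ" in hints:
        findings.append("[hint:useCQ] present: the people list is served from the database "
                        "canned query, so Solr index state is not the variable here")
    return findings


def check_all(exchanges):
    return [check_people_exchange(e["params"], e["response"]) for e in exchanges]


if __name__ == "__main__":
    for i, findings in enumerate(check_all(EXCHANGES), 1):
        print(f"exchange {i}:", findings or ["consistent"])
```

Capture the real pairs from the browser's network panel (the Share proxy call and the repository's JSON) and drop them into `EXCHANGES` in the same shape.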
I had the same issue.
If your alfresco properties file contains the following:
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
check to have properly filled in the Active Directory user form specifying the "First" and "Last" name fields. Don't leave them empty.
This worked for me.
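The last two fixes in this thread both came from the directory data rather than from Alfresco: group entries whose membership attribute did not line up with ldap.synchronization.groupMemberAttributeName, and user entries with empty first or last name attributes. The following is an added example, not code from the thread or from Alfresco: a preflight that reads an LDIF export and reports entries that the configured sync mappings would not handle. It assumes the property names shown in this thread plus ldap.synchronization.groupType, ldap.synchronization.personType and ldap.synchronization.userIdAttributeName from the same properties file; the LDIF, the DNs and the config values are constructed for the example.

```python
from collections import defaultdict

# Constructed sample LDIF (hypothetical DNs). "viewers" uses uniqueMember and "bob" has
# no givenName/sn, mirroring the two data problems reported in this thread.
SAMPLE_LDIF = """\
dn: cn=editors,ou=groups,dc=example,dc=org
objectClass: top
objectClass: groupOfNames
cn: editors
member: uid=alice,ou=people,dc=example,dc=org
member: uid=bob,ou=people,dc=example,dc=org

dn: cn=viewers,ou=groups,dc=example,dc=org
objectClass: groupOfUniqueNames
cn: viewers
uniqueMember: uid=alice,ou=people,dc=example,dc=org

dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
givenName: Alice
sn: Example

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
"""

# Constructed subset of ldap-authentication.properties values.
CONFIG = {
    "ldap.synchronization.groupType": "groupOfNames",
    "ldap.synchronization.personType": "inetOrgPerson",
    "ldap.synchronization.groupMemberAttributeName": "member",
    "ldap.synchronization.userIdAttributeName": "uid",
    "ldap.synchronization.userFirstNameAttributeName": "givenName",
    "ldap.synchronization.userLastNameAttributeName": "sn",
}

MEMBERSHIP_ATTRS = ("member", "uniqueMember", "memberUid")


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, multi-valued attributes,
    folded continuation lines (leading space). Base64 ("::") values are not handled."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip()
        current[last_attr].append(value.strip())
    if current:
        entries.append(current)
    return entries


def preflight(ldif_text, config):
    """Return (dn, problem) pairs for entries the sync mappings will not import cleanly."""
    group_type = config["ldap.synchronization.groupType"]
    person_type = config["ldap.synchronization.personType"]
    member_attr = config["ldap.synchronization.groupMemberAttributeName"]
    required_person_attrs = (config["ldap.synchronization.userIdAttributeName"],
                             config["ldap.synchronization.userFirstNameAttributeName"],
                             config["ldap.synchronization.userLastNameAttributeName"])
    problems = []
    for e in parse_ldif(ldif_text):
        dn = e["dn"][0]
        classes = e.get("objectClass", [])
        if group_type in classes:
            # Selected by groupQuery, but members are only read from member_attr.
            if not e.get(member_attr):
                present = [a for a in MEMBERSHIP_ATTRS if a != member_attr and e.get(a)]
                problems.append((dn, f"no '{member_attr}' values; membership attributes present: "
                                     f"{present or 'none'} (check groupMemberAttributeName)"))
        elif any(e.get(a) for a in MEMBERSHIP_ATTRS):
            problems.append((dn, f"has members but objectClass {classes} lacks '{group_type}', "
                                 f"so groupQuery will not select it"))
        if person_type in classes:
            for attr in required_person_attrs:
                if not e.get(attr):
                    problems.append((dn, f"missing '{attr}', which a ldap.synchronization.*AttributeName "
                                         f"mapping expects to be filled"))
    return problems


if __name__ == "__main__":
    for dn, problem in preflight(SAMPLE_LDIF, CONFIG):
        print(f"{dn}: {problem}")
```

Feed it an ldapsearch export of the people and group subtrees (ldapsearch -LLL ... > export.ldif) and the values from your own ldap-authentication.properties; anything it prints is an entry the synchronizer will either skip or import without names.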
Thank you for the tip (and sorry for the late response)
I am going to check that, but you know, the customer is responsible for the AD, and I have no control over it.