
LDAP Group Sync on OpenLDAP and FDS

Question asked by skp on Jul 14, 2009
Latest reply on Aug 13, 2009 by dward
Hi,

I'm using Alfresco Community 3.2 Dev: Current version 3.2.0 (_dev 1979) schema 2015 - Installed version 3.2.0 (_dev 1979) schema 2015

Group Sync fails with different errors when using OpenLDAP and Fedora(Netscape) Directory Server. Both LDAP groups use 'objectClass: posixGroup'

Differences are
===========

# OpenLDAP #
* Usernames (uid) are letters only (e.g., uid=userone)
* Group names (cn) are letters only, containing the attribute 'memberUid: userone'

# FDS #
* Usernames (uid) are numbers only (e.g., uid=345678)
* Group names (cn) are letters only, containing the attribute 'memberUid: 345678' and not 'memberUid: uid=346578,ou=finance,ou=people,dc=company,dc=com'

The full DN is not specified in the memberUid for both servers.


ldap-authentication.properties
======================
ldap.synchronization.queryBatchSize=0 (this is for FDS which does not support paged results and it works fine for OpenLDAP too)



# OpenLDAP Snippet #
15:20:47,315 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'userten'
15:20:47,824 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'usereleven'
15:20:48,312 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'usertwelve'
15:20:48,803 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user 'userthirteen'
15:20:49,318 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.openldap'
15:20:50,959 ERROR [[localhost].[/alfresco].[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
javax.naming.InvalidNameException: Invalid name: userone
        at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:86)
        at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:45)
        at javax.naming.ldap.LdapName.parse(LdapName.java:772)
        at javax.naming.ldap.LdapName.<init>(LdapName.java:108)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:528)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncGroupsWithPlugin(ChainingUserRegistrySynchronizer.java:337)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:188)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:460)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:449)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:489)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:447)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:432)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:213)
        at org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl.authenticateImpl(LDAPAuthenticationComponentImpl.java:102)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:164)
        at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:129)
        at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:166)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
# End of OpenLDAP snippet #



# FDS Snippet #
17:56:53,154 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user '345678'
17:56:53,812 INFO [security.sync.ChainingUserRegistrySynchronizer] Creating user '345679'
17:56:54,726 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'AUTH.EXT.fdsldap'
17:56:55,455 ERROR [[localhost].[/alfresco].[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
java.lang.ArrayIndexOutOfBoundsException: -1
        at java.util.ArrayList.get(ArrayList.java:324)
        at javax.naming.ldap.LdapName.getRdn(LdapName.java:220)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:535)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncGroupsWithPlugin(ChainingUserRegistrySynchronizer.java:337)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:188)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:460)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback$1.doWork(AbstractAuthenticationComponent.java:449)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:489)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:447)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent$SetCurrentUserCallback.execute(AbstractAuthenticationComponent.java:432)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:213)
        at org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl.authenticateImpl(LDAPAuthenticationComponentImpl.java:102)
        at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:164)
        at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:129)
        at org.alfresco.repo.security.authentication.AbstractChainingAuthenticationService.authenticate(AbstractChainingAuthenticationService.java:166)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:304)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
        at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:275)
        at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy25.authenticate(Unknown Source)
        at org.alfresco.web.bean.LoginBean.login(LoginBean.java:282)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
        at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)
        at javax.faces.component.UICommand.broadcast(UICommand.java:109)
        at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
        at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
        at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:124)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:122)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy205.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:74)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
        at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)
        at javax.faces.component.UICommand.broadcast(UICommand.java:109)
        at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
        at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
        at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
        at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
        at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:124)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:122)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy205.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.alfresco.repo.web.filter.beans.NullFilter.doFilter(NullFilter.java:74)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:122)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
        at $Proxy205.doFilter(Unknown Source)
        at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:88)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:619)
# End of FDS snippet #


I also tried: Alfresco started (Community): Current version 3.2.0 (2039) schema 2019 - Installed version 3.2.0 (2039) schema 2019

If ldap.synchronization.active=true, user cannot login because

#snip#
19:38:32,601 INFO [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'fdsldap'
19:38:32,644 INFO [security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'AUTH.EXT.fdsldap'
#/snip#

No other errors show up and nothing else happens.

my ldap-authentication.properties
==========================
ldap.authentication.userNameFormat=uid\=%s,ou\=finance,ou\=people,dc\=company,dc\=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=345678
ldap.synchronization.active=true
ldap.authentication.java.naming.security.principal=uid\=346578,ou\=finance,ou\=people,dc\=company,dc\=com
ldap.authentication.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=0
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=services,ou\=Groups,dc\=company,dc\=com
ldap.synchronization.userSearchBase=ou\=finance,ou\=People,dc\=company,dc\=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=businessCategory
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=memberUid

I have also copied /var/lib/tomcat5/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml -> /usr/share/tomcat5/shared/classes/alfresco/extension/subsystems/Authentication/ldap/fdsldap/ldap-authentication-context.xml

So right now, it doesn't even start a sync.

The user can login if ldap.synchronization.active=false though.

Has anyone else run into this issue?
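As an added illustration (not code from the original post, and not Alfresco's own LDAPUserRegistry), here is a small Python model of the member-resolution step that both traces show failing in getGroups: it separates DN-valued member attributes from the bare uids that posixGroup memberUid actually carries, and only hands DN syntax to the DN parser. The user and group entries are constructed sample data mirroring the thread, and the function names are assumptions.

```python
"""Constructed example: resolving posixGroup 'memberUid' values robustly.

A 'member'-style attribute holds full DNs; posixGroup 'memberUid' holds bare
uids such as 'userone' or '345678'. Passing a bare uid to an RFC 2253 DN parser
is what produces InvalidNameException (OpenLDAP trace) or an empty LdapName and
the getRdn(-1) ArrayIndexOutOfBoundsException (FDS trace)."""
import re

# A DN starts with an RDN of the form 'attr=value'; a bare uid does not.
# Simplification: attribute types must start with a letter (numeric OIDs and
# escaped commas inside values are not handled here).
RDN_RE = re.compile(r'^\s*[A-Za-z][A-Za-z0-9-]*\s*=')


def looks_like_dn(value):
    """True if value has DN syntax, e.g. 'uid=346578,ou=finance,dc=company,dc=com'."""
    return bool(RDN_RE.match(value))


def rdn_value(dn):
    """Return the value of the leftmost RDN: 'uid=346578,ou=finance,...' -> '346578'.

    Raises ValueError for a non-DN instead of letting a DN parser blow up."""
    if not looks_like_dn(dn):
        raise ValueError("not a DN: %r" % dn)
    first_rdn = dn.split(',', 1)[0]
    return first_rdn.split('=', 1)[1].strip()


def resolve_members(group_entry, member_attr, user_id_attr, users_by_dn):
    """Map a group's member values to user ids, returning (resolved, unresolved).

    users_by_dn: {dn: {attr: value}} as returned by the person query.
    Bare uids are matched directly against user_id_attr; DN values are looked up
    case-insensitively and fall back to their leftmost RDN value if unknown."""
    ids_by_dn = {dn.lower(): attrs[user_id_attr] for dn, attrs in users_by_dn.items()}
    known_ids = set(ids_by_dn.values())
    resolved, unresolved = [], []
    for value in group_entry.get(member_attr, []):
        if looks_like_dn(value):
            uid = ids_by_dn.get(value.lower()) or rdn_value(value)
        else:
            uid = value  # posixGroup memberUid: the value already is the uid
        (resolved if uid in known_ids else unresolved).append(uid)
    return resolved, unresolved


# Constructed sample data: FDS-style numeric uids, one DN-style member for
# contrast, and one uid that no person entry matches.
USERS = {
    "uid=345678,ou=finance,ou=people,dc=company,dc=com": {"uid": "345678"},
    "uid=346578,ou=finance,ou=people,dc=company,dc=com": {"uid": "346578"},
}
GROUP = {"cn": ["finance-staff"],
         "memberUid": ["345678",
                       "uid=346578,ou=finance,ou=people,dc=company,dc=com",
                       "999999"]}
```

Unresolved ids are worth logging rather than silently dropping, since a stale memberUid is the usual cause of a group that looks synced but is missing a member.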
