
Nightmare of a time getting 3.2 to sync LDAP with AD

Question asked by jdalby on Jul 25, 2009
Latest reply on Jul 29, 2009 by dward
I've got passthru auth to work fine, but am having a real problem getting LDAP sync to work with AD (or Novell's eDirectory for that matter).  Currently I'm using the alfresco-global.properties per the documentation, using configuration examples I've found on this site.  What is happening now is when the sync starts it appears that it is looping over and over through the user creation.  I've tried reinstalling, removing the databases and putting back, going to the latest nightly builds, sacrificing a chicken to Zorkon the Space God, but have not had any luck.  I would greatly appreciate any thoughts people may have.

Config is as follows:

ldap.authentication.active=false
ldap.synchronization.active=true
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.provider.url=ldap://<ipofserver>:389
ldap.synchronization.java.naming.security.principal=user@domain.com
ldap.synchronization.java.naming.security.credentials=PASSWORD
ldap.synchronization.userSearchBase=<searchbase>
ldap.synchronization.personQuery=(objectclass\=user)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))
ldap.synchronization.groupSearchBase=<group search base>
ldap.synchronization.import.cron=0 0 0 * * ?
ldap.authentication.allowGuestLogin=false
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true

I've tried various permutations of the above, adding or removing sections.  In a packet trace I do show it doing the LDAP query and receive a response with a list of users.  In the logs it will start going through that list with the message:

00:15:26,026  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'username'

which it repeats for all the users. Then it gets to this error:

00:15:26,443  WARN  [security.sync.ChainingUserRegistrySynchronizer] Recreating occluded user 'Guest'. This user was previously created manually or through synchronization with a lower priority user registry.
00:15:26,770  INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1-ad'
00:15:26,770  WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1-ad'; some users and groups previously created by synchronization with this user registry may be removed.

After which it starts the sync all over again. Finally after multiple times through it will fail on this error:

00:17:10,574  ERROR [quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.springframework.dao.DataIntegrityViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]; nested exception is org.hibernate.exception.ConstraintViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]
Caused by: org.hibernate.exception.ConstraintViolationException: could not delete: [org.alfresco.repo.domain.hibernate.DbAccessControlEntryImpl#3]
…..
.
.
.
.
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException: Cannot delete or update a parent row: a foreign key constraint fails (`alfresco/alf_acl_member`, CONSTRAINT `fk_alf_aclm_ace` FOREIGN KEY (`ace_id`) REFERENCES `alf_access_control_entry` (`id`))


Thanks again for any help.
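The following is an added example written for this page (my own Python, not Alfresco's code and not part of the thread). It reads the sync settings quoted above the way a Java .properties loader would (backslash escapes removed), then checks each LDAP filter for balanced parentheses, decodes the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl, and tests which userAccountControl values that rule admits. The properties parser is a minimal reimplementation of the Java rules, not Alfresco's loader; the userAccountControl bit values (0x200 NORMAL_ACCOUNT, 0x2 ACCOUNTDISABLE) are AD's documented flags; the settings text is a constructed copy of the post's, with its placeholders kept.

```python
"""Sanity-check LDAP synchronization settings from an alfresco-global.properties text.

Added example, not Alfresco's code. Parses the Java .properties escapes, then
validates the person queries: balanced parentheses, the AD bitwise-AND rule on
userAccountControl, and whether a disabled account would still match.
"""
import re

# Constructed copy of the post's settings; <...> and PASSWORD are its own placeholders.
SAMPLE_PROPERTIES = r"""
ldap.authentication.active=false
ldap.synchronization.active=true
ldap.synchronization.userSearchBase=<searchbase>
ldap.synchronization.personQuery=(objectclass\=user)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0}))
synchronization.synchronizeChangesOnly=false
"""

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND
UAC_FLAGS = {"ACCOUNTDISABLE": 0x2, "NORMAL_ACCOUNT": 0x200}  # AD userAccountControl bits


def _unescape(s: str) -> str:
    """Java .properties backslash handling: t, n, r, f after a backslash become
    control characters; any other escaped character (=, :, backslash) is literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_java_properties(text: str) -> dict:
    """Minimal key/value reader: the key ends at the first unescaped '=', ':' or
    whitespace; blank lines and lines starting with # or ! are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t":
            i += 2 if line[i] == "\\" else 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[key] = _unescape(rest)
    return props


def parens_balanced(ldap_filter: str) -> bool:
    """True when every '(' in the filter has a matching ')'."""
    depth = 0
    for c in ldap_filter:
        depth += (c == "(") - (c == ")")
        if depth < 0:
            return False
    return depth == 0


def required_uac_bits(ldap_filter: str):
    """Bit mask demanded by a userAccountControl:<BIT_AND>:=N clause, or None if absent."""
    m = re.search(r"userAccountControl:" + re.escape(BIT_AND_RULE) + r":=(\d+)", ldap_filter)
    return int(m.group(1)) if m else None


def uac_rule_admits(mask: int, uac: int) -> bool:
    """The bitwise-AND rule matches an entry when every bit of mask is set in its value."""
    return (uac & mask) == mask


def check_sync_config(props: dict) -> dict:
    """Report per person query: syntax, required UAC bits, timestamp placeholder,
    and whether NORMAL_ACCOUNT | ACCOUNTDISABLE (514) would still be admitted."""
    disabled_normal = UAC_FLAGS["NORMAL_ACCOUNT"] | UAC_FLAGS["ACCOUNTDISABLE"]
    report = {}
    for key in ("ldap.synchronization.personQuery", "ldap.synchronization.personDifferentialQuery"):
        f = props.get(key, "")
        mask = required_uac_bits(f)
        report[key] = {
            "filter": f,
            "balanced": parens_balanced(f),
            "uac_mask": mask,
            "has_timestamp_placeholder": "{0}" in f,
            "admits_disabled_account": mask is not None and uac_rule_admits(mask, disabled_normal),
        }
    return report


if __name__ == "__main__":
    for key, r in check_sync_config(parse_java_properties(SAMPLE_PROPERTIES)).items():
        print(key)
        for k, v in r.items():
            print(f"  {k}: {v}")
```

Run against the values quoted in the post, the checker reports the personDifferentialQuery as unbalanced (it has one more `(` than `)` as written) and shows that a bitwise-AND test on 512 alone also admits a disabled account whose value is 514, since the rule only requires the named bits to be set; `{0}` is present, which is the placeholder the differential query substitutes the last sync timestamp into.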

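A second added example, also my own Python rather than anything from Alfresco or the thread: it scans ChainingUserRegistrySynchronizer log lines like the ones quoted above and reports how many synchronization passes started, how many were forced, which users were created more than once (the repeat-creation loop the post describes), and how many ERROR lines appeared. The log excerpt is constructed to mirror the post's messages, with two passes so the repetition is visible; the user names are made up.

```python
"""Detect repeated synchronization passes in Alfresco LDAP sync logs.

Added example, not Alfresco code. Counts sync starts, forced syncs, users
created more than once, and ERROR lines in a ChainingUserRegistrySynchronizer log.
"""
import re
from collections import Counter

# Constructed log excerpt modelled on the post's messages (two passes, made-up users).
SAMPLE_LOG = """\
00:15:26,026  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'alice'
00:15:26,100  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'bob'
00:15:26,443  WARN  [security.sync.ChainingUserRegistrySynchronizer] Recreating occluded user 'Guest'. This user was previously created manually or through synchronization with a lower priority user registry.
00:15:26,770  INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1-ad'
00:15:26,770  WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1-ad'; some users and groups previously created by synchronization with this user registry may be removed.
00:15:27,010  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'alice'
00:15:27,050  INFO  [security.sync.ChainingUserRegistrySynchronizer] Creating user 'bob'
00:15:27,400  INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1-ad'
00:15:27,401  WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1-ad'; some users and groups previously created by synchronization with this user registry may be removed.
00:17:10,574  ERROR [quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
"""

CREATE_RE = re.compile(r"Creating user '([^']+)'")
SYNC_START_RE = re.compile(r"Synchronizing users and groups with user registry '([^']+)'")
FORCED_RE = re.compile(r"Forced synchronization with user registry '([^']+)'")
LEVEL_RE = re.compile(r"^\S+\s+(INFO|WARN|ERROR)\b")  # timestamp, then the log level


def analyze_sync_log(text: str) -> dict:
    """Summarise one sync job's log: pass count, forced passes, repeated creations, errors."""
    created = Counter()
    starts = forced = errors = 0
    for line in text.splitlines():
        level = LEVEL_RE.match(line)
        if level and level.group(1) == "ERROR":
            errors += 1
        m = CREATE_RE.search(line)
        if m:
            created[m.group(1)] += 1
        if SYNC_START_RE.search(line):
            starts += 1
        if FORCED_RE.search(line):
            forced += 1
    recreated = {user: n for user, n in created.items() if n > 1}
    return {
        "sync_starts": starts,
        "forced_syncs": forced,
        "users_created": dict(created),
        "recreated": recreated,
        # A single job that starts more than one pass and re-creates the same
        # users is the looping behaviour described in the post.
        "looping": starts > 1 and bool(recreated),
        "errors": errors,
    }


if __name__ == "__main__":
    for k, v in analyze_sync_log(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Pointing the function at a real alfresco.log (read the file and pass its text) gives the same summary; a healthy scheduled sync shows one pass per cron firing and no user created twice within it.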