
Alfresco and Zimbra LDAP - sync

Question asked by jsosic on Nov 30, 2009
Latest reply on Jan 1, 2015 by kmanickam
Hi. Zimbra is a collaboration tool that comes bundled with mysql, openldap, postfix, amavis, …

Anyway, I've successfully integrated Zimbra with the samba/posix zimlets (addons) and I've set up Zimbra's LDAP as the master LDAP for a Samba PDC. So, users are now added in only one place - in Zimbra's administration panel.

Now I want to sync Alfresco with Zimbra's LDAP users/groups. I've pretty much succeeded, with only one problem remaining: I can't connect users to groups. Although they are set up OK in LDAP and in Zimbra, in Alfresco I can see all the groups and all the users, but there is no connection between them. Here is my /var/lib/tomcat5/shared/classes/alfresco/extension/subsystems/Authentication/ldap/zimbraldap/ldap-authentication.properties:
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=zimbra,dc=company,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://IP_OF_LDAP:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=jsosic
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=config
ldap.synchronization.java.naming.security.credentials=PASSWORD
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=posixAccount)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=groups,dc=company,dc=com
ldap.synchronization.userSearchBase=ou=people,dc=zimbra,dc=company,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=zimbraId ***
ldap.synchronization.defaultHomeFolderProvider=homeDirectory
ldap.synchronization.groupIdAttributeName=gidNumber
ldap.synchronization.groupType=posixGroup ***
ldap.synchronization.personType=organizationalPerson ***
ldap.synchronization.groupMemberAttributeName=memberUid ***
ldap.synchronization.enableProgressEstimation=true

Now, I've put three asterisks (***) next to the configuration options that I don't understand…

So, for example, my DN for one person is: dn: uid=jsosic,ou=people,dc=zimbra,dc=company,dc=com. That means that uid=jsosic. In a group's description I have memberUid: jsosic, so I've presumed that the connection between groups and people is:
ldap.synchronization.groupMemberAttributeName=memberUid
but that doesn't work in my case. Maybe there should be something else? And what about the groupType and personType attributes? How can I be sure I've selected the correct ones? If you want, I can give you a slapcat for a user and for a group or something…
I also totally don't understand userOrganizationalIdAttributeName and how to find it in slapcat's output.

Anyway, one more question. If I restart Tomcat with changed settings in this file, will it update the groups just because the file changed? Or should I delete some group and then try to sync… I'm afraid that if I delete a group from Alfresco, it won't ever be fetched again…

Also, is there a way to force the start of a sync without restarting the whole Tomcat? It takes around 90 seconds for Tomcat5+Alfresco to start, and it's a pain to wait for every configuration change…
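The post's main pain point is that every guess at the group/member mapping costs a 90-second Tomcat restart. The script below is an added example (not Alfresco's or Zimbra's code, and not part of the original post): it takes a subset of the ldap-authentication.properties keys shown above plus constructed slapcat-style LDIF, and checks offline whether each value of groupMemberAttributeName in a posixGroup under groupSearchBase resolves to a uid of an organizationalPerson under userSearchBase. It also shows what the groupDifferentialQuery looks like once `{0}` is filled with a timestamp in the configured yyyyMMddHHmmss'Z' pattern. The user, group, and dangling `ghost` member are invented; the DN-versus-bare-identifier distinction is the script's own classification, not a statement about how Alfresco resolves members internally.

```python
# Offline consistency check for an Alfresco LDAP synchronisation configuration.
# Added example, not Alfresco's own code. Entries, DNs and values are constructed
# to mirror the post; the resolution rules are this script's, not Alfresco's.
import base64
import re
from datetime import datetime, timezone

# Constructed subset of the properties file in the post (raw string keeps the '\=' escapes).
SAMPLE_PROPERTIES = r"""
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou=groups,dc=company,dc=com
ldap.synchronization.userSearchBase=ou=people,dc=zimbra,dc=company,dc=com
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.groupIdAttributeName=gidNumber
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=organizationalPerson
ldap.synchronization.groupMemberAttributeName=memberUid
"""

# Constructed slapcat-style LDIF: one user and one group with one dangling memberUid.
SAMPLE_LDIF = """
dn: uid=jsosic,ou=people,dc=zimbra,dc=company,dc=com
objectClass: organizationalPerson
objectClass: posixAccount
uid: jsosic
sn: Sosic
mail: jsosic@company.com

dn: cn=developers,ou=groups,dc=company,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 1001
memberUid: jsosic
memberUid: ghost
"""

# Constructed "last sync" time used when rendering the differential query.
SAMPLE_SINCE = datetime(2009, 11, 30, 12, 0, tzinfo=timezone.utc)


def parse_properties(text):
    """Parse key=value lines; undo the '\\=' escaping Alfresco property files use inside filters."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip().replace("\\=", "=")
    return props


def parse_ldif(text):
    """Parse LDIF into dicts: 'dn' -> string, every other attribute (lower-cased) -> list of values.
    Handles folded continuation lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr.lower() == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDNs (naive: does not handle escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def check_group_membership(props, entries):
    """Classify each group member value as resolved (matches a user under userSearchBase) or not."""
    def p(key):
        return props["ldap.synchronization." + key]

    def has_class(entry, cls):
        return cls in (c.lower() for c in entry.get("objectclass", []))

    uid_attr, gid_attr = p("userIdAttributeName").lower(), p("groupIdAttributeName").lower()
    users_by_id, users_by_dn = {}, set()
    for e in entries:
        if has_class(e, p("personType").lower()) and dn_under(e["dn"], p("userSearchBase")):
            users_by_dn.add(normalize_dn(e["dn"]))
            for uid in e.get(uid_attr, []):
                users_by_id[uid.lower()] = e["dn"]
    report = {}
    for e in entries:
        if not (has_class(e, p("groupType").lower()) and dn_under(e["dn"], p("groupSearchBase"))):
            continue
        resolved, unresolved = [], []
        for value in e.get(p("groupMemberAttributeName").lower(), []):
            # A value containing '=' is treated as a DN (e.g. a 'member' attribute); anything
            # else is treated as a bare identifier that must equal a userIdAttributeName value.
            ok = normalize_dn(value) in users_by_dn if "=" in value else value.lower() in users_by_id
            (resolved if ok else unresolved).append(value)
        gid = e.get(gid_attr, ["?"])[0]
        report[gid] = {"cn": e.get("cn", [""])[0], "resolved": resolved, "unresolved": unresolved}
    return report


def differential_filter(template, since):
    """Fill {0} with a timestamp in Java pattern yyyyMMddHHmmss'Z' (Python: %Y%m%d%H%M%SZ)."""
    return template.replace("{0}", since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ"))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for gid, info in check_group_membership(props, parse_ldif(SAMPLE_LDIF)).items():
        print(f"group {gid} ({info['cn']}): resolved={info['resolved']} unresolved={info['unresolved']}")
    print(differential_filter(props["ldap.synchronization.groupDifferentialQuery"], SAMPLE_SINCE))
```

Run it against real `slapcat` output by replacing SAMPLE_LDIF with the exported file; every entry that lands in `unresolved`, or every group that never appears in the report at all because it sits outside groupSearchBase or lacks the configured groupType objectClass, is a mapping problem worth fixing before the next restart.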
