
Synchronization problem between Alfresco and Windows AD

Question asked by meeko on Jan 18, 2010
Latest reply on Jan 25, 2010 by dward
I am having a really weird problem with our Alfresco installation.  I am trying to synchronize only a few users from our Windows AD to Alfresco.  I don't need any groups to be synchronized.  Here is what I have inside my configuration right now (tomcat/shared/classes/alfresco-global.properties):


authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

# CIFS
cifs.domain=domain.org

# AlfrescoNtlm
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
alfresco.authentication.allowGuestLogin=false

# LDAP
ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://ldap01.domain.org:389
ldap.synchronization.java.naming.security.principal=alfresco@domain.org
ldap.synchronization.java.naming.security.credentials=secretpassword

ldap.authentication.userNameFormat=%s@domain.org
ldap.authentication.allowGuestLogin=false

ldap.synchronization.userSearchBase=DC=domain,DC=org
ldap.synchronization.personQuery=(&(objectclass\=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(memberOf\=CN\=alfresco-user,OU\=Applications,OU\=Security Groups,DC\=domain,DC\=org))
#ldap.synchronization.personDifferentialQuery=(&(objectclass=person)(memberOf\=CN\=alfresco-user,OU\=Applications,OU\=Security Groups,DC\=domain,DC\=org)(!(modifyTimestamp<\={0})))
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.personType=person

ldap.synchronization.groupQuery=(&(objectclass=group)(cn=alfresco-user))
ldap.synchronization.groupSearchBase=OU\=Applications,OU\=Security Groups,DC=domain,DC=org
#ldap.synchronization.groupIdAttributeName=cn
#ldap.synchronization.groupMemberAttributeName=memberOf
ldap.synchronization.groupType=group

ldap.synchronization.queryBatchSize=100

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# Passthru
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=domain.org\\ldap01.domain.org,ldap01.domain.org
passthru.authentication.authenticateCIFS=true

# Synchronisation
synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 0 * * * ?
synchronization.syncOnStartup=true

We are running version Community - v3.2.0 (r2 2440).  Here is some information coming from our log:


15:00:00,040 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
15:00:00,041 User:System WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
15:00:00,103 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since Jan 18, 2010 11:15:19 AM from user registry 'ldap1'
15:00:00,145 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries
15:00:00,145 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries
15:00:00,329 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Jan 18, 2010 2:49:21 PM from user registry 'ldap1'
15:00:00,377 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 0 entries
15:00:00,427 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 0 entries
15:00:00,498 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Commencing batch of 0 entries
15:00:00,498 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Completed batch of 0 entries
15:00:00,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
15:00:00,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed

I am supposed to have one user and one group.  One hour later I have this:


16:00:00,031 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
16:00:00,032 User:System WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
16:00:00,038 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving groups changed since Jan 18, 2010 11:15:19 AM from user registry 'ldap1'
16:00:00,073 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 0 entries
16:00:00,073 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 0 entries
16:00:00,104 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since Jan 18, 2010 2:49:21 PM from user registry 'ldap1'
16:00:00,151 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 4 entries
16:00:01,761  WARN  [security.sync.ChainingUserRegistrySynchronizer] Updating user 'philippe'. This user will in future be assumed to originate from user registry 'ldap1'.
16:00:02,089 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Processed 4 entries out of 4. 100% complete. Rate: 2 per second. 0 failures detected.
16:00:02,089 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 4 entries
16:00:02,133 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Commencing batch of 0 entries
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] ldap1 Authority Deletion: Completed batch of 0 entries
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 4 user(s) and 0 group(s) processed

That makes no sense at all, as only 1 user is part of the group that should be synchronized.  And I am able to log in with users that are not even synchronised, but when Alfresco creates them, no information is passed on (name, company, email).  Can somebody tell me what is wrong with our configuration file?  I have tried many modifications, and each time the server reacts differently.  Thanks for helping me.
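As an added example (not from the original post and not Alfresco's own code), a small Python audit that groups ChainingUserRegistrySynchronizer log lines into sync runs and flags two things worth watching for: a run whose processed user/group counts differ from what the personQuery and groupQuery should return, and a user who existed in Alfresco before the sync and is then re-labelled as owned by the LDAP registry. The expected counts are supplied by the caller; the sample lines are constructed from the ones quoted above.

```python
import re

# Constructed sample, modelled on the log excerpts quoted in the question.
SAMPLE_LOG = """\
15:00:00,040 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
15:00:00,041 User:System WARN  [security.sync.ChainingUserRegistrySynchronizer] Forced synchronization with user registry 'ldap1'; some users and groups previously created by synchronization with this user registry may be removed.
15:00:00,499 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 0 user(s) and 0 group(s) processed
16:00:00,031 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
16:00:01,761  WARN  [security.sync.ChainingUserRegistrySynchronizer] Updating user 'philippe'. This user will in future be assumed to originate from user registry 'ldap1'.
16:00:02,144 User:System INFO  [security.sync.ChainingUserRegistrySynchronizer] 4 user(s) and 0 group(s) processed
"""

RUN_START = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d,\d{3}) .*Synchronizing users and groups with user registry '(?P<reg>[^']+)'")
FORCED = re.compile(r"Forced synchronization with user registry")
ADOPTED = re.compile(r"Updating user '(?P<user>[^']+)'\. This user will in future be assumed to originate from user registry")
SUMMARY = re.compile(r"(?P<users>\d+) user\(s\) and (?P<groups>\d+) group\(s\) processed")


def parse_sync_runs(log_text):
    """Split synchronizer log lines into one dict per run (start time, registry, flags, counts)."""
    runs, current = [], None
    for line in log_text.splitlines():
        m = RUN_START.search(line)
        if m:
            current = {"start": m.group("ts"), "registry": m.group("reg"),
                       "forced": False, "adopted": [], "users": None, "groups": None}
            runs.append(current)
            continue
        if current is None:
            continue  # lines before the first run header are ignored
        if FORCED.search(line):
            current["forced"] = True
        m = ADOPTED.search(line)
        if m:
            current["adopted"].append(m.group("user"))
        m = SUMMARY.search(line)
        if m:
            current["users"], current["groups"] = int(m.group("users")), int(m.group("groups"))
    return runs


def audit_runs(runs, expected_users, expected_groups):
    """Return (start, message) findings: count mismatches and locally created users claimed by the registry."""
    findings = []
    for run in runs:
        if run["users"] != expected_users or run["groups"] != expected_groups:
            findings.append((run["start"], "processed %s user(s)/%s group(s), expected %d/%d"
                             % (run["users"], run["groups"], expected_users, expected_groups)))
        for user in run["adopted"]:
            findings.append((run["start"], "user '%s' existed before the sync and is now attributed to registry '%s'"
                             % (user, run["registry"])))
    return findings
```

Running `audit_runs(parse_sync_runs(SAMPLE_LOG), 1, 1)` against the sample flags both runs (0 and 4 users instead of 1) plus the adoption of 'philippe', which is the discrepancy the question describes.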
