
Alfresco 4, AD 2008 R2, user import fails

Question asked by rocketrog on Apr 4, 2012
Latest reply on Apr 18, 2012 by ashex
I have read a lot about this and found many similar posts but no answers. I have alfresco community v4. I am trying to synchronize users and groups with our 2008 R2 Active Directory domain. The import fails with LDAP error code 12. From what I have read, alfresco works well with AD 2003. The paged results problem only shows up with AD 2008 R2. Does anyone have a fix?

Here is LDAP error 12
2012-04-03 13:55:06,330  WARN  [security.sync.ChainingUserRegistrySynchronizer] [Thread-1] Failed initial synchronize with user registries
org.alfresco.error.AlfrescoRuntimeException: 03030000 User and group import failed
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1141)
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.access$2500(LDAPUserRegistry.java:77)
[snip]
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00002040: SvcErr: DSID-031401E7, problem 5010 (UNAVAIL_EXTENSION), data 0
]; remaining name 'OU=NIDs,OU=WSU Accounts,DC=ad,DC=wsu,DC=edu'

I tried setting queryBatchSize=0. That was interesting; it changed the LDAP error code to 4. I also changed my userSearchBase and was able to import fewer than 1000 users. LDAP error 12 shows up whenever I try to import all users.

This is what I get if I set queryBatchSize=0
 2012-04-03 12:49:53,609  ERROR [security.sync.ChainingUserRegistrySynchronizer] [Thread-1] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 03030000 User and group import failed
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1141)
   at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.access$2500(LDAPUserRegistry.java:77)
[snip]
Caused by: javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'OU=NIDs,OU=WSU Accounts,DC=ad,DC=wsu,DC=edu'
   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3093)

There are web pages about this problem in AD 2008 R2 and the pagedResultsControl, specifically here http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/183a8f2c-0cf7-4081-9110-4cf41b91dcbf/

Can I work around LDAP error 12 by changing the properties file or is it a problem with AD 2008 R2?

Groups are imported BTW, but there are only a few dozen of them.
Authentication also works.
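Added example, not part of this post or of Alfresco's code: a small Python simulation of the simple paged results control (RFC 2696) that reproduces the two result codes in the stack traces above, so the difference between them is easy to see. Code 12 is LDAP `unavailableCriticalExtension` (the server refused a control the client marked critical), code 4 is `sizeLimitExceeded` (an unpaged search returned more entries than the server allows). The directory, the server behaviour and the cookie format are constructed here; the 1000-entry limit is Active Directory's default `MaxPageSize` policy and is assumed to apply to the poster's domain controller. Nothing here talks to a real LDAP server.

```python
"""Simulation of LDAP paged results and the two failure modes seen in the post.
Constructed example: no real directory is contacted."""
from dataclasses import dataclass

SIZE_LIMIT_EXCEEDED = 4               # LDAP resultCode sizeLimitExceeded
UNAVAILABLE_CRITICAL_EXTENSION = 12   # LDAP resultCode unavailableCriticalExtension


class LdapError(Exception):
    def __init__(self, code, message):
        super().__init__(f"[LDAP: error code {code} - {message}]")
        self.code = code


@dataclass
class FakeDirectory:
    """Constructed stand-in for a domain controller."""
    entries: list
    max_page_size: int = 1000        # AD default MaxPageSize (assumption for this example)
    supports_paging: bool = True     # False mimics a server that rejects the paged control

    def search(self, page_size=0, cookie=b""):
        """Return (page_of_entries, next_cookie).

        page_size == 0 means the client sent no paged-results control, so the
        whole result set must come back in one response. A non-empty cookie
        means 'ask again for the next page'; an empty cookie means 'done'."""
        if page_size == 0:
            if len(self.entries) > self.max_page_size:
                raise LdapError(SIZE_LIMIT_EXCEEDED, "Sizelimit Exceeded")
            return list(self.entries), b""
        if not self.supports_paging:
            # The control is critical, so the server refuses the search outright
            raise LdapError(UNAVAILABLE_CRITICAL_EXTENSION, "critical extension is unavailable")
        start = int(cookie) if cookie else 0
        page = self.entries[start:start + min(page_size, self.max_page_size)]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(self.entries) else b""
        return page, next_cookie


def import_users(server, query_batch_size):
    """Client loop: re-issue the search with each returned cookie until it is empty.
    query_batch_size plays the role of the post's queryBatchSize setting."""
    collected, cookie = [], b""
    while True:
        page, cookie = server.search(page_size=query_batch_size, cookie=cookie)
        collected.extend(page)
        if not cookie:
            return collected


def import_result(server, query_batch_size):
    """Convenience wrapper: ('ok', count) on success, ('error', code) on failure."""
    try:
        return "ok", len(import_users(server, query_batch_size))
    except LdapError as err:
        return "error", err.code


def make_directory(n, supports_paging=True):
    """Build a constructed directory of n user entries."""
    return FakeDirectory([f"uid=user{i}" for i in range(n)], supports_paging=supports_paging)


if __name__ == "__main__":
    big = make_directory(2500)
    print("paged, 2500 users:", import_result(big, 1000))        # ('ok', 2500)
    print("unpaged, 2500 users:", import_result(big, 0))         # ('error', 4)
    print("unpaged, 900 users:", import_result(make_directory(900), 0))   # ('ok', 900)
    print("paged, server rejects control:",
          import_result(make_directory(2500, supports_paging=False), 1000))  # ('error', 12)
```

The four runs at the bottom line up with the post: a batch size that enables paging walks the whole set page by page; setting the batch size to 0 drops the control and only succeeds while the result set stays under the server's size limit (which is why a narrower search base with fewer than 1000 users imported cleanly); and a server that refuses the critical control fails before returning any entries at all, which is the code 12 case.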
