AnsweredAssumed Answered

Yet another LDAP-AD sync issue

Question asked by docjay on Apr 27, 2012
Latest reply on May 21, 2012 by legaulois
version:  4.0d Community Edition
OS:  Server 2008 x64
Syncing to MS LDAP-AD

background:  I can successfully login to the 'share' site with my domain info, so my passthru is working correctly, but our AD is setup so that users are in different OUs and there is no way to ask for all of the users from multiple OUs.  I was able to ask our admin to create a group and let me drop all of the users who will need access to alfresco into this group.  My problem is that I cannot get my alfresco-global.properties file configured to sync with the global group created, 'WVUser'.  It doe successfully sync  the groups from 'ldap.synchronization.groupsearchbase', but will not sync with 'ldap.synchronizatioin.usersearchbase' which is a CN not an OU.  If I point the 'usersearchbase' to an 'OU' with a few people in it, it works correctly then.  My question:  is there a way to get 'userSearchBase' to synch from a CN?  My CN is a global group with members inside.

I am also having problems trying to debug ldap from the log4j.properties file. I am posting my alfresco log below, but there are only INFO items in it so it won't be much help.  Maybe somebody could help me turn on debugging in my log4j.properties file?  I think this would help shed some light on my problem perhaps.

my alfresco.log file:

11:06:31,592 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:06:31,687 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:06:31,688 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:06:31,694 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:06:33,412 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 312 Web Scripts (+0 failed), 322 URLs
11:06:33,413 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 8 Package Description Documents (+0 failed)
11:06:33,413 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 0 Schema Description Documents (+0 failed)
11:06:33,746 INFO  [org.springframework.extensions.webscripts.AbstractRuntimeContainer] Initialised Spring Surf Container Web Script Container (in 2046.5143ms)
11:06:33,752 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:06:33,756 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:27:02,197 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:27:02,271 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:27:02,272 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:27:02,276 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:27:04,012 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 312 Web Scripts (+0 failed), 322 URLs
11:27:04,012 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 8 Package Description Documents (+0 failed)
11:27:04,012 INFO  [org.springframework.extensions.webscripts.DeclarativeRegistry] Registered 0 Schema Description Documents (+0 failed)
11:27:05,384 INFO  [org.springframework.extensions.webscripts.AbstractRuntimeContainer] Initialised Spring Surf Container Web Script Container (in 3103.3765ms)
11:27:05,391 INFO  [org.springframework.extensions.webscripts.TemplateProcessorRegistry] Registered template processor freemarker for extension ftl
11:27:05,397 INFO  [org.springframework.extensions.webscripts.ScriptProcessorRegistry] Registered script processor javascript for extension js
11:33:53,076 INFO  [org.alfresco.web.site.EditionInterceptor] Unable to retrieve License information from Alfresco: 500
11:42:17,439 INFO  [org.alfresco.web.site.EditionInterceptor] Successfully retrieved license information from Alfresco.

My log4j file:

# Set root logger level to error
#log4j.rootLogger=error, Console, File
log4j.rootLogger=error, File

###### Console appender definition #######

# All outputs currently set to be a ConsoleAppender.
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout

# use log4j NDC to replace %x with tenant domain / username
log4j.appender.Console.layout.ConversionPattern=%d{ISO8601} %x %-5p [%c{3}] [%t] %m%n
#log4j.appender.Console.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c] %m%n

###### File appender definition #######
log4j.appender.File=org.apache.log4j.DailyRollingFileAppender
log4j.appender.File.File=d:\alfresco.log
log4j.appender.File.Append=true
log4j.appender.File.DatePattern='.'yyyy-MM-dd
log4j.appender.File.layout=org.apache.log4j.PatternLayout
log4j.appender.File.layout.ConversionPattern=%d{ABSOLUTE} %-5p [%c] %m%n

###### Hibernate specific appender definition #######
#log4j.appender.file=org.apache.log4j.FileAppender
#log4j.appender.file.File=hibernate.log
#log4j.appender.file.layout=org.apache.log4j.PatternLayout
#log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

###### Log level overrides #######

# Commented-in loggers will be exposed as JMX MBeans (refer to org.alfresco.repo.admin.Log4JHierarchyInit)
# Hence, generally useful loggers should be listed with at least ERROR level to allow simple runtime
# control of the level via a suitable JMX Console. Also, any other loggers can be added transiently via
# Log4j addLoggerMBean as long as the logger exists and has been loaded.

# Hibernate
log4j.logger.org.hibernate=error
log4j.logger.org.hibernate.util.JDBCExceptionReporter=fatal
log4j.logger.org.hibernate.event.def.AbstractFlushingEventListener=fatal
log4j.logger.org.hibernate.type=warn
log4j.logger.org.hibernate.cfg.SettingsFactory=warn

# Spring
log4j.logger.org.springframework=warn
# Turn off Spring remoting warnings that should really be info or debug.
log4j.logger.org.springframework.remoting.support=error
log4j.logger.org.springframework.util=error

# Axis/WSS4J
log4j.logger.org.apache.axis=info
log4j.logger.org.apache.ws=info

# CXF
log4j.logger.org.apache.cxf=error

# MyFaces
log4j.logger.org.apache.myfaces.util.DebugUtils=info
log4j.logger.org.apache.myfaces.el.VariableResolverImpl=error
log4j.logger.org.apache.myfaces.application.jsp.JspViewHandlerImpl=error
log4j.logger.org.apache.myfaces.taglib=error

# OpenOfficeConnection
log4j.logger.net.sf.jooreports.openoffice.connection=fatal

# log prepared statement cache activity ###
log4j.logger.org.hibernate.ps.PreparedStatementCache=info

# Alfresco
log4j.logger.org.alfresco=debug
log4j.logger.org.alfresco.repo.admin=info
log4j.logger.org.alfresco.repo.cache.TransactionalCache=warn
log4j.logger.org.alfresco.repo.model.filefolder=warn
log4j.logger.org.alfresco.repo.tenant=info
log4j.logger.org.alfresco.repo.avm=info
log4j.logger.org.alfresco.config=warn
log4j.logger.org.alfresco.config.JndiObjectFactoryBean=warn
log4j.logger.org.alfresco.config.JBossEnabledWebApplicationContext=warn
log4j.logger.org.alfresco.repo.management.subsystems=warn
log4j.logger.org.alfresco.repo.management.subsystems.ChildApplicationContextFactory=info
log4j.logger.org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext=warn
log4j.logger.org.alfresco.repo.security.sync=info
log4j.logger.org.alfresco.repo.security.person=info
#log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
#log4j.logger.org.alfresco.repo.importer.view.ViewParser=DEBUG
log4j.logger.org.alfresco.repo.security.sync=debug

log4j.logger.org.alfresco.repo.module=debug

log4j.logger.org.alfresco.sample=info
log4j.logger.org.alfresco.web=info
#log4j.logger.org.alfresco.web.app.AlfrescoNavigationHandler=debug
#log4j.logger.org.alfresco.web.ui.repo.component.UIActions=debug
#log4j.logger.org.alfresco.web.ui.repo.tag.PageTag=debug
#log4j.logger.org.alfresco.web.bean.clipboard=debug
log4j.logger.org.alfresco.repo.webservice=info
log4j.logger.org.alfresco.service.descriptor.DescriptorService=info
#log4j.logger.org.alfresco.web.page=debug

log4j.logger.org.alfresco.repo.importer.ImporterBootstrap=error
#log4j.logger.org.alfresco.repo.importer.ImporterBootstrap=info

log4j.logger.org.alfresco.web.ui.common.Utils=error
#log4j.logger.org.alfresco.web.ui.common.Utils=info

log4j.logger.org.alfresco.repo.admin.patch.PatchExecuter=info
log4j.logger.org.alfresco.repo.domain.patch.ibatis.PatchDAOImpl=info

# Specific patches
log4j.logger.org.alfresco.repo.admin.patch.impl.DeploymentMigrationPatch=info
log4j.logger.org.alfresco.repo.version.VersionMigrator=info
log4j.logger.org.alfresco.repo.admin.patch.impl.ResetWCMToGroupBasedPermissionsPatch=info

log4j.logger.org.alfresco.repo.module.ModuleServiceImpl=info
log4j.logger.org.alfresco.repo.domain.schema.SchemaBootstrap=info
log4j.logger.org.alfresco.repo.admin.ConfigurationChecker=info
log4j.logger.org.alfresco.repo.node.index.AbstractReindexComponent=warn
log4j.logger.org.alfresco.repo.node.index.IndexTransactionTracker=warn
log4j.logger.org.alfresco.repo.node.index.FullIndexRecoveryComponent=info
log4j.logger.org.alfresco.repo.node.index.AVMFullIndexRecoveryComponent=info
log4j.logger.org.alfresco.util.OpenOfficeConnectionTester=info
log4j.logger.org.alfresco.repo.node.db.hibernate.HibernateNodeDaoServiceImpl=warn
log4j.logger.org.alfresco.repo.domain.hibernate.DirtySessionMethodInterceptor=warn
log4j.logger.org.alfresco.repo.transaction.RetryingTransactionHelper=warn
log4j.logger.org.alfresco.util.transaction.SpringAwareUserTransaction.trace=warn
log4j.logger.org.alfresco.util.AbstractTriggerBean=warn
log4j.logger.org.alfresco.repo.jgroups.AlfrescoJGroupsChannelFactory=info
log4j.logger.org.alfresco.enterprise.repo.cache.jgroups.JGroupsKeepAliveHeartbeatReceiver=info
log4j.logger.org.alfresco.repo.version.Version2ServiceImpl=warn

#log4j.logger.org.alfresco.web.app.DebugPhaseListener=debug
#log4j.logger.org.alfresco.repo.cache.EhCacheTracerJob=debug

log4j.logger.org.alfresco.repo.workflow=info

# CIFS server debugging
log4j.logger.org.alfresco.smb.protocol=error
#log4j.logger.org.alfresco.smb.protocol.auth=debug
#log4j.logger.org.alfresco.acegi=debug

# FTP server debugging
log4j.logger.org.alfresco.ftp.protocol=error
#log4j.logger.org.alfresco.ftp.server=debug

# WebDAV debugging
#log4j.logger.org.alfresco.webdav.protocol=debug
log4j.logger.org.alfresco.webdav.protocol=error

# NTLM servlet filters
#log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug

# Kerberos servlet filters
#log4j.logger.org.alfresco.web.app.servlet.KerberosAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter=debug

# File servers
log4j.logger.org.alfresco.fileserver=warn

# Repo filesystem debug logging
#log4j.logger.org.alfresco.filesys.repo.ContentDiskDriver=debug

# AVM filesystem debug logging
#log4j.logger.org.alfresco.filesys.avm.AVMDiskDriver=debug

# Integrity message threshold - if 'failOnViolation' is off, then WARNINGS are generated
log4j.logger.org.alfresco.repo.node.integrity=ERROR

# Indexer debugging
log4j.logger.org.alfresco.repo.search.Indexer=error
#log4j.logger.org.alfresco.repo.search.Indexer=debug

log4j.logger.org.alfresco.repo.search.impl.lucene.index=error
log4j.logger.org.alfresco.repo.search.impl.lucene.fts.FullTextSearchIndexerImpl=warn
#log4j.logger.org.alfresco.repo.search.impl.lucene.index=DEBUG

# Audit debugging
# log4j.logger.org.alfresco.repo.audit=DEBUG
# log4j.logger.org.alfresco.repo.audit.model=DEBUG

# Forms debugging
# log4j.logger.org.alfresco.web.forms=debug
# log4j.logger.org.chiba.xml.xforms=debug
log4j.logger.org.alfresco.web.forms.xforms.XFormsBean=error
log4j.logger.org.alfresco.web.forms.XSLTRenderingEngine=error

# Property sheet and modelling debugging
# change to error to hide the warnings about missing properties and associations
log4j.logger.alfresco.missingProperties=warn
log4j.logger.org.alfresco.web.ui.repo.component.property.UIChildAssociation=warn
log4j.logger.org.alfresco.web.ui.repo.component.property.UIAssociation=warn
#log4j.logger.org.alfresco.web.ui.repo.component.property=debug

# Dictionary/Model debugging
log4j.logger.org.alfresco.repo.dictionary=warn
log4j.logger.org.alfresco.repo.dictionary.types.period=warn

# Virtualization Server Registry
log4j.logger.org.alfresco.mbeans.VirtServerRegistry=error

# Spring context runtime property setter
log4j.logger.org.alfresco.util.RuntimeSystemPropertiesSetter=info

# Debugging options for clustering
log4j.logger.org.alfresco.repo.content.ReplicatingContentStore=error
log4j.logger.org.alfresco.repo.content.replication=error

#log4j.logger.org.alfresco.repo.deploy.DeploymentServiceImpl=debug

# Activity service
log4j.logger.org.alfresco.repo.activities=warn

# User usage tracking
log4j.logger.org.alfresco.repo.usage=info

# Sharepoint
log4j.logger.org.alfresco.module.vti=info

# Forms Engine
log4j.logger.org.alfresco.repo.forms=info
log4j.logger.org.alfresco.web.config.forms=info
log4j.logger.org.alfresco.web.scripts.forms=info

# CMIS
log4j.logger.org.alfresco.opencmis=error
log4j.logger.org.alfresco.opencmis.AlfrescoCmisServiceInterceptor=error
log4j.logger.org.alfresco.cmis=error
log4j.logger.org.alfresco.cmis.dictionary=warn
log4j.logger.org.apache.chemistry.opencmis=info

# IMAP
log4j.logger.org.alfresco.repo.imap=info

# JBPM
# Note: non-fatal errors (eg. logged during job execution) should be handled by Alfresco's retrying transaction handler
log4j.logger.org.jbpm.graph.def.GraphElement=fatal

#log4j.logger.org.alfresco.repo.googledocs=debug

###### Scripting #######

# Web Framework
log4j.logger.org.springframework.extensions.webscripts=info
log4j.logger.org.springframework.extensions.webscripts.ScriptLogger=warn
log4j.logger.org.springframework.extensions.webscripts.ScriptDebugger=off

# Repository
log4j.logger.org.alfresco.repo.web.scripts=warn
log4j.logger.org.alfresco.repo.web.scripts.BaseWebScriptTest=info
log4j.logger.org.alfresco.repo.web.scripts.AlfrescoRhinoScriptDebugger=off
log4j.logger.org.alfresco.repo.jscript=error
log4j.logger.org.alfresco.repo.jscript.ScriptLogger=warn
log4j.logger.org.alfresco.repo.cmis.rest.CMISTest=info

log4j.logger.org.alfresco.repo.avm.actions=info

# Freemarker
# Note the freemarker.runtime logger is used to log non-fatal errors that are handled by Alfresco's retrying transaction handler
log4j.logger.freemarker.runtime=

# Metadata extraction
log4j.logger.org.alfresco.repo.content.metadata.AbstractMappingMetadataExtracter=warn

# Reduces PDFont error level due to ALF-7105
log4j.logger.org.apache.pdfbox.pdmodel.font.PDSimpleFont=fatal
log4j.logger.org.apache.pdfbox.pdmodel.font.PDFont=fatal
log4j.logger.org.apache.pdfbox.pdmodel.font.PDCIDFont=fatal

# no index support
log4j.logger.org.alfresco.repo.search.impl.noindex.NoIndexIndexer=fatal
log4j.logger.org.alfresco.repo.search.impl.noindex.NoIndexSearchService=fatal

my alfresco-global.properties file:


###############################
## Common Alfresco Properties #
###############################

dir.root=D:/Alfresco/alf_data

alfresco.context=alfresco
alfresco.host=127.0.0.1
alfresco.port=8080
alfresco.protocol=http

share.context=share
share.host=127.0.0.1
share.port=8080
share.protocol=http

### database connection properties ###
db.driver=org.postgresql.Driver
db.username=alfresco
db.password=badrad
db.name=alfresco
db.url=jdbc:postgresql://localhost:5432/${db.name}

### FTP Server Configuration ###
ftp.enabled=false
ftp.port=21
ftp.ipv6.enabled=false

### RMI service ports ###
alfresco.rmi.services.port=50500
avm.rmi.service.port=0
avmsync.rmi.service.port=0
attribute.rmi.service.port=0
authentication.rmi.service.port=0
repo.rmi.service.port=0
action.rmi.service.port=0
deployment.rmi.service.port=0

### External executable locations ###
ooo.exe=D:/Alfresco/openoffice/App/openoffice/program/soffice.exe
ooo.enabled=true
ooo.port=8100
ooo.port=8100
img.root=D:/Alfresco/imagemagick
img.dyn=${img.root}/lib
img.exe=${img.root}/convert
swf.exe=D:/Alfresco/swftools/pdf2swf.exe
jodconverter.enabled=false
jodconverter.officeHome=D:/Alfresco/openoffice/App/openoffice
jodconverter.portNumbers=8100

### Initial admin password ###
alfresco_user_store.adminpassword=22fcc53f3b6898fdfe5014575e66b9bf

### E-mail site invitation setting ###
notification.email.siteinvite=false

### File Protocol Root ###
protocols.rootPath=/${spaces.company_home.childname}/${spaces.sites.childname}

### License location ###
dir.license.external=D:/Alfresco

### Solr indexing ###
index.subsystem.name=solr
dir.keystore=${dir.root}/keystore
solr.port.ssl=8443

### BPM Engine ###
system.workflow.engine.jbpm.enabled=false

### Authentication ###
authentication.chain=passthru1:passthru,ldap-ad1:ldap-ad

### Passthru Config ###
passthru.authentication.useLocalServer=false
passthru.authentication.domain=mydomain
passthru.authentication.servers=mydomain\\myserver1.mydomain.org,myserver2.mydomain.org
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator,admin,e453595
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true
ntlm.uthentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false

### LDAP-AD Auth ###
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain
#ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://myserver.mydomain.org:389
ldap.authentication.java.naming.security.authentication=simple
#ldap.authentication.escapeCommasInBind=false
#ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator,admin,e453595

### LDAP-AD Synch ###
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=e453595@mydomain.org
ldap.synchronization.java.naming.security.credentials=********
#ldap.synchronization.queryBatchSize=1000
#ldap.synchronization.attributeBatchSize=1000
#ldap.synchronization.groupQuery=(objectclass\=6000 - Radiology Global Groups,OU=2010 RADIOLOGY DEPARTMENT - Dept Managed)
#ldap.synchronization.groupDifferentialQuery=(&(objectclass\=6000 - Radiology Global Groups)(!(modifyTimestamp<\={0})))
#ldap.synchronization.personQuery=(&(objectclass\=2010 RADIOLOGY DEPARTMENT - Dept Managed,)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
#ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=6000 - Radiology Global Groups,OU\=2010 RADIOLOGY DEPARTMENT - Dept Managed,DC=mydomain,DC=org
ldap.synchronization.userSearchBase=CN=WVUser,OU=6000 - Radiology Global Groups,OU=2010 RADIOLOGY DEPARTMENT - Dept Managed,DC=mydomain,DC=org
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=stProcessLevel
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

Outcomes