
Selective group synchronization failure using OpenLDAP

Question asked by lcandido on Aug 22, 2012
Hi everyone!

We have several Alfresco Community 3.4.d installations on the RHEL platform with OpenLDAP authorization for people and groups. It seemed that everything was working fine, but when configuring access groups for some spaces, we found that several groups in OpenLDAP were not listed in Alfresco and it wasn't possible to find them by searching in "Manage Space Users" of any space.

The most astonishing fact is that groups belonging to the same directory branch may or may not synchronize with Alfresco. At least this is a consistent situation: those that synchronize always do, and those that don't never do. An example: "cn=operrj,ou=CPRJ,ou=Unix,ou=Global,dc=gov,dc=br" and "cn=monrj,ou=CPRJ,ou=Unix,ou=Global,dc=gov,dc=br": the first one is listed in Groups Management "Show All" and is retrieved when searched for, and the second isn't.

The file ldap-authentication.properties seems to be OK (it's shown below), and we have even re-deployed the alfresco.war file to replace the webapps/alfresco folder and perform an all-new OpenLDAP synchronization, but it was not successful.

Does anyone have any suggestion about this phenomenon?

Thanks,


ldap-authentication.properties

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
#ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://mmldap.prevnet:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=candido.borges
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=uid\=alfrescoadmin,ou\=Users,ou\=Global,dc\=gov,dc\=br
ldap.synchronization.java.naming.security.credentials=<secret>
ldap.synchronization.queryBatchSize=30
#ldap.synchronization.attributeBatchSize=0
ldap.synchronization.groupQuery=(objectclass\=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=posixGroup)(phpgwAccountType=g)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
# attribute name corrected below: the posted file had the typo "phpgwAcconutType"
ldap.synchronization.personDifferentialQuery=(&(objectclass\=posixAccount)(phpgwAccountType=u)(accountStatus=active)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc\=gov,dc\=br
ldap.synchronization.userSearchBase=dc\=gov,dc\=br
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=false
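A diagnostic that can be run over an LDIF export of the groups, added here as an example and not part of the original post: it applies the two group filters from the posted configuration (the full groupQuery, and the differential query's extra phpgwAccountType=g clause, with the modifyTimestamp term left out) to every entry and reports groups that only the full query matches, plus cn values shared by more than one group, which is worth checking because cn is the configured groupIdAttributeName. The LDIF below is a constructed sample; the real input would be the output of ldapsearch against the configured search base.

```python
from collections import Counter
# Constructed sample export (not data from the post); a real run would use
# the output of: ldapsearch -LLL -b dc=gov,dc=br "(objectclass=posixGroup)"
SAMPLE_LDIF = """\
dn: cn=operrj,ou=CPRJ,ou=Unix,ou=Global,dc=gov,dc=br
objectClass: posixGroup
cn: operrj
phpgwAccountType: g

dn: cn=monrj,ou=CPRJ,ou=Unix,ou=Global,dc=gov,dc=br
objectClass: posixGroup
cn: monrj

dn: cn=operrj,ou=Other,ou=Global,dc=gov,dc=br
objectClass: posixGroup
cn: operrj
phpgwAccountType: g
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; attrs lower-cased, folded lines joined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith(" ") and last:        # continuation of previous value
            current[last][-1] += raw[1:]
        else:
            attr, sep, value = raw.partition(":")
            last = attr.strip().lower() if sep and not value.startswith(":") else None
            if last:                              # malformed and base64 lines skipped
                current.setdefault(last, []).append(value.strip())
    return entries

def matches_filter(entry, differential=False):
    """groupQuery is (objectclass=posixGroup); groupDifferentialQuery additionally
    requires phpgwAccountType=g (its modifyTimestamp clause is not evaluated here)."""
    values = lambda attr: [v.lower() for v in entry.get(attr, [])]
    return "posixgroup" in values("objectclass") and (
        not differential or "g" in values("phpgwaccounttype"))

def audit_groups(ldif_text):
    """Groups only the full query matches, plus cn values shared by several groups."""
    groups = [e for e in parse_ldif(ldif_text) if matches_filter(e)]
    only_full = [e["dn"][0] for e in groups if not matches_filter(e, differential=True)]
    cn_counts = Counter(e["cn"][0].lower() for e in groups if "cn" in e)
    duplicates = sorted(cn for cn, n in cn_counts.items() if n > 1)
    return {"only_full_query": only_full, "duplicate_cn": duplicates}
```

A group reported under only_full_query is picked up by a full synchronization but skipped by a differential one, so it can appear or disappear depending on which kind of run last touched it.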
