
[Resolved] Alfresco and AD: synchronisation

Question asked by boiss007 on Oct 29, 2012
Hello all!
So we have an Alfresco Community 4 in production for a small number of people, and everything was fine. We used a group grpAlfresco in the AD to limit the access during testing, but now we are "ready", so we added 800 people to the group and waited for the massive synchronisation… that didn't happen. We see little batches of 2 to 80 users being synchronized.
Now I don't have access to the AD servers (administered by another company), but I wonder if it could be the AD server configuration that is putting a limit on the synchro.

Here's some of my alfresco-global.properties

########################################
## Alfresco Authentication Settings   ##
########################################

ldap.authentication.java.naming.security.authentification=simple


ldap.authentication.java.naming.provider.url=ldap://192.168.1.247:389

ldap.authentication.userNameFormat=%s@domain

# The default authentication chain

authentication.chain=alfrescoNtlm:alfrescoNtlm,myldap-ad:ldap-ad

#alfrescoNtlm1

ntlm.authentication.sso.enabled=false

alfresco.authentication.authenticateCIFS=true

alfresco.authentication.allowGuestLogin=true

#ldap1

ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco

ldap.authentication.active=true

ldap.synchronization.active=true


#######################################
## Alfresco Synchronization Settings ##
#######################################

ldap.synchronization.java.naming.security.principal=alfresco@domain

ldap.synchronization.java.naming.security.credentials=password

# The query to select all objects that represent the groups to import.

#ldap.synchronization.groupQuery=(&(objectclass\=group))
ldap.synchronization.groupQuery=(&(objectclass\=group)(memberOf\=CN\=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))

# The query to select objects that represent the groups to import that have changed since a certain time.

#ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(\(memberOf\=CN\=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.

#ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personQuery=(&(objectclass\=user)(\(memberOf\=CN=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

#ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(\(memberOf\=CN=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))


# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.

ldap.synchronization.groupSearchBase=ou\=agence,dc\=domain,dc\=local
#ldap.synchronization.groupSearchBase=dc\=domain,dc\=local
# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.

ldap.synchronization.userSearchBase=ou=\agence,dc\=domain,dc\=local
#ldap.synchronization.userSearchBase=dc\=domain,dc\=local

# The name of the operational attribute recording the last update time for a group or user.

ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.

ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco

ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco

ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco

ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco

ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco

ldap.synchronization.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import

ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfresco

ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP

ldap.synchronization.groupType=group

# The person type in LDAP

ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members

ldap.synchronization.groupMemberAttributeName=member

synchronization.synchronizeChangesOnly=false


and some of my webapps/alfresco/WEB-INF/classes/alfresco/subsystem/Synchronisation/default/default-synchronization.properties

#
# This properties file is used to configure user registry synchronisation (e.g. LDAP)
#

# Should the scheduled sync job use differential or full queries on the user
# registries to determine the set of local users to be updated? When true,
# each user registry is only queried for those users and groups modified since
# the most recent modification date of all the objects last queried from that
# same source. When false then <i>all</i> users and groups are
# queried from the user registry and updated locally. Nevertheless, a separate
# query will be run by the scheduled sync job to determine deletions.
synchronization.synchronizeChangesOnly=false

# The cron expression defining when imports should take place
synchronization.import.cron=0 0 0 * * ?


# Should we trigger a differential sync when missing people log in?
synchronization.syncWhenMissingPeopleLogIn=true

# Should we trigger a differential sync on startup?
synchronization.syncOnStartup=true

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=true

# The number of entries to process before logging progress
synchronization.loggingInterval=100

# The number of threads to use when doing a batch (scheduled or startup) sync
synchronization.workerThreads=6

Anyone ever had that problem?  Or a hint to fix it?

Here's the relevant part of my /alfresco.log (there's no error or exception in it).

14:07:30,091 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Synchronization' subsystem, ID: [Synchronization, default]
14:07:30,225 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'myldap-ad'
14:07:30,249 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'myldap-ad'
14:07:30,339 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Found 0
14:07:30,351 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad Group Analysis: Commencing batch of 0 entries
14:07:30,353 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad Group Analysis: Completed batch of 0 entries
14:07:30,368 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 29 oct. 2012 14:02:24 from user registry 'myldap-ad'
14:07:30,408 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association: Commencing batch of 2 entries
14:07:30,446 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for **********
14:07:30,447 DEBUG [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Adding user for **********
14:07:30,454 DEBUG [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] RETRY TXNS: []
14:07:30,466 DEBUG [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association1 ready to execute
14:07:30,476 DEBUG [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user '********'
14:07:30,774 DEBUG [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Creating user '********'
14:07:31,053 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association: Processed 2 entries out of 2. 100 % complete. Rate: 3 per second. 0 failures detected.
14:07:31,054 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association: Completed batch of 2 entries
14:07:31,082 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'myldap-ad'
14:07:31,082 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 2 user(s) and 0 group(s) processed
14:07:31,094 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete

Update: Dunno why or how, but after 10 synchros where it only treated 10 users max, it went for the full 840 batch…
So nothing more to add, I'll mark the post Resolved.
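
An added example, not part of the original post and not Alfresco code: alfresco-global.properties is a Java properties file, where a backslash before an ordinary character is silently dropped, so `\(` in the person queries above reaches the directory as a plain `(`. The sketch undoes that escaping and checks each filter against the RFC 4515 shape; `java_unescape`, `check_filter` and `lint` are hypothetical helper names.

```python
import re

def java_unescape(value):
    """java.util.Properties rule: a backslash before an ordinary character is dropped
    (\\t, \\n, \\uXXXX and line continuations are not handled in this sketch)."""
    return re.sub(r"\\(.)", r"\1", value)

def check_filter(f):
    """Return None if f has the RFC 4515 shape, else (offset, reason) for the first problem."""
    def parse(i):
        if f[i:i + 1] != "(":
            raise ValueError((i, "expected '('"))
        i += 1
        if f[i:i + 1] in ("&", "|", "!"):
            op, i, n = f[i], i + 1, 0
            while f[i:i + 1] == "(":
                i, n = parse(i), n + 1
            if n == 0 or (op == "!" and n != 1):
                raise ValueError((i, "'%s' has the wrong number of sub-filters" % op))
        else:  # an item must start with an attribute name, not another '('
            start = i
            while i < len(f) and f[i] not in "()":
                i += 1
            if "=" not in f[start + 1:i]:
                raise ValueError((start, "expected attribute=value"))
        if f[i:i + 1] != ")":
            raise ValueError((i, "expected ')'"))
        return i + 1
    try:
        end = parse(0)
    except ValueError as err:
        return err.args[0]
    return None if end == len(f) else (end, "trailing characters")

# Values copied from the alfresco-global.properties in the post above.
PAGE_QUERIES = {
    "groupQuery": r"(&(objectclass\=group)(memberOf\=CN\=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))",
    "personQuery": r"(&(objectclass\=user)(\(memberOf\=CN=grpAlfresco,OU\=AGENCE,DC\=domain,DC\=local))"
                   r"(userAccountControl\:1.2.840.113556.1.4.803\:\=512))",
}

def lint(queries):
    """Map each property name to check_filter()'s verdict on its unescaped value."""
    return {name: check_filter(java_unescape(raw)) for name, raw in queries.items()}

if __name__ == "__main__":
    for name, problem in lint(PAGE_QUERIES).items():
        print(name, "OK" if problem is None else "problem at offset %d: %s" % problem)
```

The check is strict about grammar only; whether a given directory server tolerates the doubled parenthesis is not something it can tell.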

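An added example, not part of the original post: a small summarizer for the ChainingUserRegistrySynchronizer INFO lines quoted above, reporting for each run whether groups and users were fetched with an "all" query or a "changed since" query, and how large each batch was. The sample lines are copied from the post; the "Retrieving all users" wording is an assumption by analogy with the "all groups" line.

```python
import re

# INFO lines copied from the log in the post above.
SAMPLE_LOG = """\
14:07:30,225 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'myldap-ad'
14:07:30,249 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'myldap-ad'
14:07:30,351 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad Group Analysis: Commencing batch of 0 entries
14:07:30,368 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving users changed since 29 oct. 2012 14:02:24 from user registry 'myldap-ad'
14:07:30,408 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association: Commencing batch of 2 entries
14:07:31,054 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] myldap-ad User Creation and Association: Completed batch of 2 entries
14:07:31,082 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'myldap-ad'
"""

START = re.compile(r"Synchronizing users and groups with user registry '([^']+)'")
# "all users" is assumed to be worded like the "all groups" line in the post.
FULL = re.compile(r"Retrieving all (groups|users) from user registry")
DIFF = re.compile(r"Retrieving (groups|users) changed since (.+?) from user registry")
BATCH = re.compile(r"\] \S+ (.+?): Commencing batch of (\d+) entries")
END = re.compile(r"Finished synchronizing users and groups")

def summarize(log_text):
    """Return one dict per sync run: registry, query mode per object type, batch sizes."""
    runs, run = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            run = {"registry": m.group(1), "mode": {}, "since": {}, "batches": {}}
        elif run is None:
            continue  # line belongs to no sync run
        elif m := FULL.search(line):
            run["mode"][m.group(1)] = "full"
        elif m := DIFF.search(line):
            run["mode"][m.group(1)] = "differential"
            run["since"][m.group(1)] = m.group(2)
        elif m := BATCH.search(line):
            run["batches"][m.group(1)] = int(m.group(2))
        elif END.search(line):
            runs.append(run)
            run = None
    return runs

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["registry"], r["mode"], r["since"], r["batches"])
```
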