
[Workaround] LDAP group memberships not synchronized (v3.3)

Question asked by mwildam on Sep 21, 2010
Latest reply on Oct 21, 2014 by jack.chuong
We have a problem with the LDAP integration configuration - Group memberships are not synchronized - all groups are shown empty.

What may be special about our situation is that the LDAP base/root we log into and query contains two aliases of other tree nodes, which in turn contain the users and groups:

Structure is:

==> Base/root: ou=users,ou=alfresco,ou=system,o=ffg
|
+---> Alias 1: dn: ou=active,ou=users,ou=alfresco,ou=system,o=ffg
|
+---> Alias 2: dn: ou=inactive,ou=users,ou=alfresco,ou=system,o=ffg

LDAP configuration:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
# alfrescoNtlm1
alfresco.authentication.authenticateCIFS=true
# ldap1
ldap.authentication.active=true
#ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=cn=%s,ou=User,o=ffg,l=vienna,c=at
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.1.1.1:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=ldapAlfresco
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=ldapAlfresco,ou=system,o=ffg
ldap.synchronization.java.naming.security.credentials=SUPERGEHEIM
#ldap.synchronization.groupSearchBase=o=ffg,l=vienna,c=at
ldap.synchronization.groupSearchBase=ou=users,ou=alfresco,ou=system,o=ffg
#ldap.synchronization.userSearchBase=ou=User,o=ffg,l=vienna,c=at
ldap.synchronization.userSearchBase=ou=users,ou=alfresco,ou=system,o=ffg
ldap.synchronization.modifyTimestampAttributeName=midifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
#ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userIdAttributeName=cn
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
#ldap.synchronization.defaultHomeFolderProvider=ndsHomeDirectory
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupMemberAttributeName=member
#ldap.synchronization.groupMemberAttributeName=groupMembership
#ldap.synchronization.groupMemberAttributeName=cn
ldap.synchronization.groupType=groupOfNames
#ldap.synchronization.groupType=groupMembership
ldap.synchronization.personType=inetOrgPerson

Sample content with aliases resolved (using ldapsearch):
[…]
USER SAMPLE:

# testuser3, User, ffg, vienna, at
dn: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
uid: testuser3
fullName: testuser3 (c1)
sn: testuser3 (c1)
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
objectClass: Person
objectClass: Top
groupMembership: cn=grEveryone,ou=User,o=ffg,l=vienna,c=at
groupMembership: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
cn: testuser3

[…]
GROUP SAMPLE:

# grSite4D, User, ffg, vienna, at
dn: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
objectClass: groupOfNames
objectClass: Top
member: cn=testuser2,ou=User,o=ffg,l=vienna,c=at
member: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
cn: grSite4D
[…]

Notes: That ldap.synchronization.groupSearchBase is the same as ldap.synchronization.userSearchBase is not an error; it really is that way, since that root contains both users and groups.
We get the users and the groups, and users can also log in; it is just the group memberships that don't get synchronized.
The error we get on startup of Alfresco v3.3g is:
11:01:12,477 WARN  [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] Failed to resolve distinguished name: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
And we get that error for each membership. User and group aliases are correctly resolved; I don't have any idea why it does not work for the group memberships. The only idea I have is that the base name from the root login (which is a different branch of the LDAP tree) is probably used to link groups with users, which would then probably be a bug.

Interestingly, if we use "ou=user,o=ffg,l=vienna,c=at" as base/root, then the group memberships work, but then we don't see all required users (only the active ones, and we need them all).

What are we doing wrong? Or could it be a bug?
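An added diagnostic (not from this thread or from Alfresco) that reproduces the join the sync has to make: every DN in a group's member attribute must equal the DN of a user entry returned under the same search base, otherwise that membership is dropped. It parses an ldapsearch LDIF export and reports, per group, which members resolve, which exist as users but under a different DN (the alias case), and which are unknown. The LDIF is constructed from the samples in the post; testuser2's alias-branch DN is a hypothetical illustration.

```python
import re

# Constructed LDIF modelled on the ldapsearch output in the post. testuser2 is
# shown (hypothetically) with the DN under the alias branch rather than the
# real DN that the group's member attribute carries.
SAMPLE_LDIF = """\
dn: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
objectClass: inetOrgPerson
cn: testuser3

dn: cn=testuser2,ou=active,ou=users,ou=alfresco,ou=system,o=ffg
objectClass: inetOrgPerson
cn: testuser2

dn: cn=grSite4D,ou=User,o=ffg,l=vienna,c=at
objectClass: groupOfNames
member: cn=testuser2,ou=User,o=ffg,l=vienna,c=at
member: cn=testuser3,ou=User,o=ffg,l=vienna,c=at
member: cn=ghost,ou=User,o=ffg,l=vienna,c=at
cn: grSite4D
"""

def normalize_dn(dn):
    """Canonical form for DN comparison: lower-case, no blanks around ',' and '='."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(","))

def parse_ldif(text):
    """Minimal LDIF reader (no line folding, no base64): entries end at a blank line."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur: entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_memberships(entries, member_attr="member", user_id_attr="cn"):
    """Mimic the sync's join: each member DN must match a user DN from the same search."""
    users = [e for e in entries if "inetorgperson" in map(str.lower, e.get("objectclass", []))]
    groups = [e for e in entries if "groupofnames" in map(str.lower, e.get("objectclass", []))]
    by_dn = {normalize_dn(u["dn"][0]): u for u in users}
    by_id = {u[user_id_attr][0].lower(): u["dn"][0] for u in users}   # userId -> DN as found
    report = {}
    for g in groups:
        r = {"resolved": [], "other_dn": [], "unknown": []}
        for dn in g.get(member_attr, []):
            rdn_value = normalize_dn(dn).split(",")[0].split("=", 1)[1]
            if normalize_dn(dn) in by_dn:
                r["resolved"].append(by_dn[normalize_dn(dn)][user_id_attr][0])
            elif rdn_value in by_id:      # same person, but found under a different DN
                r["other_dn"].append((rdn_value, by_id[rdn_value]))
            else:
                r["unknown"].append(dn)
        report[g["cn"][0]] = r
    return report
```

Run it against a real export of both search bases: a group whose members all land in "other_dn" points at the alias/DN mismatch rather than at missing users.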
