
LDAP Full Synchronization Problem - Binding to LDAP servers

Question asked by pre on Nov 16, 2010
Latest reply on Nov 19, 2010 by pre
I'm using the community version 3.4.a on Suse 11.3. As a user I'm able to log in and authenticate against the LDAP-Server, but no
group/user synchronization happens (on startup).

Authentication is failing because of:
alfresco.log on server 1 (141.57.26.99):

10:12:49,679 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronizing users and groups with user registry 'ldap1'
10:12:49,687 INFO  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all groups from user registry 'ldap1'
10:12:49,735 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 10160000 LDAP authentication failed.


ldap.log on server 2 (141.57.26.98):


alfresco starts:
Nov 16 10:10:40 bor slapd[27662]: conn=6524 fd=19 ACCEPT from IP=141.57.26.99:52526 (IP=0.0.0.0:389)
Nov 16 10:10:40 bor slapd[27662]: conn=6524 op=0 BIND dn="cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" method=128
Nov 16 10:10:40 bor slapd[27662]: conn=6524 op=0 BIND dn="cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" mech=SIMPLE ssf=0
Nov 16 10:10:40 bor slapd[27662]: conn=6524 op=0 RESULT tag=97 err=0 text=


alfresco is trying to sync:
Nov 16 10:12:34 bor slapd[27662]: conn=6550 fd=22 ACCEPT from IP=141.57.26.99:52549 (IP=0.0.0.0:389)
Nov 16 10:12:34 bor slapd[27662]: conn=6550 op=0 BIND dn="" method=128
Nov 16 10:12:34 bor slapd[27662]: conn=6550 op=0 RESULT tag=97 err=0 text=
Nov 16 10:12:34 bor slapd[27662]: conn=6551 fd=25 ACCEPT from IP=141.57.26.99:52550 (IP=0.0.0.0:389)
Nov 16 10:12:34 bor slapd[27662]: conn=6551 op=0 do_bind: invalid dn (daftAsABrush)
Nov 16 10:12:34 bor slapd[27662]: conn=6551 op=0 RESULT tag=97 err=34 text=invalid DN
Nov 16 10:12:34 bor slapd[27662]: conn=6551 fd=25 closed (connection lost)
Nov 16 10:12:34 bor slapd[27662]: conn=6552 fd=25 ACCEPT from IP=141.57.26.99:52551 (IP=0.0.0.0:389)
Nov 16 10:12:34 bor slapd[27662]: conn=6552 op=0 BIND dn="cn=daftAsABrush,dc=woof" method=128
Nov 16 10:12:34 bor slapd[27662]: conn=6552 op=0 RESULT tag=97 err=49 text=
Nov 16 10:12:34 bor slapd[27662]: conn=6552 fd=25 closed (connection lost)
Nov 16 10:12:34 bor slapd[27662]: conn=6553 fd=25 ACCEPT from IP=141.57.26.99:52552 (IP=0.0.0.0:389)
Nov 16 10:12:34 bor slapd[27662]: conn=6553 op=0 BIND dn="cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" method=128
Nov 16 10:12:34 bor slapd[27662]: conn=6553 op=0 RESULT tag=97 err=49 text=
Nov 16 10:12:34 bor slapd[27662]: conn=6553 fd=25 closed (connection lost)
Nov 16 10:12:42 bor slapd[27662]: conn=6554 fd=25 ACCEPT from IP=141.57.26.99:52555 (IP=0.0.0.0:389)
Nov 16 10:12:42 bor slapd[27662]: conn=6554 op=0 BIND dn="cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" method=128
Nov 16 10:12:42 bor slapd[27662]: conn=6554 op=0 RESULT tag=97 err=49 text=
Nov 16 10:12:42 bor slapd[27662]: conn=6554 fd=25 closed (connection lost)

A successful user login looks like this:
ldap.log on server 2:
Nov 16 10:19:20 bor slapd[27662]: conn=6629 fd=22 ACCEPT from IP=141.57.26.99:57580 (IP=0.0.0.0:389)
Nov 16 10:19:20 bor slapd[27662]: conn=6629 op=0 BIND dn="uid=pre,ou=users,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" method=128
Nov 16 10:19:20 bor slapd[27662]: conn=6629 op=0 BIND dn="uid=pre,ou=users,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" mech=SIMPLE ssf=0
Nov 16 10:19:20 bor slapd[27662]: conn=6629 op=0 RESULT tag=97 err=0 text=
Nov 16 10:19:20 bor slapd[27662]: conn=6629 op=1 UNBIND
Nov 16 10:19:20 bor slapd[27662]: conn=6629 fd=22 closed

The principal is able to contact the LDAP server (ldapsearch, ldapwhoami … are working fine) - BUT no group and user synchronization happens.

At the end my alfresco-global.properties file:

### ldap configuration ###
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.synchronization.active=true
ldap.authentication.userNameFormat=uid=%s,ou=users,dc=paes,dc=eit,dc=htwk-leipzig,dc=de
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://141.57.26.98:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Manager,pre,tpreuss
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de
ldap.synchronization.java.naming.security.credentials=<secret password>

ldap.synchronization.queryBatchSize=1000

ldap.synchronization.groupQuery=(objectclass=posixGroup)
ldap.synchronization.groupSearchBase=ou=groups,dc=paes,dc=eit,dc=htwk-leipzig,dc=de
ldap.synchronization.userSearchBase=ou=users,dc=paes,dc=eit,dc=htwk-leipzig,dc=de
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true

synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

I've searched the internet, finding the same questions, but no answers. Interesting is the second entry in the ldap.log file in the case of a successful login:

Nov 16 10:10:40 bor slapd[27662]: conn=6524 op=0 BIND dn="cn=Manager,dc=paes,dc=eit,dc=htwk-leipzig,dc=de" mech=SIMPLE ssf=0

That line does not appear in the phase when Alfresco is trying to sync the groups and users. I assume that when Alfresco starts, the connection to the LDAP server is made; afterwards Alfresco tries to synchronize without sending the password credentials again, but the LDAP server has lost the earlier connection?

How can I bind alfresco to the LDAP server during the start procedure of alfresco?

Any help is appreciated!
