AnsweredAssumed Answered

mon premier sentiment sur alfresco

Question asked by azertyuiop on Jul 10, 2008
Latest reply on Jul 11, 2008 by michaelh
Bonjour,

je teste actuellement Alfresco (2.9B) ainsi que d'autre produits open source ou non.

Après les quelques jours passés à faire l'installation et a tester, mon sentiment est plus que mitigé sur ce produit , notamment

-La version 2.9B (dernière release stable open source) date de décembre 2007
-il semble que La version 2.9C promise ne sortira jamais (malgré ce qui avait été annoncé)
-la version entreprise (2.2 qui correspond en fait à la 2.9 !!!) contient de nombreux fix qui ne seront donc jamais portés sur la version libre 2.9
-je ne comprend pas le choix d'avoir 2 repositorys SVN distincts dont un privé. les gens autorisés a modifier le code sont uniquement des employés d'alfresco (a confirmer?)
-l'absence de roadmap claire et stable.
-il est difficile de trouver de l'information, la documentation est confuse, légére et parfois contradictoire (on se sait pas forcement quelle version est concernée par le document ou la page wiki)
-L'activité des forums est peu importante (FR et EN), beaucoup de post restent sans réponse.
-il faut donc se résigner à acheter cette version entreprise (je ne parle pas de support mais bien de la version avec les bugs corrigés) ou bien à installer une version non maintenue (2.9b) ou encore une version HEAD complètement instable (3)

On est très loin de la philosophie du logiciel libre et le seul professionnalisme semble se résumer au marketing et à la communication.
Ce constat me fait m'interroger sur le support apporté par Alfresco et ses nombreux partenaires :
- existe-il une documentation entreprise plus complète ?
- le niveau de support est-il convenable ou reflète-t-il celui de la communauté ?
- quel sont les orientations et la stratégie d'Alfresco a long terme ? vendre un produit propriétaire ou faire du service ? cela n'est pas du tout clair.

Sinon, d'un  point de vue technique, le produit semble correct et bien pensé mais pas assez optimisé, en effet il est très gourmand en ressources.
quelques remarques quand même :
-bug avec Firefox 3 (liste de choix d'espace)
-quelle est l'utilité de la synchro LDAP, pourquoi ne pas requêter au besoin directement dans l'annuaire ?
-limitation de la synchro LDAP des users et groupes (paging et nombre de résultats maximum côté serveur)
-authentification LDAP avec search+bind pour des users présents dans plusieurs noeuds du LDAP (trivial a faire, demandé depuis longtemps dans les forums et toujours pas implémenté !)

Je vais maintenant évaluer d'autres produits concurrents: MOSS, nuxeo (qui semble très propre au premier abord) et exoplatform

@+


Ci dessous le code permettant de synchroniser un grand nombre de user (22000 pour moi avec un LDAP active directory qui retourne au maximum 1000 résultats)

LDAPPersonPagingExportSource.java

package org.alfresco.repo.security.authentication.ldap;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;

import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

import org.alfresco.model.ContentModel;
import org.alfresco.repo.importer.ExportSource;
import org.alfresco.repo.importer.ExportSourceImporterException;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.namespace.NamespaceService;
import org.alfresco.service.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dom4j.io.XMLWriter;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.AttributesImpl;

// http://forum.java.sun.com/thread.jspa?threadID=578347&tstart=0
public class LDAPPersonPagingExportSource implements ExportSource {
   private static Log s_logger = LogFactory.getLog(LDAPPersonPagingExportSource.class);

   private Map<String, String> initialDirContextEnvironment = Collections.<String, String> emptyMap();

   private String personQuery = "(objectclass=inetOrgPerson)";

   private String searchBase;

   private String userIdAttributeName;

   private PersonService personService;

   private Map<String, String> attributeMapping;

   private NamespaceService namespaceService;

   private Map<String, String> attributeDefaults;

   private boolean errorOnMissingUID;

   public LDAPPersonPagingExportSource() {
      super();
   }

   public void setInitialDirContextEnvironment(Map<String, String> initialDirContextEnvironment){
      this.initialDirContextEnvironment = initialDirContextEnvironment;
   }

   public Map<String, String> getInitialDirContextEnvironment() {
      return initialDirContextEnvironment;
   }

   public void setPersonQuery(String personQuery) {
      this.personQuery = personQuery;
   }

   public void setSearchBase(String searchBase) {
      this.searchBase = searchBase;
   }

   public void setUserIdAttributeName(String userIdAttributeName) {
      this.userIdAttributeName = userIdAttributeName;
   }

   //
   // public void setLDAPInitialDirContextFactory(LDAPContextFactory
   // ldapInitialDirContextFactory) {
   // this.ldapInitialContextFactory = ldapInitialDirContextFactory;
   // }

   public void setPersonService(PersonService personService) {
      this.personService = personService;
   }

   public void setAttributeDefaults(Map<String, String> attributeDefaults) {
      this.attributeDefaults = attributeDefaults;
   }

   public void setNamespaceService(NamespaceService namespaceService) {
      this.namespaceService = namespaceService;
   }

   public void setAttributeMapping(Map<String, String> attributeMapping) {
      this.attributeMapping = attributeMapping;
   }

   public void setErrorOnMissingUID(boolean errorOnMissingUID) {
      this.errorOnMissingUID = errorOnMissingUID;
   }

   public void generateExport(XMLWriter writer) {
      long start = System.currentTimeMillis();
      s_logger.debug("—— Start USER Export —— " );
      
      
      QName nodeUUID = QName.createQName("sys:node-uuid", namespaceService);

      Collection<String> prefixes = namespaceService.getPrefixes();
      QName childQName = QName.createQName(NamespaceService.REPOSITORY_VIEW_PREFIX, "childName", namespaceService);

      try {
         AttributesImpl attrs = new AttributesImpl();
         attrs.addAttribute(NamespaceService.REPOSITORY_VIEW_1_0_URI, childQName.getLocalName(), childQName.toPrefixString(), null, ContentModel.TYPE_PERSON
               .toPrefixString(namespaceService));

         writer.startDocument();

         for (String prefix : prefixes) {
            if (!prefix.equals("xml")) {
               String uri = namespaceService.getNamespaceURI(prefix);
               writer.startPrefixMapping(prefix, uri);
            }
         }

         writer.startElement(NamespaceService.REPOSITORY_VIEW_PREFIX, "view", NamespaceService.REPOSITORY_VIEW_PREFIX + ":" + "view", new AttributesImpl());

         HashSet<String> uids = new HashSet<String>();

         LdapContext ctx = null;//
         try {
            ctx = getLdapContext();//

            // Authentication has been successful.
            // Set the current user, they are now authenticated.

            SearchControls userSearchCtls = new SearchControls();
            userSearchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            userSearchCtls.setCountLimit(Integer.MAX_VALUE);

            int pageSize = 1000;//
            byte[] cookie = null;//
            Control[] ctls = new Control[] { new PagedResultsControl(pageSize, false) };//
            ctx.setRequestControls(ctls);//
            // int totalResults = 0;//

            do {
               NamingEnumeration results = ctx.search(searchBase, personQuery, userSearchCtls);
               // loop through the results in each page
               RESULT_LOOP: while (results != null && results.hasMoreElements()) {
                  // SearchResult sr = (SearchResult) results.next();
                  // System.out.println("name: " + sr.getName());
                  // totalResults++;
                  SearchResult result = (SearchResult) results.next();
                  Attributes attributes = result.getAttributes();
                  Attribute uidAttribute = attributes.get(userIdAttributeName);
                  if (uidAttribute == null) {
                     if (errorOnMissingUID) {
                        throw new ExportSourceImporterException("User returned by user search does not have mandatory user id attribute " + attributes);
                     } else {
                        s_logger.warn("User returned by user search does not have mandatory user id attribute " + attributes);
                        continue RESULT_LOOP;
                     }
                  }
                  String uid = (String) uidAttribute.get(0);

                  if (uids.contains(uid)) {
                     s_logger.warn("Duplicate uid found - there will be more than one person object for this user - " + uid);
                  }

                  uids.add(uid);

                  if (s_logger.isDebugEnabled()) {
                     s_logger.debug("Adding user for " + uid);
                  }

                  writer.startElement(ContentModel.TYPE_PERSON.getNamespaceURI(), ContentModel.TYPE_PERSON.getLocalName(), ContentModel.TYPE_PERSON
                        .toPrefixString(namespaceService), attrs);

                  // permissions

                  // owner

                  writer.startElement(ContentModel.ASPECT_OWNABLE.getNamespaceURI(), ContentModel.ASPECT_OWNABLE.getLocalName(),
                        ContentModel.ASPECT_OWNABLE.toPrefixString(namespaceService), new AttributesImpl());

                  writer.endElement(ContentModel.ASPECT_OWNABLE.getNamespaceURI(), ContentModel.ASPECT_OWNABLE.getLocalName(),
                        ContentModel.ASPECT_OWNABLE.toPrefixString(namespaceService));

                  writer.startElement(ContentModel.PROP_OWNER.getNamespaceURI(), ContentModel.PROP_OWNER.getLocalName(), ContentModel.PROP_OWNER
                        .toPrefixString(namespaceService), new AttributesImpl());

                  writer.characters(uid.toCharArray(), 0, uid.length());

                  writer.endElement(ContentModel.PROP_OWNER.getNamespaceURI(), ContentModel.PROP_OWNER.getLocalName(), ContentModel.PROP_OWNER
                        .toPrefixString(namespaceService));

                  for (String key : attributeMapping.keySet()) {
                     QName keyQName = QName.createQName(key, namespaceService);

                     writer.startElement(keyQName.getNamespaceURI(), keyQName.getLocalName(), keyQName.toPrefixString(namespaceService),
                           new AttributesImpl());

                     // cater for null
                     String attributeName = attributeMapping.get(key);
                     if (attributeName != null) {
                        Attribute attribute = attributes.get(attributeName);
                        if (attribute != null) {
                           String value = (String) attribute.get(0);
                           if (value != null) {
                              writer.characters(value.toCharArray(), 0, value.length());
                           }
                        } else {
                           String defaultValue = attributeDefaults.get(key);
                           if (defaultValue != null) {
                              writer.characters(defaultValue.toCharArray(), 0, defaultValue.length());
                           }
                        }
                     } else {
                        String defaultValue = attributeDefaults.get(key);
                        if (defaultValue != null) {
                           writer.characters(defaultValue.toCharArray(), 0, defaultValue.length());
                        }
                     }

                     writer.endElement(keyQName.getNamespaceURI(), keyQName.getLocalName(), keyQName.toPrefixString(namespaceService));
                  }

                  if (personService.personExists(uid)) {
                     String uguid = personService.getPerson(uid).getId();

                     writer.startElement(nodeUUID.getNamespaceURI(), nodeUUID.getLocalName(), nodeUUID.toPrefixString(namespaceService),
                           new AttributesImpl());

                     writer.characters(uguid.toCharArray(), 0, uguid.length());

                     writer.endElement(nodeUUID.getNamespaceURI(), nodeUUID.getLocalName(), nodeUUID.toPrefixString(namespaceService));
                  }
                  writer.endElement(ContentModel.TYPE_PERSON.getNamespaceURI(), ContentModel.TYPE_PERSON.getLocalName(), ContentModel.TYPE_PERSON
                        .toPrefixString(namespaceService));

               }

               // examine the response controls
               cookie = parseControls(ctx.getResponseControls());
               // pass the cookie back to the server for the next page
               ctx.setRequestControls(new Control[] { new PagedResultsControl(pageSize, cookie, Control.CRITICAL) });

            } while ((cookie != null) && (cookie.length != 0));

         } catch (NamingException e) {
            throw new ExportSourceImporterException("Failed to import people.", e);
         } catch (java.io.IOException e) {
            throw new ExportSourceImporterException("Failed to import people.", e);
         } finally {
            if (ctx != null) {
               try {
                  ctx.close();
               } catch (NamingException e) {
                  throw new ExportSourceImporterException("Failed to import people.", e);
               }
            }
         }

         for (String prefix : prefixes) {
            if (!prefix.equals("xml")) {
               writer.endPrefixMapping(prefix);
            }
         }

         writer.endElement(NamespaceService.REPOSITORY_VIEW_PREFIX, "view", NamespaceService.REPOSITORY_VIEW_PREFIX + ":" + "view");

         writer.endDocument();
      } catch (SAXException e) {
         
         throw new ExportSourceImporterException("Failed to create file for import.", e);
      }finally{
         s_logger.debug("—— End USER Export —— durée:" + (System.currentTimeMillis()-start));
      }
      
   }
 

   private static byte[] parseControls(Control[] controls) throws NamingException {

      byte[] cookie = null;

      if (controls != null) {

         for (int i = 0; i < controls.length; i++) {
            if (controls[i] instanceof PagedResultsResponseControl) {
               PagedResultsResponseControl prrc = (PagedResultsResponseControl) controls[i];
               cookie = prrc.getCookie();
            }
         }
      }

      return (cookie == null) ? new byte[0] : cookie;
   }
   
   public LdapContext getLdapContext() throws AuthenticationException {
      Hashtable<String, String> env = new Hashtable<String, String>(getInitialDirContextEnvironment().size());
      env.putAll(getInitialDirContextEnvironment());
      env.put("javax.security.auth.useSubjectCredsOnly", "false");
      try {
         return new InitialLdapContext(env, null);
      } catch (javax.naming.AuthenticationException ax) {
         throw new AuthenticationException("LDAP authentication failed.", ax);
      } catch (NamingException nx) {
         throw new AuthenticationException("Unable to connect to LDAP Server; check LDAP configuration", nx);
      }
   }
   
}


ldap-synchronisation-context.xml

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
   <bean name="ldapSynchronisationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
       <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property> 
        <property name="locations">
           <list>   
               <value>classpath:alfresco/extension/ldap-synchronisation.properties</value>
               <value>classpath:alfresco/extension/ldap-authentication.properties</value>
           </list>
   </property>
    </bean>
   
    <!–
      Wire up the same context as used for LDAP authentication. You could use another context: just replace this
       alias with the bean definition
    –>
   
    <alias alias="ldapSyncInitialDirContextFactory" name="ldapInitialDirContextFactory"/>
  



    <!– Ldap Syncronisation support –>
   
    <!–
       
    There can be more than one stack of beans that import users or groups. For example, it may be easier
    to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory
    from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore
    users found else where. The same applies to the import of groups.
        
    The defaults shown below are for OpenLDAP.   
       
    –>
       
  
    <!– Extract user information from LDAP and transform this to XML –>
    
    <bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonPagingExportSource">

    <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>

                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>

                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>

                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>

                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
            </map>
        </property>




        <!–
        The query to select objects that represent the users to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=inetOrgPerson)
       
        For Active Directory:
        (objectclass=user)
        –>
        <property name="personQuery">
            <value>${ldap.synchronisation.personQuery}</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>${ldap.synchronisation.personSearchBase}</value>
        </property>
       
        <!–
        The unique identifier for the user.
       
        THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT   
       
        For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
       
        In OpenLDAP, using other authentication mechanisms "uid", but this depends on how you map
        from the id in the LDAP authentication request to search for the inetOrgPerson against which
        to authenticate.
       
        In Active Directory this is most likely to be "sAMAccountName"
       
        This property is mandatory and must appear on all users found by the query defined above.
       
        –>
        <property name="userIdAttributeName">
            <value>${ldap.synchronisation.userIdAttributeName}</value>
        </property>
       
        <!– Services
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapSyncInitialDirContextFactory"/>
        </property>–>
        <property name="personService">
            <ref bean="personService"></ref>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        This property defines a mapping between attributes held on LDAP user objects and
        the properties of user objects held in the repository. The key is the QName of an attribute in
        the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
        LDAP repository.    
        –>
        <property name="attributeMapping">
            <map>
                <entry key="cm:userName">
                    <!– Must match the same attribute as userIdAttributeName –>
                    <value>${ldap.synchronisation.userIdAttributeName}</value>
                </entry>
                <entry key="cm:firstName">
                    <!– OpenLDAP: "givenName" –>
                    <!– Active Directory: "givenName" –>
                    <value>${ldap.synchronisation.userFirstNameAttributeName}</value>
                </entry>
                <entry key="cm:lastName">
                    <!– OpenLDAP: "sn" –>
                    <!– Active Directory: "sn" –>
                    <value>${ldap.synchronisation.userLastNameAttributeName}</value>
                </entry>
                <entry key="cm:email">
                    <!– OpenLDAP: "mail" –>
                    <!– Active Directory: "???" –>
                    <value>${ldap.synchronisation.userEmailAttributeName}</value>
                </entry>
                <entry key="cm:organizationId">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <!– <value>${ldap.synchronisation.userOrganizationalIdAttributeName}</value>–>
                       <value>AAA</value>
                </entry>
                <!– Always use the default –>
                <entry key="cm:homeFolderProvider">
                    <null/>
                </entry>
            </map>
        </property>
        <!– Set a default home folder provider –>
        <!– Defaults only apply for values above –>
        <property name="attributeDefaults">
            <map>
                <entry key="cm:homeFolderProvider">
                    <!–<value>${ldap.synchronisation.defaultHomeFolderProvider}</value>–>
         <null/>
                </entry>
            </map>
        </property>
    </bean>
   
    <!– Extract group information from LDAP and transform this to XML –>
   
    <bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
        <!–
        The query to select objects that represent the groups to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=groupOfNames)
       
        For Active Directory:
        (objectclass=group)
        –>
        <property name="groupQuery">
            <value>${ldap.synchronisation.groupQuery}</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>${ldap.synchronisation.groupSearchBase}</value>
        </property>
       
        <!–
        The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above.
        –>
        <property name="userIdAttributeName">
            <value>${ldap.synchronisation.userIdAttributeName}</value>
        </property>
       
        <!–
        An attribute that is a unique identifier for each group found.
        This is also the name of the group with the current group implementation.
        This is mandatory for any groups found.
       
        OpenLDAP: "cn" as it is mandatory on groupOfNames
        Active Directory: "cn"
       
        –>
        <property name="groupIdAttributeName">
            <value>${ldap.synchronisation.groupIdAttributeName}</value>
        </property>
       
        <!–
        The objectClass attribute for group members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a group.
        –>
        <property name="groupType">
            <value>${ldap.synchronisation.groupType}</value>
        </property>
       
        <!–
        The objectClass attribute for person members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a person.
        –>
        <property name="personType">
            <value>${ldap.synchronisation.personType}</value>
        </property>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapSyncInitialDirContextFactory"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        The repeating attribute on group objects (found by query or as sub groups)
        used to define membership of the group. This is assumed to hold distinguished names of
        other groups or users/people; the above types are used to determine this.
       
        OpenLDAP: "member" as it is mandatory on groupOfNames
        Active Directory: "member"
       
        –>
        <property name="memberAttribute">
            <value>${ldap.synchronisation.groupMemberAttributeName}</value>
        </property>
       
        <property name="authorityDAO">
            <ref bean="authorityDAO"/>
        </property>
    </bean>
   
    <!– Job definitions to import LDAP people and groups –>
    <!– The triggers register themselves with the scheduler –>
    <!– You may comment in the default scheduler to enable these triggers –>
    <!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
   
    <!– Trigger to load poeple –>
    <!– Note you can have more than one initial (context, trigger, import job and export source) set –>
    <!– This would allow you to load people from more than one ldap store –>
   
    <bean id="ldapPeopleTrigger" class="org.alfresco.util.CronTriggerBean">
        <property name="jobDetail">
            <bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapPeopleImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <property name="cronExpression">
         <value>${ldap.synchronisation.import.person.cron}</value>
      </property>
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
    </bean>
   
    <bean id="ldapGroupTrigger" class="org.alfresco.util.CronTriggerBean">
        <property name="jobDetail">
            <bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapGroupImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <property name="cronExpression">
         <value>${ldap.synchronisation.import.group.cron}</value>
      </property>
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
    </bean>
  
    <!– The bean that imports xml describing people –>
   
    <bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapPeopleExportSource"/>
        </property>

        <!– The store that contains people - this should not be changed –>
        <property name="storeRef">
            <value>${spaces.store}</value>
        </property>
       
        <!– The location of people nodes within the store defined above - this should not be changed –>
        <property name="path">
            <value>/${system.system_container.childname}/${system.people_container.childname}</value>
        </property>
       
        <!– If true, clear all existing people before import, if false update/add people from the xml –>
        <property name="clearAllChildren">
            <value>false</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
       
        <property name="caches">
            <set>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
    </bean>
   
    <!– The bean that imports xml descibing groups –>
   
    <bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapGroupExportSource"/>
        </property>
        <!– The store that contains group information - this should not be changed –>
        <property name="storeRef">
            <value>${alfresco_user_store.store}</value>
        </property>
       
        <!– The location of group information in the store above - this should not be changed –>
        <property name="path">
            <value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
        </property>
       
        <!– If true, clear all existing groups before import, if false update/add groups from the xml –>
        <property name="clearAllChildren">
            <value>${ldap.synchronisation.import.group.clearAllChildren}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
        <!– caches to clear on import of groups –>
        <property name="caches">
            <set>
                <ref bean="userToAuthorityCache"/>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
       
        <!– userToAuthorityCache –>
    </bean>
   
</beans>

Outcomes