
Alfresco Community Version 4.2.c and Active Directory

Question asked by glenc2004 on Jun 10, 2013
Latest reply on Jul 7, 2015 by sscbrian
Hello all. I hope everyone is well. I just started to configure Alfresco 4.2.c and am trying to integrate it with Active Directory. I'm having issues trying to sync the groups, and since I am having issues, I can't seem to get everyone over to Alfresco so they can log in, etc. So, first off, here is what I have:

——————————————————–
AD:

Windows 2008 R2
Users: cn=users,dc=company,dc=com
Groups: cn=users,dc=company,dc=com

Alfresco Server:

CentOS 6.4
Version 4.2.c

——————————————————–

The error I'm receiving:

2013-06-10 13:03:26,773  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'DnsAdmins' with distinguished name: CN=XXXXX XXXXX,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com

——————————————————–

Here is an LDIF of the group:

dn: CN=DnsAdmins,CN=Users,DC=company,DC=com
objectClass: top
objectClass: group
cn: DnsAdmins
description: DNS Administrators Group
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=xxx,OU=Users,OU=City,DC=company,DC=com
member: CN=dnsuser dnsuser,CN=Users,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=xxx xxx,OU=Information Systems,OU=Users,OU=City,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
distinguishedName: CN=DnsAdmins,CN=Users,DC=company,DC=com
instanceType: 4
whenCreated: xxxx
whenChanged: xxxxxx
uSNCreated: 21016
uSNChanged: 54848339
name: DnsAdmins
objectGUID:: xxxxx
objectSid:: xxxxxx
sAMAccountName: DnsAdmins
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=company,DC=com
dSCorePropagationData: 20110228172317.0Z
dSCorePropagationData: 20110228172311.0Z
dSCorePropagationData: 20110228171706.0Z
dSCorePropagationData: 20110228171633.0Z
dSCorePropagationData: 16010714223649.0Z

——————————————————–

This is my config file I'm using:

<TOP>/alfresco-4.2.c/tomcat/shared/classes/alfresco-global.properties

### LDAP ###
authentication.chain=passthru1:passthru,ldap1:ldap

passthru.authentication.sso.enabled=false
passthru.authentication.allowGuestLogin=false
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=false
passthru.authentication.servers=XX.X.X.13,XX.X.X.14
passthru.authentication.domain=company.com
passthru.authentication.useLocalServer=false
passthru.authentication.defaultAdministratorUserNames=privuser
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NETBIOS

ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://XX.X.X.13:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=privuser@company.com
ldap.synchronization.java.naming.security.credentials=secretpw
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupDifferentialQuery=(&(objectclass=nogroup)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(& (objectclass=user)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupSearchBase=cn\=users,dc=company,dc=com
ldap.synchronization.userSearchBase=cn\=users,dc=company,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=msExchALObjectVersion
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=Nogroup
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member

synchronization.synchronizeChangesOnly=true
cifs.enabled=false

——————————————————–

I know it has something to do with the group members and references into other groups/OU's. But I have read so many blogs, forums and such on this subject and I'm just so totally confused now. I'm not an LDAP expert and the search strings and such confuse me so much. I am also not a windows admin. Just a lonely UNIX admin. I'm just looking for someone who would want to share their working configuration. Anyone?

(Of course I had to clean up the output so as not to put anything out there about the internals of my company.)

Thanks!

Glen
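Added diagnostic (my own example, not code from the post or from Alfresco): the member DNs named in the warning above live under OU=Users,OU=Information Systems,OU=City,DC=company,DC=com, while both ldap.synchronization.userSearchBase and groupSearchBase in the posted config are cn=users,dc=company,dc=com. A search scoped to that base cannot return entries that sit outside its subtree, so a quick offline check of the group LDIF against the configured bases shows which members the synchronizer has no way to find. The script below parses a constructed copy of the DnsAdmins LDIF (names blanked as in the post, including the stray-space member line), normalizes DNs the way AD compares them (case-insensitive, whitespace around separators ignored), and lists members under neither base. The search-base values are taken from the posted properties file with the backslash escapes removed; everything else is assumed for illustration.

```python
"""Which members of an AD group lie outside the LDAP search bases Alfresco's
synchronizer is configured with?  Runs offline against an embedded LDIF sample."""

from typing import List, Tuple

RDN = Tuple[str, str]

# Constructed sample input: the DnsAdmins LDIF from the post, names blanked as
# there, including the member line with a stray space before a comma.
SAMPLE_LDIF = """\
dn: CN=DnsAdmins,CN=Users,DC=company,DC=com
objectClass: top
objectClass: group
cn: DnsAdmins
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company,DC=com
member: CN=dnsuser dnsuser,CN=Users,DC=company,DC=com
member: CN=xxx xxx,OU=Users,OU=Information Systems,OU=City,DC=company ,DC=com
member: CN=nested,CN=Users,DC=company,DC=com
"""

# Values from the alfresco-global.properties in the post, backslash escapes removed.
USER_SEARCH_BASE = "cn=users,dc=company,dc=com"
GROUP_SEARCH_BASE = "cn=users,dc=company,dc=com"


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash (RFC 4514)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> List[RDN]:
    """Canonical form for comparison: attribute types and values lower-cased,
    whitespace around '=' and ',' dropped.  AD matches DN components
    case-insensitively, so 'CN=Users' and 'cn=users' must compare equal."""
    rdns = []
    for part in split_rdns(dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn is a strict descendant of base, i.e. what a subtree search
    rooted at base can return."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def ldif_values(ldif: str, attribute: str) -> List[str]:
    """Collect every value of `attribute` from a single-entry LDIF, folding
    continuation lines (lines beginning with a space) as RFC 2849 requires."""
    unfolded: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    want = attribute.lower() + ":"
    return [l.split(":", 1)[1].strip() for l in unfolded if l.lower().startswith(want)]


def unresolvable_members(ldif: str, user_base: str, group_base: str) -> List[str]:
    """Members whose DN is under neither search base; a base-scoped lookup
    cannot find them, which matches the 'Failed to resolve member' situation."""
    return [m for m in ldif_values(ldif, "member")
            if not (is_under(m, user_base) or is_under(m, group_base))]


if __name__ == "__main__":
    for dn in unresolvable_members(SAMPLE_LDIF, USER_SEARCH_BASE, GROUP_SEARCH_BASE):
        print("outside search bases:", dn)
```

Run against the sample, the two members under OU=City are reported and the two under CN=Users are not; re-run with both bases set to dc=company,dc=com and nothing is reported. The check only tells you which members a base-scoped query cannot reach; whether to widen the bases to the domain root (and rely on personQuery/groupQuery to filter) or to keep a narrow base and accept that cross-OU members are dropped is a decision for the directory owner, not something the script decides.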
