AnsweredAssumed Answered

How to configure full synchronization instead of incremental?

Question asked by Aleksey Bykov on Mar 7, 2017
Latest reply on Mar 10, 2017 by cesarista

AFAIK Alfresco CE at startup performs only incremental synchronization with LDAP-AD. When I installed Alfresco and configured synchronization with LDAP-AD was performed a full synchronization. All the fields that I declared was displayed in the user profile. Now, I decided to add a few more fields. For example, skype and companyfax.

 

But they are not displayed.

 

Part of the alfresco-global.properties (similarly, in /alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-ad-authentication.properties):

 

...
ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@...
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://...:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=Alfresco@...
ldap.synchronization.java.naming.security.credentials=...
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=0

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

ldap.synchronization.groupSearchBase=cn\=Builtin,dc\=...,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,dc\=...,dc\=local
#ldap.synchronization.modifyTimestampAttributeName=whenChanged
#synchronization.import.cron=* */40 * * * ?
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=Admin,BykovAN
passthru.authentication.domain=...
passthru.authentication.servers=...\\...
passthru.authentication.defaultAdministratorUserNames=Admin,BykovAN
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName

ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.synchronization.userFirstNameAttributeName=displayName
ldap.synchronization.userLastNameAttributeName=department
ldap.synchronization.userEmailAttributeName=email
ldap.synchronization.userOrganizationalIdAttributeName=department
ldap.synchronization.userJobTitleAttributeName=title
ldap.synchronization.userLocationAttributeName=description
ldap.synchronization.userTelephoneAttributeName=telephoneNumber

ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.synchronizeChangesOnly=false

#synchronization.syncWhenMissingPeopleLogIn=true
#synchronization.syncOnStartup=true
#synchronization.autoCreatePeopleOnLogin=true
...

 

In the logs I see that the synchronization is not performed:

 

 ...
 2017-03-07 10:07:39,891  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
 2017-03-07 10:07:39,921  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 01.03.2017 14:46:18 from user registry 'ldap1'
 2017-03-07 10:07:39,941  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
 2017-03-07 10:07:39,942  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
 2017-03-07 10:07:39,945  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 07.03.2017 9:13:44 from user registry 'ldap1'
 2017-03-07 10:07:39,963  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
 2017-03-07 10:07:39,963  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
 2017-03-07 10:07:39,975  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
 2017-03-07 10:07:39,976  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Processed users: 0 groups: 0
...

 

I changed LDAP queries to (removed whenChanged):

 

ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectClass\=group))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user))

 

Then restart Alfresco and each time it performs a full synchronization. It seems that now everything is OK. Or am I wrong?..

 

...
2017-03-07 11:42:30,314  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
2017-03-07 11:42:30,341  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 01.03.2017 14:46:18 from user registry 'ldap1'
2017-03-07 11:42:30,431  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Users' with distinguished name: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=...,DC=local
2017-03-07 11:42:30,431  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Users' with distinguished name: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=...,DC=local
2017-03-07 11:42:30,437  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'The performance log users' with distinguished name: CN=S-1-5-20,CN=ForeignSecurityPrincipals,DC=...,DC=local
2017-03-07 11:42:30,626  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'DCOM Users' with distinguished name: CN=PK-535-W8,OU=Computers,OU=OIT,OU=...,DC=...,DC=local
2017-03-07 11:42:30,685  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'DCOM Users' with distinguished name: CN=PK-265-XP,OU=Computers,OU=FSO,OU=...,DC=...,DC=local
2017-03-07 11:42:30,697  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Pre-Windows 2000 access' with distinguished name: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=...,DC=local
2017-03-07 11:42:30,698  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Windows authorization access group' with distinguished name: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=...,DC=local
2017-03-07 11:42:30,704  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 19 entries
2017-03-07 11:42:30,874  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 19 entries out of 19. 100% complete. Rate: 111 per second. 0 failures detected.
2017-03-07 11:42:30,875  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 19 entries
2017-03-07 11:42:30,896  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Commencing batch of 4 entries
2017-03-07 11:42:30,897  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Processed 4 entries out of 4. 100% complete. Rate: 4000 per second. 0 failures detected.
2017-03-07 11:42:30,897  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Completed batch of 4 entries
2017-03-07 11:42:30,900  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 07.03.2017 9:13:44 from user registry 'ldap1'
2017-03-07 11:42:30,939  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 529 entries
2017-03-07 11:42:32,015  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 100 entries out of 529. 19% complete. Rate: 92 per second. 0 failures detected.
2017-03-07 11:42:32,777  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 200 entries out of 529. 38% complete. Rate: 108 per second. 0 failures detected.
2017-03-07 11:42:33,426  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 300 entries out of 529. 57% complete. Rate: 120 per second. 0 failures detected.
2017-03-07 11:42:34,025  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 400 entries out of 529. 76% complete. Rate: 129 per second. 0 failures detected.
2017-03-07 11:42:34,640  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 500 entries out of 529. 95% complete. Rate: 135 per second. 0 failures detected.
2017-03-07 11:42:34,791  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 529 entries out of 529. 100% complete. Rate: 137 per second. 0 failures detected.
2017-03-07 11:42:34,791  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 529 entries
2017-03-07 11:42:34,803  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
2017-03-07 11:42:34,803  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Processed users: 529 groups: 19
...

 

How to properly configure the full synchronization at the startup? It does not work even through the schedule job (I checked).

 

I would be very grateful for the information. Thanks to all.

Outcomes