ldap-ad network configuration - need to specify domain controller ip

skushnerenko
Active Member II

We have a specific installation of the Alfresco 5.2.d repository where the primary domain controller, identified by domain name, is unavailable by its IP; only the secondary domain controller host is available.

So, we have the domain some.com.ua and the command telnet some.com.ua 389 results in

telnet some.com.ua 389
Trying 10.36.0.1...
Trying 10.44.0.2...
Connected to some.com.ua.

The primary domain controller IP 10.36.0.1 is unavailable from the Alfresco host. We tried to manage this by putting into the parameter ldap.authentication.java.naming.provider.url the host ldap.some.com.ua, which is resolved to the available 10.44.0.2:

ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389

but with no luck; Alfresco sometimes (not regularly) still gives a synchronization error: some.com.ua:389 Connection timed out

If the LDAP URL is ldap.some.com.ua:389, why is it connecting to some.com.ua:389?

It is possible that the reason for the error is not what I supposed but something else.

The error log is 

2018-03-23 22:19:22,007 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-7] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 022365714 Error during LDAP Search. Reason:null
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1326)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:711)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:996)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:742)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:471)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:53)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:555)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:49)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]]
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1307)
... 9 more
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
... 13 more
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at java.net.Socket.<init>(Socket.java:434)
at java.net.Socket.<init>(Socket.java:211)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:64)
at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:115)
at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:132)
at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:329)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1606)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
... 16 more

Below is the part of alfresco-global.properties for AD:

#AD
ldap.authentication.active=true
ldap.synchronization.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.allowGuestLogin=false
#OU
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple

ldap.authentication.defaultAdministratorUserNames=adsedtest
ldap.synchronization.java.naming.security.principal=some_ldap@some.com.ua
ldap.synchronization.java.naming.security.credentials=rfsdf34gfdgd
ldap.synchronization.queryBatchSize=1000

ldap.synchronization.attributeBatchSize=1000

ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0}))(CN\=webadmin))
ldap.synchronization.personQuery=(&(objectclass\=user)(samAccountType=805306368)(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(samAccountType=805306368)(!(whenChanged<\={0}))(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.groupSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.userSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true

ldap.synchronization.userFirstNameAttributeName=givenName

ldap.synchronization.userLastNameAttributeName=sn

ldap.synchronization.userEmailAttributeName=mail

ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn

ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.enableProgressEstimation=true

ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=all

synchronization.allowDeletions=false
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=true
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1

# sync every 15 minutes
synchronization.import.cron=0 0/15 * * * ?
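The properties fragment above mixes connection, credential and logging settings that are easy to skim past. The following script is an added example (not Alfresco code and not from the poster) that reads a java.util.Properties-style fragment with the backslash-escaped "=" characters seen in the search bases and queries, then flags the settings a defender would review before going live: a simple bind over plain ldap://, a cleartext bind password in the file, a read timeout of 0 (which JNDI treats as "wait forever"), and connection-pool debug output set to "all". The sample text is constructed from the thread's properties with the password replaced by a placeholder.

```python
"""Lint an Alfresco ldap-ad properties fragment for settings worth reviewing.

Added example, not Alfresco code. SAMPLE_PROPERTIES is constructed from the
properties posted in the thread; the credential is a placeholder.
"""
import re

SAMPLE_PROPERTIES = r"""
#AD
ldap.authentication.active=true
ldap.synchronization.active=true
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=some_ldap@some.com.ua
ldap.synchronization.java.naming.security.credentials=<PLACEHOLDER_PASSWORD>
ldap.authentication.java.naming.read.timeout=0
ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=all
ldap.synchronization.groupSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
"""


def _unescape(s):
    """Drop the backslash that java.util.Properties uses to protect '=' / ':'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_properties(text):
    """Minimal java.util.Properties reader: comments, key=value, escaped separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Key runs up to the first unescaped '=' or ':'; the rest is the value.
        m = re.match(r"((?:\\.|[^=:])*)[=:]?(.*)", line)
        props[_unescape(m.group(1).strip())] = _unescape(m.group(2).strip())
    return props


def lint(props):
    """Return (key, finding) pairs for settings a defender should review."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth_keys = [k for k in props if k.endswith("java.naming.security.authentication")]
    simple_bind = any(props[k].lower() == "simple" for k in auth_keys)

    if url.lower().startswith("ldap://") and simple_bind:
        findings.append(("ldap.authentication.java.naming.provider.url",
                         "simple bind over plain ldap:// sends the bind password "
                         "unencrypted on the wire; prefer ldaps:// to the DC"))

    cred_key = "ldap.synchronization.java.naming.security.credentials"
    if props.get(cred_key):
        findings.append((cred_key,
                         "bind password stored in cleartext; restrict file "
                         "permissions and use a least-privilege sync account"))

    timeout_key = "ldap.authentication.java.naming.read.timeout"
    if props.get(timeout_key) == "0":
        findings.append((timeout_key,
                         "0 disables the JNDI read timeout, so a stalled DC can "
                         "hang the sync thread indefinitely"))

    debug_key = "ldap.pooling.com.sun.jndi.ldap.connect.pool.debug"
    if props.get(debug_key, "").lower() == "all":
        findings.append((debug_key,
                         "pool debug 'all' writes verbose JNDI pool tracing to "
                         "the log; turn it off once the issue is diagnosed"))
    return findings


if __name__ == "__main__":
    for key, msg in lint(parse_properties(SAMPLE_PROPERTIES)):
        print(f"{key}: {msg}")
```

The parser deliberately unescapes the search bases, so `dc\=some,dc\=com,dc\=ua` comes back as the DN Alfresco will actually use; that makes it easy to diff the effective values against what the directory team expects.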

3 Replies
skushnerenko
Active Member II

Re: ldap-ad network configuration - need to specify domain controller ip

We still suffer from the problem with AD synchronization.

As I have found, Alfresco during synchronization not only connects to the domain controller "ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389", but somehow also connects to the domain name "some.com.ua".

And in the case when we have a few domain controllers and not all of them are accessible from the Alfresco host, we have errors in alfresco.log, which are in the starting message.

cesarista
Customer

Re: ldap-ad network configuration - need to specify domain controller ip

Hi Sergei:

If you have problems resolving the ldap.some.co.ua server with your config, you can help Alfresco by setting the IP directly or assigning it in /etc/hosts temporarily. This should allow you to go ahead and see if the rest of the sync configuration is working.

Regards. 

--C. 

skushnerenko
Active Member II

Re: ldap-ad network configuration - need to specify domain controller ip

Thank you for your reply. My problem is that the real cause of the situation is too complicated and not as obvious as might be supposed at first glance.

You see, setting the IP directly does not solve the problem, because AD synchronization connects not only to the host indicated by the parameter (ldap.some.com.ua), but somehow also connects to the domain by name (some.com.ua), which it should not connect to.

AD synchronization should connect to ldap.some.com.ua but also connects to some.com.ua !!!!

This is a proven fact, which I observed twice in different network infrastructures.

To sum up, when the AD configuration has several AD controllers and only part of them are accessible from the Alfresco host, whatever we indicate in the parameter ldap.authentication.java.naming.provider.url, host or IP directly, we periodically observe errors in the synchronization log:

Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]

It can be solved by adding a line in /etc/hosts for the domain name some.com.ua and an accessible IP, but the operating system is not ours and the system admin prohibits doing this.
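The stack trace in the opening post already answers the question raised here and in the first post (why a connection to some.com.ua appears when the provider URL names ldap.some.com.ua): the failing socket is opened from `LdapReferralException.getReferralContext` → `LdapReferralContext.<init>`, i.e. while JNDI is following a referral that the directory returned for the search, not while connecting to the configured URL. The script below is an added example (not Alfresco code and not from any poster) that reads a trace like the one posted, splits it into its "Caused by" chain, extracts the host:port of the failed connection, compares it with the configured provider URL, and reports whether referral-chasing frames are present. The trace text is a constructed excerpt of the one in the thread.

```python
"""Attribute a failed LDAP sync connection to the provider URL or to a referral.

Added example, not Alfresco code. SAMPLE_TRACE is a constructed excerpt of the
stack trace posted in the thread; CONFIGURED_URL is the thread's provider URL.
"""
import re
from urllib.parse import urlparse

SAMPLE_TRACE = """\
org.alfresco.error.AlfrescoRuntimeException: 022365714 Error during LDAP Search. Reason:null
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1326)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]]
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
"""

CONFIGURED_URL = "ldap://ldap.some.com.ua:389"

# JDK frames that only appear when JNDI is chasing an LDAP referral.
REFERRAL_FRAMES = (
    "com.sun.jndi.ldap.LdapReferralContext",
    "com.sun.jndi.ldap.LdapReferralException",
    "AbstractLdapNamingEnumeration.hasMoreReferrals",
)


def split_causes(trace):
    """Split a Java stack trace into its exception sections, outermost first."""
    sections, current = [], []
    for line in trace.splitlines():
        if line.startswith("Caused by:") and current:
            sections.append(current)
            current = []
        current.append(line)
    if current:
        sections.append(current)
    return sections


def analyse(trace, configured_url):
    """Return where the failed socket went and whether a referral caused it."""
    parsed = urlparse(configured_url)
    configured = (parsed.hostname, parsed.port or 389)

    # CommunicationException names the host:port JNDI could not reach.
    m = re.search(r"CommunicationException: ([\w.\-]+):(\d+)", trace)
    target = (m.group(1), int(m.group(2))) if m else None

    root_line = split_causes(trace)[-1][0]
    prefix = "Caused by: "
    root = root_line[len(prefix):] if root_line.startswith(prefix) else root_line

    return {
        "failed_target": target,
        "matches_configured_url": target == configured,
        "via_referral": any(frame in trace for frame in REFERRAL_FRAMES),
        "root_cause": root,
    }


def explain(result):
    """One-line verdict for an operator reading the sync log."""
    host = "%s:%d" % result["failed_target"] if result["failed_target"] else "unknown"
    if result["via_referral"] and not result["matches_configured_url"]:
        return (f"connection to {host} was opened while following a referral, "
                f"not from the configured provider URL")
    if result["matches_configured_url"]:
        return f"connection to the configured provider URL {host} failed"
    return f"connection to {host} failed; origin not identified"


if __name__ == "__main__":
    print(explain(analyse(SAMPLE_TRACE, CONFIGURED_URL)))
```

When the verdict is "opened while following a referral", the configured URL is not the knob to turn: JNDI's `java.naming.referral` environment property (values `follow`, `ignore`, `throw`) controls whether those extra connections are attempted at all, and Alfresco passes `ldap.synchronization.java.naming.*` settings through to JNDI; check whether your 5.2 ldap-ad subsystem exposes a referral property before relying on it. Because the referral target is the domain name, a DNS answer that includes unreachable DC addresses produces exactly the intermittent timeouts described here, without any change to the provider URL.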