AnsweredAssumed Answered

ldap-ad network configuration - need to specify domain controller ip

Question asked by skushnerenko on Apr 19, 2018
Latest reply on Oct 1, 2018 by skushnerenko

We have specific installation of Alfresco 5.2.d repository where primary domain controller, identified by domain name is unavailabe by its ip, available is only secondary domain controller host. 

So, we have domain some.com.ua and the command telnet some.com.ua 389  results in

telnet some.com.ua 389
Trying 10.36.0.1...
Trying 10.44.0.2...
Connected to some.com.ua.

primary domain controller ip 10.36.0.1 is unavailable from alfresco host .  We tried to manage this by putting to parameter ldap.authentication.java.naming.provider.url  host  ldap.some.com.ua which is resolved as available 10.44.0.2 

ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389

but with no luck, alfresco sometimes (not regurlaly) still gives syncronization error: some.com.ua:389 Connection timed out

If ldap is ldap.some.com.ua:389, why is it connecting to some.com.ua:389 ?

It is possible. that reason of the error is not that I supposed but some other.

The error log is 

2018-03-23 22:19:22,007 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-7] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 022365714 Error during LDAP Search. Reason:null
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1326)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:711)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:996)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:742)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:471)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:53)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:555)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:49)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]]
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1307)
... 9 more
Caused by: javax.naming.CommunicationException: some.com.ua:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
at com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
... 13 more
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at java.net.Socket.<init>(Socket.java:434)
at java.net.Socket.<init>(Socket.java:211)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:64)
at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:115)
at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:132)
at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:329)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1606)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
at javax.naming.spi.NamingManager.processURL(NamingManager.java:381)
at javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:361)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:333)
at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
... 16 more

Below is part of alfresco-global.properties  for AD

 

#AD
ldap.authentication.active=true
ldap.synchronization.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
ldap.authentication.allowGuestLogin=false
#OU
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap.some.com.ua:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.authentication=simple

ldap.authentication.defaultAdministratorUserNames=adsedtest
ldap.synchronization.java.naming.security.principal=some_ldap@some.com.ua
ldap.synchronization.java.naming.security.credentials=rfsdf34gfdgd
ldap.synchronization.queryBatchSize=1000

ldap.synchronization.attributeBatchSize=1000

ldap.synchronization.groupQuery=(&(objectclass\=group)(CN\=webadmin))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0}))(CN\=webadmin))
ldap.synchronization.personQuery=(&(objectclass\=user)(samAccountType=805306368)(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(samAccountType=805306368)(!(whenChanged<\={0}))(!(CN\=admin))(!(CN\=robot))(!(CN\=Guest)))
ldap.synchronization.groupSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.userSearchBase=dc\=some,dc\=com,dc\=ua
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.authentication.java.naming.read.timeout=0
ldap.synchronization.userAccountStatusProperty=ds-pwp-account-disabled
ldap.synchronization.disabledAccountPropertyValue=true

ldap.synchronization.userFirstNameAttributeName=givenName

ldap.synchronization.userLastNameAttributeName=sn

ldap.synchronization.userEmailAttributeName=mail

ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.groupIdAttributeName=cn

ldap.synchronization.groupMemberAttributeName=member

ldap.synchronization.enableProgressEstimation=true

ldap.pooling.com.sun.jndi.ldap.connect.pool.debug=all

synchronization.allowDeletions=false
synchronization.autoCreatePeopleOnLogin=true
synchronization.synchronizeChangesOnly=true
synchronization.syncOnStartup=true
synchronization.syncWhenMissingPeopleLogIn=true

synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap1

# sync every 15 minutes
synchronization.import.cron=0 0/15 * * * ?

Outcomes