Two suggestions.
2. Have you tried to follow "Example: authentication and synchronization with one ldap-ad subsystem" in the Alfresco Documentation?
2. Does your security principal have access to read all properties in LDAP? You should run a test to make sure that the user can query LDAP properly using a test tool.
What LDAP system/server are you using?
I note you have used "ldap.synchronization.java.naming.security.authentication=simple". This is not recommended.
I am not sure why you have used all the settings that you have. The example provided in point 1 should allow you to synchronise.
I have set up the authentication chain as:
authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru,ad1:ldap-ad
The passthru allows users to open office documents without prompting for credentials and therefore I also set ldap.authentication.active=false
The other point I thought looked odd is the domain qualifications. I use ou=People,dc=xyz,dc=abc,dc=mycompany,dc=com as per example.
1. I have tried that suggestion and all sorts of stuff I found while browsing for hints. But I will try again from the beginning.
2. The user I am using has all the properties on LDAP (after I get it working I will make a new one just for Alfresco).
I am using Active Directory Users and Computers Version: 5.2.3790.3959 on a Windows Server 2003 R2 x64.
OK, let us know how you go. I am using Windows Active Directory and have got it working seamlessly. Happy to help if you need more information.
Please also refer to https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
Use the tool LDP included with Windows server 2003. Follow the instructions in the link above to validate your ldap user and password and access.
Hi Antonio,
I use the ldap client "apache directory studio" to test my ldap connection and queries.
My ldap configuration differs in
ldap.authentication.java.naming.provider.url=ldap://myad:389
I had to use the fully qualified name in the URL ldap://myad.mydom:389
Created an extra AD user for ldap sync "ldap.alfresco" which is referred to as
ldap.synchronization.java.naming.security.principal=ldap.alfresco@mydom
The user has to be in the appropriate groups if your AD is ACLed in some way. Normally it just has to be a Domain user.
Here are the only values I set (changed to example domain dom.local, domaincontroller server is dc).
I use the searchbase dc=dom,dc=local because some users are in a special OU, and I wanted to import only users with an email address - you should adapt this.
DC is windows 2012, alfresco (5.2.0 r135134-b14) uses ubuntu 16.04.2 LTS
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@dom.local
ldap.authentication.java.naming.provider.url=ldap://dc.dom.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldap.alfresco@dom.local
ldap.synchronization.java.naming.security.credentials=XXXXXXXX
ldap.synchronization.groupSearchBase=dc=dom,dc=local
ldap.synchronization.userSearchBase=dc=dom,dc=local
#group Type = global groups
ldap.synchronization.groupQuery=(&((objectClass=group)(groupType:1.2.840.113556.1.4.803:=2)))
ldap.synchronization.groupDifferentialQuery=(&((objectClass=group)(groupType:1.2.840.113556.1.4.803:=2)))
#only enabled users with mail address
ldap.synchronization.personQuery=(&((objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*)))
ldap.synchronization.personDifferentialQuery=(&((objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*)))
### Sync Settings ###
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?
This is the setup of my test system. So differential queries are the same as the full queries...
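As an added illustration (not part of the post above), the following Python evaluates the bitwise matching rule used in those queries (OID 1.2.840.113556.1.4.803, LDAP_MATCHING_RULE_BIT_AND, which matches when all mask bits are set) against a constructed set of AD entries. It shows that the posted personQuery, which only tests userAccountControl bit 512 (NORMAL_ACCOUNT), also admits disabled accounts (bit 2, ACCOUNTDISABLE, e.g. value 514), and that the usual extra clause `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` excludes them; the entries, names and the ENABLED_PERSON_FILTER string are constructed for this example.

```python
# Constructed example: how the AD bitwise filters in the posted sync config
# select entries.  Not Alfresco code; the sample directory below is made up.
NORMAL_ACCOUNT = 0x0200      # userAccountControl bit tested by the posted query
ACCOUNTDISABLE = 0x0002      # userAccountControl bit the posted query ignores
GLOBAL_GROUP = 0x0002        # groupType bit tested by the posted groupQuery

# The posted filter with the disabled-account exclusion added (RFC 4515 form).
ENABLED_PERSON_FILTER = (
    "(&(objectClass=person)"
    "(userAccountControl:1.2.840.113556.1.4.803:=512)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(mail=*@*))"
)

# Constructed sample entries; AD stores groupType as a signed 32-bit integer,
# so a global security group (0x80000002) appears as -2147483646.
ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["person", "user"],
     "userAccountControl": 512, "mail": "alice@dom.local"},
    {"sAMAccountName": "bob", "objectClass": ["person", "user"],
     "userAccountControl": 514, "mail": "bob@dom.local"},      # disabled
    {"sAMAccountName": "svc-backup", "objectClass": ["person", "user"],
     "userAccountControl": 66048, "mail": None},               # no mail
    {"sAMAccountName": "Domain Users", "objectClass": ["group"],
     "groupType": -2147483646},                                # global security
    {"sAMAccountName": "Marketing DL", "objectClass": ["group"],
     "groupType": 8},                                          # universal dist.
]

def bit_and(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND: true when every bit of mask is set."""
    return (value & mask) == mask

def has_mail(entry):
    """Equivalent of the substring filter (mail=*@*)."""
    return entry.get("mail") is not None and "@" in entry["mail"]

def person_query_as_posted(e):
    return ("person" in e["objectClass"]
            and bit_and(e["userAccountControl"], NORMAL_ACCOUNT) and has_mail(e))

def person_query_enabled(e):
    """As posted, plus the (!(userAccountControl:...:=2)) exclusion."""
    return (person_query_as_posted(e)
            and not bit_and(e["userAccountControl"], ACCOUNTDISABLE))

def group_query(e):
    return "group" in e["objectClass"] and bit_and(e["groupType"], GLOBAL_GROUP)

def select(predicate):
    """Names of the constructed entries a filter would return."""
    return [e["sAMAccountName"] for e in ENTRIES if predicate(e)]
```

Running `select(person_query_as_posted)` returns both alice and the disabled bob, while `select(person_query_enabled)` returns alice only.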
Got it working with pass-through. Thanks all for the help.