Alfresco 5.2 synchronization

michael_s1
Active Member

Re: Alfresco 5.2 synchronization

Two suggestions.

1. Have you tried to follow Example: authentication and synchronization with one ldap-ad subsystem | Alfresco Documentation?

2. Does your security principal have access to read all properties in LDAP?  You should run a test to make sure that the user can query LDAP properly using a test tool.

What LDAP system/server are you using?

I note you have used "ldap.synchronization.java.naming.security.authentication=simple".  This is not recommended.

I am not sure why you have used all the settings that you have.  The example provided in point 1 should allow you to synchronise.

I have set up the authentication chain as:

authentication.chain=alfinst:alfrescoNtlm,passthru1:passthru,ad1:ldap-ad

The passthru allows users to open office documents without prompting for credentials and therefore I also set ldap.authentication.active=false

The other point I thought looked odd is the domain qualifications.  I use ou=People,dc=xyz,dc=abc,dc=mycompany,dc=com   as per example.

amarques
Active Member

Re: Alfresco 5.2 synchronization

1. I have tried that suggestion and all sorts of stuff I found while browsing for hints. But will try again from the beginning.

2. The user I am using has all the properties on LDAP (after I do it OK I will make a new one just for Alfresco).

I am using the Active Directory Users and Computers Version: 5.2.3790.3959 on a Windows Server 2003 R2 x64.

michael_s1
Active Member

Re: Alfresco 5.2 synchronization

OK, let us know how you go.  I am using Windows Active Directory and have got it working seamlessly.  Happy to help if you need more information.

Please also refer to https://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx 

Use the tool LDP included with Windows server 2003. Follow the instructions in the link above to validate your ldap user and password and access.

mehe
Senior Member II

Re: Alfresco 5.2 synchronization

Hi Antonio,

I use the ldap client "apache directory studio" to test my ldap connection and queries.

My ldap configuration differs in

ldap.authentication.java.naming.provider.url=ldap://myad:389

 

I had to use the fully qualified name in the URL ldap://myad.mydom:389

Created an extra AD user for ldap sync "ldap.alfresco" which is referred to as

ldap.synchronization.java.naming.security.principal=ldap.alfresco@mydom

 

The user has to be in the corresponding groups if your AD is ACLed in some way. Normally it just has to be a Domain user.

Here are the only values I set (changed to example domain dom.local, domaincontroller server is dc).

I use searchbase dc=dom,dc=local because some users are in a special ou and wanted to import only users with email address - you should adapt this

DC is windows 2012, alfresco (5.2.0 r135134-b14) uses ubuntu 16.04.2 LTS

 

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@dom.local
ldap.authentication.java.naming.provider.url=ldap://dc.dom.local:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=ldap.alfresco@dom.local
ldap.synchronization.java.naming.security.credentials=XXXXXXXX

ldap.synchronization.groupSearchBase=dc=dom,dc=local
ldap.synchronization.userSearchBase=dc=dom,dc=local

#group Type = global groups
ldap.synchronization.groupQuery=(&((objectClass=group)(groupType:1.2.840.113556.1.4.803:=2)))
ldap.synchronization.groupDifferentialQuery=(&((objectClass=group)(groupType:1.2.840.113556.1.4.803:=2)))
#only enabled users with mail address
ldap.synchronization.personQuery=(&((objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*)))
ldap.synchronization.personDifferentialQuery=(&((objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=512)(mail=*@*)))

### Sync Settings ###
synchronization.synchronizeChangesOnly=false
synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?

 

 This is the setup of my test system. So differential queries are the same as the full queries...
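Added example, not part of any post in this thread and not Alfresco code: a small Python check for the kind of property lines quoted above. It flags key prefixes that are near-misses of the ones used in this thread, query filters with unbalanced parentheses, and an explicit simple bind over a plain ldap:// URL. The prefix list, function names and sample input are assumptions made for illustration.

```python
import difflib

# Assumption: key prefixes taken from the properties quoted in this thread.
KNOWN_PREFIXES = ("authentication", "synchronization",
                  "ldap.authentication", "ldap.synchronization")

def parse_properties(text):
    """Return {key: value} for key=value lines; skip blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def key_prefix(key):
    """'ldap.synchronization.x' -> 'ldap.synchronization'; 'synchronization.x' -> 'synchronization'."""
    parts = key.split(".")
    return ".".join(parts[:2]) if parts[0] == "ldap" else parts[0]

def lint(text):
    """Return a sorted list of (finding, key, detail) tuples."""
    props, findings = parse_properties(text), []
    simple = any(k.endswith("java.naming.security.authentication") and v == "simple"
                 for k, v in props.items())
    for key, value in props.items():
        prefix = key_prefix(key)
        if prefix not in KNOWN_PREFIXES:
            # A near-miss of a known prefix is most likely a typo in the key.
            match = difflib.get_close_matches(prefix, KNOWN_PREFIXES, n=1, cutoff=0.85)
            if match:
                findings.append(("misspelled-key", key, match[0]))
        if key.endswith("Query") and value.count("(") != value.count(")"):
            findings.append(("unbalanced-filter", key, value))
        if simple and key.endswith("java.naming.provider.url") and value.startswith("ldap://"):
            # Simple bind over plain ldap:// sends the bind password unencrypted.
            findings.append(("cleartext-simple-bind", key, value))
    return sorted(findings)

# Constructed sample: keys as quoted in the thread, filter deliberately truncated.
SAMPLE = """\
ldap.synchronization.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://myad:389
ldap.sychronization.java.naming.security.principal=ldap.alfresco@mydom
ldap.synchronisation.personQuery=(&(objectClass=person)(mail=*@*)
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

The cleartext check only fires when `simple` is set explicitly; it does not know the subsystem's default bind mechanism.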

amarques
Active Member

Re: Alfresco 5.2 synchronization

Got it working with pass-through. Thanks all for the help.