I have set up an AD group named Alfresco which includes the users I wish to be Alfresco users. After synchronization takes place the group shows up in Alfresco but the users do not. The users set as default administrators are also not working. Here are my settings in alfresco-global.properties;
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
synchronization.synchronizeChangesOnly=false
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@gracemg.com
ldap.authentication.java.naming.provider.url=ldap://192.16.1.2:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,scamby,dhuggins
ldap.synchronization.java.naming.security.principal=administrator@gracemg.com
ldap.synchronization.java.naming.security.credentials=?????????
ldap.synchronization.groupSearchBase=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com
ldap.synchronization.userSearchBase=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com
I'm sure it probably is my SearchBase settings but I'm not sure.
For groups, your search base should most likely be OU\=Groups,DC\=Gracemg,DC\=com while for people your search base should probably be OU\=People,DC\=Gracemg,DC\=com or something similar, but it depends on how your directory is structured.
A search base is essentially telling the LDAP client code "Start looking for objects under this branch".
Understood. Basically I just want to sync that group and its members. No other groups or users need to be synced. Currently no users are being synced with the settings I have in the properties file.
If you want to sync only the users that belong to a certain group, you can specify a person query.
Here are the docs that tell you all of the LDAP config properties that are available.
And here is an example personQuery that only grabs the members of a specific group:
ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=SomeArbitraryGroup,OU=Groups,DC=someco,DC=com)(userAccountControl:1.2.840.113556.1.4.803:=512))
This assumes Active Directory, which is why the query contains those funky number dot sequences.
Still not working. Here is what the distinguished name for the group looks like;
CN=Alfresco,OU=Groups,DC=Gracemg,DC=com
Looking at LDAP I have;
So I changed the person query you mentioned to this;
ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))
I also tried this;
ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=OU\=Customer Service,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))
But I am still not getting any users to sync. No LDAP users are showing in Users under Admin Tools. The Alfresco group shows up but not any of the members;
Did you change your search base as well?
Are there any messages in the log?
Yes, and I finally got it to at least sync something. Here are my searchBase and personQuery settings;
ldap.synchronization.groupSearchBase=OU\=Customer Service,DC\=Gracemg,DC\=com
ldap.synchronization.userSearchBase=OU\=Customer Service,DC\=Gracemg,DC\=com
ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=OU\=Customer Service,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))
In the log I have;
2017-02-17 11:26:08,130 INFO Starting 'Synchronization' subsystem, ID:
2017-02-17 11:26:08,263 INFO Synchronizing users and groups with user registry 'ldap1'
2017-02-17 11:26:08,307 INFO Retrieving groups changed since Feb 14, 2017 3:49:13 PM from user registry 'ldap1'
2017-02-17 11:26:08,337 INFO Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
2017-02-17 11:26:08,340 INFO Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
2017-02-17 11:26:08,350 INFO Retrieving users changed since Feb 14, 2017 12:53:35 PM from user registry 'ldap1'
2017-02-17 11:26:08,355 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 1 entries
2017-02-17 11:26:08,731 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 1 entries out of 1. 100% complete. Rate: 2 per second. 0 failures detected.
2017-02-17 11:26:08,731 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 1 entries
2017-02-17 11:26:08,763 INFO Finished synchronizing users and groups with user registry 'ldap1'
2017-02-17 11:26:08,763 INFO 1 user(s) and 0 group(s) processed
2017-02-17 11:26:08,793 INFO Startup of 'Synchronization' subsystem, ID: complete
The 1 user that was created was "Amy Dawes" but none of the others in the Customer Service OU were created. I switched to using that OU since the Alfresco group didn't seem to be working. What if I wanted to add all users in our domain? Or multiple OUs?
Are you trying to find members of a group or people below an OU? If it is members of a group, you need to specify the group DN in the person query, not the OU. I would expect a group DN to look more like:
CN=SomeGroup,OU=Groups,DC=Gracemg,DC=com
If you want all users, just change the person query to be more general, like:
ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))
If you want all users in multiple OUs you could try:
ldap.synchronization.personQuery=(&(objectclass=user)(|(OU=Customer Services)(OU=Human Resources)(OU=Accounting))(userAccountControl:1.2.840.113556.1.4.803:=512))
This assumes your user search base is:
ldap.synchronization.userSearchBase=DC\=Gracemg,DC\=com
In your prior test you had the search base set to Customer Service, which means the only users it would ever find would be those below Customer Service.
If you want to go back to groups and you want to find members of multiple groups, just add an OR clause, like:
ldap.synchronization.personQuery=(&(objectclass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeOtherGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=YetAnotherGroup,OU\=Groups,DC\=Gracemg,DC\=com))(userAccountControl:1.2.840.113556.1.4.803:=512))
Also, regardless of what you do with your query, be sure to set the personDifferentialQuery. Using the example above, it would be something like:
ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeOtherGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=YetAnotherGroup,OU\=Groups,DC\=Gracemg,DC\=com))(userAccountControl:1.2.840.113556.1.4.803:=512)(!(whenChanged<={0})))
As you can see, it's just a matter of using the right search base and person query. I recommend getting an LDAP browser tool of some sort that can help you browse your directory and test your queries. If you can't get the objects you want from an LDAP query then Alfresco won't be able to either. Plus, using a tool like that will help you iterate more quickly rather than having to restart Alfresco to see if the sync works.
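One way to check what these filters actually select before putting them in alfresco-global.properties, as an added Python example that is not part of this thread or of Alfresco: it builds the personQuery for one or more group DNs (escaping DN values per RFC 4515, which the thread's examples do not need but a group name containing parentheses would), and models the bit-AND rule to show that the `userAccountControl...:=512` clause used throughout the thread also matches disabled accounts, since 512 only checks the NORMAL_ACCOUNT bit. All function names are this example's own.

```python
# Added example, not code from the thread or from Alfresco.
# The two OIDs are the Active Directory matching rules used in the thread's queries.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # transitive memberOf
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"    # bitwise AND on integer attrs
UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl bit: account is disabled
UAC_NORMAL_ACCOUNT = 0x0200   # userAccountControl bit: 512, ordinary user account


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def build_person_query(group_dns, exclude_disabled=False):
    """Build an Alfresco-style personQuery selecting transitive members of group_dns."""
    members = "".join(
        f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"
        for dn in group_dns
    )
    if len(group_dns) > 1:
        members = f"(|{members})"            # OR clause, as in the thread's multi-group form
    enabled = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_NORMAL_ACCOUNT})"
    if exclude_disabled:
        # Hypothetical hardening: 512 alone does not exclude disabled accounts.
        enabled += f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE}))"
    return f"(&(objectclass=user){members}{enabled})"


def bit_and_matches(uac_value: int, mask: int) -> bool:
    """Semantics of 1.2.840.113556.1.4.803: true when every bit of mask is set."""
    return uac_value & mask == mask


def uac_passes(uac_value: int, exclude_disabled=False) -> bool:
    """Would an account with this userAccountControl satisfy the query's UAC clause(s)?"""
    ok = bit_and_matches(uac_value, UAC_NORMAL_ACCOUNT)
    if exclude_disabled:
        ok = ok and not bit_and_matches(uac_value, UAC_ACCOUNTDISABLE)
    return ok


if __name__ == "__main__":
    print(build_person_query(["CN=Alfresco,OU=Groups,DC=Gracemg,DC=com"]))
    # Constructed sample values: 512 enabled, 514 = 512 + ACCOUNTDISABLE, 66048 = 512 + DONT_EXPIRE_PASSWD
    for uac in (512, 514, 66048):
        print(uac, uac_passes(uac), uac_passes(uac, exclude_disabled=True))
```

Running the script shows 514 passing the thread's filter, so a disabled AD user would still be synced into Alfresco unless the `(!(userAccountControl:...:=2))` clause is added.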