Issue getting LDAP to work with AD

scamby
Member II

Issue getting LDAP to work with AD

I have set up an AD group named Alfresco which includes the users I wish to be Alfresco users. After synchronization takes place the group shows up in Alfresco but the users do not. The users set as default administrators are also not working. Here are my settings in alfresco-global.properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad
synchronization.synchronizeChangesOnly=false
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@gracemg.com
ldap.authentication.java.naming.provider.url=ldap://192.16.1.2:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,scamby,dhuggins
ldap.synchronization.java.naming.security.principal=administrator@gracemg.com
ldap.synchronization.java.naming.security.credentials=?????????
ldap.synchronization.groupSearchBase=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com
ldap.synchronization.userSearchBase=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com

I'm sure it probably is my SearchBase settings but I'm not sure.

7 Replies
jpotts
Professional

Re: Issue getting LDAP to work with AD

For groups, your search base should most likely be OU\=Groups,DC\=Gracemg,DC\=com while for people your search base should probably be OU\=People,DC\=Gracemg,DC\=com or something similar, but it depends on how your directory is structured.

A search base is essentially telling the LDAP client code "Start looking for objects under this branch".

scamby
Member II

Re: Issue getting LDAP to work with AD

Understood. Basically I just want to sync that group and its members. No other groups or users need to be synced. Currently no users are being synced with the settings I have in the properties file.

jpotts
Professional

Re: Issue getting LDAP to work with AD

If you want to sync only the users that belong to a certain group, you can specify a person query.

Here are the docs that tell you all of the LDAP config properties that are available.

And here is an example personQuery that only grabs the members of a specific group:

ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=SomeArbitraryGroup,OU=Groups,DC=someco,DC=com)(userAccountControl:1.2.840.113556.1.4.803:=512))

This assumes Active Directory, which is why the query contains those funky number dot sequences.

scamby
Member II

Re: Issue getting LDAP to work with AD

Still not working. Here is what the distinguished name for the group looks like:

CN=Alfresco,OU=Groups,DC=Gracemg,DC=com

Looking at LDAP I have:

So I changed the person query you mentioned to this:

ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN\=Alfresco,OU\=Groups,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))

I also tried this:

ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=OU\=Customer Service,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))

But I am still not getting any users to sync. No LDAP users are showing in Users under Admin Tools. The Alfresco group shows up but not any of the members:

jpotts
Professional

Re: Issue getting LDAP to work with AD

Did you change your search base as well?

Are there any messages in the log?

scamby
Member II

Re: Issue getting LDAP to work with AD

Yes, and finally got it to at least sync something. Here are my searchBase and personQuery settings:

ldap.synchronization.groupSearchBase=OU\=Customer Service,DC\=Gracemg,DC\=com

ldap.synchronization.userSearchBase=OU\=Customer Service,DC\=Gracemg,DC\=com

ldap.synchronization.personQuery=(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=OU\=Customer Service,DC\=Gracemg,DC\=com)(userAccountControl:1.2.840.113556.1.4.803:=512))

In the log I have:

2017-02-17 11:26:08,130 INFO Starting 'Synchronization' subsystem, ID:
2017-02-17 11:26:08,263 INFO Synchronizing users and groups with user registry 'ldap1'
2017-02-17 11:26:08,307 INFO Retrieving groups changed since Feb 14, 2017 3:49:13 PM from user registry 'ldap1'
2017-02-17 11:26:08,337 INFO Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
2017-02-17 11:26:08,340 INFO Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
2017-02-17 11:26:08,350 INFO Retrieving users changed since Feb 14, 2017 12:53:35 PM from user registry 'ldap1'
2017-02-17 11:26:08,355 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 1 entries
2017-02-17 11:26:08,731 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 1 entries out of 1. 100% complete. Rate: 2 per second. 0 failures detected.
2017-02-17 11:26:08,731 INFO Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 1 entries
2017-02-17 11:26:08,763 INFO Finished synchronizing users and groups with user registry 'ldap1'
2017-02-17 11:26:08,763 INFO 1 user(s) and 0 group(s) processed
2017-02-17 11:26:08,793 INFO Startup of 'Synchronization' subsystem, ID: complete

The 1 user that was created was “Amy Dawes” but none of the others in the Customer Service OU were created. I switched to using that OU since the Alfresco group didn’t seem to be working. What if I wanted to add all users in our domain? Or multiple OUs?

jpotts
Professional

Re: Issue getting LDAP to work with AD

Are you trying to find members of a group or people below an OU? If it is members of a group, you need to specify the group DN in the person query, not the OU. I would expect a group DN to look more like:

CN=SomeGroup,OU=Groups,DC=Gracemg,DC=com

If you want all users, just change the person query to be more general, like:

ldap.synchronization.personQuery=(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))

If you want all users in multiple OUs you could try:

ldap.synchronization.personQuery=(&(objectclass=user)(|(OU=Customer Services)(OU=Human Resources)(OU=Accounting))(userAccountControl:1.2.840.113556.1.4.803:=512))

This assumes your user search base is:

ldap.synchronization.userSearchBase=DC\=Gracemg,DC\=com

In your prior test you had the search base set to Customer Service which means the only users it would ever find would be those below Customer Service.

If you want to go back to groups and you want to find members of multiple groups, just add an OR clause, like:

ldap.synchronization.personQuery=(&(objectclass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeOtherGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=YetAnotherGroup,OU\=Groups,DC\=Gracemg,DC\=com))(userAccountControl:1.2.840.113556.1.4.803:=512))

Also, regardless of what you do with your query, be sure to set the personDifferentialQuery. Using the example above, it would be something like:

ldap.synchronization.personDifferentialQuery=(&(objectclass=user)(|(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=SomeOtherGroup,OU\=Groups,DC\=Gracemg,DC\=com)(memberOf:1.2.840.113556.1.4.1941:=CN\=YetAnotherGroup,OU\=Groups,DC\=Gracemg,DC\=com))(userAccountControl:1.2.840.113556.1.4.803:=512)(!(whenChanged<={0})))

As you can see, it's just a matter of using the right search base and person query. I recommend getting an LDAP browser tool of some sort that can help you browse your directory and test your queries. If you can't get the objects you want from an LDAP query then Alfresco won't be able to either. Plus, using a tool like that will help you iterate more quickly rather than having to restart Alfresco to see if the sync works.
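As an added example (not code from the thread, from Alfresco or from Active Directory), the Python below models how ldap.synchronization.userSearchBase and personQuery from jpotts's replies select users out of a constructed directory: the search base is applied first, the 1.2.840.113556.1.4.1941 rule follows nested group membership, and the 1.2.840.113556.1.4.803 rule is a bit test, so userAccountControl:=512 also matches a disabled account (514) unless the ACCOUNTDISABLE bit is excluded. The entries, the user names other than Amy Dawes, and the nested "CS Team" group are assumptions.

```python
CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN: memberOf resolved through nested groups
BITAND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND: every bit of the value is set in the attribute
ALFRESCO = "CN=Alfresco,OU=Groups,DC=Gracemg,DC=com"
CS_TEAM = "CN=CS Team,OU=Groups,DC=Gracemg,DC=com"   # assumed nested group, itself a member of Alfresco
DIRECTORY = {  # constructed entries, DN -> attributes; memberOf lists direct groups only
    ALFRESCO: {"objectclass": "group", "memberOf": []},
    CS_TEAM: {"objectclass": "group", "memberOf": [ALFRESCO]},
    "CN=Amy Dawes,OU=Customer Service,DC=Gracemg,DC=com":
        {"objectclass": "user", "userAccountControl": 512, "memberOf": [ALFRESCO]},
    "CN=Bob Lee,OU=Customer Service,DC=Gracemg,DC=com":
        {"objectclass": "user", "userAccountControl": 512, "memberOf": [CS_TEAM]},
    "CN=Cara Ng,OU=Accounting,DC=Gracemg,DC=com":
        {"objectclass": "user", "userAccountControl": 512, "memberOf": [ALFRESCO]},
    "CN=Old Svc,OU=Accounting,DC=Gracemg,DC=com":  # 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)
        {"objectclass": "user", "userAccountControl": 514, "memberOf": [ALFRESCO]},
}
def member_of_chain(entry, group_dn):
    """Transitive memberOf, the way the server resolves rule 1.4.1941."""
    todo, seen = list(entry.get("memberOf", [])), set()
    while todo:
        g = todo.pop()
        if g == group_dn:
            return True
        if g not in seen and g in DIRECTORY:
            seen.add(g)
            todo.extend(DIRECTORY[g]["memberOf"])
    return False
def matches(entry, f):
    """Filter as nested tuples: ('&'|'|', *fs), ('!', f), ('=', attr, val) or (rule_oid, attr, val)."""
    op = f[0]
    if op == "&": return all(matches(entry, x) for x in f[1:])
    if op == "|": return any(matches(entry, x) for x in f[1:])
    if op == "!": return not matches(entry, f[1])
    _, attr, value = f
    if op == "=": return entry.get(attr) == value
    if op == BITAND: return (entry.get(attr, 0) & int(value)) == int(value)
    if op == CHAIN: return member_of_chain(entry, value)
    raise ValueError(f"unsupported filter operator {op!r}")
def render(f):
    """RFC 4515 text of the filter: the personQuery value before any properties-file escaping."""
    if f[0] in ("&", "|", "!"):
        return "(" + f[0] + "".join(render(x) for x in f[1:]) + ")"
    _, attr, value = f
    return f"({attr}={value})" if f[0] == "=" else f"({attr}:{f[0]}:={value})"
def sync_users(search_base, f):  # DNs the sync would create: below userSearchBase AND matching personQuery
    return sorted(dn for dn, e in DIRECTORY.items() if dn.endswith("," + search_base) and matches(e, f))
NORMAL = (BITAND, "userAccountControl", "512")        # a bit test, not an 'enabled accounts only' test
NOT_DISABLED = ("!", (BITAND, "userAccountControl", "2"))
ALFRESCO_MEMBERS = ("&", ("=", "objectclass", "user"), (CHAIN, "memberOf", ALFRESCO), NORMAL)
```

With the original post's userSearchBase (the group's own DN) sync_users returns nothing, with the Customer Service OU it returns only the two users under that OU, and with DC=Gracemg,DC=com it returns every member including the nested one and the disabled account until NOT_DISABLED is ANDed in.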