Help

LDAP sync stopped working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Peter_Adam_SB
Active Member II
‎18 Mar 2022 3:33 PM

LDAP sync stopped working

Jump to solution

One of our users moved from one branch to other. We have tracked this as usual in the AD. The user reported that she see the old branch's documents but not the new one's. We double checked the AD (AD1 and AD2 in sync), still not working. After office hours we have changed the way of synchronization to full sync ( ldap.synchronization.active=false ) , not only the changes. Log here:

Spoiler
 2022-03-17 19:15:00,221  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronizing users and groups with user registry 'ldap-ad1'
2022-03-17 19:15:00,221  WARN  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Some users and groups previously created by synchronization with this user registry may be removed.
2022-03-17 19:15:00,269  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Retrieving all groups from user registry 'ldap-ad1'
2022-03-17 19:15:00,790  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Commencing batch of 40 entries
2022-03-17 19:15:01,350  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Processed 40 entries out of 40. 1
2022-03-17 19:15:01,350  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=1 Group Analysis: Completed batch of 40 entries
2022-03-17 19:15:01,408  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Commenci
2022-03-17 19:15:01,409  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Processe
2022-03-17 19:15:01,409  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=3 Group Creation and Association Deletion: Complete
2022-03-17 19:15:01,409  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Retrieving all users from user registry 'ldap-ad1'
2022-03-17 19:15:01,436  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Commencing batch o
2022-03-17 19:15:01,545  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 100 entr
2022-03-17 19:15:01,602  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 200 entr
2022-03-17 19:15:01,663  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 300 entr
2022-03-17 19:15:01,718  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 400 entr
2022-03-17 19:15:01,773  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 500 entr
2022-03-17 19:15:01,831  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 600 entr
2022-03-17 19:15:02,017  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Processed 700 entr
2022-03-17 19:15:02,017  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Synchronization,Category=directory,id1=ldap-ad1,id2=6 User Creation and Association: Completed batch of
2022-03-17 19:15:02,025  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] Finished synchronizing users and groups with user registry 'ldap-ad1'
2022-03-17 19:15:02,025  INFO  [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-2] 700 user(s) and 40 group(s) processed

So 700 users and 40 groups force synched.

If I look at the user in the AD manager, I see 2 Alfresco groups set for her.

I I ask Alfresco about her via

https://**********.intra:8443/alfresco/service/api/people/*****?groups=true

Alfresco says she is a member of 5 groups,

0th : Group 1 from AD

1st: Group 2 from AD

2nd: not in the AD, but exists in the database table public.alf_authority

3rd: not in the AD, but exists in the database table public.alf_authority

4th: All Alfresco users group, Group 1 and Group 2 is a member of this group

5th: not in the AD, but exists in the database table public.alf_authority

 

How to make Alfresco to delete the unused groups? Kinda like starting AD sync with a blank page.

How can I get from the database what Alfresco thinks is a membership of a group? Where the group-people relationship stored?

Version:

Alfresco Share v6.2.0
(r7791ffba8f0b22f1ef9fa25ba17400c4657068e3-b9, Aikau 1.0.101.19, Spring Surf 6.2.0, Spring WebScripts 7.10, Freemarker 2.3.28, Rhino 1.7.11, Yui 2.9.0-alfresco-20141223)
 
Alfresco Community v6.2.0
(r05dbaf43-b368) schema 13001

 

Relevant part of the config ( alfresco-6.2.0/tomcat/shared/classes/alfresco-global.properties ) :

### Authentication subsystem
authentication.chain=ldap-ad1:ldap-ad
authentication.allowGuestLogin=false
authentication.ticket.ticketsExpire=false

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@*************.intra
ldap.authentication.java.naming.provider.url=ldap://*************.intra:389
ldap.authentication.java.naming.read.timeout=0
ldap.authentication.defaultAdministratorUserNames=*************,*************,*************
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=alfresco@*************
ldap.synchronization.java.naming.security.credentials=*************
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupSearchBase=ou\=Alfresco,ou\=_Groups,ou\=*************,dc\=sb,dc\=intra
ldap.synchronization.userSearchBase=ou\=*************,dc\=sb,dc\=intra
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn

synchronization.synchronizeChangesOnly=true
synchronization.import.cron=0 0/5 * * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.SyncOnStartup=true
synchronization.autoCreatePeopleOnLogin=false
synchronization.loggingInterval=100
synchronization.workerThreads=1
synchronization.allowDeletions=true
synchronization.syncDelete=true
synchronization.externalUserControl=true
synchronization.externalUserControlSubsystemName=ldap-ad1
Labels
0 Kudos
Reply
1 Solution

Accepted Solutions
Peter_Adam_SB
Active Member II
‎23 Mar 2022 1:58 PM

Re: LDAP sync stopped working

Jump to solution

SOLVED: ad sync synchronized group names with space differently, originally space omitted, now replaced with underscore.

View solution in original post

0 Kudos
Reply
1 Reply
Peter_Adam_SB
Active Member II
‎23 Mar 2022 1:58 PM

Re: LDAP sync stopped working

Jump to solution

SOLVED: ad sync synchronized group names with space differently, originally space omitted, now replaced with underscore.

0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.