Sync all the active users of LDAP

Hi Team,

I have configured LDAP using the properties below:

### Ldap : Synchronization  ###
ldap.synchronization.active=true

######  LDAP configuration  ############
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@xyz.in
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://<ip adress>:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=Administrator
synchronization.syncOnStartup=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=username
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
synchronization.synchronizeChangesOnly=true
synchronization.allowDeletions=true
synchronization.syncWhenMissingPeopleLogIn=true

ldap.synchronization.groupQuery=objectclass\=group
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

ldap.synchronization.personQuery=objectclass\=user
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(modifyTimestamp<\={0})))

ldap.synchronization.groupSearchBase=dc\=XYZ,dc\=IN

ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true

As per alfresco.log, I can see that all the groups and users are synced into Alfresco.
But when I search with '*' in Admin Tools --> Users, I can see only 813 users available. As far as I know, the organization has more than 15000 active AD users.

The alfresco.log file says:

2020-06-15 11:52:18,428 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 81803 entries out of 81803. 100% complete. Rate: 67216 per second. 0 failures detected.

Questions:
1. How can I sync all the available active users of AD?

2. I am getting the warning below for multiple groups and users:

2020-06-15 11:33:17,119 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Google_Meet_POC_Group' with distinguished name: CN=Gowtham B A 90000054,OU=Users,OU=QMM-Migrated User,OU=XYZ Users,DC=xyz,DC=in

So, how do I sync users/groups which are spread across multiple OUs?

3. Is there any API available through which we can identify the number of users synced from LDAP?

4. During server startup, it prints the log below:

2020-06-15 11:42:27,849 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Apr 15, 2020 2:38:57 PM from user registry 'ldap-ad1'

How do I sync with the latest data?

Thanks,

Hardik

2 Replies

Re: Sync all the active users of LDAP

Are you sure

ldap.synchronization.userSearchBase=dc\=XYZ,dc\=IN

contains all the users referenced in the groups as member? You could check your query using https://directory.apache.org/studio/

Additionally: are your group names unique?
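A way to do the check suggested in this reply offline, added here as an example and not code from the thread or from Alfresco: it reads the "Failed to resolve member" warnings quoted in the question out of alfresco.log, unescapes the userSearchBase value the way java.util.Properties does, and reports which unresolved member DNs actually lie outside that base. The log lines are constructed to match the format quoted above; the second warning (a member in another domain) is invented for illustration.

```python
import re

# Constructed sample of alfresco.log lines, modelled on the warning quoted in the question.
# The "Finance" line with a member in DC=corp,DC=example is invented to show the negative case.
SAMPLE_LOG = r"""
2020-06-15 11:33:17,119 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Google_Meet_POC_Group' with distinguished name: CN=Gowtham B A 90000054,OU=Users,OU=QMM-Migrated User,OU=XYZ Users,DC=xyz,DC=in
2020-06-15 11:33:17,120 WARN [org.alfresco.repo.security.sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Finance' with distinguished name: CN=Svc\, Account,OU=Users,DC=corp,DC=example
2020-06-15 11:33:17,121 INFO [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap-ad1,id2=5 User Association: Processed 81803 entries out of 81803.
"""

WARN_RE = re.compile(r"Failed to resolve member of group '([^']*)' with distinguished name: (.*)$")

def properties_value(raw):
    """Undo java.util.Properties escaping, so 'dc\\=XYZ,dc\\=IN' becomes 'dc=XYZ,dc=IN'."""
    return re.sub(r"\\([=:\\ #!])", r"\1", raw)

def split_dn(dn):
    """Split an RFC 4514 DN into its RDN strings, keeping backslash-escaped commas intact."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped character: copy both bytes
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize_rdn(rdn):
    """Lower-case attribute and value; AD DN matching is case-insensitive (DC=xyz == dc=XYZ)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def dn_under_base(dn, base):
    """True when dn equals the base or sits below it in the tree."""
    d = [normalize_rdn(r) for r in split_dn(dn)]
    b = [normalize_rdn(r) for r in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def unresolved_members(log_text, user_search_base):
    """Map (group, member DN) from each warning to whether the DN lies under userSearchBase."""
    result = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            result[(m.group(1), m.group(2).strip())] = dn_under_base(m.group(2).strip(), user_search_base)
    return result

if __name__ == "__main__":
    for (group, dn), inside in unresolved_members(SAMPLE_LOG, properties_value(r"dc\=XYZ,dc\=IN")).items():
        print(f"{'inside ' if inside else 'OUTSIDE'} base: group={group!r} member={dn}")
```

For the DN quoted in the question the check returns True, so that particular member is within the configured base and the search base itself is not what excludes it; a False result points at a member held in another naming context or domain that the sync is not configured to read.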


Re: Sync all the active users of LDAP

Hi @heiko_robert ,

In Apache Directory Studio, under "Root DSE", I can see 3 different

dc\=XYZ,dc\=IN

The group names are also unique.

I don't know much about how to run queries in Studio.

Thanks,

Hardik