Hello,
I have a synchronisation problem between LDAP Active Directory and Alfresco.
I can successfully synchronise all the groups and all users, but unfortunately all the groups are empty.
Can you please help me find a solution to import users into their appropriate groups?
alfresco-global.properties : alfresco community 5.2 201701
### authentication.chain=alfinst:alfrescoNtlm,ldap1:lda
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
### Ntlm ###
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false
### Synchronisation Active Directory ###
synchronization.import.cron=0 0/59 21-23 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
ldap-authentication.properties
ldap.authentication.active=true
ntlm.authentication.sso.enabled=false
ldap.authentication.allowGuestLogin=false
ldap.synchronization.java.naming.security.principal=CN=OVDI,OU=System Users,DC=domain,DC=biz
ldap.synchronization.java.naming.security.credentials=123456789
ldap.synchronization.groupSearchBase=dc=domain,dc=biz
ldap.synchronization.userSearchBase=dc=domain,dc=biz
# How to map the user id entered by the user to that passed through to LDAP
ldap.authentication.userNameFormat=%s@domain.biz
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.biz:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=100
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(objectclass\=person)
ldap.synchronization.personDifferentialQuery=(objectclass\=person)
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=ou
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=group
ldap.synchronization.personType=person
ldap.synchronization.groupMemberAttributeName=members
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
synchronization.synchronizeChangesOnly=false
As you can see in these images, I could import groups and users,
but all the groups are empty.
I am wondering why you have used the ldap-authentication.properties file for customisation and activated the LDAP subsystem - since you want to integrate with Active Directory you should have used the ldap-ad-authentication.properties file (in tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/) and activated the LDAP-AD subsystem (authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm)
Thanks Alex for the response.
I will try to use ldap-ad-authentication.properties.
Thank you Mr Axel Faust, the problem is solved and this is my new config.
alfresco-global.properties : alfresco community 5.2 201701
### authentication.chain=alfinst:alfrescoNtlm,ldap1:lda
authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### Ntlm ###
alfresco.authentication.allowGuestLogin=false
alfresco.authentication.authenticateCIFS=false
ntlm.authentication.sso.enabled=false
ntlm.authentication.mapUnknownUserToGuest=false
ldap-authentication.properties
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@domain.biz
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.biz:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=administrator
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=OVDI,OU=System Users,DC=domain,DC=biz
ldap.synchronization.java.naming.security.credentials=*******
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.personQuery=(&(objectclass\=person)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=dc=domain,dc=biz
ldap.synchronization.userSearchBase=dc=domain,dc=biz
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupType=group
ldap.synchronization.personType=person
ldap.synchronization.groupMemberAttributeName=member
Alfresco Explorer: Alfresco Authentication and Integration with Active Directory
Hi Yacine,
I tried your final config and it does not work for me (I have version 5.0.d).
I still cannot find my users when I look at my AD groups from Alfresco!
Do you have any idea? Do I need to adopt a specific structure in my AD for the synchronisation to work correctly?
Here is an overview of my current structure:
Alfresco (OU)
-- groups (OU)
-- groupe_rabat (CN)
-- groupe_casa (CN)
-- people (OU)
-- user_rabat (CN)
-- user_casa (CN)
I can log in with my LDAP users from Alfresco and I can see my groups, but the link between user and group is not synchronised even though it exists in my LDAP (user_rabat is a member of groupe_rabat and user_casa is a member of groupe_casa).
Thank you very much
It would be polite to join a conversation in the language that has been used so far. Now people may have to use Google Translate (as I am doing right now) just to understand your message and respond to you - with all the potential translation errors...
You do not need a specific user / group structure in AD to be able to synchronise, as long as you have one root tree that contains all users and one that contains all groups (it actually can be the same root). Synchronisation of the link between users and groups depends on the ldap.synchronization.groupMemberAttributeName setting which by default is set to "member".
OK, I'm really sorry,
I spoke to Yassine because I thought he speaks my mother tongue and that it would be easy to explain the problem exactly and easily.
I apologize once again.
So what do you think about the value of this parameter? Should I keep the default one (="Member")?
Most certainly unless your LDAP / AD uses a completely different directory schema. If you pick a different value and the LDAP / AD uses the default schema, you will end up not synchronizing (and even losing) user-group relationships.
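An added example, not part of any post in this thread and not Alfresco code: a small Python check for the two settings the replies identify (the ldap-ad subsystem in authentication.chain and groupMemberAttributeName), which also flags a simple bind over plain ldap://. The sample input is constructed from the first configuration above; the function names are hypothetical, and treating sAMAccountName as a sign of Active Directory is an assumption.

```python
import re

# Constructed sample: the relevant keys from the first configuration in the thread.
BEFORE = r"""
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.java.naming.provider.url=ldap://dc01.domain.biz:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.groupMemberAttributeName=members
"""

def parse_properties(text):
    """Parse the key=value subset of the Java .properties format used in the thread."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            # Undo backslash escapes such as \= and \: inside LDAP filters.
            props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def check_ad_sync(props):
    """Return findings for the settings the thread identifies, plus the bind transport."""
    findings = []
    # Chain entries have the form instanceName:subsystemType.
    chain = props.get("authentication.chain", "")
    types = [e.partition(":")[2].strip() for e in chain.split(",") if e.strip()]
    # Assumption: syncing on sAMAccountName means the directory is Active Directory.
    uid = props.get("ldap.synchronization.userIdAttributeName", "")
    if uid.lower() == "samaccountname" and "ldap" in types and "ldap-ad" not in types:
        findings.append("subsystem: chain uses 'ldap' against AD, expected 'ldap-ad'")
    # LDAP attribute names are case-insensitive; the default is "member".
    member = props.get("ldap.synchronization.groupMemberAttributeName", "member")
    if member.lower() != "member":
        findings.append(f"membership: groupMemberAttributeName={member!r}, "
                        "user-group links will not sync under the default schema")
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    auth = props.get("ldap.authentication.java.naming.security.authentication", "")
    if url.lower().startswith("ldap://") and auth.lower() == "simple":
        findings.append("transport: simple bind over ldap:// is sent without encryption")
    return findings

if __name__ == "__main__":
    for finding in check_ad_sync(parse_properties(BEFORE)):
        print(finding)
```

Run against the corrected configuration, only the transport finding remains, since that configuration still binds with simple authentication to ldap://dc01.domain.biz:389.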