Tags: active-directory, ldap, alfresco, alfresco-ldap

How to configure full synchronization instead of incremental?


AFAIK Alfresco CE at startup performs only incremental synchronization with LDAP-AD. When I installed Alfresco and configured synchronization with LDAP-AD, a full synchronization was performed. All the fields that I declared were displayed in the user profile. Now I have decided to add a few more fields, for example skype and companyfax.

But they are not displayed.

Part of the alfresco-global.properties (similarly, in /alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-ad-authentication.properties):

    ...
    ldap.authentication.active=false
    ldap.authentication.allowGuestLogin=false
    ldap.authentication.userNameFormat=%s@...
    ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    ldap.authentication.java.naming.provider.url=ldap://...:389
    ldap.synchronization.active=true
    ldap.synchronization.java.naming.security.principal=Alfresco@...
    ldap.synchronization.java.naming.security.credentials=...
    ldap.synchronization.queryBatchSize=0
    ldap.synchronization.attributeBatchSize=0

    ldap.synchronization.groupQuery=(objectclass\=group)
    ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
    ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))

    ldap.synchronization.groupSearchBase=cn\=Builtin,dc\=...,dc\=local
    ldap.synchronization.userSearchBase=cn\=Users,dc\=...,dc\=local
    #ldap.synchronization.modifyTimestampAttributeName=whenChanged
    #synchronization.import.cron=* */40 * * * ?
    ntlm.authentication.sso.enabled=true
    passthru.authentication.defaultAdministratorUserNames=Admin,BykovAN
    passthru.authentication.domain=...
    passthru.authentication.servers=...\\...
    passthru.authentication.defaultAdministratorUserNames=Admin,BykovAN
    ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
    ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
    ldap.synchronization.userIdAttributeName=sAMAccountName

    ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
    ldap.synchronization.groupType=group
    ldap.synchronization.personType=user
    ldap.synchronization.groupMemberAttributeName=member
    ldap.synchronization.enableProgressEstimation=true
    ldap.synchronization.userFirstNameAttributeName=displayName
    ldap.synchronization.userLastNameAttributeName=department
    ldap.synchronization.userEmailAttributeName=email
    ldap.synchronization.userOrganizationalIdAttributeName=department
    ldap.synchronization.userJobTitleAttributeName=title
    ldap.synchronization.userLocationAttributeName=description
    ldap.synchronization.userTelephoneAttributeName=telephoneNumber

    ldap.synchronization.groupIdAttributeName=cn
    ldap.synchronization.groupDisplayNameAttributeName=displayName
    ldap.synchronization.synchronizeChangesOnly=false

    #synchronization.syncWhenMissingPeopleLogIn=true
    #synchronization.syncOnStartup=true
    #synchronization.autoCreatePeopleOnLogin=true
    ...

In the logs I see that the synchronization is not performed:

    ...
    2017-03-07 10:07:39,891  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
    2017-03-07 10:07:39,921  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 01.03.2017 14:46:18 from user registry 'ldap1'
    2017-03-07 10:07:39,941  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
    2017-03-07 10:07:39,942  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 0 entries
    2017-03-07 10:07:39,945  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 07.03.2017 9:13:44 from user registry 'ldap1'
    2017-03-07 10:07:39,963  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 0 entries
    2017-03-07 10:07:39,963  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 0 entries
    2017-03-07 10:07:39,975  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
    2017-03-07 10:07:39,976  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Processed users: 0 groups: 0
    ...

I changed LDAP queries to (removed whenChanged):

    ldap.synchronization.groupQuery=(objectclass\=group)
    ldap.synchronization.groupDifferentialQuery=(&(objectClass\=group))
    ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
    ldap.synchronization.personDifferentialQuery=(&(objectclass\=user))

Then I restarted Alfresco, and each time it performs a full synchronization. It seems that everything is OK now. Or am I wrong?

    ...
    2017-03-07 11:42:30,314  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
    2017-03-07 11:42:30,341  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since 01.03.2017 14:46:18 from user registry 'ldap1'
    2017-03-07 11:42:30,431  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Users' with distinguished name: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=...,DC=local
    2017-03-07 11:42:30,431  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Users' with distinguished name: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=...,DC=local
    2017-03-07 11:42:30,437  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'The performance log users' with distinguished name: CN=S-1-5-20,CN=ForeignSecurityPrincipals,DC=...,DC=local
    2017-03-07 11:42:30,626  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'DCOM Users' with distinguished name: CN=PK-535-W8,OU=Computers,OU=OIT,OU=...,DC=...,DC=local
    2017-03-07 11:42:30,685  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'DCOM Users' with distinguished name: CN=PK-265-XP,OU=Computers,OU=FSO,OU=...,DC=...,DC=local
    2017-03-07 11:42:30,697  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Pre-Windows 2000 access' with distinguished name: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=...,DC=local
    2017-03-07 11:42:30,698  WARN  [sync.ldap.LDAPUserRegistry] [localhost-startStop-1] Failed to resolve member of group 'Windows authorization access group' with distinguished name: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=...,DC=local
    2017-03-07 11:42:30,704  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 19 entries
    2017-03-07 11:42:30,874  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Processed 19 entries out of 19. 100% complete. Rate: 111 per second. 0 failures detected.
    2017-03-07 11:42:30,875  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 19 entries
    2017-03-07 11:42:30,896  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Commencing batch of 4 entries
    2017-03-07 11:42:30,897  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Processed 4 entries out of 4. 100% complete. Rate: 4000 per second. 0 failures detected.
    2017-03-07 11:42:30,897  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=3 Group Creation and Association Deletion: Completed batch of 4 entries
    2017-03-07 11:42:30,900  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving users changed since 07.03.2017 9:13:44 from user registry 'ldap1'
    2017-03-07 11:42:30,939  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Commencing batch of 529 entries
    2017-03-07 11:42:32,015  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 100 entries out of 529. 19% complete. Rate: 92 per second. 0 failures detected.
    2017-03-07 11:42:32,777  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 200 entries out of 529. 38% complete. Rate: 108 per second. 0 failures detected.
    2017-03-07 11:42:33,426  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 300 entries out of 529. 57% complete. Rate: 120 per second. 0 failures detected.
    2017-03-07 11:42:34,025  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 400 entries out of 529. 76% complete. Rate: 129 per second. 0 failures detected.
    2017-03-07 11:42:34,640  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 500 entries out of 529. 95% complete. Rate: 135 per second. 0 failures detected.
    2017-03-07 11:42:34,791  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Processed 529 entries out of 529. 100% complete. Rate: 137 per second. 0 failures detected.
    2017-03-07 11:42:34,791  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization,Category=directory,id1=ldap1,id2=6 User Creation and Association: Completed batch of 529 entries
    2017-03-07 11:42:34,803  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Finished synchronizing users and groups with user registry 'ldap1'
    2017-03-07 11:42:34,803  INFO  [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Processed users: 529 groups: 19
    ...

How do I properly configure full synchronization at startup?


Solution

  • Axel Faust gave an exhaustive answer:

    How to configure full synchronization instead of incremental?

    It solved my issue.

    As said here: Synchronization configuration properties

    • synchronization.synchronizeChangesOnly: specifies whether the scheduled synchronization job is run in differential mode. The default is true, which means that the scheduled sync job is run in differential mode (rather than full mode). Regardless of this setting a differential sync can still be triggered when a user who does not yet exist in Alfresco is successfully authenticated.
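As an added example (not from the question or from Axel Faust's answer), a small Python lint that reads a properties excerpt modelled on the one posted above and reports the settings that keep the scheduled sync differential: the synchronizeChangesOnly switch written with the ldap. prefix instead of the documented synchronization. prefix, and differential queries that still filter on the {0} last-sync timestamp. The excerpt, the helper names and the apply_page_fix() rewrite are constructed for this example.

```python
# Constructed excerpt modelled on the question's alfresco-global.properties
# (domain parts elided as in the post); raw string keeps the Java-style '\=' escapes.
SAMPLE_PROPERTIES = r"""
ldap.synchronization.active=true
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.synchronizeChangesOnly=false
#synchronization.syncOnStartup=true
"""

DOCUMENTED_KEY = "synchronization.synchronizeChangesOnly"        # key as quoted from the docs
MISPREFIXED_KEY = "ldap.synchronization.synchronizeChangesOnly"  # key as written in the post
DIFF_QUERY_KEYS = ("ldap.synchronization.groupDifferentialQuery",
                   "ldap.synchronization.personDifferentialQuery")


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' comments skipped, escapes kept."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)   # split on the first '=' only; values contain '\='
        props[key.strip()] = value.strip()
    return props


def check_full_sync_config(props):
    """Return findings that explain why the scheduled sync may still run differentially."""
    findings = []
    if MISPREFIXED_KEY in props and DOCUMENTED_KEY not in props:
        findings.append(f"{MISPREFIXED_KEY} is set but the documented key {DOCUMENTED_KEY} is missing")
    if props.get(DOCUMENTED_KEY, "true").lower() != "false":   # docs: default is true (differential)
        findings.append(f"{DOCUMENTED_KEY} is not false: scheduled sync runs in differential mode")
    if props.get("synchronization.syncOnStartup", "true").lower() == "false":
        findings.append("synchronization.syncOnStartup=false: no sync runs at startup at all")
    for key in DIFF_QUERY_KEYS:
        if "{0}" in props.get(key, ""):   # {0} is replaced by the last-sync timestamp at runtime
            findings.append(f"{key} still filters on the last-sync timestamp {{0}}")
    return findings


def apply_page_fix(props):
    """Copy of props with the documented switch set and the differential queries reduced
    to the object-class filters the asker switched to (hypothetical helper)."""
    fixed = dict(props)
    fixed[DOCUMENTED_KEY] = "false"
    fixed[DIFF_QUERY_KEYS[0]] = r"(&(objectClass\=group))"
    fixed[DIFF_QUERY_KEYS[1]] = r"(&(objectclass\=user))"
    return fixed
```

Run check_full_sync_config(parse_properties(...)) against your own alfresco-global.properties; an empty list means the posted causes of a differential-only sync are absent.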