1) Overview

User/Group synchronization between an OpenLDAP server and an Alfresco server.
Two servers are deployed, one with OpenLDAP and one with Alfresco ( Installation method :: Jumpbox )
2) Objective

  • Full users/groups synchronization from OpenLDAP to Alfresco with an hourly cron
  • Differential synchronization of users/groups whenever the Alfresco server is restarted
  • User account synchronization whenever a new user attempts to log in

3) Configuration overview

User type :: PosixAccount
Group type :: PosixGroup
User base :: ou=example,dc=com ( only users under ou=example will be imported )
Group base :: ou=example,dc=com ( only groups under ou=example will be imported )
Full Sync Interval :: Hourly
Login id :: cn ( users log in to Alfresco/Share with their cn )

5) Configuration done on alfresco server

Step 1
Main property file

Add the following lines to the end of the file

root@home:~# vi /opt/alfresco/tomcat/shared/classes/alfresco-global.properties

# alfrescoNtlm1 first, so the built-in admin account keeps working if the directory is unreachable
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
#Sync Settings
# false = the scheduled job below does a full sync; true = it only pulls entries changed since the last run
synchronization.synchronizeChangesOnly=false
# differential sync each time the subsystem starts, i.e. on every Alfresco restart
synchronization.syncOnStartup=true
# a user unknown to Alfresco who authenticates against ldap1 is pulled in at first login
synchronization.syncWhenMissingPeopleLogIn=true
# Quartz expression (seconds minutes hours day-of-month month day-of-week): every hour on the hour
synchronization.import.cron=0 0 * * * ?

Step 2
root@home:~# mkdir -p /opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1

Step 3

Configuring common-ldap-context.xml, ldap-authentication.properties, ldap-authentication-context.xml

root@home:~# cp -p  /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication-context.xml /opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/

root@home:~# cp -p /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml /opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/

root@home:~# vi /opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties

ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=cn=%s,ou=example,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://ldap_server_ip:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
# bind account used for synchronization; a read-only account that can search ou=example is sufficient
ldap.synchronization.java.naming.security.principal=cn=Admin,dc=com
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass=posixGroup)
ldap.synchronization.groupDifferentialQuery=(&(objectclass=posixGroup)(!(modifyTimestamp<={0})))
ldap.synchronization.personQuery=(objectclass=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass=posixAccount)(!(modifyTimestamp<={0})))
ldap.synchronization.groupSearchBase=ou=example,dc=com
ldap.synchronization.userSearchBase=ou=example,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=posixGroup
ldap.synchronization.personType=posixAccount
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.enableProgressEstimation=true

Replace the placeholder server address, bind DN, bind password and administrator user name in the following directives with the values for your environment:

ldap.authentication.java.naming.provider.url=ldap://ldap_server_ip:389
ldap.synchronization.java.naming.security.principal=cn=Admin,dc=com
ldap.synchronization.java.naming.security.credentials=secret
ldap.authentication.defaultAdministratorUserNames=admin

Three things to check before going further. With security.authentication=simple over a plain ldap:// URL, the sync account's password and every user's login password cross the network in clear text; point the provider URL at ldaps://ldap_server_ip:636 instead, and bind with a read-only account that can search ou=example rather than with the directory administrator. The bind password is also stored in clear text in ldap-authentication.properties, so the file must be readable only by the account Tomcat runs as (chmod 600, owned by the alfresco user). Finally, users bind with their cn (userNameFormat) while synchronized accounts and posixGroup memberUid values are matched on uid, so this configuration only lines up if uid and cn hold the same value for every account; if they differ, make uid the login id as well and, provided the entries' RDN is uid, set userNameFormat=uid=%s,ou=example,dc=com.
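The following pre-flight check is an added example, not part of the original page and not Alfresco code. It parses a copy of the ldap-authentication.properties shown above (constructed inline, with the page's defects left in: dc=Directory next to dc=com, typographic quotes in timestampFormat, a plain ldap:// URL), reports the inconsistencies this kind of setup is prone to, renders the differential query the way Alfresco fills in {0} from timestampFormat, and builds the ldapsearch line that replays the same query with the same bind account so the filters can be tested before Alfresco is restarted. The ldap_server_ip placeholder and the filters come from the page; the error/warn classification, the ldaps://...:636 value in the fixed copy and all function names are the example's own assumptions.

```python
"""Pre-flight lint for an Alfresco ldap-authentication.properties file (added example)."""
import re
import shlex
from datetime import datetime, timezone

# Constructed sample: the page's properties with its defects left in.
SAMPLE_PROPERTIES = """\
ldap.authentication.userNameFormat=cn=%s,ou=example,dc=com
ldap.authentication.java.naming.provider.url=ldap://ldap_server_ip:389
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn=Admin,dc=com
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.groupSearchBase=ou=example,dc=com
ldap.synchronization.userSearchBase=ou=example,dc=Directory
ldap.synchronization.timestampFormat=yyyyMMddHHmmss\u2019Z\u2019
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.groupMemberAttributeName=memberUid
ldap.synchronization.personQuery=(objectclass=posixAccount)
ldap.synchronization.personDifferentialQuery=(&(objectclass=posixAccount)(!(modifyTimestamp<={0})))
"""
# The same file after the fixes: one naming context, ASCII quotes, LDAPS (port 636 is an assumption).
FIXED_PROPERTIES = (SAMPLE_PROPERTIES.replace("dc=Directory", "dc=com")
                    .replace("\u2019Z\u2019", "'Z'")
                    .replace("ldap://ldap_server_ip:389", "ldaps://ldap_server_ip:636"))

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def naming_context(dn):
    """Trailing dc= components of a DN, lower-cased (naive split: escaped commas are not handled)."""
    tail = []
    for rdn in reversed([r.strip().lower() for r in dn.split(",")]):
        if not rdn.startswith("dc="):
            break
        tail.insert(0, rdn)
    return ",".join(tail)

def lint(props):
    """Return 'error: ...' / 'warn: ...' findings; an empty list means nothing to fix."""
    p, findings = props.get, []
    m = re.match(r"^([A-Za-z][\w-]*)=%s,(.+)$", p("ldap.authentication.userNameFormat", ""))
    bind_attr, bind_base = (m.group(1), m.group(2)) if m else (None, None)
    id_attr = p("ldap.synchronization.userIdAttributeName", "")
    # Users bind with bind_attr, but synced person nodes are named by id_attr.
    if bind_attr and id_attr and bind_attr.lower() != id_attr.lower():
        findings.append(f"warn: userNameFormat binds with '{bind_attr}' but userIdAttributeName "
                        f"is '{id_attr}'; logins match synced users only if the values are equal")
    # Every DN must live in one naming context (the page mixed dc=Directory and dc=com).
    ctx = {"userNameFormat": naming_context(bind_base)} if bind_base else {}
    for key in ("ldap.synchronization.userSearchBase", "ldap.synchronization.groupSearchBase",
                "ldap.synchronization.java.naming.security.principal"):
        if p(key):
            ctx[key.rsplit(".", 1)[1]] = naming_context(p(key))
    if len(set(ctx.values())) > 1:
        findings.append("error: DNs span different naming contexts: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(ctx.items())))
    # SimpleDateFormat needs ASCII quotes around the literal Z; U+2019 is an illegal pattern character.
    ts = p("ldap.synchronization.timestampFormat", "")
    if any(ord(c) > 127 for c in ts):
        findings.append(f"error: timestampFormat {ts!r} has non-ASCII quotes; use yyyyMMddHHmmss'Z'")
    # A simple bind over ldap:// sends the sync account's and every user's password in clear text.
    url = p("ldap.authentication.java.naming.provider.url", "")
    if url.startswith("ldap://") and p("ldap.authentication.java.naming.security.authentication") == "simple":
        findings.append(f"error: simple bind over {url} is unencrypted; use an ldaps:// URL")
    return findings

def differential_filter(template, since):
    """Fill the {0} placeholder the way Alfresco does with timestampFormat yyyyMMddHHmmss'Z'."""
    return template.replace("{0}", since.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ"))

def ldapsearch_command(props, query_key, attrs=("uid", "cn", "modifyTimestamp")):
    """ldapsearch line replaying one sync query with the sync bind DN (-W prompts for the password;
    modifyTimestamp is operational and must be requested by name or with '+')."""
    base_key = ("ldap.synchronization.groupSearchBase" if "group" in query_key
                else "ldap.synchronization.userSearchBase")
    argv = ["ldapsearch", "-x", "-H", props["ldap.authentication.java.naming.provider.url"],
            "-D", props["ldap.synchronization.java.naming.security.principal"], "-W",
            "-b", props[base_key], props[query_key], *attrs]
    return shlex.join(argv)

if __name__ == "__main__":
    for text in (SAMPLE_PROPERTIES, FIXED_PROPERTIES):
        print("\n".join(lint(parse_properties(text)) or ["ok"]), "\n--")
    print(ldapsearch_command(parse_properties(FIXED_PROPERTIES), "ldap.synchronization.personQuery"))
```

Run it against the real file with `lint(parse_properties(open(path).read()))`; the warn about cn versus uid stays even on the fixed copy, because the page's login-by-cn design only works when both attributes hold the same value.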

Step 4
Log configuration

Add the following lines to the end of the file. Note that this file sits inside the exploded webapp and is overwritten when alfresco.war is redeployed; the same loggers can go into /opt/alfresco/tomcat/shared/classes/alfresco/extension/custom-log4j.properties, which survives redeployment. The synchronizer itself logs under org.alfresco.repo.security.sync, so set that logger to debug as well to see each run's user and group counts.

root@home:~# vi /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties

log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug

Step 5

Stop and start Alfresco so that the new subsystem configuration is loaded. With syncOnStartup=true the first (differential) sync runs right after startup; watch alfresco.log for the ldap1 sync messages. The full sync follows at the top of the next hour.
root@home:~# /etc/init.d/alfresco stop
root@home:~# /etc/init.d/alfresco start