How to debug the User and Group synchro from LDAP ?

Trying to debug the User and Group synchronization process (from LDAP) might be a complex task.
Here are some tips and tricks to better understand how it works:

Basically, you should know this process is based on the following principles:
– A first Alfresco process connects to the source LDAP, and then creates 2 XML output files (list of Users and list of Groups),
– Then a second process runs to parse the XML file and perform the corresponding import tasks into the Alfresco repository.

1/ Of course the first task is to enable LDAP synchronization. To do so you will have to configure the following files:
/home/alfresco/tomcat/shared/classes/alfresco/extension
ldap-synchronisation.properties
ldap-synchronisation-context.xml

I will not detail this part here. You can find more info here.
So for the next section of this post, I will assume LDAP synchro has been enabled.

———-

2/ Disable the temporary file cleaner task to be able to see the result of the User/Group export tasks:

This operation is mandatory, because without it you will not be able to see what is the output result of the export process. This is because Alfresco consider daily export files as temporary files and deletes them.

Edit the file : scheduled-jobs-context.xml
(should be here : “/home/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco”)

And comment the following bean:

 <bean id=”tempFileCleanerTrigger” class=”org.alfresco.util.TriggerBean”>

 

Then restart the server, and wait for the LDAP synchro to run.
At the end of the User/Group export, you should see 2 new files in:

/home/alfresco/tomcat/temp/Alfresco

ExportSourceImporter-41245.xml

ExportSourceImporter-51936.xml

One is for Users, the other is for Groups.

———-

3/ Check the consistency of export files:

In some cases, especially if the export files are too big, they might not be properly terminated (xml file is not complete).
So it is important to verify that the output files are properly formated (valid XML file).

– Open the Group export file, and verify that it ends properly with the “</view:view>” tag, as follows:

<?xml version=”1.0″ encoding=”UTF-8″?>
<view:view xmlns:view=(list of namespace here)>
   <usr:authorityContainer view:childName=”usr:GROUP_APP_ALFRESCO_EUROPE” view:id=”08af8a56-0f6c-11de-a3e9-4d545cfc49d0″>
      <usr:authorityName>GROUP_APP_ALFRESCO_EUROPE</usr:authorityName>
      <usr:members>

(…)

</view:view> 

– Open the Users export file, and verify that it ends properly with the “</view:view>” tag, as follows:

<?xml version=”1.0″ encoding=”UTF-8″?>
<view:view xmlns:view=”http://www.alfresco.org/view/repository/1.0” xmlns:d=”http://www.alfresco.org/model/dictionary/1.0” xmlns:alf=”http://www.alfresco.org” xmlns:nt=”http://www.jcp.org/jcr/nt/1.0” xmlns:act=”http://www.alfresco.org/model/action/1.0” xmlns:wf=”http://www.alfresco.org/model/workflow/1.0” xmlns:app=”http://www.alfresco.org/model/application/1.0” xmlns:usr=”http://www.alfresco.org/model/user/1.0” xmlns:ver=”http://www.alfresco.org/model/versionstore/1.0” xmlns:cm=”http://www.alfresco.org/model/content/1.0” xmlns:sv=”http://www.jcp.org/jcr/sv/1.0” xmlns:mix=”http://www.jcp.org/jcr/mix/1.0” xmlns:jcr=”http://www.jcp.org/jcr/1.0” xmlns:wcm=”http://www.alfresco.org/model/wcmmodel/1.0” xmlns:wca=”http://www.alfresco.org/model/wcmappmodel/1.0” xmlns:sys=”http://www.alfresco.org/model/system/1.0” xmlns:wcmwf=”http://www.alfresco.org/model/wcmworkflow/1.0” xmlns:rule=”http://www.alfresco.org/model/rule/1.0” xmlns:bpm=”http://www.alfresco.org/model/bpm/1.0” xmlns:fm=”http://www.alfresco.org/model/forum/1.0” xmlns:custom=”custom.model” xmlns:reg=”http://www.alfresco.org/system/registry/1.0” xmlns:module=”http://www.alfresco.org/system/modules/1.0” xmlns=””>
   <cm:person view:childName=”cm:person”>
      <cm:ownable></cm:ownable>
      <cm:owner>A4673985</cm:owner>

(…)
   <cm:person view:childName=”cm:person”>
      <cm:ownable></cm:ownable>
      <cm:owner>M6058475</cm:owner>
      <cm:userName>M6058475</cm:userName>
      <cm:firstName>Myong-Cheol</cm:firstName>
      <cm:lastName>LEE</cm:lastName>
      <cm:email>mclee@sgh-china.com</cm:email>
      <cm:organizationId></cm:organizationId>
      <cm:homeFolderProvider>personalHomeFolderProvider</cm:homeFolderProvider>
      <sys:node-uuid>2ef18982-e73f-11dd-a096-dd7b8853f76c</sys:node-uuid>
   </cm:person>
</view:view>

 

4/ Enable log traces for the export/import process:

By default, there is no log traces of the export/import process.
So to know what happen exactly, you should enable at least the import traces.

Edit the log4j.properties file (which should be located here:
/home/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties
)

And add:
log4j.logger.org.alfresco.repo.importer.view.ViewParser=DEBUG

Then restart server, and wait for LDAP synchro. In the alfresco.log file you should see traces similar to:

Begin of import Group traces:
03:44:42,770 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed ParentContext[parent=user://alfrescoUserStore/53644b61-e548-11dc-8708-09624679a589,assocType=null]
03:44:42,823 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed NodeContext[childName=usr:GROUP_APP_ALFRESCO_EUROPE,type={http://www.alfresco.org/model/user/1.0}authorityContainer,nodeRef=null,aspects=[],parentContext=ParentContext[parent=user://alfrescoUserStore/53644b61-e548-11dc-8708-09624679a589,assocType=null]]
03:44:42,823 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/user/1.0}authorityName
(…)

Begin of import Users traces:
19:06:17,984 DEBUG [org.alfresco.repo.importer.view.ViewParser] Popped NodeContext[childName=cm:person,type={http://www.alfresco.org/model/content/1.0}person,nodeRef=null,aspects=[ClassDef[name={http://www.alfresco.org/model/content/1.0}ownable]],parentContext=ParentContext[parent=workspace://SpacesStore/56404266-e548-11dc-8708-09624679a589,assocType=null]]
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed NodeContext[childName=cm:person,type={http://www.alfresco.org/model/content/1.0}person,nodeRef=null,aspects=[],parentContext=ParentContext[parent=workspace://SpacesStore/56404266-e548-11dc-8708-09624679a589,assocType=null]]
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed aspect {http://www.alfresco.org/model/content/1.0}ownable
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}owner
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}userName
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}firstName
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}lastName
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}email
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}organizationId
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}homeFolderProvider
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/system/1.0}node-uuid

IMPORTANT: Please note that it might be required to customize or override the out-of-the-box Alfresco exporter/importer classes, especially to add more log traces (the default classes does not provide a lot of traces even with debug mode).

To know what classes are involved, look at the file ldap-synchronisation-context.xml. These 2 beans manage the export
and import process:

org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource

org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource