Evolution of LDAP synchronization and User Management planned in v3.2

July 7, 2009

I raised my concerns to the Alfresco editor regarding LDAP synchronization (see my previous post), and I'm happy to see that they have been able to take our needs into account.

In version 3.2, there are big improvements planned regarding the LDAP synchronization and the LDAP authentication process:

1/ First, the current LDAP synchronization mechanism will be completely redesigned and enhanced to offer 2 modes: full (this is the current option) and differential (new option). For more information about the differential mode, see this link: The_Synchronization_Subsystem

2/ Create users "on the fly": I have no details about that, but it seems the target is to leverage the differential mode of the synchronization process (as per the previous link):
“This ‘differential’ mode is much faster, and by default is triggered when a user is successfully authenticated who doesn’t yet have a local person object in Alfresco. This should mean that new users and their group information are pulled over from LDAP servers as and when required.”

So Alfresco plans to provide 2 options to manage user accounts (LDAP synchronization and LDAP-based authentication). This is really a great improvement. I'm looking forward to testing these new features in September!

Note: for more information, see the "Subsystem" and "Authentication Subsystem" pages of the Alfresco documentation.


Is there any plan to plug Alfresco directly into an LDAP directory?

June 17, 2009

In our enterprise, Users and Groups are managed in an LDAP directory. So we are currently using the Alfresco LDAP synchronization mechanism to import the corresponding users and groups into the Alfresco repository.

The problem is that we currently have about 3000 Groups to import and about 12,000 users. So the synchro process (based on XML file creation and import) takes more and more time and sometimes fails (please note that most of the time it does not really fail due to errors, but it is stopped because we run the synchro during the night and we also have to stop the server for backup).

We are currently implementing a custom "user provisioning" process to manage the synchro in a more robust way, but I have asked the Alfresco editor if there is any plan to allow customers to plug Alfresco directly into an external User repository (like an enterprise LDAP).

 

Here is basically the Alfresco feedback:

First, synchronization will always be the approach chosen by Alfresco. This is mandatory to keep good performance (caching access rights vs. retrieving groups from LDAP on the fly). Moreover, LDAP administrators will probably not appreciate seeing thousands of requests per second sent to the LDAP server each time a user accesses an Alfresco space.

However, the current LDAP synchro mechanism is being redesigned and will no longer be based on the current approach (i.e. synchro of the full set of LDAP entries at each batch execution).

My interlocutor was not able to describe the new detailed design of the process, but this is a priority for engineering for the 3.2 release. The new approach will still be based on a synchronization solution (full or delta mode).

The first release of this process should be available in the 3.2E beta.

—————-

Well, my point of view is still that it would be really useful for big customers like us if Alfresco could be plugged directly into an LDAP directory… this would avoid maintaining and "monitoring" the synchro process, and it would also prevent any synchronisation problem. This is an existing option in some "advanced" software products we already use internally, and it works well. Of course, to guarantee good performance a very efficient User/Group caching strategy/layer must be implemented at the software level (on top of LDAP), but this is technically feasible…

Hope Alfresco will change its strategy in a future release…


How to debug the User and Group synchro from LDAP?

March 13, 2009

Trying to debug the User and Group synchronization process (from LDAP) can be a complex task.
Here are some tips and tricks to better understand how it works:

Basically, you should know that this process is based on the following principles:
– A first Alfresco process (the export source) connects to the source LDAP and writes 2 XML output files (the list of Users and the list of Groups),
– Then a second process (the importer) parses each XML file and performs the corresponding import tasks into the Alfresco repository.

1/ Of course, the first task is to enable LDAP synchronization. To do so you will have to configure the following files, located in /home/alfresco/tomcat/shared/classes/alfresco/extension:
ldap-synchronisation.properties
ldap-synchronisation-context.xml

I will not detail this part here. You can find more info here.
So for the next section of this post, I will assume LDAP synchro has been enabled.

———-

2/ Disable the temporary file cleaner task to be able to see the result of the User/Group export tasks:

This operation is mandatory, because without it you will not be able to see the output of the export process: Alfresco considers the daily export files as temporary files and deletes them. Keep in mind that this trigger cleans all of Alfresco's temporary files, not only the export files, and that the export files contain every user's name and e-mail address (see step 3). So keep the temp directory readable by the alfresco account only, and delete the files and re-enable the cleaner once the debugging session is over.

Edit the file : scheduled-jobs-context.xml
(should be here : “/home/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco”)

And comment out (with <!-- -->) the whole bean definition that starts with:

 <bean id="tempFileCleanerTrigger" class="org.alfresco.util.TriggerBean">

 

Then restart the server, and wait for the LDAP synchro to run.
At the end of the User/Group export, you should see 2 new files in:

/home/alfresco/tomcat/temp/Alfresco

ExportSourceImporter-41245.xml

ExportSourceImporter-51936.xml

One is for Users, the other is for Groups.

———-

3/ Check the consistency of the export files:

In some cases, especially if the export files are very big or if the server was stopped during the export, they might not be properly terminated (the XML file is incomplete).
So it is important to verify that the output files are properly formatted (valid, well-formed XML files).

– Open the Group export file, and verify that it ends properly with the "</view:view>" tag, as follows:

<?xml version="1.0" encoding="UTF-8"?>
<view:view xmlns:view=(list of namespace here)>
   <usr:authorityContainer view:childName="usr:GROUP_APP_ALFRESCO_EUROPE" view:id="08af8a56-0f6c-11de-a3e9-4d545cfc49d0">
      <usr:authorityName>GROUP_APP_ALFRESCO_EUROPE</usr:authorityName>
      <usr:members>

(…)

</view:view>

– Open the Users export file, and verify that it ends properly with the "</view:view>" tag, as follows:

<?xml version="1.0" encoding="UTF-8"?>
<view:view xmlns:view="http://www.alfresco.org/view/repository/1.0" xmlns:d="http://www.alfresco.org/model/dictionary/1.0" xmlns:alf="http://www.alfresco.org" xmlns:nt="http://www.jcp.org/jcr/nt/1.0" xmlns:act="http://www.alfresco.org/model/action/1.0" xmlns:wf="http://www.alfresco.org/model/workflow/1.0" xmlns:app="http://www.alfresco.org/model/application/1.0" xmlns:usr="http://www.alfresco.org/model/user/1.0" xmlns:ver="http://www.alfresco.org/model/versionstore/1.0" xmlns:cm="http://www.alfresco.org/model/content/1.0" xmlns:sv="http://www.jcp.org/jcr/sv/1.0" xmlns:mix="http://www.jcp.org/jcr/mix/1.0" xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:wcm="http://www.alfresco.org/model/wcmmodel/1.0" xmlns:wca="http://www.alfresco.org/model/wcmappmodel/1.0" xmlns:sys="http://www.alfresco.org/model/system/1.0" xmlns:wcmwf="http://www.alfresco.org/model/wcmworkflow/1.0" xmlns:rule="http://www.alfresco.org/model/rule/1.0" xmlns:bpm="http://www.alfresco.org/model/bpm/1.0" xmlns:fm="http://www.alfresco.org/model/forum/1.0" xmlns:custom="custom.model" xmlns:reg="http://www.alfresco.org/system/registry/1.0" xmlns:module="http://www.alfresco.org/system/modules/1.0" xmlns="">
   <cm:person view:childName="cm:person">
      <cm:ownable></cm:ownable>
      <cm:owner>A4673985</cm:owner>

(…)
   <cm:person view:childName="cm:person">
      <cm:ownable></cm:ownable>
      <cm:owner>M6058475</cm:owner>
      <cm:userName>M6058475</cm:userName>
      <cm:firstName>Myong-Cheol</cm:firstName>
      <cm:lastName>LEE</cm:lastName>
      <cm:email>mclee@sgh-china.com</cm:email>
      <cm:organizationId></cm:organizationId>
      <cm:homeFolderProvider>personalHomeFolderProvider</cm:homeFolderProvider>
      <sys:node-uuid>2ef18982-e73f-11dd-a096-dd7b8853f76c</sys:node-uuid>
   </cm:person>
</view:view>
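Checking the two export files by eye is error-prone once they hold thousands of entries. The following script is an added example (not Alfresco code, and not part of the original post): it parses each ExportSourceImporter-*.xml file with a strict XML parser, which fails with a line and column whenever the file was cut off before </view:view>, then counts the group and user entries and reports duplicate cm:userName values so the totals can be compared with what the LDAP query should have returned. The namespace URIs are the ones declared in the export above, the default path is the temp directory from step 2, and the sample exports embedded in the script are constructed for the example (real files are far larger).

```python
"""Added example: sanity-check Alfresco LDAP export files before the import.

Not Alfresco code and not from the original post. The namespace URIs are the
ones declared in the export shown above; the samples at the bottom are
constructed for this example.
"""
import glob
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "view": "http://www.alfresco.org/view/repository/1.0",
    "usr": "http://www.alfresco.org/model/user/1.0",
    "cm": "http://www.alfresco.org/model/content/1.0",
}

# Where the export files land once the temp file cleaner is disabled (step 2);
# adjust for your installation.
EXPORT_GLOB = "/home/alfresco/tomcat/temp/Alfresco/ExportSourceImporter-*.xml"


def check_export(data: bytes) -> dict:
    """Parse one export file and summarise its contents.

    Raises ValueError if the file is not well-formed XML (typically an export
    that was cut off before </view:view>) or if its root is not view:view.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # expat reports the line:column where it gave up, which tells you how
        # far the export got before it was interrupted.
        raise ValueError(f"not well-formed XML (truncated export?): {exc}") from exc
    if root.tag != "{%s}view" % NS["view"]:
        raise ValueError(f"root element is {root.tag!r}, expected view:view")

    groups = root.findall("usr:authorityContainer", NS)
    persons = root.findall("cm:person", NS)
    user_names = Counter(
        p.findtext("cm:userName", default="", namespaces=NS) for p in persons
    )
    if groups and not persons:
        kind = "groups"
    elif persons and not groups:
        kind = "users"
    else:
        kind = "mixed" if groups else "empty"
    return {
        "kind": kind,
        "groups": len(groups),
        "users": len(persons),
        # A userName exported twice, or a person without one, is worth fixing
        # in the LDAP query before the importer trips over it.
        "duplicate_users": sorted(n for n, c in user_names.items() if n and c > 1),
        "missing_user_name": user_names.get("", 0),
    }


def is_complete(data: bytes) -> bool:
    """True when the export parses and has the expected root element."""
    try:
        check_export(data)
        return True
    except ValueError:
        return False


def check_export_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_export(fh.read())


# --- constructed samples (not real exports) ---------------------------------
_ROOT_OPEN = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<view:view xmlns:view="http://www.alfresco.org/view/repository/1.0"'
    b' xmlns:usr="http://www.alfresco.org/model/user/1.0"'
    b' xmlns:cm="http://www.alfresco.org/model/content/1.0">\n'
)


def _person_xml(user_name: bytes) -> bytes:
    return (b'  <cm:person view:childName="cm:person">\n'
            b'    <cm:userName>' + user_name + b'</cm:userName>\n'
            b'  </cm:person>\n')


GROUPS_OK = _ROOT_OPEN + (
    b'  <usr:authorityContainer view:childName="usr:GROUP_APP_ALFRESCO_EUROPE">\n'
    b'    <usr:authorityName>GROUP_APP_ALFRESCO_EUROPE</usr:authorityName>\n'
    b'    <usr:members/>\n'
    b'  </usr:authorityContainer>\n'
    b'</view:view>\n'
)
# Three persons, one of them exported twice.
USERS_OK = (_ROOT_OPEN + _person_xml(b"A0000001") + _person_xml(b"A0000002")
            + _person_xml(b"A0000001") + b'</view:view>\n')
# Export interrupted mid-element: no closing tags at all.
USERS_TRUNCATED = (_ROOT_OPEN + _person_xml(b"A0000001")
                   + b'  <cm:person view:childName="cm:person">\n    <cm:userName>A00')


if __name__ == "__main__":
    for path in sorted(glob.glob(EXPORT_GLOB)):
        try:
            print(path, check_export_file(path))
        except ValueError as exc:
            print(path, "BROKEN:", exc)
```

Run it on the server right after the export step; a "BROKEN" line with an expat position points at the entry where the export stopped, and a user count lower than the LDAP query result (or a non-empty duplicate list) is worth chasing before blaming the importer.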

 

4/ Enable log traces for the export/import process:

By default, there are no log traces of the export/import process.
So to know exactly what happens, you should enable at least the import traces. Note that these DEBUG traces are verbose (about ten lines per imported person, as shown below, so more than 100,000 lines for 12,000 users); enable them only for the debugging session and remove the logger afterwards.

Edit the log4j.properties file (which should be located here:
/home/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties
)

And add:
log4j.logger.org.alfresco.repo.importer.view.ViewParser=DEBUG

Then restart server, and wait for LDAP synchro. In the alfresco.log file you should see traces similar to:

Beginning of the Group import traces:
03:44:42,770 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed ParentContext[parent=user://alfrescoUserStore/53644b61-e548-11dc-8708-09624679a589,assocType=null]
03:44:42,823 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed NodeContext[childName=usr:GROUP_APP_ALFRESCO_EUROPE,type={http://www.alfresco.org/model/user/1.0}authorityContainer,nodeRef=null,aspects=[],parentContext=ParentContext[parent=user://alfrescoUserStore/53644b61-e548-11dc-8708-09624679a589,assocType=null]]
03:44:42,823 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/user/1.0}authorityName
(…)

Beginning of the Users import traces:
19:06:17,984 DEBUG [org.alfresco.repo.importer.view.ViewParser] Popped NodeContext[childName=cm:person,type={http://www.alfresco.org/model/content/1.0}person,nodeRef=null,aspects=[ClassDef[name={http://www.alfresco.org/model/content/1.0}ownable]],parentContext=ParentContext[parent=workspace://SpacesStore/56404266-e548-11dc-8708-09624679a589,assocType=null]]
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Pushed NodeContext[childName=cm:person,type={http://www.alfresco.org/model/content/1.0}person,nodeRef=null,aspects=[],parentContext=ParentContext[parent=workspace://SpacesStore/56404266-e548-11dc-8708-09624679a589,assocType=null]]
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed aspect {http://www.alfresco.org/model/content/1.0}ownable
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}owner
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}userName
19:06:18,153 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}firstName
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}lastName
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}email
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}organizationId
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/content/1.0}homeFolderProvider
19:06:18,154 DEBUG [org.alfresco.repo.importer.view.ViewParser] Processed property {http://www.alfresco.org/model/system/1.0}node-uuid
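To get the same information out of a real alfresco.log without reading thousands of lines, here is an added example script (not Alfresco code, not from the original post) that matches the Pushed/Popped NodeContext messages shown above, counts the group and person nodes whose import completed (a Popped line), lists any node that was pushed but never popped (which is where an interrupted import stopped), and computes the elapsed time between the first and last matching line, useful when the nightly run is being killed by the backup shutdown. The log lines embedded in it are constructed to follow the format above; the script assumes the log4j pattern shown on this page (time, level, logger in brackets) and that all lines of one run belong to the same day.

```python
"""Added example: summarise ViewParser DEBUG traces of an LDAP import.

Not Alfresco code and not from the original post. Assumes the log4j pattern
"HH:mm:ss,SSS LEVEL [logger] message" shown in the post and that all lines
of one run belong to the same day.
"""
import re
import sys
from collections import Counter

NODE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) DEBUG "
    r"\[org\.alfresco\.repo\.importer\.view\.ViewParser\] "
    r"(?P<event>Pushed|Popped) NodeContext\[childName=(?P<child>[^,\]]+),"
    r"type=\{[^}]+\}(?P<type>[^,\]]+)"
)


def _seconds(ts: str) -> float:
    """'03:44:42,770' -> seconds since midnight."""
    hms, millis = ts.split(",")
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s + int(millis) / 1000.0


def summarise_import(lines):
    """Count completed nodes, list unfinished ones, measure elapsed time."""
    open_nodes = []        # pushed but not yet popped: (ts, childName, type)
    completed = Counter()  # node type -> number of Popped lines
    first = last = None
    for line in lines:
        m = NODE_RE.match(line.rstrip("\n"))
        if not m:
            continue       # ParentContext, "Processed property", other loggers
        ts = m["ts"]
        first = ts if first is None else first
        last = ts
        if m["event"] == "Pushed":
            open_nodes.append((ts, m["child"], m["type"]))
        else:
            completed[m["type"]] += 1
            # A log excerpt may start mid-import (a Popped without its Pushed),
            # so only unwind the stack when the pop matches the last push.
            if open_nodes and open_nodes[-1][2] == m["type"]:
                open_nodes.pop()
    return {
        "completed": dict(completed),
        "unfinished": open_nodes,
        "first": first,
        "last": last,
        "elapsed_s": (_seconds(last) - _seconds(first)) if first else 0.0,
    }


# --- constructed sample log (same format as the traces above) ---------------
_VP = "DEBUG [org.alfresco.repo.importer.view.ViewParser]"
_USR = "{http://www.alfresco.org/model/user/1.0}"
_CM = "{http://www.alfresco.org/model/content/1.0}"
_GROUP = f"childName=usr:GROUP_APP_ALFRESCO_EUROPE,type={_USR}authorityContainer,nodeRef=null"
_PERSON = f"childName=cm:person,type={_CM}person,nodeRef=null"
SAMPLE_LOG = [
    f"03:44:42,770 {_VP} Pushed ParentContext[parent=user://alfrescoUserStore/x,assocType=null]",
    f"03:44:42,823 {_VP} Pushed NodeContext[{_GROUP},aspects=[],parentContext=ParentContext[...]]",
    f"03:44:42,823 {_VP} Processed property {_USR}authorityName",
    f"03:44:42,900 {_VP} Popped NodeContext[{_GROUP},aspects=[],parentContext=ParentContext[...]]",
    f"03:44:43,000 {_VP} Pushed NodeContext[{_PERSON},aspects=[],parentContext=ParentContext[...]]",
    f"03:44:43,001 {_VP} Processed property {_CM}userName",
    f"03:44:43,100 {_VP} Popped NodeContext[{_PERSON},aspects=[ClassDef[name={_CM}ownable]],parentContext=ParentContext[...]]",
    f"03:44:43,200 {_VP} Pushed NodeContext[{_PERSON},aspects=[],parentContext=ParentContext[...]]",
    f"03:44:43,300 {_VP} Popped NodeContext[{_PERSON},aspects=[ClassDef[name={_CM}ownable]],parentContext=ParentContext[...]]",
    # Third person pushed, then the server was stopped: no Popped line follows.
    f"03:44:44,000 {_VP} Pushed NodeContext[{_PERSON},aspects=[],parentContext=ParentContext[...]]",
    f"03:44:44,001 {_VP} Processed property {_CM}userName",
]


if __name__ == "__main__":
    # Usage: python import_trace_summary.py /path/to/alfresco.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarise_import(fh))
    else:
        print(summarise_import(SAMPLE_LOG))
```

With the constructed log the script reports 1 group and 2 persons completed and one cm:person left open at 03:44:44,000; on a real run, the "unfinished" entry plus the "elapsed_s" figure tells you whether the nightly batch simply ran into the backup window.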

IMPORTANT: Please note that it might be necessary to customize or override the out-of-the-box Alfresco exporter/importer classes, especially to add more log traces (the default classes do not provide many traces, even in debug mode).

To know which classes are involved, look at the file ldap-synchronisation-context.xml. The export beans are based on these 2 classes (one for users, one for groups); the importer that consumes their output is the ExportSourceImporter bean, whose name appears in the temporary file names shown in step 2:

org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource

org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource