ldap - Alfresco - Configure 2 groupSearchBases for Active Directory

Question

How to configure 2 groupSearchBases for Alfresco?

Right now i have this property in my global.properties:

ldap.synchronization.groupSearchBase=CN=Alfresco users,OU=Users,OU=AWE,DC=main,DC=awe

But i need to configure second search base with path

CN=Alfresco users,OU=Labs,OU=AWE,DC=main,DC=awe

. What i have tried is to configure the property with OR statement like this:

ldap.synchronization.groupSearchBase=(|(CN=Alfresco users,OU=Users,OU=AWE,DC=main,DC=awe)(CN=Alfresco users,OU=Labs,OU=AWE,DC=main,DC=awe))

This setting gave me an error:

00:30:07,147 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.error.AlfrescoRuntimeException: 02290000 Error during LDAP Search. Reason: null
...
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms. [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'DC=main,DC=awe']; remaining name '']
...
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:5000ms. [Root exception is com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'DC=main,DC=awe']; remaining name ''
...
Caused by: com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'DC=main,DC=awe'

I also minimized the searchBase path to include both of the directories like this:

ldap.synchronization.groupSearchBase=CN=Alfresco users,OU=AWE,DC=main,DC=awe

But this also gave me an error:

    org.alfresco.error.AlfrescoRuntimeException: 02310000 Error during LDAP Search. Reason: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=AWE,DC=main,DC=awe'
...
    Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:'OU=AWE,DC=main,DC=awe'

What i am doing wrong and how to make alfresco search for both groupSearchBases (the easiest way if possible). Thanks in advance.

Answer 1

as mentioned in the comments, the search base is a LDAP (Distinguished Name) path, not a query. This means that you should select the search base for your user and group query to a path for which both organizational units are subordinate: OU=AWE,DC=main,DC=awe.

Then you need to build the users and groups query so that only groups and users are returned as expected. E.g. for the person query can look like this:

(&
 (objectCategory=Person)
 (|
   (memberOf:1.2.840.113556.1.4.1941:=CN=Alfresco users,OU=Users,OU=AWE,DC=main,DC=awe)
   (memberOf:1.2.840.113556.1.4.1941:=CN=Alfresco users,OU=Labs,OU=AWE,DC=main,DC=awe)
 )
 (userAccountControl:1.2.840.113556.1.4.803:=512)
)

for the group search you should do the same.

hint: 1.2.840.113556.1.4.1941 is a Active-Directory specific filter to retrieve nested groups (recursive retrieval of all members of that DN). For more info check Active Directory: LDAP Syntax Filters | MS Tecnet