The Alfresco Synchronization Subsystem keeps Alfresco in sync with the configured user registries (LDAP servers). When you enable user registry export and the LDAP query you configure pulls the directory's built-in Guest account into the local Alfresco repository, a later synchronization with removals can fail with the error "The Guest user cannot be deleted":
USE CASE
Suppose you have configured Alfresco to interact with a Microsoft Active Directory server which includes the built-in Guest user. Here is what could happen.
Step 1 – The LDAP subsystem for user registry export is enabled. When the subsystem starts for the first time, all users and groups found under the configured search bases are added or updated in the Alfresco repository.
Step 2 – The query that selects the user objects to export points to an element of the AD tree that includes the built-in Guest user:
ldap.synchronization.active=true
ldap.synchronization.groupSearchBase=dc\=testad,dc\=com
ldap.synchronization.userSearchBase=dc\=testad,dc\=com
Step 3 – The AD Guest user is updated locally in Alfresco and is now treated as a real LDAP user.
Step 4 – A scheduled job triggers a differential synchronization with removals every 24 hours (by default).
Step 5 – The Distinguished Name used by the user query is changed to an element of the AD tree that no longer contains the Guest user:
ldap.synchronization.groupSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
ldap.synchronization.userSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
Step 6 – On the next differential synchronization with removals, the sync job tries to delete the Guest user it no longer sees in AD, and the error "The Guest user cannot be deleted" is raised.
SOLUTION 1
### Always exclude the Guest user from both person queries
ldap.synchronization.personQuery=(&(objectclass\=user)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
SOLUTION 2
### Restrict the LDAP user query to a subtree of the LDAP server in which the Guest user will never appear
ldap.synchronization.groupSearchBase=ou\=MyNoGuestUnit,dc\=testad,dc\=com
ldap.synchronization.userSearchBase=ou\=MyNoGuestUnit,dc\=testad,dc\=com
SOLUTION 3
### Disable removals. If false, no sync job is allowed to delete users or groups (note that accounts removed from AD will then also remain in Alfresco)
synchronization.allowDeletions=false
SOLUTION 4
### Keep the Guest user inside the subtree the user queries search (if necessary, create a Guest account below the search base), so it is always updated and never scheduled for removal
ldap.synchronization.groupSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
ldap.synchronization.userSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
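A pre-flight check for the trap described in the use case, added here as an example; it is not Alfresco code and does not connect to LDAP. It parses an alfresco-global.properties fragment the way Java properties are written (with `=` and `:` inside values escaped as `\=` and `\:`) and reports when deletions are still enabled while the person queries do not exclude cn=Guest (Solution 1) or when deletions have been switched off (Solution 3). The property names are Alfresco's own; the sample fragments embedded below are constructed for this example and mirror the article's Step 5 configuration.

```python
"""Lint an alfresco-global.properties fragment for the Guest-user deletion trap.

Added example, not Alfresco code. Offline: it only parses text.
"""
import re

# Matches a "(!(cn=Guest))" clause in an already-unescaped LDAP filter.
GUEST_EXCLUSION = re.compile(r"\(!\s*\(cn=guest\)\s*\)", re.IGNORECASE)

PERSON_QUERY_KEYS = (
    "ldap.synchronization.personQuery",
    "ldap.synchronization.personDifferentialQuery",
)


def unescape(s):
    """Undo Java properties backslash escapes (\\=, \\:, \\\\, \\t, ...)."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_java_properties(text):
    """Minimal key=value parser: '#'/'!' comment lines skipped, escapes honoured.
    Line continuations are not handled (the article's fragments have none)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):  # the key ends at the first unescaped '=', ':' or blank
            if line[i] == "\\":
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key, rest = line[:i], line[i:].lstrip(" \t")
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip(" \t")
        props[unescape(key)] = unescape(rest)
    return props


def lint_guest_sync(text):
    """Return a list of findings (strings) for one properties fragment."""
    p = parse_java_properties(text)
    findings = []
    if p.get("ldap.synchronization.active", "false").strip().lower() != "true":
        return findings  # sync is off: nothing will ever be deleted
    if p.get("synchronization.allowDeletions", "true").strip().lower() != "true":
        findings.append("INFO synchronization.allowDeletions=false: the Guest error goes "
                        "away, but accounts removed from AD also stay in Alfresco")
        return findings
    for key in PERSON_QUERY_KEYS:
        query = p.get(key)
        if query is None:
            findings.append(f"WARN {key} not set: the shipped default query has no cn=Guest exclusion")
        elif not GUEST_EXCLUSION.search(query):
            findings.append(f"WARN {key} does not exclude cn=Guest while deletions are enabled")
    return findings


# Constructed sample: the article's Step 5 setup, deletions left at their default (true).
WEAK_CONFIG = r"""
ldap.synchronization.active=true
ldap.synchronization.groupSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
ldap.synchronization.userSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
"""

# Constructed sample: Solution 1 applied to both person queries.
FIXED_CONFIG = r"""
ldap.synchronization.active=true
ldap.synchronization.userSearchBase=ou\=MilanoUO,dc\=testad,dc\=com
ldap.synchronization.personQuery=(&(objectclass\=user)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(cn\=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
"""

# Constructed sample: Solution 3 applied on top of the weak setup.
NO_DELETE_CONFIG = WEAK_CONFIG + "synchronization.allowDeletions=false\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("no-delete", NO_DELETE_CONFIG)):
        print(name, lint_guest_sync(cfg) or ["OK"])
```

Run it against your own alfresco-global.properties by passing the file contents to `lint_guest_sync`; the exclusion is matched on the unescaped filter, so both the `(!(cn\=Guest))` spelling from the article and the unescaped `(!(cn=Guest))` form are accepted.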
Hi,
I have Alfresco Community 4.2.f installed on Windows Server 2008 R2 and synchronized very well with AD, but I get an error in the alfresco.log file every day at midnight:
——————————————–
... Failed to process entry "Guest".
org.alfresco.error.AlfrescoRuntimeException: 09301582 The Guest user cannot be deleted.
...
Synchronization,Category=directory,id1=ldap-ad1,id2=7 Authority Deletion: 1 error(s) detected. Last error from entry "Guest"
org.alfresco.error.AlfrescoRuntimeException: 09301582 The Guest user cannot be deleted.
——————————————–
So I have made this modification as you mentioned in your article, but nothing happened and I still get the same error:
### Disable user removals. If false, then no sync job will be allowed to delete users or groups
synchronization.allowDeletions=false
# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(!(cn=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(cn=Guest))(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
——————————————————————————-
Hi Hedi,
make sure you've configured the "synchronization.allowDeletions" property in the alfresco-global.properties file.
About the two other properties: if you have already imported the Guest user into the Alfresco repository, there is no way to force its deletion (Alfresco has its own built-in Guest user that cannot be removed).
So, use only synchronization.allowDeletions=false in alfresco-global.properties.
Alternatively, you can create a Guest user in the DN of your AD server below which you run the user queries (see the userSearchBase property).
Giuseppe