4 Replies Latest reply on Apr 19, 2007 6:48 AM by couture

    Active Directory Groups

      I am currently running an eval of clearspace and trying to work out the kinks with active directory integration. I didn't have much luck trying to set up the ldap settings through the initial setup tool. It would get to the point of asking which ldap user to make admin, but couldn't get past that point. I checked the jive logs and saw it was saying no such user existed (such a user did indeed exist in AD). To get around that issue I just did the setup as default user database then went in after and followed the instructions for setting up ldap integration without the setup tool. I did mixed mode. I also found the instructions for the group parts and set that up as well (I used a group search filter to pull in only one group of users). The first issue I hit was not having my admin account anymore, but I fixed that by diddling the ID of one of my users to 1. After that I could log in and I saw my AD group under the group summary saying it had 17 members. I go to the user summary and I see those 17 users, but if I click on any of the users it shows their "Group:" as "No group memberships." I thought maybe the group just wasn't showing up in the admin tool, so I tried setting permissions to a space via the group, but that was a no go. The users did not gain access. So any advice on how to get over this one last hurdle of AD integration?


      On a side note some of my users have asked if it would be possible to use both the AD users and groups as well as non AD users and groups on the same system. As far as I can tell this is not an option on the stock system. If anyone has insight on if or how this would be possible I'd appreciate any pointers you could offer.

        • Re: Active Directory Groups

          Couture,


          If you want to use ldap groups along with normal database groups you would need to do a custom AuthFactory, UserManager, AuthFactory, Group and GroupManager. These would basically be combinations of the Db and Ldap versions of all the above classes.


          From what I've seen, people who have had the same LDAP issue as you didn't set the search filter and username fields to point to sAMAccountName rather than uid.


          Do you think that could be your issue?


          Cheers,

          Nate

            • Re: Active Directory Groups

              Hey Nate,


              Here are the relevant ldap settings I am using:


              ldap.searchFilter  =    (sAMAccountName=)

              ldap.usernameField  =    sAMAccountName

              ldap.groupSearchFilter  =    (&(cn=jivegroup)(member=))

              ldap.groupNameField  =    cn

              ldap.groupMemberField  =    member

              ldap.groupDescriptionField  =    description


              -Nate

                • Re: Active Directory Groups

                  I still haven't had success with the groups. I have tried re-installing from scratch several times and have tried various combinations to get it to work, but no luck. I also think I may have noticed a bug with the LDAP auth. I think it is trying to log in repeatedly when the wrong password is given. I have my active directory set to lock an account after multiple failed login attempts. If I try to log in to clearspace once with an incorrect password the account locks (everything is fine with the correct password). The auth tool should really only try to authenticate one time and if it fails give up. The multiple attempt bit will cause lockout headaches for anyone using AD.


                  -Nate

                    • Re: Active Directory Groups

                      Update - I figured out the problem with groups integration. My user DNs all have a \ in them from way way back when they were converted from another user directory. The \ must be seen by clearspace as an escape character and therefore breaks everything. Now I need to figure out if I can get clearspace to ignore the \, or if I can just rip the \ out of all of my user DNs, but at least the root cause has been discovered.


                      The issue with multiple attempts with the incorrect password still exists though.
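The root cause in the post above, a backslash inside a user DN breaking the group-membership lookup, is a general LDAP filter-escaping problem, and the example below reproduces it outside Clearspace. It is added here and is not code from the thread or from Jive: a user DN whose RDN contains a backslash-escaped comma is substituted into a filter shaped like the thread's ldap.groupSearchFilter, once raw and once escaped per RFC 4515, and a small in-memory "directory" evaluates each filter the way a server would. The group, member DNs, and the `{0}`/`{1}` placeholder positions in the filter template are constructed assumptions (the thread's template lost its placeholder in extraction).

```python
import re
import string

# Constructed sample data (not from the thread): one AD-style group and a
# member whose DN carries a backslash-escaped comma in its RDN, the kind of
# DN the final post describes as breaking group membership.
GROUP_CN = "jivegroup"
GROUP_MEMBERS = [
    "CN=Smith\\, John,OU=Users,DC=example,DC=com",
    "CN=alice,OU=Users,DC=example,DC=com",
]
USER_DN = GROUP_MEMBERS[0]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The characters * ( ) \\ and NUL are written as \\XX hex escapes;
    left raw, they are parsed as filter syntax or as a broken escape.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value):
    """Decode RFC 4515 \\XX escapes back to the literal assertion value.

    Raises ValueError on a backslash not followed by two hex digits, which
    is how a directory server rejects a malformed filter.
    """
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            hexpair = value[i + 1:i + 3]
            if len(hexpair) != 2 or any(c not in string.hexdigits for c in hexpair):
                raise ValueError("bad escape at offset %d" % i)
            out.append(chr(int(hexpair, 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_group_filter(group_cn, member_dn, escape=True):
    """Fill a filter shaped like the thread's ldap.groupSearchFilter.

    escape=False reproduces the failure in the post: the DN is dropped in
    verbatim, so its own backslash lands in the filter unescaped.
    """
    if escape:
        group_cn = escape_filter_value(group_cn)
        member_dn = escape_filter_value(member_dn)
    return "(&(cn=%s)(member=%s))" % (group_cn, member_dn)


_MEMBER_RE = re.compile(r"\(member=([^)]*)\)")


def user_is_in_group(filt, group_cn=GROUP_CN, members=GROUP_MEMBERS):
    """Evaluate the filter against the in-memory group the way a directory
    would: decode the asserted member value, then compare it with each
    stored member DN. A malformed escape rejects the whole filter, so the
    membership check fails even though the user really is a member."""
    m = _MEMBER_RE.search(filt)
    if m is None or "(cn=%s)" % group_cn not in filt:
        return False
    try:
        asserted_dn = unescape_filter_value(m.group(1))
    except ValueError:
        return False
    return asserted_dn in members


if __name__ == "__main__":
    for escape in (False, True):
        f = build_group_filter(GROUP_CN, USER_DN, escape=escape)
        label = "escaped" if escape else "raw"
        print("%-8s %s -> member? %s" % (label, f, user_is_in_group(f)))
```

Run stand-alone, the raw filter reports the user as not a member (the `\,` is an invalid escape and the filter is rejected) while the escaped filter, in which the backslash becomes `\5c`, finds the same user. The practical point for the thread is that stripping backslashes out of DNs is one fix, but escaping the DN before substitution is the one that keeps working for any DN the directory can produce.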