I have been working on JForum LDAP/AD integration for a while, but nothing I have tried works. I think I may not be configuring the SystemGlobals.properties file correctly. If you have succeeded with LDAP integration, would you please post your SSO / user authentication and LDAP sections here? I really appreciate your help.
[originally posted on jforum.net by steveCh]
Migrated From Jforum.net
posted 10 years ago
Sorry, I don't have example settings. But one common "gotcha" is that the LDAP SSO code assumes that the user id exists in the branch specified by your settings. It DOES NOT SEARCH for ids under the tree.
In other words, it assumes the users are in a big pile under a single OU. So, if you have users in OUs below the one you set it up for, it will not find them.
If you look at the code, you will see the user DN string is produced like this:
Where LDAP_LOGIN_* are the related config parameters.
This is used with the password to define the LDAP security information (e.g. used to log onto the LDAP server). This has to match the exact user DN.
This is combined with a lookup of the e-mail attribute defined by either the DN defined above or:
Note: If the LDAP_LOOKUP_* config parameters aren't set, the LDAP_LOGIN_* parameters are used. This option is for sites that store the authentication location in one place but user attributes in another.
So, one of two things could be happening: the LDAP DN strings generated by this process don't match the users' exact DNs, or the user does not have rights to look up their own attributes.
You could try looking at your LDAP log to see if there is an authentication rejection or add some debug logging code to the LDAP SSO class. [originally posted on jforum.net by monroe]
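The following is an added example in Java (it is not JForum code, and the constant names, server URL, base DN, attribute name and prefix/suffix values are assumptions standing in for whatever LDAP_LOGIN_* / LDAP_LOOKUP_* values you configured). It does by hand what the answer above describes, so you can see at which step your setup breaks: build `prefix + userId + suffix` as the bind DN, simple-bind with it, read the e-mail attribute through the lookup DN, and finally run the subtree search that the SSO code does not do, so the DN the directory actually holds can be compared with the one the concatenation produced. Two things go beyond the plain concatenation: the user id is RFC 4514-escaped before it is glued into the DN, and an empty password is refused because a simple bind with an empty password is an anonymous bind that most servers accept.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

/**
 * Stand-alone check of the "prefix + userId + suffix" DN scheme described in the thread.
 * Not JForum code: every constant below is an assumed placeholder for your own settings.
 */
public class LdapDnCheck {
    static final String LDAP_URL      = "ldap://ldap.example.com:389";   // assumed server
    static final String LOGIN_PREFIX  = "uid=";                          // assumed LDAP_LOGIN_* prefix
    static final String LOGIN_SUFFIX  = ",ou=people,dc=example,dc=com";  // assumed LDAP_LOGIN_* suffix
    static final String LOOKUP_PREFIX = LOGIN_PREFIX;                    // LDAP_LOOKUP_* unset: login values are reused
    static final String LOOKUP_SUFFIX = LOGIN_SUFFIX;
    static final String EMAIL_ATTR    = "mail";                          // assumed e-mail attribute name
    static final String SEARCH_BASE   = "dc=example,dc=com";             // assumed top of the user tree

    /** The concatenation the answer describes: no search, so the entry must sit directly under the suffix. */
    static String buildDn(String prefix, String suffix, String userId) {
        // Rdn.escapeValue handles ',', '+', '"', '\', '<', '>', ';' and leading/trailing spaces (RFC 4514).
        return prefix + Rdn.escapeValue(userId) + suffix;
    }

    /** Simple bind as the constructed DN; throws (usually AuthenticationException) if DN or password is wrong. */
    static DirContext bind(String dn, char[] password) throws NamingException {
        if (password == null || password.length == 0) {
            // RFC 4513: a simple bind with an empty password is an unauthenticated (anonymous) bind,
            // which AD and most other servers accept. Treating that as "login OK" would be an auth bypass.
            throw new NamingException("refusing to bind with an empty password");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialDirContext(env);
    }

    /** Second step from the answer: read the e-mail attribute by DN. Needs read rights on that entry. */
    static String lookupEmail(DirContext ctx, String dn) throws NamingException {
        Attributes attrs = ctx.getAttributes(dn, new String[] { EMAIL_ATTR });
        Attribute mail = attrs.get(EMAIL_ATTR);
        return mail == null ? null : (String) mail.get();
    }

    /** What the SSO code does NOT do: a subtree search that finds the user wherever it lives below the base. */
    static String findDnBySearch(DirContext ctx, String userId) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // DN only, no attributes
        // {0} is escaped by JNDI (RFC 4515), so a userId such as "*)(uid=*" cannot widen the filter.
        NamingEnumeration<SearchResult> hits =
            ctx.search(SEARCH_BASE, "(uid={0})", new Object[] { userId }, sc);
        String found = null;
        while (hits.hasMore()) {
            SearchResult r = hits.next();
            if (found != null) {
                throw new NamingException("uid " + userId + " is not unique below " + SEARCH_BASE);
            }
            found = r.getNameInNamespace();
        }
        return found;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage: java LdapDnCheck <userId>   (password is read from the terminal)");
            System.exit(2);
        }
        String userId = args[0];
        char[] password = System.console().readPassword("password for %s: ", userId);

        String loginDn = buildDn(LOGIN_PREFIX, LOGIN_SUFFIX, userId);
        System.out.println("constructed login DN : " + loginDn);
        DirContext ctx;
        try {
            ctx = bind(loginDn, password);
            System.out.println("bind                 : OK");
        } catch (NamingException e) {
            // Failure mode 1 from the answer: the concatenated DN is not the user's real DN (or the password is wrong).
            System.out.println("bind                 : FAILED (" + e.getMessage() + ")");
            return;
        }
        try {
            String lookupDn = buildDn(LOOKUP_PREFIX, LOOKUP_SUFFIX, userId);
            // Failure mode 2: bind worked but the user cannot read its own attributes (null or exception here).
            System.out.println("e-mail via lookup DN : " + lookupEmail(ctx, lookupDn));
            // A DN here that differs from the constructed one means the user sits in a sub-OU.
            System.out.println("DN by subtree search : " + findDnBySearch(ctx, userId));
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `javac LdapDnCheck.java && java LdapDnCheck alice` from the JForum host so the same network path and server are used. If the bind fails against Active Directory, the exception message distinguishes the two cases the answer raises: the `data` code in the "AcceptSecurityContext" text is `525` when the DN does not exist and `52e` when the DN exists but the password is wrong. If the bind fails, the subtree search cannot run with that user's credentials; bind as a service account (or anonymously, if the directory allows it) and call `findDnBySearch` to see the DN the directory actually holds, then adjust the suffix until `buildDn` reproduces it exactly.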