Can anyone post the SystemGlobals.properties here for successful LDAP/AD integration? Thanks.

I have worked on JForum LDAP/AD integration for a while, but every attempt I made doesn't work. I am thinking that I may not be doing it correctly in the SystemGlobals.properties file. If you are successful in LDAP integration, would you please post the SSO / User authentication and LDAP sections here? I very much appreciate your help.

[originally posted on jforum.net by steveCh]
Sorry, I don't have example settings. But one common "gotcha" is that the LDAP SSO code assumes that the user id exists in the branch specified by your settings. It DOES NOT SEARCH for ids under the tree.

In other words, it assumes the users are in a big pile under a single OU. So, if you have users in OUs below what you set it up for, it will not find them.

If you look at the code, you will see the user DN string is produced like this:



Where LDAP_LOGIN_* are the related config parameters.

This is used with the password to define the LDAP security information (e.g. used to log onto the LDAP server). This has to match the exact user DN.

This is combined with a lookup of the e-mail attribute defined by either the DN defined above or:



Note: If the LDAP_LOOKUP* config parameters aren't set, the LDAP_LOGIN* parameters are used. This option is for sites that store authentication location in one place but user attributes in another.

So, two things could be happening. The LDAP DN strings generated by this process don't match the exact DNs of the user. Or maybe the user does not have rights to look up their own attributes.

You could try looking at your LDAP log to see if there is an authentication rejection or add some debug logging code to the LDAP SSO class.
[originally posted on jforum.net by monroe]
 
Don't get me started about those stupid light bulbs.
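To make the failure mode monroe describes concrete, here is an added Python example (not JForum's code and not from the thread) that models a small constructed directory and compares a DN composed from assumed LDAP_LOGIN_*-style prefix/suffix values against an LDAP-style subtree search. The parameter names, the two entries and the attribute names are assumptions chosen for illustration.

```python
"""Added example (not JForum's code): a DN composed from prefix + id + suffix
only matches users sitting directly under one OU; a subtree search under the
same base also finds users in sub-OUs. The directory below is constructed."""

# Constructed sample directory: DN -> attributes (no LDAP server needed).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"uid": "alice", "mail": "alice@example.com"},
    "uid=bob,ou=Sales,ou=People,dc=example,dc=com": {"uid": "bob", "mail": "bob@example.com"},
}

# Assumed values standing in for the LDAP_LOGIN_* parameters the post refers to.
LOGIN_PREFIX = "uid="
LOGIN_SUFFIX = ",ou=People,dc=example,dc=com"
SEARCH_BASE = "ou=People,dc=example,dc=com"


def normalize_dn(dn):
    """Canonical form for comparison: lower-case, whitespace around RDN commas removed."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def compose_login_dn(user_id, prefix=LOGIN_PREFIX, suffix=LOGIN_SUFFIX):
    """The 'big pile under one OU' assumption: the bind DN is just prefix + id + suffix."""
    return prefix + user_id + suffix


def bind_with_composed_dn(user_id, directory=DIRECTORY):
    """Simulated simple bind: succeeds only if the composed DN exists exactly."""
    dn = normalize_dn(compose_login_dn(user_id))
    return dn if dn in {normalize_dn(d) for d in directory} else None


def is_under(dn, base):
    """True if dn is base itself or any entry beneath it (LDAP subtree scope)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def search_subtree(user_id, base=SEARCH_BASE, directory=DIRECTORY):
    """Subtree search for (uid=<user_id>) under base, returning the entry's real DN."""
    for dn, attrs in directory.items():
        if is_under(dn, base) and attrs.get("uid") == user_id:
            return dn
    return None


if __name__ == "__main__":
    for uid in ("alice", "bob"):
        # alice is found both ways; bob (in a sub-OU) only via the subtree search.
        print(uid, "composed:", bind_with_composed_dn(uid), "| subtree:", search_subtree(uid))
```

When a real bind fails the same way, the server's log typically shows the composed DN it was asked to bind as, which makes the mismatch easy to spot.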