Can anyone post the SystemGlobals.properties here for successful LDAP/AD integration? Thanks.

I have been working on JForum LDAP/AD integration for a while, but every attempt I have made doesn't work. I am thinking that I may not have configured the SystemGlobals.properties file correctly. If you have been successful with LDAP integration, would you please post your SSO / user authentication and LDAP sessions here? I very much appreciate your help.

[originally posted on jforum.net by steveCh]
Migrated From Jforum.net
Sorry, I don't have any example settings. But one common "gotcha" is that the LDAP SSO code assumes that the user id exists in the branch specified by your settings. It DOES NOT SEARCH for ids under the tree.

In other words, it assumes the users are in a big pile under a single OU. So, if you have users in OUs below what you set it up for, it will not find them.

If you look at the code, you will see the user DN string is produced like this:



Where LDAP_LOGIN_* are the related config parameters.

This is used with the password to define the LDAP security information (e.g. used to log onto the LDAP server). This has to match the exact user DN.

This is combined with a lookup of the e-mail attribute defined by either the DN defined above or:



Note: If the LDAP_LOOKUP* config parameters aren't set, the LDAP_LOGIN* parameters are used. This option is for sites that store authentication location in one place but user attributes in another.

So, two things could be happening. The LDAP DN strings generated by this process don't match the exact DNs of the user. Or maybe the user does not have rights to look up their own attributes.

You could try looking at your LDAP log to see if there is an authentication rejection or add some debug logging code to the LDAP SSO class.
[originally posted on jforum.net by monroe]
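As an added diagnostic (not JForum's own code and not part of the reply above), this Python script rebuilds the login and lookup DNs from prefix/suffix settings the way the reply describes, with the empty-lookup fallback, and lists the directory entries whose real DN sits in a sub-OU and so will never match the constructed one. The property key names (`ldap.login.prefix` and friends) are an assumption about how SystemGlobals.properties names these parameters, and both the settings and the directory export are constructed samples.

```python
SAMPLE_SETTINGS = """\
# constructed sample; key names are an assumption, not verified against JForum
ldap.login.prefix = uid=
ldap.login.suffix = ,ou=people,dc=example,dc=com
ldap.lookup.prefix =
ldap.lookup.suffix =
"""

SAMPLE_DIRECTORY = [  # constructed export of the DNs that really exist
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=bob,ou=staff,ou=people,dc=example,dc=com",
    "uid=carol,ou=contractors,ou=people,dc=example,dc=com",
]


def parse_properties(text):
    """Minimal java.util.Properties reader: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def normalize_dn(dn):
    """Compare DNs ignoring case and whitespace around each RDN component."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_dn(props, scope, username):
    """Concatenate prefix + username + suffix as the reply describes.
    scope is 'login' or 'lookup'; empty lookup settings fall back to login."""
    prefix = props.get(f"ldap.{scope}.prefix", "")
    suffix = props.get(f"ldap.{scope}.suffix", "")
    if scope == "lookup" and not prefix and not suffix:
        prefix = props.get("ldap.login.prefix", "")
        suffix = props.get("ldap.login.suffix", "")
    return f"{prefix}{username}{suffix}"


def find_unreachable_users(props, directory_dns):
    """Return (username, real_dn, constructed_dn) for each entry whose real DN
    differs from the flat DN the SSO code would build, i.e. users in sub-OUs."""
    problems = []
    for real_dn in directory_dns:
        username = real_dn.split(",", 1)[0].partition("=")[2].strip()
        built = build_dn(props, "login", username)
        if normalize_dn(built) != normalize_dn(real_dn):
            problems.append((username, real_dn, built))
    return problems


if __name__ == "__main__":
    for user, real, built in find_unreachable_users(parse_properties(SAMPLE_SETTINGS), SAMPLE_DIRECTORY):
        print(f"{user}: directory has {real} but SSO will bind as {built}")
```

Feed it a real export of user DNs (for example from an ldapsearch of your user base) instead of the constructed list to see which accounts the flat DN construction will miss.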