Active Directory Authetication

blazted · 2008-03-20 18:09:43

I keep on getting a Error when I try to Authenticate using AD.

My Settings

I keep on getting a connection failed. The user is an authenticated user. The only part I am not sure of is the Base Dn and the name. I copied the Base Dn from ADSI Edit for the user account sfghldap. I am using the Root DN that i user for our printers that need to connect to LDAP.Any suggestions?

DarrylC · 2008-03-20 23:55:49

I wasn't able to use the IP address in the Server field, I used 'ldap://servername.company.com', I also wasn't able to get it to work using port 3268, and had to use the default 389. My GLPI instance is running only on our intranet, so I'm not as worried about the unencrypted connection, but if I have some time later I'd prefer to use SSL.

I simply used the root of the domain for Basedn: 'DC=company,DC=com'

In the rootdn field, you need the full distinguishedName attribute to the user account you are using for the lookup. e.g. 'CN=glpi_user_search,CN=users,DC=company,DC=com' (If your user account is in another container, adjust as neccessary). I use Softerra's LDAP Browser to help me figure out some of these attributes. Google it, it's free and it saves me a lot of time.

For AD use the 'samaccountname' attribute for the Login Field.

I spent a while getting this to work on my installation, but now it is working.

Good Luck.
-Darryl

Weastbug · 2008-03-21 01:06:57

Hello,

Here it's my conf if it can help you:

Name: Cjml (what you want)
Server: 127.0.0.1 (IP address work fine for me, her it s a loopback but work fine with subnet IP too)
LDAP Port (default=389): 389 (i m on default no SSL, never tried)
Basedn: OU=IME CAMPAN,DC=CJML,DC=ADOUR (can work too with the root DC=CJML,DC=ADOUR)
rootdn (for non anonymous binds): s.gille@cjml.adour ( can work too with full path)
Pass (for non-anonymous binds): ****
Connection filter: (&(objectClass=user)(name=a *)) (name=a it's because all my user i want have a "a " in 1st charterf for Account)
Login Field: samaccountname
Use TLS: No
Time zone: GMT
Search type: Users & Groups
User attribute containing its groups: memberof
Filter to search in groups: (objectClass=group)
Group attribute containing its users: member
Use DN in the search: Yes
Surname: sn
First name: givenname
Comments: info
E-Mail: mail
Phone: telephonenumber
Phone 2: otherphone
Mobile: mobile

Regards, Weast.

blazted · 2008-03-24 18:31:06

I got it working so that both my rootdn and basedn are populated and have a successful test connection.

However when I go to login with a domain account i get one of two error messages. if I put a domain\user name I get a error message

unknown user
unsuccessful authorization in LDAP

if I put username\password I get a
unknown user
User not found or several users found

Error message.

I did check my settings under general and I have automatically add users checked. Any ideas of why this isn't working or is there something else I got to do?

One other question: Under the login name you enter. Do you put domain\username?

Last edited by blazted (2008-03-24 21:19:52)

7andY · 2008-03-25 10:24:45

Did you manually import your users? I couldn't get the automatic bit to work...if there is one!
Once imported, it seems to work fine.
7&Y

blazted · 2008-03-25 18:07:14

I have to manually import my users from AD? I thought I could use the LDAP authentication to authenticate to AD and then it would add that user to the DB.

Weastbug · 2008-03-25 19:17:22

Hi,

Before trying to connect from a AD login try to import some users from the LDAP Link. In this place do you see any users account from your AD?

For login from a AD account you don't need "domain\username", just username is used (the samaccountname from you LDAP tree).

Regards, Weast.

blazted · 2008-03-25 21:10:22

Where do you import users from on the console?

DarrylC · 2008-03-25 22:30:28

It looks to me as though you aren't using the distinguishedName attribute for your rootDN. user@domain.com shouldn't work. You should try using the whole string...

e.g. 'CN=userName,CN=container,DC=domain,DC=com' for the userName that is connecting to GLPI to perform searches.

Try using an LDAP browser, then just C&P the distinguishedName attribute for the user you want to use.

-DC

blazted · 2008-03-25 22:55:01

I have fixed that and it says test successfully when i test it. It simply will not allow me to login though with a AD user.

DarrylC · 2008-03-25 23:35:15

Login Field: samaccountname

blazted · 2008-03-26 00:31:47

Thanks for the help.

I changed the login field to the user name only. I still get the same error message when I try to login with a AD account.

unknown user
User not found or several users found

7andY · 2008-03-26 11:16:49

blazted wrote:

Where do you import users from on the console?

Administration|Users|LDAP Link|Import Users

7&Y

blazted · 2008-03-26 18:57:27

Thank you. I went to import my users. I put the search filter for users then it said it successfully imported. But in the next menu it says Last update on LDAP shows the date but under Last Update in GLPI it shows blank.

This is my search filter for users.

(&(objectClass=user)(objectCategory=person))

Any ideas?

Weastbug · 2008-03-27 10:23:34

Hi,

blazted wrote:

it says Last update on LDAP shows the date but under Last Update in GLPI it shows blank.

And in your Glpi userlist you have nothing user added?
What is your glpi version? Perviously i had the same thing with one SVN release, no users will be added & auth will no work.

I sugest you to try installing a new fresh 0.70.2 for testing the LDAP auth if you have a old install wo was updated some time, maybe your db was broken.

Regards, Weast.

Forum GLPI-Project

Announcement

#1 2008-03-20 18:09:43

Active Directory Authetication

#2 2008-03-20 23:55:49

Re: Active Directory Authetication

#3 2008-03-21 01:06:57

Re: Active Directory Authetication

#4 2008-03-24 18:31:06

Re: Active Directory Authetication

#5 2008-03-25 10:24:45

Re: Active Directory Authetication

#6 2008-03-25 18:07:14

Re: Active Directory Authetication

#7 2008-03-25 19:17:22

Re: Active Directory Authetication

#8 2008-03-25 21:10:22

Re: Active Directory Authetication

#9 2008-03-25 22:30:28

Re: Active Directory Authetication

#10 2008-03-25 22:55:01

Re: Active Directory Authetication

#11 2008-03-25 23:35:15

Re: Active Directory Authetication

#12 2008-03-26 00:31:47

Re: Active Directory Authetication

#13 2008-03-26 11:16:49

Re: Active Directory Authetication

#14 2008-03-26 18:57:27

Re: Active Directory Authetication

#15 2008-03-27 10:23:34

Re: Active Directory Authetication

Board footer