Adobe Connect User Community

#1 2010-11-18 10:39:06

**_dbutt_**

Connect Pro and LDAP Installation Issues - Password and Groups

We've set up LDAP connectivity with Connect Pro 7.5.  It synchronises but doesn't do what we thought it would.  We have two issues.

Passwords 
The LDAP accounts are created on synchronisation.  But we cannot login with the username and password the user has on the network.
If we set the password to an LDAP attribute, we can log in using that username and LDAP attribute.

I think (from the manual) that we should be able to use the AD account username and password.  Am I wrong?  If I'm not, any suggestions as to what I'm doing wrong?

Adding LDAP users to a Connect Pro group
Even though we specify a Connect Pro group for the LDAP users, the user (although created) is not put in that group.

Any suggestions?

For clarity, I've included our LDAP settings and what we think and have done/tested.


Connection Settings

LDAP Server URL* - ldap://172.16.254.121:389
LDAP Connection Authentication Method* - Simple
LDAP Connection Username  - An AD user that can read LDAP
LDAP Connection Password  - Password
LDAP Query Timeout (seconds) - 120 
LDAP Entry Query Page Size Limit (0 or blank default) - 100

(We get "Your settings were successfully saved and LDAP connectivity has been verified." when we save.)

User Profile Mapping

Login - sAMAccountName
First Name - GivenName
Last Name - SN
E-mail - Mail
Salutation - personalTitle
Job Title  - Title
School Name - Company

(All of these appear in an imported account)

Branch DN - OU=Teachers,OU=Dickens Heath,OU=Solgrid Schools,DC=solgrid,DC=local
Filter -  (&(objectCategory=person)(memberOf=CN=ORACLE,OU=Administrative accounts,OU=Solgrid Schools,DC=solgrid,DC=local))
Subtree Search - True

(We get the right users in Connect Pro)

Group Profile Mapping

Group Name - cn
Group Member - Member

Branch DN - CN=ORACLE,OU=Administrative accounts,OU=Solgrid Schools,DC=solgrid,DC=local
Filter - (ObjectClass=Group)
Subtree Search - true

(We get the right group in Connect Pro)

Authentication Settings

Enable LDAP Directory authentication - TICKED
Enable Connect Pro fall-back on unsuccessful LDAP Directory authentication - TICKED (we want Connect Pro Users as well as LDAP users)

Create Connect Pro user account upon successful LDAP Directory authentication - Ticked
Select the type of Connect Pro user account to be created - INTERNAL
Group Names - SchoolStaff (this group exists in Connect Pro and spelling is consistent)
Enable group enrollment on first login only - TICKED (We only want the LDAP users in the group, not the Connect Pro users)

Schedule Settings
NOT Set (as we're only setting it up at moment)

Policy Settings
Do nothing. - If we choose this we cannot log the AD accounts in with their AD password BUT the account is created when Connect Pro is synchronised.
Set the password to the value of an LDAP attribute. - This works with the synchronised account.

Apologies if this is basic stuff.  You've got it - we're newbies!

But, I have looked at the books and forums and the video about LDAP.  No joy, sorry!

Thanks

Last edited by **_dbutt_** (2010-11-18 10:40:33)


#2 2010-11-18 14:55:42

**_tltengineer_**

Re: Connect Pro and LDAP Installation Issues - Password and Groups

dbutt,

I am not sure if this is the same issue that is affecting you.  We have our AC server set to authenticate with our LDAP.   On the user profile mapping page of the server config page, there are four required fields:

Login  ---> cn
First Name -->givenName
Last Name-->sn
E-mail  --> mail

On login, if one of those required fields is missing, the login will fail.  The ldap sync is successful but the login is not.

In our environment not everyone has the "E-mail" field populated in LDAP. For those users, the login will fail.  So what we do is we set the "E-mail" field to "mail" during our LDAP synchronizations, which we do manually. Then I set the "E-mail" field back to "cn" (in your environment you are using sAMAccountName) because I know that "cn" is populated.  This will then allow the person to log in.

Not sure if this is what is causing problems on your server.  You can also look through the debug.log file to see what the error is.  On our server this is found in c:\breeze\logs\support.

Regards,
Stanley
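
The failure described in this reply (sync succeeds, login fails when a required mapped attribute is empty) can be checked for ahead of time. This is an added example, not part of the original post and not Adobe's code: it scans an LDIF export of the user branch and lists entries missing any of the four required fields. The attribute mapping is the one from the first post; the sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64

# Required Connect Pro fields -> LDAP attributes (first post's mapping; adjust).
REQUIRED = {"Login": "sAMAccountName", "First Name": "givenName",
            "Last Name": "sn", "E-mail": "mail"}

# Constructed sample export; every name and value here is made up.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Teachers,DC=example,DC=local
sAMAccountName: aexample
givenName: Alice
sn: Example
mail: alice@example.local

dn: CN=Bob Sample,OU=Teachers,DC=example,DC=local
sAMAccountName: bsample
GivenName: Bob
SN: Sample

dn: CN=Carol Test,OU=Teachers,DC=example,DC=local
sAMAccountName: ctest
givenName:: Q2Fyb2w=
mail:
"""

def parse_ldif(text):
    """Yield one dict per entry, keyed by lower-cased attribute name."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:  # skips header blocks such as "version: 1"
            yield entry

def missing_required(text, required=REQUIRED):
    """Map each DN to the required Connect fields that have no value."""
    report = {}
    for entry in parse_ldif(text):
        gaps = [field for field, attr in required.items()
                if not any(entry.get(attr.lower(), []))]
        if gaps:
            report[entry["dn"][0]] = gaps
    return report
```

Calling `missing_required()` on an export taken with the same Branch DN and Filter as the sync shows which accounts would be created but unable to log in. Attribute names are compared case-insensitively, so `GivenName` and `givenName` count as the same attribute.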


#3 2010-11-19 04:17:48

**_Purnima_**

Re: Connect Pro and LDAP Installation Issues - Password and Groups

Dbutt, if the solution suggested by Stanley doesn't work, copy the logs generated. Also, I think the groups are not working properly since LDAP Authentication is failing.


#4 2010-11-19 07:29:18

**_dbutt_**

Re: Connect Pro and LDAP Installation Issues - Password and Groups

Hi Stanley and Purnima -

Many thanks for your help - it's great when you get a problem solved by people who know what they're doing.

After some testing, LDAP authentication does fail if the email address field is empty for a user.  However you worked that out, Stanley, I cannot imagine.  But Magic.  Many thanks!

David
