Print   Help   
Gray star Gray star Gray star Gray star Gray star (--not rated--)
503 visits    16 replies
Thumbnail Image

Paul DeSousa
Sep 16, 2009 9:03 PM
20. Active Directory

Can someone please help?  I'd like to see if anyone has any details on setting up AD LDAP integration....Step by step preferable as I have had no success at all.

 

Thanks in advance!
Attachments:  
Replies
Thumbnail Image

Mahabalesh Asundi
Sep 26, 2009 4:14 AM
20.1. Re: Active Directory

Hi,

 

Attached document captures step - by - step procedure to configure iFolder with ActiceDirectory.

Let us know in case you are still hitting any other issue with the setup.

 

Thanks

Mahabalesh
Attachments:  
iFolder with AD procedure.pdf
iFolder with AD procedure.pdf Sep 26, 2009 4:14 AM 81 KB Mahabalesh Asundi
Thumbnail Image

Gary D Knue
Oct 7, 2009 4:00 PM
20.2. Re: Active Directory

I have followed your procedure and everything appeared to be successful but now I can't login into the ifolder web administration interface using the system admin account I setup.  Any ideas?
Attachments:  
Thumbnail Image

Mahabalesh Asundi
Oct 7, 2009 10:35 PM
20.3. Re: Active Directory

Since your setup is successful, try the following debug steps to find out why exactly it is not working for you ,

  • Open simias.config file from your data path, check what attribute is set as login attribute, i.e. <setting name="NamingAttribute" value="cn" /> here CN is set as login attribute.
  • Run an ldapsearch command to get all user objects  with all attribute details from AD server.
  • Now check, login attribute value associated with ifolderadmin user object.  If it is same as the one you are using at the time of login, it should ideally allow you to login.
  • If the above is not resolving your issue, check if there are multiple users with the same login attribute value. In this case user object found later in LDAP sync will overwrite the initial user objects as both are having same login attribute value.  Make sure there are not duplicate users with same login attribute value, clean the datapath and setup iFolder again. (This is a bug in 3.7.2 and already fixed in trunk)
  • If any of the above is not solving your problem, Replace "INFO" string to "DEBUG" in <DATAPATH>/Simias.log4net file and save the same. Restart apache, try and login to admin console, now open Simias.log from <DATAPATH>/log/Simias.log file and make sure ifolderadmin is getting synced properly.
  • There could be an issue with proxy user configured, so it is not syncing any user objects to iFolder, with debug log enabled,  ifolder will log enough information to log file which you can use to zero in the problem and resolve the same.

I hope the above debug procedure will help you resolve the problem you are currently hitting. In case you have any other specific question in this regard let me know.
Attachments:  
Thumbnail Image

Gary D Knue
Oct 8, 2009 4:55 PM
20.3.1. Re: Re: Active Directory

Thanks for the quick response.  I checked the simias.config file and NamingAtrribute is set to CN but I'm having trouble getting the syntax correct for the ldapsearch command.  I apologize but I'm new to Linux and have never run this command before.  I keep getting the following error:

 

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
Attachments:  
Thumbnail Image

Mahabalesh Asundi
Oct 8, 2009 10:01 PM
20.3.1.1. Re: Re: Re: Active Directory


ldapsearch -x -Z  -H  ldap://<IP>:389 -D "AD Admin DN"  -W -b "users/admin Search context"

Examples:

ldapsearch -x -Z  -H  ldap://xxx.xxx.xxx.xxx:389  -D "CN=Administrator, cn=Users, dc=xyz,dc=com"  -W -b " cn=Users, dc=xyz,dc=com"

or if you have configured certificate as mentioned previously attached document and AD is running in SSL mode you can try,

ldapsearch -x -Z  -H  ldaps://xxx.xxx.xxx.xxx:636  -D "CN=Administrator, cn=Users, dc=xyz,dc=com"  -W -b " cn=Users, dc=xyz,dc=com"

 
Attachments:  
Thumbnail Image

Gary D Knue
Oct 9, 2009 2:28 PM
20.3.1.1.1. Re: Re: Re: Re: Active Directory

Thank you again.  I finally got the ldapsearch command to run per your examples.  I do get the following error before it asks for the LDAP password: ldap_start_tls: Server is unavailable (52), but the command does run.  I limited the search to just the ifolderadmin account I'm trying to use.  I've attached the results.  In your next step you ask me to check for multiple users with the same login attribute value.  Before I enabled LDAP I was able to get into the administrative web interface and I created a user (gknue) and used this as a test account.  I was able to login into the user web interface and also connect a windows xp client.  Could this account be causing me problems?  If so, I'm not sure how to get rid of it since I can't get into the admin interface.  I did change the INFO string to DEBUG in Simias.log4net file and restarted apache but I don't see any erros in the simias.log except when I try to login as gknue and then I get the following error:

 

2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - LdapError:80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771
2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - Error:Invalid Credentials
2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - DN:gknue  

 

I'm sorry to be so ignorant on this but your help is greatly appreciated. 
Attachments:  
ldapsearch.txt
ldapsearch.txt [VIEW] Oct 9, 2009 2:28 PM 2 KB Gary D Knue
Thumbnail Image

Mahabalesh Asundi
Oct 10, 2009 4:17 AM
20.4. Re: Active Directory

Based on your last message and error snippet attached it looks like,

* You had configured iFolder server without any LDAP(AD/OpenLdap) server.

i.e. a standalone installation where, you created users from iFolder admin console and logged as those users and used iFolder system.

All iFolder admin, web access and client connections worked fine for you.

 

*  On top of this installation, you ran simias-server-setup again with same datapath(as used for the above configuration), but this time enabled

LDAP(AD server).

Now your are not able to login admin console(neither with old admin name nor with iFolderadmin name ), not able to connect as old users(users created before enabling LDAP) from webaccess and clients,   where as you are able to login to  webaccess and client as other newly added users(other new users imported from LDAP i.e AD).

 

If this is what it is, then(as observed) this iFolder configuration will not work completely.  This is because, ifolder will not allow you to have mix of local users + LDAP users and previously configured admin is not getting replace by iFolderAdmin in iFolder domain.  Since now AD is enabled, iFolder will try and authenticate all users against LDAP irrespective of fact that users were created locally or imported from LDAP.

 

So the ideal solution for this problem would be, clean up iFolder data path, freshly configure the server setup with steps mentioned in iFolder + AD configuration document attached in this thread.

This way you will make sure that all user info is coming from AD, authentication also happens with AD and entire iFolder system functions properly.

 
Attachments:  
Thumbnail Image

Gary D Knue
Oct 15, 2009 10:45 AM
20.5. Re: Active Directory

Thank you again for the quick response.  I've been out of town on business.  I'm going to start from scratch enabling LDAP and then we'll see how things go.  I'll reply back once I've given this a try.
Attachments:  
Thumbnail Image

Dietmar Rohrer
Oct 22, 2009 6:05 AM
20.6. Re: Active Directory

i have one questions about the active directory too.

although i am not the specialist in this. but is it normal to see

computers in the ifolder admin users section?

i have some troubles with the ifolder webpage.

i cant see the directories which i created in the ifolder client on my

mac and windows machine.

so i took the local admin which was created with the ifolder server installation.

there i at least saw the directory which was already existing on the ifolder webpage.

and i also found it when i was logging in with the local ifolder admin at one windows machine.

but then the same problems occured, i put some files into this directory and checked the

webinterface to find these files. but they werent there. and when i uploaded some files on the

webinterface, i didnt see them on the windows ifolder client either.

i think it has something to do with the import of the active directory.

maybe somebody of the specialists, have an idea?
Attachments:  
Thumbnail Image

Gary D Knue
Oct 28, 2009 11:27 AM
20.7. Re: Active Directory

Mahabalesh,

 

I finally got time to start from scratch on this.  I installed ifolder with LDAP turned on and I'm able to login into the administration web interface with my ifolderadmin account.  I am able to do the ldapsearch command on the server to list user objects from my AD server.  Question I have is this, do I have to manually add user accounts through the web administrative interface or should I be able to login from a client's workstation using a valid AD account to get connected?  I've tried logging in from the client as gknue but I see the following error in the simias.log file: gknue is not member of simias.  I've attached the entire log.  I didn't want to manually add my account through the web interface in fear of messing up the configuration again without asking this first.
Attachments:  
Simias.log
Simias.log Oct 28, 2009 11:27 AM 36 KB Gary D Knue
Thumbnail Image

Gary D Knue
Oct 29, 2009 9:16 AM
20.8. Re: Active Directory

I've answered my own question.  I changed the LDAP context to ou=users,ou=mis,dc=xtek,dc=com and now I see all the users defined under this context.  Should I be able to specify just dc=xtek,dc=com and get all the users defined no matter what ou they are defined to? Or do I have to specify mutilple contexts to pick up the users I want?
Attachments:  
Thumbnail Image

Mahabalesh Asundi
Oct 29, 2009 9:40 AM
20.9. Re: Active Directory

Ideally dc=xtek,dc=com should work fine...  i hope you are changing this directly in simias.config and not planning to use

iFolder admin console for the same...
Attachments:  
Thumbnail Image

Gary D Knue
Oct 29, 2009 11:40 AM
20.10. Re: Active Directory

I was changing it in the admin interface.  Is there a problem with doing it that way?  I never did get just dc=xtek,dc=com to work so I added another context which allowed me to see another group of users.  Another question, can I change the login type from cn to the user's login name?  For example, instead of entering Gary Knue to login I enter gknue instead.

 

Thanks for all your help so far.  I've installed the client on 2 workstations and have synced files across the network to both of them.  My next test is to test from the outside world through our firewall.
Attachments:  
Thumbnail Image

Mahabalesh Asundi
Oct 29, 2009 11:57 AM
20.11. Re: Active Directory

Instead of login account name from "cn" you can set it to "samaccountname" or "email" something like that ....

 

But that needs to be done at the time of initial setup, post setup it is not recommended..

But at the time of fresh installation u can use these("samaccountname" or "email" etc...)...
Attachments:  
Thumbnail Image

Gary D Knue
Oct 29, 2009 2:16 PM
20.12. Re: Active Directory

Great.  Thanks for the reply.  I will be doing another fresh install so I will set it then.  Do you recommend not using the admin web interface to make any changes?
Attachments:  
Thumbnail Image

Gary D Knue
Nov 13, 2009 2:07 PM
20.13. Re: Active Directory

I finally got time to re-install the system using samaccountname and that is working great.  But I can't seem to get the client (Windows XP) connected from the outside.  Everything works great from the inside and the server is defined in our DMZ of the firewall.  The web interface also works from the outside but I can't figure out why the client won't connect.  Might someone be of assistance?  This is ifolder 3.7 running on OpenSuse 11 and unfortunately I'm new to Linux.

 

Thanks,

Gary
Attachments:  
Add/Delete Tags
Personal Tags
--none--
Add
Community Tags
--none--
Close
Skip Footer Toolbar
Entry Permalink