Paul DeSousa
Sep 16, 2009 9:03 PM
20. Active Directory

Can someone please help? I'd like to see if anyone has any details on setting up AD LDAP integration, step by step preferably, as I have had no success at all.

Thanks in advance!

Mahabalesh Asundi
Sep 26, 2009 4:14 AM
20.1. Re: Active Directory

Hi,

The attached document captures the step-by-step procedure to configure iFolder with Active Directory.

Let us know in case you are still hitting any other issue with the setup.

 

Thanks

Mahabalesh

Attachment: iFolder with AD procedure.pdf (V1.0, 81 KB, Sep 26, 2009, Mahabalesh Asundi)

Gary D Knue
Oct 7, 2009 4:00 PM
20.2. Re: Active Directory

I have followed your procedure and everything appeared to be successful, but now I can't log in to the iFolder web administration interface using the system admin account I set up. Any ideas?

Mahabalesh Asundi
Oct 7, 2009 10:35 PM
20.3. Re: Active Directory

Since your setup is successful, try the following debug steps to find out why exactly it is not working for you:

  • Open the simias.config file from your data path and check which attribute is set as the login attribute, i.e. <setting name="NamingAttribute" value="cn" />; here CN is set as the login attribute.
  • Run an ldapsearch command to get all user objects with all attribute details from the AD server.
  • Now check the login attribute value associated with the ifolderadmin user object. If it is the same as the one you are using at login time, it should ideally allow you to log in.
  • If the above does not resolve your issue, check if there are multiple users with the same login attribute value. In this case the user object found later in the LDAP sync will overwrite the initial user objects, as both have the same login attribute value. Make sure there are no duplicate users with the same login attribute value, clean the data path and set up iFolder again. (This is a bug in 3.7.2 and already fixed in trunk.)
  • If none of the above solves your problem, replace the "INFO" string with "DEBUG" in the <DATAPATH>/Simias.log4net file and save it. Restart Apache, try to log in to the admin console, then open <DATAPATH>/log/Simias.log and make sure ifolderadmin is getting synced properly.
  • There could be an issue with the configured proxy user, so that it is not syncing any user objects to iFolder; with debug logging enabled, iFolder will log enough information to the log file for you to zero in on the problem and resolve it.

I hope the above debug procedure helps you resolve the problem you are currently hitting. In case you have any other specific question in this regard, let me know.
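A quick way to run the duplicate-login-attribute check from the steps above, as an added example that is not iFolder code and not from the original post: it parses saved ldapsearch (LDIF) output and reports every value of the configured NamingAttribute that is shared by more than one entry. The LDIF sample, its DNs and the example.com domain are constructed; in real use you would read the ldapsearch output file instead.

```python
from collections import defaultdict

# Constructed sample of ldapsearch (LDIF) output: two entries share cn "Gary
# Knue" in different OUs; DNs and domain are placeholders, not from the thread.
SAMPLE_LDIF = """\
dn: CN=Gary Knue,OU=users,OU=mis,DC=example,DC=com
cn: Gary Knue
sAMAccountName: gknue

dn: CN=Gary Knue,OU=contractors,DC=example,DC=com
cn: Gary Knue
sAMAccountName: gknue2

dn: CN=ifolderadmin,CN=Users,DC=example,DC=com
cn: ifolderadmin
sAMAccountName: ifolderadmin
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per entry; folded lines joined, comments
    skipped, base64 values (':: ') kept encoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current = current if current is not None else defaultdict(list)
            current[name.strip().lower()].append(value.strip(": "))
    if current:
        entries.append(current)
    return entries

def find_duplicates(ldif_text, naming_attribute="cn"):
    """Map each login-attribute value found on more than one entry to its DNs.
    AD matches these values case-insensitively, so keys are lower-cased."""
    seen = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        for value in entry.get(naming_attribute.lower(), []):
            seen[value.lower()].extend(entry.get("dn", []))
    return {v: dns for v, dns in seen.items() if len(dns) > 1}
```

Run it against the attribute named in your simias.config (cn, or sAMAccountName if you chose that at setup); any value it reports will collide during LDAP sync.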

Gary D Knue
Oct 8, 2009 4:55 PM
20.3.1. Re: Re: Active Directory

Thanks for the quick response. I checked the simias.config file and NamingAttribute is set to CN, but I'm having trouble getting the syntax correct for the ldapsearch command. I apologize, but I'm new to Linux and have never run this command before. I keep getting the following error:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)

Mahabalesh Asundi
Oct 8, 2009 10:01 PM
20.3.1.1. Re: Re: Re: Active Directory

ldapsearch -x -Z -H ldap://<IP>:389 -D "<AD admin DN>" -W -b "<users/admin search context>"

Examples:

ldapsearch -x -Z -H ldap://xxx.xxx.xxx.xxx:389 -D "CN=Administrator,CN=Users,DC=xyz,DC=com" -W -b "CN=Users,DC=xyz,DC=com"

or, if you have configured the certificate as mentioned in the previously attached document and AD is running in SSL mode, you can try:

ldapsearch -x -H ldaps://xxx.xxx.xxx.xxx:636 -D "CN=Administrator,CN=Users,DC=xyz,DC=com" -W -b "CN=Users,DC=xyz,DC=com"   # ldaps:// is already TLS, so no -Z (StartTLS) here

Gary D Knue
Oct 9, 2009 2:28 PM
20.3.1.1.1. Re: Re: Re: Re: Active Directory

Thank you again. I finally got the ldapsearch command to run per your examples. I do get the following error before it asks for the LDAP password: ldap_start_tls: Server is unavailable (52), but the command does run. I limited the search to just the ifolderadmin account I'm trying to use. I've attached the results. In your next step you ask me to check for multiple users with the same login attribute value. Before I enabled LDAP I was able to get into the administrative web interface and I created a user (gknue) and used this as a test account. I was able to log in to the user web interface and also connect a Windows XP client. Could this account be causing me problems? If so, I'm not sure how to get rid of it since I can't get into the admin interface. I did change the INFO string to DEBUG in the Simias.log4net file and restarted Apache, but I don't see any errors in the simias.log except when I try to log in as gknue, and then I get the following error:

2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - LdapError:80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1771
2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - Error:Invalid Credentials
2009-10-09 17:57:23,245 [-1444026032] ERROR Simias.ADLdapProvider.User - DN:gknue

 

I'm sorry to be so ignorant on this, but your help is greatly appreciated.

Attachment: ldapsearch.txt (V1.0, 2 KB, Oct 9, 2009, Gary D Knue)

Mahabalesh Asundi
Oct 10, 2009 4:17 AM
20.4. Re: Active Directory

Based on your last message and the error snippet attached, it looks like:

* You had configured the iFolder server without any LDAP (AD/OpenLDAP) server, i.e. a standalone installation where you created users from the iFolder admin console, logged in as those users and used the iFolder system. All iFolder admin, web access and client connections worked fine for you.

* On top of this installation, you ran simias-server-setup again with the same data path (as used for the above configuration), but this time enabled LDAP (AD server). Now you are not able to log in to the admin console (neither with the old admin name nor with the iFolderadmin name), not able to connect as old users (users created before enabling LDAP) from web access and clients, whereas you are able to log in to web access and the client as other newly added users (new users imported from LDAP, i.e. AD).

If this is what it is, then (as observed) this iFolder configuration will not work completely. This is because iFolder will not allow you to have a mix of local users + LDAP users, and the previously configured admin is not getting replaced by iFolderAdmin in the iFolder domain. Since AD is now enabled, iFolder will try to authenticate all users against LDAP irrespective of whether the users were created locally or imported from LDAP.

So the ideal solution for this problem would be to clean up the iFolder data path and freshly configure the server setup with the steps mentioned in the iFolder + AD configuration document attached in this thread.

This way you make sure that all user info comes from AD, authentication also happens with AD and the entire iFolder system functions properly.

Gary D Knue
Oct 15, 2009 10:45 AM
20.5. Re: Active Directory

Thank you again for the quick response.  I've been out of town on business.  I'm going to start from scratch enabling LDAP and then we'll see how things go.  I'll reply back once I've given this a try.

Dietmar Rohrer
Oct 22, 2009 6:05 AM
20.6. Re: Active Directory

I have one question about the Active Directory too. Although I am not the specialist in this, is it normal to see computers in the iFolder admin users section?

I have some troubles with the iFolder web page. I can't see the directories which I created in the iFolder client on my Mac and Windows machine.

So I took the local admin which was created with the iFolder server installation. There I at least saw the directory which was already existing on the iFolder web page, and I also found it when I was logging in with the local iFolder admin at one Windows machine.

But then the same problems occurred: I put some files into this directory and checked the web interface to find these files, but they weren't there. And when I uploaded some files on the web interface, I didn't see them on the Windows iFolder client either.

I think it has something to do with the import of the Active Directory. Maybe somebody of the specialists has an idea?

Gary D Knue
Oct 28, 2009 11:27 AM
20.7. Re: Active Directory

Mahabalesh,

I finally got time to start from scratch on this. I installed iFolder with LDAP turned on and I'm able to log in to the administration web interface with my ifolderadmin account. I am able to run the ldapsearch command on the server to list user objects from my AD server. The question I have is this: do I have to manually add user accounts through the web administrative interface, or should I be able to log in from a client's workstation using a valid AD account to get connected? I've tried logging in from the client as gknue but I see the following error in the simias.log file: gknue is not member of simias. I've attached the entire log. I didn't want to manually add my account through the web interface for fear of messing up the configuration again without asking this first.

Attachment: Simias.log (V1.0, 36 KB, Oct 28, 2009, Gary D Knue)

Gary D Knue
Oct 29, 2009 9:16 AM
20.8. Re: Active Directory

I've answered my own question. I changed the LDAP context to ou=users,ou=mis,dc=xtek,dc=com and now I see all the users defined under this context. Should I be able to specify just dc=xtek,dc=com and get all the users defined no matter what OU they are defined in? Or do I have to specify multiple contexts to pick up the users I want?

Mahabalesh Asundi
Oct 29, 2009 9:40 AM
20.9. Re: Active Directory

Ideally dc=xtek,dc=com should work fine... I hope you are changing this directly in simias.config and not planning to use the iFolder admin console for the same...

Gary D Knue
Oct 29, 2009 11:40 AM
20.10. Re: Active Directory

I was changing it in the admin interface. Is there a problem with doing it that way? I never did get just dc=xtek,dc=com to work, so I added another context which allowed me to see another group of users. Another question: can I change the login type from cn to the user's login name? For example, instead of entering Gary Knue to log in, I enter gknue instead.

Thanks for all your help so far. I've installed the client on 2 workstations and have synced files across the network to both of them. My next test is to test from the outside world through our firewall.

Mahabalesh Asundi
Oct 29, 2009 11:57 AM
20.11. Re: Active Directory

Instead of taking the login account name from "cn", you can set it to "samaccountname" or "email", something like that...

But that needs to be done at the time of initial setup; post-setup it is not recommended.

But at the time of a fresh installation you can use these ("samaccountname" or "email" etc.).

Gary D Knue
Oct 29, 2009 2:16 PM
20.12. Re: Active Directory

Great. Thanks for the reply. I will be doing another fresh install, so I will set it then. Do you recommend not using the admin web interface to make any changes?

Gary D Knue
Nov 13, 2009 2:07 PM
20.13. Re: Active Directory

I finally got time to re-install the system using samaccountname and that is working great. But I can't seem to get the client (Windows XP) connected from the outside. Everything works great from the inside and the server is defined in the DMZ of our firewall. The web interface also works from the outside, but I can't figure out why the client won't connect. Might someone be of assistance? This is iFolder 3.7 running on openSUSE 11 and unfortunately I'm new to Linux.

Thanks,

Gary