A few users are unable to authenticate by LDAP. Why?

smkhawaja
Champ in-the-making
Hi guys,

I am facing a strange issue.

I am using the ldap.authentication.userNameFormat shown below
ldap.authentication.userNameFormat=CN=%s,ou=Alfresco_West,dc=dare,dc=local
in the LDAP authentication file
"/opt/alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/ldap-authentication.properties"

It's really strange: a few users are able to authenticate while others are not. Any idea why? Or how can I troubleshoot it?

Thanks in advance.

Soh
17 REPLIES 17

kyriakos
Champ in-the-making
I am using the ldap-ad subsystem.
Wait for me to make the changes and I will tell you.

kyriakos
Champ in-the-making
cn=%s
dc=domain
ou= ?? -> multiple organizational units (OUs)
My question is: I want to add all units, so is there a general symbol or something, or do I leave it blank?

dward
Champ on-the-rise
With Active Directory you can use a User Principal Name (UPN) to authenticate. This has a fixed suffix, so it doesn't need to encode any OUs. Use an LDAP browser to determine what the correct UPN suffix is by looking up the userPrincipalName attribute of one of your users.

If you want to search multiple OUs in groupSearchBase and userSearchBase, just shorten them so that they only contain the common suffix of all your DNs. For example:


# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@domain

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=dc=domain,dc=com

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=dc=domain,dc=com

Please undo any changes you made to userIdAttributeName or comment it out.
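
Why a fixed DN template can work for some users and not others, while the UPN form does not depend on the OU, shown as an added example that is not part of the original posts. The directory entries are constructed (the example.local domain, the users and the Alfresco_East OU are assumptions), no LDAP server is contacted, and the matching is a simplified model of how a bind identity resolves to an entry.

```python
# Added illustration with constructed entries; this is not Alfresco's code.
DIRECTORY = [
    {"dn": "CN=asmith,OU=Alfresco_West,DC=example,DC=local",
     "sAMAccountName": "asmith", "userPrincipalName": "asmith@example.local"},
    # CN is the display name, not the login name
    {"dn": "CN=Bob Jones,OU=Alfresco_West,DC=example,DC=local",
     "sAMAccountName": "bjones", "userPrincipalName": "bjones@example.local"},
    # user lives in a different OU
    {"dn": "CN=cwong,OU=Alfresco_East,DC=example,DC=local",
     "sAMAccountName": "cwong", "userPrincipalName": "cwong@example.local"},
]

def normalise_dn(dn):
    """Case-fold a DN for comparison (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def expand(user_name_format, login):
    """Substitute the typed login for %s, as userNameFormat does."""
    return user_name_format.replace("%s", login)

def resolve(bind_id):
    """Return the entry a DN or UPN bind identity points at, or None."""
    for entry in DIRECTORY:
        if "=" in bind_id and normalise_dn(bind_id) == normalise_dn(entry["dn"]):
            return entry
        if bind_id.lower() == entry["userPrincipalName"].lower():
            return entry
    return None

def audit(user_name_format):
    """Map each login to True if the expanded format identifies that user's entry."""
    result = {}
    for entry in DIRECTORY:
        login = entry["sAMAccountName"]
        result[login] = resolve(expand(user_name_format, login)) is entry
    return result

if __name__ == "__main__":
    for fmt in ("CN=%s,ou=Alfresco_West,dc=example,dc=local", "%s@example.local"):
        print(fmt)
        for login, ok in audit(fmt).items():
            print(f"  {login:8s} {'resolves' if ok else 'NO MATCH: bind would fail'}")
```

Against a real directory, the same comparison can be made by looking up each failing user's distinguishedName and userPrincipalName in an LDAP browser and checking them against the expanded format.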

kyriakos
Champ in-the-making
ldap.synchronization.userIdAttributeName=sAMAccountName

Should I change it to

ldap.synchronization.userIdAttributeName=%s@domain ?

kyriakos
Champ in-the-making
Maaaaaaate, I can see all of my users and groups in the query!! Thank you, you are god!!!!!!!!!!!!

dward
Champ on-the-rise
"No" to your question above. That's the LDAP attribute used by Active Directory to store your user ID.

smkhawaja
Champ in-the-making
I have fixed my problem with
ldap.authentication.userNameFormat=%s

I was using ldap.authentication.userNameFormat=CN=%s,ou=Alfresco_West,dc=companyname,dc=local and had an issue where a few users weren't able to authenticate. Anyhow, this is solved.

How can we generate alfresco.log as a separate log file, rather than having all authentication and user movement written to catalina.out?

dward
Champ on-the-rise
See http://logging.apache.org/log4j/1.2/manual.html

BTW alfresco.log will appear in the current directory when you start alfresco.