cwolff (@cwolff), thread starter:
Ok, I have figured this out.
The point of confusion was with “OU” versus “AD Groups”.
I was under the impression that I need to use the OU from users DNs to authorize.
What this plugin actually expects is a group defined in Active Directory, rather than an OU from the distinguished name.
So, in the case of: CN=Jones\, George (Developers),OU=Justice Integration Services,DC=JIS,DC=org – Justice Integration Services was NOT what needed to be entered for group authorization, but rather an Active Directory “class type” of “group”, which in this case was “JIS Employees”.
Hope this helps others.
cwolff,
Thanks for posting, but you’re not being very clear here.
What was the “Base DN” you entered, in full in the box Active Directory integration asked for?
For example, I have the following and it is not permissioning the groups or roles correctly for users.
OU=Groups Unsecured,OU=CORP,OU=AHCFS,DC=ahc-ad,DC=example,DC=com
I have 15 groups under the “Groups Unsecured” directory. Does this look correct?
SOLUTION:
I resolved the issue. Change the BASE DN to the following:
Let’s say your Domain is: support.google.com, you would use the following:
DC=support,DC=google,DC=com
I didn’t need the OU in front of it at all.
Hope that helps others.
jchambo.
That fixed it for us also. Thank you so much!
DC=domainname,DC=local
No OU.
Hi,
Hope this thread is still active...
My Base DN is like ‘DC=support,DC=google,DC=com’ but yet I can’t authorize users by group membership. I’m getting this:
[NOTICE] Authentication successfull for “user”
[NOTICE] cleaning up failed logins for user “user”
[DEBUG] USER GROUPS:Array
(
)
[WARN] Authorization by group failed. User is not authorized.
Logon failed
What am I doing wrong?
thanks
Alex,
That is the error I was getting until I tried what I said in my former message.
Hi, ruben
Do you really think I’ve posted this without trying all the solutions described here?...
Anyway, it didn’t help either.
Alex, does the UPN prefix of the user object match the cn of that user object?
I have not been able to get AD users to login via group authorization if the UPN prefix is different than the user object cn. When you look at the ‘member’ attribute of the group object, you see this is the full distinguished name of the user accounts.
I think the plug-in does an ldap search of groups where the group ‘member’ attribute contains the username used to login. If the UPN is different than what that cn is, the ldap query will return zero groups.
Hi
I’ve found the solution:
1. The problem was related to the several DCs we have (users and groups are not always in the same DC), so I needed to change the Base DN from ‘DC=support,DC=google,DC=com’ to ‘DC=google,DC=com’.
2. The default port 389 wasn’t good; port 3268 should be used.
Both fixed the group authentication and the metadata for me (they didn’t work before).
thank you all for helping
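As an added illustration (this is not the plugin's code and was not posted by anyone in the thread), the toy model below reproduces in Python the three things the posters ran into: the OU in a user's distinguished name is only a container, the group is a separate entry whose `member` attribute lists the user's full DN (cwolff's post); an LDAP subtree search rooted at a Base DN returns nothing outside that subtree, so a base like `DC=support,...` cannot see groups held in the parent domain and the plugin ends up with an empty group list, exactly like Alex's `USER GROUPS:Array ( )` (Alex's last post); and the login name has to resolve to that same user DN before any group can match (the UPN-prefix post). The directory entries, the domain `support.example.org` and the login `gjones` are all constructed for the example; the flat list stands in for the global catalog on port 3268, since a single-domain LDAP port would not return entries from another domain at all.

```python
# Added example, not plugin code: a toy model of how the Base DN scopes the
# user lookup and the group lookup. All directory entries are constructed.
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, honouring backslash-escaped
    commas such as 'CN=Jones\\, George' (RFC 4514 quoting). Attribute names are
    upper-cased; values are returned as written."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def _norm(rdns):
    # AD compares DN values case-insensitively, so fold case before comparing.
    return [(a, v.casefold()) for a, v in rdns]


def same_dn(a, b):
    return _norm(parse_dn(a)) == _norm(parse_dn(b))


def domain_base_dn(dn):
    """The DC=... tail of a DN, i.e. the 'no OU' Base DN the thread settles on."""
    return ','.join(f'{a}={v}' for a, v in parse_dn(dn) if a == 'DC')


def in_subtree(dn, base):
    """True when dn is base itself or lies below it; a subtree search rooted at
    base can only ever return such entries."""
    d, b = _norm(parse_dn(dn)), _norm(parse_dn(base))
    return len(d) >= len(b) and d[-len(b):] == b


def search(directory, base, predicate):
    return [e for e in directory if in_subtree(e['dn'], base) and predicate(e)]


def find_user_dn(directory, base, login):
    """Resolve the login name to a user DN via the userPrincipalName prefix."""
    hits = search(directory, base, lambda e: e['objectClass'] == 'user'
                  and e['userPrincipalName'].split('@')[0].casefold() == login.casefold())
    return hits[0]['dn'] if hits else None


def groups_for_user(directory, base, user_dn):
    """CNs of the groups under base whose 'member' attribute lists the user's DN."""
    def is_member(e):
        return e['objectClass'] == 'group' and any(same_dn(m, user_dn) for m in e['member'])
    return sorted(parse_dn(g['dn'])[0][1] for g in search(directory, base, is_member))


def authorize(directory, base, login, required_group):
    """Mirror the plugin's two-step check: find the user, then its groups.
    Returns (authorized, groups_found) so both outcomes can be inspected."""
    user_dn = find_user_dn(directory, base, login)
    if user_dn is None:
        return False, []
    groups = groups_for_user(directory, base, user_dn)
    return required_group in groups, groups


# Constructed directory: the user sits in a child domain, the group in the parent.
USER_DN = ('CN=Jones\\, George (Developers),OU=Justice Integration Services,'
           'DC=support,DC=example,DC=org')
DIRECTORY = [
    {'dn': USER_DN, 'objectClass': 'user',
     'userPrincipalName': 'gjones@support.example.org'},
    {'dn': 'CN=JIS Employees,OU=Groups,DC=example,DC=org', 'objectClass': 'group',
     'member': [USER_DN]},
    {'dn': 'CN=Contractors,OU=Groups,DC=example,DC=org', 'objectClass': 'group',
     'member': ['CN=Someone Else,OU=Staff,DC=example,DC=org']},
]

if __name__ == '__main__':
    # The OU in the user's DN is a container, not the group the plugin wants.
    print('RDNs of user:', parse_dn(USER_DN))
    # Base DN scoped to the child domain: user found, but no groups visible.
    print(authorize(DIRECTORY, 'DC=support,DC=example,DC=org', 'gjones', 'JIS Employees'))
    # Base DN raised to the parent domain: the group lookup now succeeds.
    print(authorize(DIRECTORY, 'DC=example,DC=org', 'gjones', 'JIS Employees'))
```

Running it prints the parsed RDNs (note the escaped comma in the CN survives as one value), then `(False, [])` for the child-domain base and `(True, ['JIS Employees'])` for the parent-domain base; the empty list is the same symptom as the `USER GROUPS:Array ( )` debug line in the thread.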