By: Vlad Dubnikov user 04 Jun 2019 at 7:43 a.m. CDT

7 Responses
Hi team. I have managed to configure "cache refresh" with a backend Active Directory LDAP server, and now all of the users are in the Gluu LDAP server. I can see these users through "users" => "manage people". Now, all users I have created locally ("users" -> "add person") are not authenticated anymore, despite "keep external persons" being marked.

Further, even though web authentication with Active Directory is working well, I receive a permanent error message:

```
category=TOOLS seq=0 severity=FINEST msg=Connect Error exception=LDAPConnectionException: Connect Error (LDAPConnection.java:514 LDAPConnection.java:611 LDAPConnection.java:239 LDAPSearch.java:1520 LDAPSearch.java:549) Connect Error Result Code: 91 (Connect Error)
```

every time I connect to the remote LDAP server with ldapsearch:

```
/opt/opendj/bin/ldapsearch -v -h ldap://winadcctchild.cc.huji.ac.il -p 389 -s base -T -D 'cn=vladimird,ou=ausers,ou=allusers,dc=child,dc=wonderland,dc=here' -j /tmp/.bpw -b 'dc=child,dc=wonderland,dc=here' -z 25 '(objectclass=*)'
```

or

```
/opt/opendj/bin/ldapsearch -v -h ldap://sfad2.cc.huji.ac.il -p 389 -D -T uid=manager,ou=people,dc=accessmanager,dc=huji,dc=ac,dc=il -b 'ou=people,dc=accessmanager,dc=huji,dc=ac,dc=il' "(&(objectclass=*))" -w ****
```

It seems not to be a DNS problem, because web authentication is working well. If I exit the chroot, the regular ldapsearch is working. Thank you.

By Michael Schwartz Account Admin 04 Jun 2019 at 8 a.m. CDT

I haven't seen all the options you're using. Can you try something simpler like:

```
/opt/opendj/bin/ldapsearch -h host -D "cn=vladimird,ou=ausers,ou=allusers,dc=child,dc=wonderland,dc=here" -j /tmp/.pw -b "dc=ac,dc=il" -s base "objectclass=*"
```

By Vlad Dubnikov user 04 Jun 2019 at 10:10 a.m. CDT

Hi Michael. I have tried:

```
/opt/opendj/bin/ldapsearch -h winadcctchild.cc.huji.ac.il -p 389 -D "cn=vladimird,ou=ausers,ou=allusers,dc=child,dc=wonderland,dc=here" -j /tmp/.bpw -b "dc=child,dc=wonderland,dc=here" "sAMAccountname=vladi*" uid cn sn givenname
```

and it is working. I have no clue why it did not work before. Probably the last symbol of the password was a space. I also inserted the hostname resolution into /etc/hosts. Thank you. Could you help me to resolve the next issue: I have a problem with local users, created locally ("users" -> "add person"). They cannot authenticate, though the "keep external persons" option is marked. Thanks in advance.
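The two things that went wrong with the ldapsearch calls above (a `ldap://` scheme passed to `-h`, and a bind-password file whose last byte was a stray space) are easy to check before running the tool. The following is an added example written for this thread, not Gluu or OpenDJ code; it assumes the OpenDJ binary path `/opt/opendj/bin/ldapsearch` used in the thread, and builds the command line rather than executing it so it runs offline.

```python
"""Pre-flight checks for an OpenDJ ldapsearch invocation (added example).

Assumptions: ldapsearch lives at /opt/opendj/bin/ldapsearch (path from the
thread); the -j file is read as the bind password, so any whitespace in it
becomes part of the password that is sent to the server.
"""
import shlex
import tempfile
from pathlib import Path
from typing import List, Tuple

LDAPSEARCH = "/opt/opendj/bin/ldapsearch"  # path used in the thread
DEFAULT_PORT = 389


def split_host(target: str, default_port: int = DEFAULT_PORT) -> Tuple[str, int]:
    """Turn 'ldap://host:port/...' or 'host' into (host, port) for -h/-p.

    OpenDJ's -h expects a bare hostname; the URL form from the first post is
    the kind of value this normalises away."""
    for scheme in ("ldaps://", "ldap://"):
        if target.lower().startswith(scheme):
            target = target[len(scheme):]
    target = target.split("/", 1)[0]          # drop any trailing path
    host, sep, port = target.partition(":")
    return host, int(port) if sep else default_port


def password_file_problems(path: Path) -> List[str]:
    """Report whitespace issues in a -j bind-password file.

    A trailing space or tab is sent as part of the password and the bind
    fails with invalid credentials (the symptom described in the thread).
    A trailing newline is only reported: OpenDJ reads the first line, but
    other tools may not strip it (assumption, so it is flagged, not fatal)."""
    data = path.read_bytes()
    problems: List[str] = []
    if not data:
        return ["empty file"]
    if data != data.strip(b" \t"):
        problems.append("leading or trailing space/tab")
    if data.endswith((b"\n", b"\r")):
        problems.append("trailing newline")
    if b"\n" in data.rstrip(b"\r\n"):
        problems.append("multiple lines")
    return problems


def write_temp_password(data: bytes) -> Path:
    """Constructed helper for the demo: write bytes to a private temp file."""
    fd, name = tempfile.mkstemp(prefix="bpw-")
    path = Path(name)
    with open(fd, "wb") as fh:
        fh.write(data)
    path.chmod(0o600)
    return path


def build_ldapsearch(target: str, bind_dn: str, pw_file: str, base_dn: str,
                     ldap_filter: str, *attrs: str) -> List[str]:
    """Assemble argv in the form that worked in the thread, refusing to run
    with a password file that carries stray whitespace."""
    host, port = split_host(target)
    hard = [p for p in password_file_problems(Path(pw_file)) if p != "trailing newline"]
    if hard:
        raise ValueError(f"bind password file {pw_file}: {', '.join(hard)}")
    return [LDAPSEARCH, "-h", host, "-p", str(port), "-D", bind_dn,
            "-j", pw_file, "-b", base_dn, ldap_filter, *attrs]


if __name__ == "__main__":
    bad = write_temp_password(b"secret ")       # constructed: trailing space
    print("problems:", password_file_problems(bad))
    good = write_temp_password(b"secret\n")
    argv = build_ldapsearch("ldap://winadcctchild.cc.huji.ac.il", "cn=vladimird,ou=ausers,dc=example",
                            str(good), "dc=example", "(sAMAccountName=vladi*)", "uid", "cn")
    print(shlex.join(argv))
```

`build_ldapsearch` returns the argument vector; pass it to `subprocess.run` (no shell) if you want to execute it, and keep the password file mode `0600` as the helper does.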

By Michael Schwartz Account Admin 04 Jun 2019 at 10:51 a.m. CDT

If you have specified your external LDAP server as the source for authentication, then the Gluu Server will not know that a user has been locally created. You might have to use one of our custom authentication scripts to get this done: have a look at some of the [sample scripts](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations) like `basic.multi_auth_conf`.

By Vlad Dubnikov user 04 Jun 2019 at 11:56 a.m. CDT

Hi Michael. Thank you for the quick response. I will check it. Could you explain to me when the flag "keep external persons" actually works? Thanks, Vlad.

By Michael Schwartz Account Admin 04 Jun 2019 at 1:45 p.m. CDT

Without that, extra user entries will be deleted (as they are not in the external LDAP).

By Aliaksandr Samuseu staff 04 Jun 2019 at 7:56 p.m. CDT

Hi, Vlad.

> Now , all users I have being created locally ("users" -> "add person") are not authenticated anymore, despite the "keep external persons" is marked

What Michael suggested so far is overall correct. I would just like to add that there may be another way to achieve it, apart from using the mentioned scripts.

1. Move to the "Manage authentication -> Manage LDAP authentication" page
2. Find the "Add source LDAP server" button at the bottom, click it
3. Fill in the fields with the properties needed to utilize the internal LDAP server (see the attached picture); basically, you add the internal LDAP server as an optional location which oxAuth needs to check during authentication
4. Click the "Update" button below
5. Click the "Activate" button, then the "Update" button again

If everything is done correctly, oxAuth should now allow you to log in with credentials both of local users and of users from the external LDAP server.

As for your issues with the commands, I'm not quite sure this is the correct way to specify a host when using OpenDJ's `ldapsearch` (I saw it being used with OpenLDAP tools successfully, though): "ldap://winadcctchild.cc.huji.ac.il". I use the same format as Michael already mentioned: "winadcctchild.cc.huji.ac.il". Works like a charm for me.
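Both routes in this thread (the `basic.multi_auth_conf` script and the extra source LDAP server in "Manage LDAP authentication") amount to the same thing: oxAuth tries the configured directories in order and accepts the first one that binds. The block below is an added illustration of that ordering and of two edge cases worth getting right; it is not oxAuth's or the sample script's code, and the LDAP servers are replaced by constructed in-memory directories and a stand-in `bind` function so it runs offline.

```python
"""Ordered multi-source authentication (added example, not oxAuth code).

Each Source wraps a bind function that stands in for a simple LDAP bind
against that server (assumption: real code would bind with the user's DN
found under base_dn via login_attr). Two points the ordering must respect:
  * an empty password must never reach a directory, because an LDAP
    unauthenticated bind (empty password) succeeds and would look like a login;
  * a source that knows the user but rejects the password ends the attempt,
    so a wrong password is not replayed against every remaining directory
    (that would spread lockouts and leak which directory holds the account).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NOT_FOUND, BAD_PASSWORD, OK = "not_found", "bad_password", "ok"
BindFn = Callable[[str, str], str]


@dataclass
class Source:
    name: str          # label used in the audit trail
    base_dn: str       # where the user entries live
    login_attr: str    # "uid" for Gluu's internal LDAP, "sAMAccountName" for AD
    bind: BindFn       # stand-in for a simple bind: (login, password) -> outcome


def fake_directory(entries: Dict[str, str]) -> BindFn:
    """Constructed stand-in for an LDAP server: login -> password."""
    def bind(login: str, password: str) -> str:
        if login not in entries:
            return NOT_FOUND
        return OK if entries[login] == password else BAD_PASSWORD
    return bind


def authenticate(sources: List[Source], login: str,
                 password: str) -> Tuple[bool, Optional[str], List[str]]:
    """Try sources in configured order; return (ok, source name, trail)."""
    trail: List[str] = []
    if not password:
        return False, None, ["empty password rejected before any bind"]
    for src in sources:
        result = src.bind(login, password)
        trail.append(f"{src.name}:{result}")
        if result == OK:
            return True, src.name, trail
        if result == BAD_PASSWORD:
            return False, None, trail     # user exists here; stop, do not fall through
    return False, None, trail             # unknown everywhere


def build_sources() -> List[Source]:
    """Constructed setup mirroring the thread: local Gluu LDAP first, then AD."""
    return [
        Source("local", "ou=people,o=gluu", "uid",
               fake_directory({"vlad_local": "local-pass"})),
        Source("ad", "dc=child,dc=wonderland,dc=here", "sAMAccountName",
               fake_directory({"vladimird": "ad-pass"})),
    ]


if __name__ == "__main__":
    sources = build_sources()
    for login, pw in [("vlad_local", "local-pass"), ("vladimird", "ad-pass"),
                      ("vladimird", "wrong"), ("nobody", "x"), ("vladimird", "")]:
        print(login, authenticate(sources, login, pw))
```

Putting the internal LDAP first matches the thread's goal (locally created persons keep working), and the trail returned by `authenticate` is what you would log so a failed login shows which directory answered.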

By Vlad Dubnikov user 05 Jun 2019 at 4:26 a.m. CDT

Hi Aliaksandr. It really works. I have attached an additional LDAP with the definitions for the local Gluu LDAP. Now I see both local and external users. Authentication works fine as well. Thank you and Michael for your help. Vlad