By: John Feulner user 23 Dec 2015 at 2:24 p.m. CST

5 Responses
John Feulner gravatar
Hey All, I have successfully setup my Gluu server, and setup Cache Refresh to sync the data to the local machine for authentication. Now it seems that passwords do not sync and I have to manually set a password to be able to authenticate. Is this a method where I have to create a custom script for login to check the local store for an identity, and then leverage my current AD environment for authentication? I've combed the documentation, but it seems to jump from topic. I've tried changing the authentication mechanism from local to AD, but that would break Manager groups and such. Any thoughts?

By Michael Schwartz Account Admin 23 Dec 2015 at 2:36 p.m. CST

Michael Schwartz gravatar
John, 1) View the Manager Group in oxTrust and add one of your imported AD users to this group. Then you won't need your default admin user anymore. 2) Then change the LDAP authentication to point to your AD server. You can't sync AD passwords because they are in a non-standard format. - Mike

By Aliaksandr Samuseu staff 23 Dec 2015 at 2:38 p.m. CST

Aliaksandr Samuseu gravatar
Hi, John. Cache Refresh doesn't copy any passwords from backend into Gluu's internal LDAP directory (actually, in case of AD it isn't possible to achieve with LDAP requests at all; you need to use its APIs for replication, that's the only way, AFAIK). It just aggregates user attributes from several sourse backend LDAP servers, and, optionally, run transform script on this attributes before saving them internally. When authenticating some user who was imported by CR from backend, oxAuth will anyway test its credentials against backend (after making sure that such user exists at all in Gluu's internal LDAP directory) Regards, Alex.

By Aliaksandr Samuseu staff 23 Dec 2015 at 2:42 p.m. CST

Aliaksandr Samuseu gravatar
Also, Mike is correct, you most likely haven't set oxAuth to use your backend for authentication from now on.

By John Feulner user 27 Dec 2015 at 8:01 p.m. CST

John Feulner gravatar
Ok perfect, I will give these instructions a go. Thank y'all so much for your help! - I'll configure oxAuth to point to Backend for authentication. **_EDITED_** for Assistance on connecting to Active Directory: ** Got to Configuration, Manage Authentication, ** *For those with [ ] - Make sure those are removed when typing in your config. * - Name: [Server name] - Bind DN: - Max Connections: 1000 - primarykey: samaccountname - localprimarykey: uid - server: [ServerIP]:636 For SSL or [ServerIP]:389 for non SSL - basedn: dc=company,dc=com (Mileage may vary) - SSL: Marked (If not use port 389 for LDAP. However SSL **Strongly** recommended) - Enabled: Marked

By Ivan Carrion user 28 Nov 2017 at 4:46 a.m. CST

Ivan Carrion gravatar
It's been a long time from this ticket and I would like to know if there's now a way to sync ad passwords to avoid a single-error point (AD or comms down). Thanks!