By: Stephen LAI user 25 Apr 2017 at 11:25 p.m. CDT

8 Responses
Stephen LAI gravatar
I try to sync the destination attribute "userPassword" via Cache Refresh (I have the password of a new user stored together with other information of the user in a backend AD server). However, I get the error "attribute 'userPassword' provided more than once". What is the advised approach for setting the password of a new user automatically? (Setting the password manually by using the "Change Password" feature of oxTrust after adding a new user is not desirable.) Or, if the password of the new user must be assigned with a random one during Cache Refresh operation, how can we find such assigned password? (From the LDAP server behind the Gluu server, we only find a hashed password from the attribute "userPassword".)

By Mohib Zico Account Admin 26 Apr 2017 at 3:22 a.m. CDT

Mohib Zico gravatar
Please allow me to ask couple of questions: - You want userPassword attribute to pull with Cache Refresh? - You want your users as they can change password from Gluu Server ( by oxTrust GUI )?

By Stephen LAI user 26 Apr 2017 at 4:11 a.m. CDT

Stephen LAI gravatar
Thanks for the response from Mohib. In short, we need to add new users to a Gluu server based on records in an AD server (using Cache Refresh). And then, such new users can login to the Gluu server. However, we are not able to pull values from the AD server to the userPassword attribute during Cache Refresh operation. Therefore, currently, we need to have an administrator set passwords manually for those new users (using oxTrust) before such new users can login to the Gluu server. Any advice for the case?

By Mohib Zico Account Admin 26 Apr 2017 at 5:50 a.m. CDT

Mohib Zico gravatar
>> we need to add new users to a Gluu server based on records in an AD server (using Cache Refresh). Ok. Default cache refresh; straight solution. >> And then, such new users can login to the Gluu server. Ok, general authentication method. Straight purpose. >> However, we are not able to pull values from the AD server to the userPassword attribute during Cache Refresh operation. We need to check why 'userPassword' attribute is not pulling. But if you use your backend as 'user source'; you actually don't need to pull this password attribute and value. Check out '[Manage Authentication](https://gluu.org/docs/ce/3.0.1/admin-guide/user-group/#ldap-synchronization)' section in Cache Refresh. By using 'Manage Authentication', you are actually pointing to your backend AD server which will 'validate' passwords for any active users so you do not need to store any password here in Gluu Server. >> Therefore, currently, we need to have an administrator set passwords manually for those new users (using oxTrust) before such new users can login to the Gluu server. Whenever you will point your backend AD server in Manage Authentication section, users who are active in your backend will be able to login in Gluu Server. But make sure to use multiple browser when you apply Manage Authentication settings, keep old browser active for any kind of roll back.

By Stephen LAI user 26 Apr 2017 at 11:16 p.m. CDT

Stephen LAI gravatar
Thanks for the further information provided by Mohib. Following the steps as shown in "Part 3/3: Managing Authentication After You've Setup Cache Refresh", new users can now login to the Gluu server. However, there comes another problem. Without the original backend LDAP server, all administrator accounts no longer exist. On the other hand, all new users (from the AD server) do not have administrator rights. What is the suggested approach for having administrators under the new arrangement (using the AD server for authentication)? My only idea is that, with the original backend LDAP server still in use, import new users from the AD server, appoint some new users as administrators, then start using the AD server for authentication. I wonder whether there can be a better approach with less human intervene. For example, can a new user be directly imported as an administrator? If so, how can it be done?

By Mohib Zico Account Admin 28 Apr 2017 at 12:53 a.m. CDT

Mohib Zico gravatar
You can add any user in Gluu Server administrative group with oxTrust /GUI. Please read [User Management](https://gluu.org/docs/ce/3.0.1/admin-guide/user-group/) doc for clarifications. If doc is not clear, let us know please.

By Stephen LAI user 28 Apr 2017 at 1:34 a.m. CDT

Stephen LAI gravatar
Thanks for reply by Mohib. Before posting my last message, I have already read "[User Management in Gluu Server](https://gluu.org/docs/ce/3.0.1/admin-guide/user-group/)". However, from the web page, I can only find the steps to add a user to the administrator group (Gluu Manager Group) manually using the UI of oxTrust. On the other hand, what I want is adding selected new users to the administrator group automatically during the operation of Cache Refresh.

By Mohib Zico Account Admin 28 Apr 2017 at 4:47 a.m. CDT

Mohib Zico gravatar
>> On the other hand, what I want is adding selected new users to the administrator group automatically during the operation of Cache Refresh. Let's create a new ticket and move forward from there? This ticket's subject is different. Please use proper subject for next ticket, if you don't mind; that will help other community users to search solutions/suggestions on same situation.

By Stephen LAI user 28 Apr 2017 at 5:33 a.m. CDT

Stephen LAI gravatar
Thanks for the advice by Mohib. I have create a new ticket: [https://support.gluu.org/identity-management/4038/assign-users-to-suitable-groups-during-cache-refresh-operation/](https://support.gluu.org/identity-management/4038/assign-users-to-suitable-groups-during-cache-refresh-operation/)