Cache refresh: Unable to login with LDAP users

By: Neemesh Patel user 17 May 2016 at 9:13 a.m. CDT

6 Responses
Neemesh Patel gravatar
My previous [ticket was closed](https://support.gluu.org/integrations/help-needed-with-setting-up-gluu-to-use-external-ldap-2701), which this is somewhat related to. I've tried replying in the past to closed tickets but I think that then falls off your radar (understandable), so apologies if raising a new ticket isn't quite right and I'm overlooking re-opening a ticket in anyway (please say if that is the case so I can do so correctly in the future). I've watched your cache refresh (CR) videos on youtube, thanks for those they did help me make some progress on the original issue of why nothing was coming though to Gluu via CR. I now have details coming through LDAP users coming through on cache refresh, but the new problem is I can't actually login as any of these users into Gluu. [Part 3](https://www.youtube.com/watch?v=fyAEwJuwqn4) of your CR series covers changing the "manage authentication" area to use the external LDAP server instead of the default built in one (openDJ) if I am understanding it correctly. This removes the ability to log in as the default "admin" user. I've done this previously and locked myself out of the system (as CR wasn't working at the time) but the support forum got me back in by using ldif to revert back to default authentication. Are the changes required in order to login with your external LDAP users (where you change the manage authentication area to use the external LDAP server only)? The reason I ask is ideally, I would like to retain the admin user so we can go in and manage the system whilst LDAP users are using Gluu. If it is required, is it the case that cache refresh stores information about users, but not the information needed to authorise logins. So that is why manage authentication needs to be configured to use the external ldap server? In case it helps, the "source attributes" in the "customer backend key/attributes" tab I am pulling in are: uid mail cn sn displayName Thanks as always. Appreciate the patience whilst I try and get my head around things
closed

Answers

By Michael Schwartz Account Admin 17 May 2016 at 9:39 a.m. CDT

Copy
Michael Schwartz gravatar
There is a checkbox that in the cache refresh config to keep external users (i.e. the admin user). You may also want to add an AD user to the Manager group in the Gluu Server LDAP. Make sure that your pointing your authentication source to the external LDAP server. Let us know if you have any more problems.

By Mohib Zico staff 17 May 2016 at 9:51 a.m. CDT

Copy
Mohib Zico gravatar
Neemesh, You can open as many tickets as you want; no problem at all. >> Part 3 of your CR series covers changing the "manage authentication" area to use the external LDAP server instead of the default built in one (openDJ) if I am understanding it correctly. Correct. That's why in video we tested authentication with a new browser; just in case if anything goes wrong we can change the manage authentication setup to previous working setting. >>The reason I ask is ideally, I would like to retain the admin user so we can go in and manage the system whilst LDAP users are using Gluu. If you want to use 'admin' user along with backend users, it will require advance level of authentication methods which has custom authentication script written in python. My suggestion is to use any backend user as 'admin'. Say there is one user named 'neemesh' in backend Active Directory and you just need to add this user in Gluu Server's admin group. After adding this user in Gluu Server admin group this user will get all kind of administrative privilege in Gluu Server; you don't have to bother for 'admin' user.

By Aliaksandr Samuseu staff 17 May 2016 at 10:05 a.m. CDT

Copy
Aliaksandr Samuseu gravatar
Hi, Neemesh. It seems Mike and Zico have provided exhaustive answers, but if you still have any troubles with making the whole thing to work - feel free to let us know. I'll summarize it for you. > I now have details coming through LDAP users coming through on cache refresh, but the new problem is I can't actually login as any of these users into Gluu. That's good. Now, as Zico recommended, just move to "Users -> Manage groups" and add one of your backend users to default admin group there. After that you can switch authentication to your backend directory, as is shown in the tutorial. The "Keep external users" checkbox Mike mentioned is set by default, so after you'll revert your authentication source back to default/internal, you'll be able to log in again with it. Please listen to Zico's advice about using 2nd browser for accessing web UI after the change, for the first time. Regards, Alex.

By Neemesh Patel user 17 May 2016 at 12:03 p.m. CDT

Copy
Neemesh Patel gravatar
Much appreciated, I'll certainly be trying this out tomorrow when back in the office and will report back. From this conversation, I'm sure I've confused the purpose of the cache refresh, so I was hoping you could clarify this for me (apologies in advance for anything dumb I'm about to say). I thought that cache refresh was the mechanism used to sync external LDAP users (i.e. Active Directory users) to the Gluu LDAP server (openDJ) so that when Gluu is used for authentication, it then had access to all the information needed to log in users; so it would use local openDJ for the authentication rather than needing to contact the external LDAP for authentication. If cache refresh is now synching the data from the external LDAP to openDJ, but I am still required to change the Gluu authentication to use external LDAP instead of openDJ, I'm a bit confused as to why we need cache refresh. Like I mentioned above, I'm sure I'm misunderstanding something, could anyone clarify the purpose of cache refresh and it's interaction with openDJ/external LDAP so I can try and understand the system better? Thanks again!

By Aliaksandr Samuseu staff 17 May 2016 at 1:40 p.m. CDT

Copy
Aliaksandr Samuseu gravatar
> I thought that cache refresh was the mechanism used to sync external LDAP users (i.e. Active Directory users) to the Gluu LDAP server (openDJ) so that when Gluu is used for authentication, it then had access to all the information needed to log in users; so it would use local openDJ for the authentication rather than needing to contact the external LDAP for authentication. You are correct about the first half, but not about authentication part. The purpose of CR is indeed to aggregate and prepare (with CR interception scripts) attributes from a multitude of sources (only LDAP directories by default, but that may be extended in the future). But in most scenarios where CR is used actual authentication still must happen against one of the backends you've got these attributes from. One reason for that is the fact that passwords usually are not fetched (and for some backends, like Active Directory, they cannot be fetched at all, not via LDAP interface, at least). So usually the next step after you got user data into Gluu's own directory is to configure oxAuth to use backend for authetication. Unless you are trying something really unique. Meaning you are not forced to use backend, you could use some other means and assign passwords to all these user entries CR created for you, and use internal LDAP for auth (i.e. by changing nothing on the "Manage authentication" page), but that's not something many organizations use. It's just more convenient to have a central service where all your internal authentication happens. The purpose of CR is to aggregate and process attributes, so it could serve them then without consulting the backend on each SSO request (and there could be thousands of such per minute). Like, authentication happens just once, and then session is created for this user at Gluu, and each subsequent SSO request will be handled from Gluu's internal db of user's attributes, which values may be significantly different from values in backend (due to logic implemented in some CR scripts)

By Neemesh Patel user 18 May 2016 at 10:54 a.m. CDT

Copy
Neemesh Patel gravatar
Thanks a lot for all the information. I got this up and running earlier using your guidance, I'll now need to tackle openID connect and failover, so no doubt I'll be back in touch with some more questions in the future. Please feel free to close the ticket. Thanks

Post an answer