Active Directory - Troubleshooting Login Failures and Group Membership

  1. jluth, Member

    I've been working with myDBR over the last five months and have reached the point where it's becoming fully integrated into our operations. That said, the next step for us was to implement integration with Active Directory.

    I've been able to connect to AD and sync without any issues. I tested and verified that my regular user account in AD and my admin account were able to connect. Everything looked great from http://btreporting.baer-timberlake.com/index.php?a=ad_check but after it was synchronized and I made the switch I found that the majority of users weren't able to authenticate. After some more digging I found the group memberships that showed up in AD (http://btreporting.baer-timberlake.com/index.php?a=ad_check) were complete but those memberships weren't all showing up when I viewed the group memberships in myDBR.

    I will fully admit that I started off with a lot of testing and playing with myDBR when I first set it up, so it's possible something is awry with how groups and users were set up and that somehow it's going cross-wise between myDBR and AD, but I'd assume that when I switched the authentication it'd focus solely on what was in AD.

    What can I do to troubleshoot this or clear out the user accounts and groups in myDBR to get a fresh pull straight from AD?

    So in summary, some users can log in to myDBR using AD but most can't, and group memberships aren't accurate between what AD Check shows and what myDBR groups show. All of the users do show as existing though.

  2. myDBR Team, Key Master

    Hi,
    A user's group definitions are updated every time the user logs in through AD, so you should not need to worry even if the user/group definitions are not in sync. You can clear them out from the UI or directly from the database (mydbr_groupsusers).

    What needs to be checked is whether some users cannot log in even if they show up in ad_check as valid myDBR users.

    --
    myDBR Team

  3. jluth, Member

    Alright, so I tried clearing everything and re-syncing but the issue still exists. Using ad_check shows all of the users and groups. However, when I click on some of the users they don't show to be part of a group. However, when I click on the groups they show up as a member. I assume that's the root cause of my issue. What would cause the user not to display any groups but show up as a member of the group?

  4. myDBR Team, Key Master

    Have you overridden the default value for 'active_directory_recursive_user_groups' found in defaults.php? If this is turned off, the group list still shows all the groups, but for a member, only direct groups are shown.

    The other limiting factor is that only myDBR groups are shown under a user, but as your group list shows these groups, it should not cause this.

    --
    myDBR Team

  5. jluth, Member

    It was set to true. I've set it to false, restarted the website and still don't see any change. The user is listed but no groups are listed under the user in ad_check. When I click on the group in ad_check she is listed.

    I'm assuming this is related to the main issue I have, which is the inability of this subset of users to log in to mydbr through AD.

  6. myDBR Team, Key Master

    We've sent you a script that should help you to debug your AD configuration.

    --
    myDBR Team
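
The comparison discussed in this thread (a group lists a user, but the user's own group list is empty), as an added Python example that is not part of the thread, not myDBR code, and not the script the myDBR Team mentions. It models direct versus recursive group expansion over constructed data only and does not query AD; `MEMBER_OF`, `MEMBERS` and every name in them are assumptions made up for illustration.

```python
# Constructed sample data: names and memberships are made up for illustration.
# MEMBER_OF is the user-side view (each entry's direct groups);
# MEMBERS is the group-side view (each group's direct members).
MEMBER_OF = {
    "alice": ["Sales"],
    "carol": ["Sales"],
    "bob": [],                  # constructed inconsistency: Finance lists bob
    "Sales": ["Reporting"],
    "Finance": ["Reporting"],
    "Reporting": [],
}
MEMBERS = {
    "Sales": ["alice", "carol"],
    "Finance": ["bob"],
    "Reporting": ["Sales", "Finance"],
}

def expand(start, edges, recursive):
    """Follow `edges` from `start`: one hop if not recursive, else the full closure."""
    found, queue = set(), list(edges.get(start, []))
    while queue:
        node = queue.pop()
        if node in found or node == start:
            continue            # already visited: guards against circular nesting
        found.add(node)
        if recursive:
            queue.extend(edges.get(node, []))
    return found

def groups_of(entry, recursive, member_of=MEMBER_OF):
    """Groups seen from the user side (direct only, or including nested parents)."""
    return expand(entry, member_of, recursive)

def members_of(group, recursive, members=MEMBERS):
    """Members seen from the group side (direct only, or including nested members)."""
    return expand(group, members, recursive)

def mismatches(recursive, member_of=MEMBER_OF, members=MEMBERS):
    """(entry, group) pairs where the group lists the entry but the entry's own
    group list does not contain that group."""
    out = []
    for group in members:
        for entry in members_of(group, recursive, members):
            if group not in groups_of(entry, recursive, member_of):
                out.append((entry, group))
    return sorted(out)

if __name__ == "__main__":
    for mode in (False, True):
        print("recursive" if mode else "direct", mismatches(mode))
```

An entry that is reported in both modes, like the constructed `bob` here, disagrees between the two views regardless of the recursive setting.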

