myDBR Forums » General discussion

Active Directory Login Problems

(8 posts) (2 voices)

  1. EricW, Member

    Hi

    I'm trying to get AD logins to work and am currently bewildered.

    In Environment Settings I have authentication set to Active Directory
    In Active Directory Settings I have a domain controller, username, password and account suffix set

    When I click "Test Connection", I get "Connection OK. 8 User"
    When I go to "Active Directory", it echoes my settings back, and says the MyDBR base group is 'MyDBR groups'
    All the various checks on that page come back OK and it reports all the users and groups I've put into MyDBR groups

    My personal account seems to work OK, but anyone else's gets bounced with "check the username/password" when we try to login..

    What have I done wrong?

    Regards

    Eric

  2. myDBR Team, Key Master

    If the connection can be made and the users are shown correctly, then the AD definitions are correct and it should work as expected. If your account works and the others do not, that needs to be checked.

    Can you login with your working credentials from user's computer? If not, try to clear the myDBR cookie from the browser.

    What are users using as username when trying to login? Their user name or their email address (should not make any difference if those two match)?

    --
    myDBR Team

  3. EricW, Member

    I can log in with my working account from a computer logged onto by another user.
    Users are using their username rather than email address.

    Other LDAP logins work for all users (our wiki for example)

  4. myDBR Team, Key Master

    Trying to simplify things:

    So you have one username that works (yours) and another that does not (another user).

    • You can see the another user listed behind the 'Active Directory'-link in myDBR (one of those 8)?
    • You can verify this with one computer and one browser. Login with your account works and then you log out and let user try (same browser window) and it does not work for him/her?
    • Is the username that does not work the same what is defined for the user in Active Directory's "User UPN Logon"?
    • What happens if the user tries to login with the email-address + password

    Other LDAP logins work for all users (our wiki for example)

    Also those not listed under 'MyDBR groups'? What is the definition for Base DN in myDBR?

    --
    myDBR Team

  5. EricW, Member

    You can see the another user listed behind the 'Active Directory'-link in myDBR (one of those 8)?
    Yes.

    You can verify this with one computer and one browser. Login with your account works and then you log out and let user try (same browser window) and it does not work for him/her?
    My account works. The other account does not.

    Is the username that does not work the same what is defined for the user in Active Directory's "User UPN Logon"?
    Yes. I've tried 'username', 'domain\username', and UPN (email)
    I login OK as just 'username'

    LDAP logins to the wiki work whether they're in the MyDBR group or not, as you'd expect.

    Base DN is blank

    My account shows up in Users with 'Active Directory' authentication.
    Other accounts do not appear (apart from dba, which has MyDBR authentication)

  6. myDBR Team, Key Master

    LDAP logins to the wiki work whether they're in the MyDBR group or not, as you'd expect.

    What is the content of 'myDBR Groups' in AD?

    Base DN is blank

    OK. Try setting the Base DN pointing to where the 'myDBR Groups' exists in AD. Most likely the users are not found from AD tree and therefore the invalid login. Set the base DN for example as:

    CN=Users,DC=yourcompany,DC=com

    My account shows up in Users with 'Active Directory' authentication.

    This is just because you have logged in. Users show as AD users in myDBR if they have logged in or you have run Sync behind 'Active Directory' link.
    --
    mYDBR Team

  7. EricW, Member

    OK.
    I've found it.

    At some time in the past.. *someone* hardened our AD so that random people could not easily view user properties.
    The LDAP browsing account did not have read access to EVERY user - just those with VPN access (me, for example)

    Fiddling with BaseDN just returned 'myDBR Group not found', but "Most likely the users are not found from AD tree " made me explicitly check read access for the service account and then set it to inherit at the user CN.

    People can now log in.

    Thanks

    Eric

  8. myDBR Team, Key Master

    OK, that explains it.

    You may still want to use (a correct) Base DN as it will speed up the AD queries.

    And you could check the users in groups under 'myDBR Group' are the correct ones (your wiki probably should not haves access).

    --
    myDBR Team


Reply

You must log in to post.