Occasional Contributor
_GMS_
Posts: 5
Registered: ‎07-18-2013
Message 1 of 5 (826 Views)
Accepted Solution

Active Directory and OO LDAP config

Hi there,

I'm not having much luck configuring LDAP (AD W2k8 R2) auth with OO (version 9.07). I have spent almost a day on this problem and have read the other posts relating to OO LDAP auth.

OO doesn't seem to be able to see any other group aside from Domain Users, and that's only when I point the contexts to the top of the LDAP tree; when I point it to the contexts shown below, it fails to see the group I'm pointing to (MS). Even when it does see the Domain Users group, it fails to recognize my user as a member of it.

I've tested everything as far as attributes using ADSI Edit and LDAP paths using ADFind, so I know they are correct. Any help on this would be most appreciated.

AD Domain = testdomain

An internal OO account  = cn=matrix console login,cn=managed service accounts,dc=testdomain,dc=local

LDAP URL = ldap://ad2.testdomain.local:389

LDAP search filter that tries to match the user groups = (&(member=cn={1},CN=MS,OU=Access Groups,OU=MS,OU=Staff,DC=testdomain,DC=local))

List of LDAP contexts containing user groups = OU=Access Groups,OU=MS,OU=Staff,DC=testdomain,DC=local

List of LDAP contexts containing users = cn={0},OU=MS,OU=Staff,DC=testdomain,DC=local

LDAP search filter used in the user search = (sAMAccountName={0})

Valued Contributor
Dimiter Todorov
Posts: 109
Registered: ‎03-02-2010
Message 2 of 5 (804 Views)

Re: Active Directory and OO LDAP config

Try replacing the LDAP search filter that tries to match user groups with just this:

(member={0})

Occasional Contributor
_GMS_
Posts: 5
Registered: ‎07-18-2013
Message 3 of 5 (785 Views)

Re: Active Directory and OO LDAP config

Thanks for the reply.

Unfortunately no luck with that change either.

When I was making the change yesterday I noticed that if I set "List of user context attribute names which can be used as groups." to memberOf, OO returns all the groups I am a member of yet still fails to see me as a member of any of them. I'm testing as a Domain admin as well, so still not sure what the issues might be...

Occasional Visitor
greglbn
Posts: 3
Registered: ‎07-23-2013
Message 4 of 5 (778 Views)

Re: Active Directory and OO LDAP config

Good evening,

I have the same issue.

The user is found, but not in any group he is a member of.

Thank you in advance

Gregory

Occasional Contributor
_GMS_
Posts: 5
Registered: ‎07-18-2013
Message 5 of 5 (751 Views)

Re: Active Directory and OO LDAP config

So, got some help with this from an HP guy here in NZ and it's now working.

My mistake was the path I had put in for LDAP search filter that tries to match the user groups.

In the config I originally posted I had:

(&(member=cn={1},CN=MS,OU=Access Groups,OU=MS,OU=Staff,DC=testdomain,DC=local))

This should have been:

member=CN={1},OU=MS,OU=Staff,DC=testdomain,DC=local

It needed to point to where my user account is, so "OU=Access Groups" shouldn't have been in there, and I was pointing to a "CN" not an "OU", since MS is an Organisational Unit not a container.

For "Attribute of any group (returned from the group search), to use as group name" we added: name (same as the example in the LDAP config in OO).

For "List of user context attribute names which can be used as groups. The list separator is a ";"." we left this blank.

For "LDAP search filter used in the user search" we set it back to the same as the example in the LDAP config in OO:

(&(objectClass=person)(|(sAMAccountName={0})(uid={0})))

(The HP guy said he has never had to change the above value from this in order to get it working.)

Also, don't forget to create a group in OO which maps to a group the users who will be logging in are in. For me, I used the same group referenced in the "LDAP search filter that tries to match the user groups", which is MS in my config above. The mapping seems to work just by putting the group name in there as opposed to using an LDAP path.

Good luck!
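
The difference between the two group filters quoted in the last post, as an added example that is not part of the thread and is not HP OO code. It assumes, as the posted filters imply, that OO replaces {1} with the login name; the account jsmith and the member list are constructed sample data, and the RFC 4514/4515 escaping of the login goes beyond what the thread discusses.

```python
import re

# Constructed sample data modelled on the thread; "jsmith" is a made-up account.
BASE = "OU=MS,OU=Staff,DC=testdomain,DC=local"
GROUP_MEMBERS = ["CN=jsmith," + BASE]  # values of the group's member attribute
ORIGINAL = "(&(member=cn={1},CN=MS,OU=Access Groups," + BASE + "))"
WORKING = "member=CN={1}," + BASE

def escape_rdn(value):
    """RFC 4514: escape a value before placing it inside a DN component."""
    value = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    return re.sub(r'^[ #]| $', lambda m: '\\' + m.group(0), value)

def escape_filter(value):
    """RFC 4515: escape a value before placing it inside a search filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)

def expand(template, login):
    """Filter text after substitution; assumes {1} stands for the login name."""
    return template.replace("{1}", escape_filter(escape_rdn(login)))

def asserted_dn(template, login):
    """The DN the expanded filter requires to be present in 'member'."""
    dn_template = re.search(r'member=([^()]*)', template).group(1)
    return dn_template.replace("{1}", escape_rdn(login))

def dn_key(dn):
    """Simplified DN comparison key: split on unescaped commas, trim, fold case."""
    return tuple(part.strip().lower() for part in re.split(r'(?<!\\),', dn))

def matches(template, login, members=GROUP_MEMBERS):
    """True if some member value equals the DN built from the template."""
    wanted = dn_key(asserted_dn(template, login))
    return any(dn_key(m) == wanted for m in members)

if __name__ == "__main__":
    for name, template in (("original", ORIGINAL), ("working", WORKING)):
        print(name, asserted_dn(template, "jsmith"), matches(template, "jsmith"))
    # A login containing filter metacharacters stays inside the assertion value.
    print(expand(WORKING, "x*)(cn=*"))
```

The original template builds a DN with two extra components that no member value carries, so the equality match on member can never succeed; the working template reproduces the user's actual DN.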
