Author Topic: Keystore and AD - AM_ACTIVEDIRECTORY (Solved - kind of)  (Read 279 times)

Zvolensky

  • EA User
  • Posts: 62
  • Karma: +0/-0
  • Do... or do not. There is no try.
Keystore and AD - AM_ACTIVEDIRECTORY (Solved - kind of)
« on: October 06, 2017, 01:52:31 am »
Hello,
Another issue I have, now with Keystore and AD.
In my settings file for Keystore I have the following:

AUTHMETHOD=AM_ACTIVEDIRECTORY
AUTHMETHOD_OPTIONS=Mylovelyusers

The AD group "Mylovelyusers" exists and I'm a member.

When I start the service (I have tried the system account and also my domain account, where I'm admin on the server), in the log file I see this:
...
[SYSTEM]: [ACTIVEDIRECTORYGROUP_AM] SUCCESS: Initialised. Naming Context: 'LDAP://DC=XYZ,DC=ABC,DC=EFG', 1 Group(s) added.
....

When I try to connect to the Keystore from my Sparx it is not working; the log file messages are:

[WARNING]: [ACTIVEDIRECTORYGROUP_AM] WARN: Authentication failed. Group 'CN=Mylovelyusers' not found.
[SYSTEM]: [ACTIVEDIRECTORYGROUP_AM] WARN: Authentication failed. User 'myuser' is not a member of any permitted groups.
[WARNING]: WARN Client from XX.YY.QQ.ZZ was denied authorisation. Reason: User 'myuser' is not a member of any permitted groups. Please contact your SSKS administrator for further details..

Any idea? What did I do wrong?
« Last Edit: October 06, 2017, 06:49:46 pm by Zvolensky »

Glassboy

  • EA User
  • Posts: 903
  • Karma: +52/-54
Re: Keystore and AD - AM_ACTIVEDIRECTORY
« Reply #1 on: October 06, 2017, 06:51:50 am »
At a guess your group is the wrong type of group.

Zvolensky

Re: Keystore and AD - AM_ACTIVEDIRECTORY
« Reply #2 on: October 06, 2017, 03:15:15 pm »
Hi
OK, and do you know the correct type of group, please?

Zvolensky

Re: Keystore and AD - AM_ACTIVEDIRECTORY (Solved - kind of)
« Reply #3 on: October 06, 2017, 06:53:17 pm »
So the problem was not in the type of group but in the cfg file.
Our AD is a big one and I was not able to specify where exactly this group is in the bigger context. I was trying different approaches and gave up, as the guide is not very specific (surprise surprise).
So instead of AM_ACTIVEDIRECTORY I'm using AM_ACTIVEDIRECTORYEX with an adconfig file, where I was able to specify the exact naming context of the group, and now it is working.
So it is solved, kind of.