7.405 user portal login for AD group member fails

Hi,

I followed the steps in http://portal.knowledgebase.net/display/2n/kb/article.asp?aid=302244

I want to enable the members of one AD group to log into user portal
and then use remote access via SSL.

I have a working connection to AD, test authentication on Active Directory
Configuration page works, two configured backend group memberships
are shown properly. (astaro has joined the domain)
(the members of one group shall be able to use the user portal, the other
group I created only to verify that the membership is detected correctly)

First error is in the log when I prefetch one group:

2009:09:23-22:08:13 mail user_prefetch[30693]: ------------------------------------------------------------
2009:09:23-22:08:13 mail user_prefetch[30693]: Adding/updating users
2009:09:23-22:08:13 mail user_prefetch[30693]: ------------------------------------------------------------
2009:09:23-22:08:13 mail user_prefetch[30693]: # 1 Creating user testuser
2009:09:23-22:08:13 mail user_prefetch[30693]: Failed to set object
2009:09:23-22:08:13 mail user_prefetch[30693]: >=========================================================================
2009:09:23-22:08:13 mail user_prefetch[30693]: $VAR1 = [
2009:09:23-22:08:13 mail user_prefetch[30693]: 'OBJECT_NAMESPACE',
2009:09:23-22:08:13 mail user_prefetch[30693]: ''
2009:09:23-22:08:13 mail user_prefetch[30693]: ];
2009:09:23-22:08:13 mail user_prefetch[30693]: 


  • Hi Paul,

    please confirm that you have activated the following option:

    Users » Authentication » Automatic user creation

  • yes, automatic user creation is active
  • Paul, I think you may be running afoul of an old "feature."  Can you post a pic of the edit of the backend group definition in the Astaro?

    Cheers - Bob
  • I attached config screenshots

    regards
  • That's what I thought.  In the 'Users >> Groups' definitions, modify the group so that you have only the content of CN, no "CN=" and none of the other stuff that came across when you dragged the AD group into the definition in the Astaro.  The Prefetch section is correctly configured.

    Also, I noticed that you have joined the Astaro to your domain, activating SSO.  You don't need to join the domain unless you want to use AD SSO in the HTTP Proxy.  At present, you don't have automatic user creation activated for the HTTP Proxy, so you'll need to change that if you want the users to browse via the proxy.

    Cheers - Bob
  • I modified the usergroup as you wrote, left the AD settings as before, because changing them to a short Group name leads to:

    2009:09:24-15:25:35 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:35 mail user_prefetch[22763]: Starting synchronization for adirectory
    2009:09:24-15:25:35 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:35 mail user_prefetch[22763]: Retrieving configuration
    2009:09:24-15:25:35 mail user_prefetch[22763]: -> using internal configuration
    2009:09:24-15:25:36 mail user_prefetch[22763]: ldap server:
    2009:09:24-15:25:36 mail user_prefetch[22763]: server: 192.168.yyyyyyyyy
    2009:09:24-15:25:36 mail user_prefetch[22763]: port: 389
    2009:09:24-15:25:36 mail user_prefetch[22763]: ssl: 0
    2009:09:24-15:25:36 mail user_prefetch[22763]: bind_dn: info@intern.yyyyyyyyy.de
    2009:09:24-15:25:36 mail user_prefetch[22763]: update: 1
    2009:09:24-15:25:36 mail user_prefetch[22763]: contexts:
    2009:09:24-15:25:36 mail user_prefetch[22763]: yyyyyyyyy-Remote
    2009:09:24-15:25:36 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:36 mail user_prefetch[22763]: Searching for users
    2009:09:24-15:25:36 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:36 mail user_prefetch[22763]: Connecting to ldap server
    2009:09:24-15:25:36 mail user_prefetch[22763]: ldap server: ldap://192.168.yyyyyyyy:389
    2009:09:24-15:25:36 mail user_prefetch[22763]: search for context 'yyyyyyyy-Remote' failed: invalid search base or filter
    2009:09:24-15:25:36 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:36 mail user_prefetch[22763]: performing ldap search:
    2009:09:24-15:25:36 mail user_prefetch[22763]: ldap search returned 0 users
    2009:09:24-15:25:36 mail user_prefetch[22763]: Search time: 0m 0s
    2009:09:24-15:25:36 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:36 mail user_prefetch[22763]: Adding/updating users
    2009:09:24-15:25:36 mail user_prefetch[22763]: ------------------------------------------------------------
    2009:09:24-15:25:36 mail user_prefetch[22763]: 0 user objects were found:
    2009:09:24-15:25:36 mail user_prefetch[22763]: 0 users were created
    2009:09:24-15:25:36 mail user_prefetch[22763]: 0 users were updated
    2009:09:24-15:25:36 mail user_prefetch[22763]: 0 users are authenticated locally.
    2009:09:24-15:25:36 mail user_prefetch[22763]: Overall time: 0m 0s
    2009:09:24-15:27:52 mail user_prefetch[22850]: ------------------------------------------------------------



    In contrast, with settings as in the screenshot:
    2009:09:24-15:27:52 mail user_prefetch[22850]: Starting synchronization for adirectory
    2009:09:24-15:27:52 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:52 mail user_prefetch[22850]: Retrieving configuration
    2009:09:24-15:27:52 mail user_prefetch[22850]: -> using internal configuration
    2009:09:24-15:27:52 mail user_prefetch[22850]: ldap server:
    2009:09:24-15:27:52 mail user_prefetch[22850]: server: 192.168.yyyyyyyy
    2009:09:24-15:27:52 mail user_prefetch[22850]: port: 389
    2009:09:24-15:27:52 mail user_prefetch[22850]: ssl: 0
    2009:09:24-15:27:52 mail user_prefetch[22850]: bind_dn: info@intern.yyyyyyyyyyyyy.de
    2009:09:24-15:27:52 mail user_prefetch[22850]: update: 1
    2009:09:24-15:27:52 mail user_prefetch[22850]: contexts:
    2009:09:24-15:27:52 mail user_prefetch[22850]: CN=yyyyyyyy-Remote,CN=Users,DC=intern,DC=yyyyyyyyyyy,DC=de
    2009:09:24-15:27:52 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:52 mail user_prefetch[22850]: Searching for users
    2009:09:24-15:27:52 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:52 mail user_prefetch[22850]: Connecting to ldap server
    2009:09:24-15:27:52 mail user_prefetch[22850]: ldap server: ldap://192.168.yyyyyyyyyy:389
    2009:09:24-15:27:52 mail user_prefetch[22850]: context 'CN=yyyyyyyyyy-Remote,CN=Users,DC=intern,DC=yyyyyyyyy,DC=de' is a group. Adding group members:
    2009:09:24-15:27:52 mail user_prefetch[22850]: CN=testuser\, Firstname,CN=Users,DC=intern,DC=yyyyyyyyyyyy,DC=de
    2009:09:24-15:27:52 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:52 mail user_prefetch[22850]: performing ldap search:
    2009:09:24-15:27:52 mail user_prefetch[22850]: searching 'CN=testuser\, firstname,CN=Users,DC=intern,DC=yyyyyyyyyyy,DC=de'
    2009:09:24-15:27:52 mail user_prefetch[22850]: ldap search returned 1 users
    2009:09:24-15:27:52 mail user_prefetch[22850]: Search time: 0m 0s
    2009:09:24-15:27:53 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:53 mail user_prefetch[22850]: Adding/updating users
    2009:09:24-15:27:53 mail user_prefetch[22850]: ------------------------------------------------------------
    2009:09:24-15:27:53 mail user_prefetch[22850]: # 1 Creating user testuser
    2009:09:24-15:27:53 mail user_prefetch[22850]: Failed to set object
    2009:09:24-15:27:53 mail user_prefetch[22850]: >=========================================================================
    2009:09:24-15:27:53 mail user_prefetch[22850]: $VAR1 = [
    2009:09:24-15:27:53 mail user_prefetch[22850]: 'OBJECT_NAMESPACE',
    2009:09:24-15:27:53 mail user_prefetch[22850]: ''
    2009:09:24-15:27:53 mail user_prefetch[22850]: ];
    2009:09:24-15:27:53 mail user_prefetch[22850]: 
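Added example, not part of any post in this thread: in the string form of a distinguished name (RFC 4514) a backslash escapes the character after it, so `\,` is a comma inside the attribute value and not an RDN separator. The sketch below splits a DN on unescaped commas and returns only the content of the leading CN; the function names and the `example` DNs are constructed placeholders modelled on the anonymized log lines, and multi-valued RDNs (`+`) are not handled.

```python
import re

def split_dn(dn):
    """Split a DN string into RDNs on unescaped commas only."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns

def unescape(value):
    """Undo RFC 4514 escapes: backslash + hex pair, or backslash + char."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def cn_of(dn):
    """Return the unescaped value of the first RDN, which must be a CN."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("first RDN is not a CN: %r" % attr)
    return unescape(value)

# Constructed sample DNs (placeholders, same shape as the log lines above)
GROUP_DN = "CN=example-Remote,CN=Users,DC=intern,DC=example,DC=de"
USER_DN = r"CN=testuser\, Firstname,CN=Users,DC=intern,DC=example,DC=de"

if __name__ == "__main__":
    print(cn_of(GROUP_DN))
    print(cn_of(USER_DN))
```

A plain `USER_DN.split(",")` yields six pieces and cuts the CN value in two, which is why the escape-aware split is needed.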
  • Here is a screenshot of the new group settings
  • The first section of your post 45 minutes ago looks like you changed the group definition in the prefetch section, so I apologize if I was unclear about that.  It should have been left as it was.  I suspect that you may be having a problem with the definition in AD of a user named "testuser\" and that you are trying to login with "testuser" (without the backslash).

    Also, I'm confused by the following line in the second section:
    2009:09:24-15:27:52 mail user_prefetch[22850]: bind_dn: info@intern.yyyyyyyyyyyyy.de

    Cheers - Bob
  • sorry Bob, but I tried a little to anonymize the logs

    The change in the prefetch I reverted when noticing the change in the log.

    The second log shows the previous behaviour, with
    Failed to set object
     $VAR1 = [
    'OBJECT_NAMESPACE',
    ''
    ];

    So this and the changed group setting was what I tried last, without success again
  • testuser and yyyyy (with varying length)  are replacements for real data