I’m using Community 9.5 and have configured LDAP successfully with our service account and have set up a group in CentraSite associated with a group in AD and imported the users belonging to that group. I am able to sign in to CS with my userid (I’m a member of that group), but no one else in my group is able to sign on. I see the following on the sag-osgi.log when they try (replacing values with x’s):
AuthUser_W: login of user xxxxxx(domain: xxxxxxxxx, host:xxxxx.xxxxx.com, port:389) was successful(154902E8).
getLDAPgroupsOfUserW: ldap get groups of user((&(objectClass=group)(member=CN=xxxxx, xxxxxx,OU=IT,OU=xxxxxx,DC=xxxxx,DC=com))) failed(“”).
ERROR: Can not receive user groups properties.
ERROR: Can’t get groups of user User with name: xxxxx. (-7)
Anyone run into this or know why it lets me sign in with no issues, and no one else can?
Thanks, Diane
I have found what is causing this and was wondering if anyone is aware of a way to modify CentraSite for how it pulls in members of an associated LDAP group. For some reason the convention of how our security group adds new members has changed in the formatting of the CN parameter for a member within AD. For those that are CN=firstname.lastname CentraSite pulls in the members for the associated group and makes them a member of the associated group within CentraSite. For those that are CN=lastname, firstname…CentraSite pulls them in as a User but does not make them a member of the group.
This is causing an issue when these users try to login to CentraSite…they authenticate ok…but then CentraSite searches to see which group they are a part of and then I get the failure listed in my previous post.
Anyway to modify how CentraSite handles the import process when importing all members of an AD group?
Unfortunately it looks like it is happening at the query level to the LDAP server.
I don’t think you can modify the CentraSite configuration to get this to work.
It looks like it could be due to the structure of the CN field.
Logging of the login module might make this clearer.
Which LDAP server are you using?
In many of our LDAP servers we typically use a userid that is normally a shortened version of the username (e.g. initials). This is what is used for logins.
Is that a possibility in your environment? To use a different field for the CentraSite user names?