[Enterprise Plone] Active Directory Auth not working, but query OK


Aaron Paxson

Jul 3, 2010, 11:32:41 PM
to enter...@lists.plone.org

All, I'm integrating my Plone installation as our Worldwide Corporate
Intranet.

I installed the Active Directory Multi plugin using the tutorial
(http://plone.org/documentation/kb/authenticating-with-active-directory).
LDAP python support is working.

I configured Active Directory Multi plugin, and it queries the groups and
users perfectly. I can query against sAMAccountName or CN, or groups.

But, when authenticating, nothing happens (login failed). I did a packet
trace on my domain controller..... and nothing happens when I try to
authenticate. (but, what *IS* weird, is that I see packet data to the DC
when I log in as the local plone admin. I do not have an account named
'admin' in Active Directory).

I verified that my Active Directory plugin is at the top of the "Active
Authentication" plugins list and the "authentication" plugin is active.

What am I doing wrong? I've tried to enable DEBUG logging at the zope
client level, but it doesn't show anything. Just commits stuff.

Can anyone guide me to taking the next steps for troubleshooting? I've tried
so many different AD tutorials, but I just can't seem to get this to work.
It's an AD 2003 environment, but I don't think that matters.

I really appreciate it. Thank you in advance!
--Aaron Paxson


--
View this message in context: http://plone.293351.n2.nabble.com/Active-Directory-Auth-not-working-but-query-OK-tp5252463p5252463.html
Sent from the Enterprise mailing list archive at Nabble.com.
_______________________________________________
Enterprise mailing list
Enter...@lists.plone.org
http://lists.plone.org/mailman/listinfo/enterprise

da...@integreatmedia.com

Jul 5, 2010, 2:53:40 AM
to Aaron Paxson, enter...@lists.plone.org
Hi Aaron,

Sounds like you are 90% there. I think the problem might be with the format you are entering your usernames in order to authenticate.

Firstly, check what your 'Login Name Attribute' is set to in your Plone configuration, e.g. sAMAccountName, then do a search (query) for yourself or another user via the Users search and check what value appears next to the same field, e.g. sAMAccountName - this will be the format you need to enter your username in. You may find, for example, that you are used to entering your DomainName\UserName - but may need to just use UserName.

Regards,
David


From: "Aaron Paxson" <a...@thepaxson5.org>
Sent: 04 July 2010 04:35
To: enter...@lists.plone.org
Subject: [Enterprise Plone] Active Directory Auth not working, but query OK
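
The login-format check suggested above, as an added example that is not part of the original thread or of the plugin's code: it classifies a typed login and shows the escaped LDAP filter a verbatim lookup on the Login Name Attribute would produce. The function names, the `(attr=value)` filter shape and the sample logins (`CORP\jdoe`, `jdoe@corp.example`) are assumptions made for illustration.

```python
# Added example: sample logins below are constructed, not taken from the thread.

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string for safe use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def analyse_login(typed, login_attr="sAMAccountName"):
    """Classify a typed login and show the filter a verbatim lookup would use.

    Assumption: the lookup is (login_attr=<typed value>), a common shape for
    an LDAP-backed login; the plugin's real filter may add more clauses.
    """
    typed = typed.strip()
    if "\\" in typed:
        # Down-level form DOMAIN\user: only the part after the backslash
        # is stored in sAMAccountName.
        form, account = "down-level", typed.split("\\", 1)[1]
    elif "@" in typed:
        # UPN form user@domain lives in userPrincipalName; its prefix is
        # not guaranteed to equal sAMAccountName, so none is derived.
        form, account = "upn", None
    else:
        form, account = "bare", typed
    matches = form == "bare" or (form == "upn" and login_attr == "userPrincipalName")
    return {
        "form": form,
        "account": account,
        "filter_as_typed": "(%s=%s)" % (login_attr, escape_filter_value(typed)),
        "matches_attr": matches,
    }


if __name__ == "__main__":
    for sample in ("CORP\\jdoe", "jdoe@corp.example", "jdoe"):
        print(sample, "->", analyse_login(sample))
```

A `matches_attr` of `False` means the value as typed cannot equal what the directory stores in that attribute, so the user lookup returns no entry and no bind for that user follows.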

A.J. Paxson

Jul 5, 2010, 10:49:04 AM
to enter...@lists.plone.org
Thanks, David. That's the frustrating part. I can query on the sAMAccountName, but not authenticate using it. That attribute is set in my config. Then I try to log in to Plone, I get a login failed, but there isn't any data going from Plone to my Active Directory. I did a packet trace, and there is *nothing* during the login. It didn't even try to query AD.

Almost as if the PAS plugin is not getting triggered? Any idea how to debug or troubleshoot?

I then thought it would only work for local users, since local admin gets queried to AD. So, I created a local account same as my AD account. But, alas, no query to AD for login.

Frustrating.

Sent from my iPad


da...@integreatmedia.com

Jul 5, 2010, 11:06:58 AM
to A.J. Paxson, enter...@lists.plone.org
Hmm, odd. Out of interest, what port are you connecting Plone to your AD server with?

I remember I had an issue with the default port (although can't remember now the specific issue), but found that port 389 can also be used as an alternative, and have used 389 ever since. Give this a go?

David



From: "A.J. Paxson" <a...@thepaxson5.org>
Sent: 05 July 2010 15:51
To: "enter...@lists.plone.org" <enter...@lists.plone.org>
Subject: Re: [Enterprise Plone] Active Directory Auth not working, but query OK

A.J. Paxson

Jul 5, 2010, 11:12:14 AM
to da...@integreatmedia.com, enter...@lists.plone.org
Yes, it's 389 by default. Again, I can query manually fine. Even if it was wrong, I would see some kind of traffic on my packet capture. Plone just doesn't try.....

Sent from my iPad

Larry Pitcher

Jul 5, 2010, 2:34:41 PM
to enter...@lists.plone.org
On 7/5/2010 8:12 AM, A.J. Paxson wrote:
> Yes, it's 389 by default. Again, I can query manually fine. Even if it
> was wrong, I would see some kind of traffic on my packet capture. Plone
> just doesn't try.....

Aaron,

You may have seen it already, but I've written a small article about
Active Directory and Plone here:
http://www.catapultsolutions.net/resources/plone-cms-talks-w-ms-active-directory.html

It may have some tips that could help you. I found it was a necessity to
use the Apache Directory Studio tool to figure out the AD properties,
but it sounds like you may already have that figured out.

I don't know why Plone wouldn't be trying to authenticate against AD if
the auth plugin is enabled and at the top of the list...

You might just double-check that if you haven't already.

HTH,

--
Larry Pitcher
Catapult Solutions

Web: www.catapultsolutions.net
Email: larry....@gmail.com
Skype: larry.pitcher
Phone: 509.849.2660
