Converting ldap accounts to localdb


Duncan Smith

Jan 13, 2023, 8:32:07 AM
to xnat_discussion
Hi all,

I manage an XNAT (1.8.4.1) with around 200 users who are all using LDAP accounts. For various reasons, they would now like all of these accounts to become XNAT (localdb) ones, and detach this XNAT from their LDAP system.

Using examples given in this thread, in a testing setup I have been able to use the following SQL command to create a localdb user "dtest" for an existing LDAP account with the same name:

INSERT INTO
    xhbm_xdat_user_auth (created, disabled, timestamp, auth_method, auth_user, failed_login_attempts, password_updated, xdat_username)
VALUES
    (now(),'1970-01-01 00:00:00', now(), 'localdb', 'dtest', 0, now(), 'dtest');

Initially I am unable to log in with the localdb method for this user, but after creating a password using the "Change User Password" function from the Users page in XNAT, I can then log in. I can then see the "dtest" user has both auth methods now listed in the "View Authorization Details" page.

I wanted to check before using this approach on the production instance of this XNAT, is this the correct approach to take? Are there any issues that I may run into, or things I need to be aware of?

Secondly, after using the above SQL command and creating a localdb user like that, is there a default password that would allow authentication? Or is it the case that until a password is set within the UI as explained above, it would be unusable?

Thanks for your help,
Duncan

Rick Herrick

Jan 19, 2023, 10:43:06 AM
to xnat_di...@googlegroups.com
Hi Duncan,

Sorry for the delay in responding. I started this reply then sorta didn’t hit send, which I guess is a pretty important part of replying?

Anyway…

Your “migration” from LDAP to localdb sounds fine.

Regarding the password, you could change the password for one user, then use the values that get set for primary_password and salt in the xdat_user table to set the same password for users as you migrate them. That said, I think it’s preferable (i.e. more secure) just to have users reset their passwords themselves.

Rick Herrick
Senior Software Developer



Duncan Smith

Jan 23, 2023, 7:01:44 AM
to xnat_discussion
Hi Rick,

Thanks for taking a look at this. Having the users reset their own passwords seems like the best approach to take here after making these changes.

Thanks,
Duncan

akluiber

Mar 22, 2024, 12:11:06 PM
to xnat_discussion
Hi all, I was hoping to do the same because I have regular issues with my LDAP service authentication account becoming locked and preventing LDAP users from being able to log in...

However, after using the SQL above in Duncan's post, my former LDAP user account has issues logging in or getting the local password set/reset...

The SQL executes fine and I also see localdb listed alongside the LDAP under the user's authentication details. However, the admin account is unable to change the user's password, and neither is the user able to successfully change/reset their own password. Interestingly, when the user attempts the password reset, it will complete and they're logged in. However, after they log out and attempt to log in again, they're prompted to download an empty "login" file. The user remains logged out.

I've attached relevant screenshots and logfile errors that I could find.
xapi_error_admin_change_user_pw.log
admin_ui_change_user_pw_error.png
security_login_error_after_user_pw_reset.log
turbine_error_after_user_pw_reset.log
user_login_download_prompt.png

akluiber

Mar 29, 2024, 3:46:44 PM
to xnat_discussion
Does anyone have any ideas about the errors I'm running into, or code they've successfully used to make this transition? The other, more painful option is to require users to just establish new accounts/usernames.

Thanks for any help.
