LDAP Issues

Former Member
0 Kudos

Running 11.5.3...

I have xMII talking to Active Directory using LDAP and Windows Domain Policy. I am able to log in to xMII as any domain user. The problem I am having is that after I log in (as any user), I do not have any navigation menu items. This did work at one time. I'm not sure what happened or when it happened.

I suspect one (or more) of the LDAP configuration queries is incorrect. I have tested many of them and they return correct data. I've tested the queries that are not "wild-carded" with a "?".

A bit more information...

My login "rmiller" is a member of the Domain. On the domain, "rmiller" is a member of "Domain Admins". In the Navigation editor, I can browse Roles and I see the "Domain Admins" role. I have defined a menu structure for Domain Admins. However, when I log in to xMII my navigation menu is completely blank - there is nothing - no links. This is the same for every domain user. If I log in as the xMII user "Admin", I get the default navigation bar.

Accepted Solutions (1)

jcgood25
Active Contributor
0 Kudos

Ryan,

Does this show you any 'NavigationItems' in the xml?

http://<servername>/Lighthammer/Illuminator?Service=SystemInfo&Mode=CurrentProfile

Have you customized any of the theme stylesheets that might be causing this? Do any of your 'Roles' have a theme assigned? How about the rmiller user?

Any errors in the logs?

Best Regards,

Jeremy Good

Former Member
0 Kudos

That URL returns a blank page on both the problem server and a working server (and yes I did replace <servername> with the correct server name ;*)).

I do not have any customer stylesheets. The user and roles have no themes assigned to them.

The logs don't show any errors that I can see. I saw a bunch of entries calling the LDAP queries during login, but I didn't see any LDAP query result log entries.

jcgood25
Active Contributor
0 Kudos

So - you have both a Policy configured and the LDAP User Configuration settings or just the LDAP?

On the Role Mapping tab of the LDAP User Config screen do you have a standard role mapped to the Everyone role? Do you have the "Domain Admins" role mapped to the Administrators role? This would have implications for the Data Access and System Security Access standard setup where the 'Everyone' role can use the IlluminatorService, Simulator data server, etc.

Regards,

Jeremy

Former Member
0 Kudos

I do have both a Policy (Windows Domain) and the LDAP User Configuration configured.

I do have Domain Admins mapped to All available Roles (left side) in the Role Mapping tab of the LDAP User Config screen.

jcgood25
Active Contributor
0 Kudos

After logging in and getting the blank Personalization area, what does it say for the 'IllumLoginRoles' session attribute when you go to: /Lighthammer/PropertyAccessServlet?Mode=List

Have you looked at the active sessions inside the ServletExec admin application to see the behind the scenes info?

Former Member
0 Kudos

Using /Lighthammer/ProjectAccessServlet?Mode=List verifies that there are no Roles defined for the logged in user. This proves my thought that there are no roles defined, hence no navigation menu. Question is, why not?

Do you know which one (or ones) of the LDAP queries I can verify to make sure the proper Role Information is working?

I did look in the active sessions, and it shows several users, including my own.

jcgood25
Active Contributor
0 Kudos

Check the LHSecurity help for more discussion, but basically the 'Select Roles for User' query should get all the roles that the 'rmiller' account belongs to and then pass the distinguished name result into the 'Select Role by Distinguished Name' query.

Do you see valid info here when you test the queries in the LDAP config screen?

Former Member
0 Kudos

Yes, this is what I was thinking. My current Select Roles for User is:

select name from * where objectCategory=group and sAMAccountName=?

If I modify it to:

select name from * where objectCategory=group and sAMAccountName=rmiller

and test, I get an empty result set. This could very well be my problem. So, without knowing details of the LDAP tree, does anything in this query look incorrect? I think this was the standard Select Roles for User query.

jcgood25
Active Contributor
0 Kudos

Try 'Select Roles for User': select distinguishedName from cn=Users where objectClass=user and sAMAccountName=?

You need the distinguishedName for the member=? in the 'Select Role by Distinguished Name' query.
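The two-step role lookup discussed in this thread, as an added example that is not part of any post or of xMII itself: it evaluates the original 'Select Roles for User' query and the user-DN-then-`member` lookup against a constructed in-memory directory and reports which step comes back empty. The `DC=example,DC=com` entries, the `jdoe` account, the function names and the `name` column selected in step 2 are assumptions.

```python
# Constructed sample directory (not data from the poster's domain).
BASE = "CN=Users,DC=example,DC=com"
DIRECTORY = [
    {"distinguishedName": f"CN=rmiller,{BASE}", "objectClass": "user",
     "objectCategory": "person", "sAMAccountName": "rmiller", "name": "rmiller"},
    {"distinguishedName": f"CN=jdoe,{BASE}", "objectClass": "user",
     "objectCategory": "person", "sAMAccountName": "jdoe", "name": "jdoe"},
    {"distinguishedName": f"CN=Domain Admins,{BASE}", "objectClass": "group",
     "objectCategory": "group", "sAMAccountName": "Domain Admins",
     "name": "Domain Admins", "member": [f"CN=rmiller,{BASE}"]},
]

def _matches(actual, wanted):
    # Simplification: case-insensitive equality; multi-valued attributes match on any value.
    values = actual if isinstance(actual, list) else [actual]
    return any(v is not None and v.lower() == wanted.lower() for v in values)

def search(select, **conditions):
    """Return `select` from each entry that satisfies every attr=value condition (AND)."""
    return [e[select] for e in DIRECTORY
            if all(_matches(e.get(a), v) for a, v in conditions.items())]

def roles_original_query(login):
    # select name from * where objectCategory=group and sAMAccountName=?
    # Matches only a *group* whose own sAMAccountName equals the login.
    return search("name", objectCategory="group", sAMAccountName=login)

def roles_two_step(login):
    roles = []
    # Step 1: select distinguishedName ... where objectClass=user and sAMAccountName=?
    for dn in search("distinguishedName", objectClass="user", sAMAccountName=login):
        # Step 2: the user's DN is substituted for member=? in the group query
        roles += search("name", objectCategory="group", member=dn)
    return roles

def diagnose(login):
    """Name the step at which role resolution comes back empty."""
    if not search("distinguishedName", objectClass="user", sAMAccountName=login):
        return "step 1: no user entry for this login"
    if not roles_two_step(login):
        return "step 2: no group lists the user's DN in member"
    return "ok"

if __name__ == "__main__":
    for login in ("rmiller", "jdoe", "nobody"):
        print(login, roles_original_query(login), roles_two_step(login), diagnose(login))
```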

Former Member
0 Kudos

No dice.

... shift change bell blowing!

jcgood25
Active Contributor
0 Kudos

Maybe you are not as distinguished as you thought...

Former Member
0 Kudos

My fans speak for me ;*)

jcgood25
Active Contributor
0 Kudos

Have you enabled Debug in LHSecurity and watched the attempted login process to see if any helpful info is there?

Answers (0)