LDAP login fails when users move to new OU
Users cannot log in after their account moves to a new OU.
Set up:
Version 8.2
1. LDAP_BO : business object group with 3 LDAP BOs. One for each of 3 OUs
2. RegularUser_BO : with LDAP attribute referencing the LDAP_BO
Login setup: LDAP_BO.userPrincipalName matching RegularUser.LDAP
Login set to auto create user.
Everything works when I add my first user. A new RegularUser is created and RegularUser_BO.LDAP is DEFINED
Then I move this user to a new OU. ... wait a few minutes
Now I try to log in again with this user. First I get a rule error "duplicate login name". Then a few minutes later I try again and I can log in ... But only because AwareIM created a NEW user.
So, now I have two users with the same loginname but different LDAP. The original user's LDAP attribute is now UNDEFINED. The new user's LDAP attribute points to the new OU.
I've tried to point my LDAP_BO to the root OU but it seems that the AwareIM LDAP implementation doesn't do a recursive lookup (or whatever). I've tried to change the OU (in AD), then go into AwareIM, find the user who moved and update the LDAP attribute, but AwareIM seems to cache the incorrect LDAP setting and won't let me change it to the new OU. Further, if I move the user's OU, then any shortcuts in the RegularUser_BO that link to the LDAP_BO are now invalid and prevent AwareIM from querying RegularUsers. So, now, short of assigning values, I can't even shortcut into the LDAP mail attribute to link to the RegularUser.EmailAddress (so I can run a rule like SEND <...> TO RegularUser).
User accounts do move between OUs so what is a solution to this predicament?
Thanks
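The failure described above (a reference held as a DN going stale when the account moves, while a userPrincipalName search scoped at the domain root still finds the same object) can be reproduced with a small stdlib-only simulation of LDAP base/subtree scoping. This is added example code, not Aware IM's implementation; the directory, DNs and user are constructed sample data.

```python
"""Constructed simulation (not Aware IM code) of why a stored DN breaks when an
AD account moves between OUs, and why a subtree search from the domain root
keyed on userPrincipalName still resolves the moved object."""

BASE = "BASE"        # read exactly the base object (what a stored-DN lookup does)
SUBTREE = "SUBTREE"  # search the base and everything beneath it


def parse_dn(dn):
    """Split a DN into its RDN components, most specific first."""
    return [part.strip() for part in dn.split(",")]


def is_under(dn, base, scope):
    """True if `dn` lies within `base` for the given search scope."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base)
    if scope == BASE:
        return dn_parts == base_parts
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def search(directory, base, scope, attr, value):
    """Return (dn, entry) pairs under `base` whose `attr` equals `value`."""
    return [(dn, entry) for dn, entry in directory.items()
            if is_under(dn, base, scope) and entry.get(attr) == value]


def move_entry(directory, old_dn, new_parent):
    """Simulate an AD move: the RDN stays, the parent changes, attributes are kept."""
    entry = directory.pop(old_dn)
    new_dn = parse_dn(old_dn)[0] + "," + new_parent
    directory[new_dn] = entry
    return new_dn


def scenario():
    """Constructed directory: one user under OU=Sales, then moved to OU=Support."""
    root = "DC=example,DC=com"
    stored_dn = "CN=jane,OU=Sales," + root          # the DN an application saved at first login
    directory = {stored_dn: {"userPrincipalName": "jane@example.com", "mail": "jane@example.com"}}
    upn = "jane@example.com"
    new_dn = move_entry(directory, stored_dn, "OU=Support," + root)
    return {
        # reading the saved DN now fails: this is the "Error reading LDAP entry <former DN>" case
        "by_stored_dn": len(search(directory, stored_dn, BASE, "userPrincipalName", upn)),
        # a per-OU base misses the user once it has moved elsewhere
        "by_upn_in_old_ou": len(search(directory, "OU=Sales," + root, SUBTREE, "userPrincipalName", upn)),
        # a subtree search from the domain root keyed on UPN still finds the one object
        "by_upn_from_root": [dn for dn, _ in search(directory, root, SUBTREE, "userPrincipalName", upn)],
        "new_dn": new_dn,
    }
```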
LDAP ... user moves to new OU. Now can't log in
Re: LDAP ... user moves to new OU. Now can't log in
Further testing, no further forward.
Set login to NOT create users on login.
Manually added a RegularUser and associated the LDAP_BO with this user. (on my form it's just a check-box dropdown using userprincipalname for the displayed attribute). All good.
test a log in with this 'new' user. Works. Great. Log this user out.
Now I move the account in AD to one of the other OUs. Wait a few minutes for AD to propagate state.
I log into the Business space with the admin account and edit the user created earlier. I notice that when I'm editing this user the LDAP_BO field is now empty (presumably because AwareIM has figured out that the user is no longer in that OU). So, I move to the check-box field and type in the user's userprincipalname. Search finds it. I hit save and I get a popup ERROR "Internal error. Error reading LDAP entry <user's former DN>".
So, can't update the LDAP_BO reference and AwareIM is (maybe) caching the incorrect value somewhere preventing me from updating it.
There is no documentation to explain what should be happening now.
Re: LDAP ... user moves to new OU. Now can't log in
So, I move to the check-box field and type in the user's userprincipalname. Search finds it. I hit save and I get a popup ERROR "Internal error. Error reading LDAP entry <user's former DN>".
What is the output of the server when you get this error?
Aware IM Support Team
Re: LDAP ... user moves to new OU. Now can't log in
Not sure what this checkbox field is.
I should have written Combo-Box, because I tested with Combo-Boxes, not a checkbox.
Yes, there is one LDAP BO related as a "peer" to a RegularUser BO. Example, to reference the LDAP BO from the RU BO I use RegularUser_BO.LDAP_BO.
Are you talking about a dropdown for single-reference attributes?
My options to represent single-reference BOs are “Grid”, “Combo-box”, “Checkboxes”, “Tree” and “Form”.
Have you tried representing a reference to the LDAP user as a table?
How do I represent the LDAP BO as a table? Note I have > 1500 LDAP users. This is why I'm not using a Grid.
But getting back to the problem, does AwareIM support the case where the underlying AD object moves to a new OU? Naturally, should an AD object move, I would want AwareIM to accept that and not complain. As long as I provide pointers to all my OUs, I would expect AwareIM to locate the AD object in whatever OU it has happened to move to.
Re: LDAP ... user moves to new OU. Now can't log in
How do I represent the LDAP BO as a table
But getting back to the problem, Does AwareIM support the case where the underlying AD object moves to a new
Aware IM Support Team