LDAP ... user moves to new OU. Now can't log in

craigd

LDAP login fails when users move to new OU

Users cannot login after their account moves to a new OU.

Set up:
Version 8.2

LDAP_BO : business object group with 3 LDAP BOs. One for each of 3 OUs
RegularUser_BO : with LDAP attribute referencing the LDAP_BO

Everything works when I add my first user. A new RegularUser is created and RegularUser_BO.LDAP is DEFINED

Then I move this user to a new OU. ... wait a few minutes

Now I try to log in again with this user. First I get a rule error "duplicate login name". Then a few minutes later I try again and I can log in ... But only because AwareIM created a NEW user.

So, now I have two users with the same loginname but different LDAP. The original user's LDAP attribute is now UNDEFINED. The new user's LDAP attribute points to the new OU.

I've tried to point my LDAP_BO to the root OU but seems that AwareIM LDAP implementation doesn't do a recursive lookup (or whatever). I've tried to change the OU (in AD) then go into AwareIM, find the user who moved and update the LDAP attribute but AwareIM seems to cache the incorrect LDAP setting and won't let me change it to the new OU. Further, if I move the user's OU, then any shortcuts in the RegularUser_BO that link to the LDAP_BO are now invalid and prevents AwareIM from querying RegularUsers. So, now, short of assigning values, I can't even shortcut into the LDAP mail attribute to link to the RegularUser.EmailAddress (so I can run a rule like SEND <...> TO RegularUser)

User accounts do move between OUs so what is a solution to this predicament?

Thanks

craigd

Further testing, no further forward.

Set login to NOT create users on login.
Manually added a RegularUser and associated the LDAP_BO with this user. (on my form it's just a check-box dropdown using userprincipalname for the displayed attribute). All good.
test a log in with this 'new' user. Works. Great. Log this user out.

Now I move the account in AD to one of the other OUs. Wait a few minutes for AD to propagate state.

I log into the Business space with admin account and edit the user created earlier. I notice that when I'm editing this user that the LDAP_BO field is now empty (presumably becasue AwareIM has figured out that the user is no longer in that OU). So, I move to the check-box field and type in the user's userprincipalname. Search finds it. I hit save and I get a popup ERROR "Internal error. Error reading LDAP entry <user's former DN>".

So, can't update the LDAP_BO reference and AwareIM is (maybe) caching the incorrect value somewhere preventing me from updating it.

There is no documentation to explain what should be happening now.

aware_support

So, I move to the check-box field and type in the user's userprincipalname. Search finds it. I hit save and I get a popup ERROR "Internal error. Error reading LDAP entry <user's former DN>".

Not sure what this checkbox field is. Are you talking about a dropdown for single-reference attributes? Have you tried representing a reference to the LDAP user as a table?

What is the output of the server when you get this error?

craigd

Not sure what this checkbox field is.

I should have written Combo-Box, because I tested with Combo-Boxes, not a checkbox

Are you talking about a dropdown for single-reference attributes?

Yes, There is one LDAP BO related as a "peer" to a RegularUser BO. Example, to reference the LDAP BO from the RU BO I use RegularUser_BO.LDAP_BO.

Have you tried representing a reference to the LDAP user as a table?

My options to represent single-reference BOs are “Grid”, “Combo-box”, “Checkboxes”, “Tree” and “Form”.
How do I represent the LDAP BO as a table. Note I have > 1500 LDAP users. This is why I'm not using a Grid.

But getting back to the problem, Does AwareIM support the case where the underlying AD object moves to a new OU. Naturally, should an AD object move, I would want AwareIM to accept that, and not complain. As long as I provide pointers to all my OUs, then I would expect AwareIM to locate the AD object in whatever OU it has happened to move to.

aware_support

How do I represent the LDAP BO as a table

A table is "grid".

But getting back to the problem, Does AwareIM support the case where the underlying AD object moves to a new

Not automatically. What you did (the second attempt) was correct and it should have worked in theory. So check the output of the server for any clues. Also try "grid" just for experiment's sake.