When using LDAP the user does not get the userGroups assigned
jar
<p>Hello,</p>
<p> </p>
<p>I have configured IHub 3.1 to use LDAP for the users management.</p>
<p>When I look in IHub Administration I see all groups and users that I defined in LDAP. And looking at the group it appears to be correct. But looking at the user it is not. </p>
<p> </p>
<p>When I go to a group I see all the users for that group (see group.png) as they are added in LDAP but when I go to the user (see user.png where there are no assigned usergroups) I would expect to see the userGroups for that user but there are none...</p>
<p> </p>
<p>Consequently my ACL authorization is not working correctly, and also allowing a group access to a directory on the server does nothing because the user has no userGroups...! I have tested this.</p>
<p> </p>
<p>Is this expected behaviour?</p>
<p>I have added the users as members of the group in LDAP. </p>
<p> </p>
<p>It is for me at least a bit of an urgent matter ... If somebody can enlighten me as to where I am going wrong I would really appreciate an answer. If more information is needed please let me know...</p>
<p> </p>
Comments
JFreeman
<p>Hmm that is interesting.</p>
<p> </p>
<p>As far as I know, that should not be expected behavior of an environment properly configured to use an LDAP. I have a test environment that is connected to an LDAP and the users that were part of a group show up as having that group assigned just the same as they show up as part of the group.</p>
<p> </p>
<p>How did you configure and setup the LDAP connection?</p>
<p>Are you using the built-in LDAP Adapter or have you created a custom RSSE?</p>
<p> </p>
<p>My guess is this is either related to how the LDAP itself is configured or how the adapter that connects the iHub to the LDAP is configured.</p>
jar
<p>Hello Jesse,</p>
<p> </p>
<p>Thanks for your response.</p>
<p>I forgot to mention that I am testing this with IHub 3.1 F-type virtual Image and the user utility (<a data-ipb='nomediaparse' href='http://developer.actuate.com/community/forum/index.php?/files/file/1104-utility-to-enable-ldap-with-birt-ihub-f-type/'>http://developer.actuate.com/community/forum/index.php?/files/file/1104-utility-to-enable-ldap-with-birt-ihub-f-type/</a>) for configuring IHub 3.1 with LDAP. While writing this I am downloading the Trial version of IHub, as I understood from my system administrator that on our production server there is a GUI for it. For instance in the user utility there is a setting = isRecursive and in the GUI there is a setting RecursiveGroups. We are now wondering if these settings are the same.</p>
<p> </p>
<p>I am going to try with trial version and see if the result is the same. I will share the result here.</p>
<p> </p>
<p>Jeroen</p>
jar
<p>Hello,</p>
<p> </p>
<p>I installed the trial edition (vmware) and it seems that in the trial the sysconsole is not available? </p>
<p> </p>
<p>I tried using the utility from my previous post (was for F-type) and this is not working while it was working on an F-type vmware I had (3.1).</p>
<p> </p>
<p>Is there a way to test using LDAP for user management and groups in the trial version? The utility is not working and sysconsole seems not to be working. Any advice on how to proceed is much appreciated. </p>
<p> </p>
<p>Jeroen</p>
jar
<p>Hello,</p>
<p> </p>
<p>I use the following configuration (I have changed a few settings to ???? for privacy): </p>
<p> </p>
<div> </div>
<div># Utility Configuration Properties</div>
<div>ihubServerName=?????</div>
<div>provPmdSoapPort=8100</div>
<div>provSoapPort=8010</div>
<div>logDir=C:/tmp</div>
<div>logLevel=INFO</div>
<div>#reset=true</div>
<div>#systemPassword=</div>
<div> </div>
<div># Search Setting</div>
<div>searchCacheOnly=false</div>
<div> </div>
<div># Connection Settings</div>
<div>server=????</div>
<div>port=389</div>
<div>queryAccount=cn=????</div>
<div>queryPassword=????</div>
<div>ssl=false</div>
<div>isActiveDirectory=false</div>
<div>isRecursive=true</div>
<div>timeout=300000</div>
<div>maxPoolSize=20</div>
<div>fetchLimit=500</div>
<div>preferredPoolSize=20</div>
<div>cacheTimeout=60</div>
<div>principalDNPrefix=uid=</div>
<div>principalDNSuffix=,ou=people,ou=BI,dc=????,dc=????</div>
<div> </div>
<div># Mapping</div>
<div># LDAP properties that should be matched to each of the following iHub values. </div>
<div># Some properties can be mapped to more than one value; separate multiple</div>
<div># values with commas</div>
<div>userBaseDN=ou=people,ou=BI,dc=????,dc=????</div>
<div>userLoginNameAttr=uid</div>
<div>userFullNameAttr=cn</div>
<div>userDescriptionAttr=</div>
<div>userObject=inetOrgPerson</div>
<div>userSearchFilter=</div>
<div>emailAttr=mail</div>
<div>groupBaseDN=ou=reg,ou=BI,dc=????,dc=????;ou=hosp,ou=BI,dc=????,dc=????</div>
<div>groupDescAttr=cn</div>
<div>groupObject=groupOfNames</div>
<div>groupSearchFilter=</div>
<div>memberListAttr=member</div>
<div>memberIDType=DN</div>
<div>homeFolderAttr=</div>
<div>homeFolderDefault=/home</div>
<div>userVolumeFilterAttr=</div>
<div>groupVolumeFilterAttr=</div>
<div>adminGroup=MyAdminGroup</div>
<div> </div>
<div>Seems fine to me. And now the groups are presented with the user, but when I remove/add a user from a group in LDAP (member) then that change is not reflected in IHub. Even with the searchCacheOnly = false setting. </div>
<div> </div>
<div>I use the ConfigureDirService.bat to apply the above settings to IHub. And when I run that utility again the changes are applied in IHub but I assume you do not have to run that utility after each set of changes?</div>
<div> </div>
<div>Jeroen</div>
jar
<p>Hello,</p>
<p> </p>
<p>I have partially solved my problem by setting the cacheTimeout to 1 (minute). </p>
<p>It seems that when adding or deleting a user as a member from a group in LDAP, the list of members for that group in IHub is immediately updated (with the setting searchCacheOnly=false). But the assigned userGroups you can see in the userProfile are not updated accordingly. </p>
<p> </p>
<p>Apparently this listing is only updated after the cacheTimeout value has passed (which defaults to 60 minutes). As I had the searchCacheOnly setting set to false I assumed all lists would be updated immediately. When setting it to one minute it was listed correctly after the 1 minute. </p>
<p> </p>
<p>I am not sure if this should be defined as a bug or that it works-as-designed, but if it does please add it to your internal tracking system. </p>
<p> </p>
<p>The real problem is that for users in a subfolder of the userBaseDN the groups in the userProfile are not updated. And as the ACL security uses the groups from the userProfile for grant/deny access to folders, files and content this is kind of a problem for me. </p>
<p> </p>
<p>We have a people tree (like ou=persons,dc=Actuate,dc=com) and have subfolders (120) in this tree and in those subfolders are the users.</p>
<p> </p>
<p>I set the settings: </p>
<p>principalDNPrefix=uid=</p>
<p>principalDNSuffix=,ou=persons,dc=Actuate,dc=com</p>
<p> </p>
<p>And this works for all users that are in the ou=persons,dc=Actuate,dc=com tree.</p>
<p>But when a user is in a submap, for example "ou=Org_A,ou=persons,dc=Actuate,dc=com", then this user is added correctly to the users in IHub and also to the group where they belong, but this group is not listed when looking at the userProfile. And the ACL security does use just that. </p>
<p> </p>
<p>As I am working with an already used LDAP server with 1000+ users that are located in subfolders in the people tree (about 120 of them), I am looking for a way to correct this. The LDAP administrator says it is very normal to have a subfolder structure in the people tree. </p>
<p> </p>
<p>Any ideas how to fix this ... :-)</p>
<p> </p>
<p>Jeroen</p>
<p> </p>
<p>UPDATE: Is there anybody that has this kind of configuration (subfolders in people tree in LDAP) working with IHub? Just so I know that what I want is possible. </p>
JFreeman
<p>I do not personally know of somebody actively using an LDAP configuration like that with the iHub. However, those types of LDAP details are not something I frequently get insight into.</p>
<p> </p>
<p>You mentioned before that your production environment is configured with the LDAP adapter using the System Console. Is this configured against an LDAP with the same structure as the one you are working with in test?</p>
<p> </p>
<p>If so, are the users/groups populating correctly or do you get the same behavior in prod?</p>
jar
<p>Hello,</p>
<p> </p>
<p>Yesterday we tested it with our production server (at the moment migration server) and the same problem. The tested configuration is a small subset of the production LDAP server but the structure is the same. </p>
actuser9
<p>Hello Jeroen,</p>
<p> </p>
<p>Were you able to get this issue resolved? I am having the same issue in my environment where I can see the users and the user groups but the user groups are not being assigned to the individual users, though the users are being seen as part of the user groups.</p>
<p> </p>
<p>Major issue is that I am not able to get the folder privileges applied based on the user groups. Any help is appreciated.</p>
<p> </p>
<p>Thank you!</p>
jar
<p>Hello actuser9,</p>
<p> </p>
<p>We got confirmation that it is a known issue with an unknown solution date.</p>
<p>We ended up removing the sub-folder structure in our LDAP User Base DN and have the original sub-folder name added as an attribute for each user. You can use ldif to do that. This worked OK for us.</p>
<p> </p>
<p>If this is not an option for you and the number of sub-folders is limited I guess it is working when you add multiple DNs to the User Base DN config but I have not tested that.</p>
<p> </p>
<p>Good luck ...</p>
<p> </p>
<p>Jeroen</p>
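<p>The workaround described in the post above (move users out of the sub-folders and keep the old folder name as an attribute), as an added example that is not part of the original post or of iHub: a Python script that turns user DNs into LDIF change records. The sample DNs are constructed, storing the old folder name in the <code>ou</code> attribute is an assumption, and users whose uid would collide after the move are reported instead of moved.</p>

```python
# Added example: plan the flattening of sub-OU users into the user base DN.
# Sample DNs are constructed; keeping the old OU name in "ou" is an assumption.
from collections import Counter

USER_BASE_DN = "ou=persons,dc=Actuate,dc=com"  # base DN quoted in the thread
SAMPLE_USER_DNS = [  # constructed sample data
    "uid=alice,ou=persons,dc=Actuate,dc=com",
    "uid=bob,ou=Org_A,ou=persons,dc=Actuate,dc=com",
    "uid=carol,ou=Org_B,ou=persons,dc=Actuate,dc=com",
    "uid=bob,ou=Org_B,ou=persons,dc=Actuate,dc=com",
]

def split_user_dn(dn, base_dn=USER_BASE_DN):
    """Return (rdn, sub_ou); sub_ou is None for a direct child of base_dn."""
    suffix = "," + base_dn
    if not dn.lower().endswith(suffix.lower()):
        raise ValueError(f"{dn} is not under {base_dn}")
    parts = dn[: -len(suffix)].split(",")  # assumes no escaped commas in RDNs
    rdn, containers = parts[0], parts[1:]
    if not containers:
        return rdn, None
    if len(containers) != 1 or not containers[0].lower().startswith("ou="):
        raise ValueError(f"unexpected nesting in {dn}")
    return rdn, containers[0][3:]

def plan_flatten(dns, base_dn=USER_BASE_DN):
    """Return (ldif_text, collisions); colliding entries are skipped, not moved."""
    parsed = [(dn, *split_user_dn(dn, base_dn)) for dn in dns]
    counts = Counter(rdn.lower() for _, rdn, _ in parsed)
    records, collisions = [], []
    for dn, rdn, sub_ou in parsed:
        if sub_ou is None:
            continue  # already directly under the base DN
        if counts[rdn.lower()] > 1:
            collisions.append(dn)  # same uid would exist twice after the move
            continue
        records.append(  # move the entry up, keeping its RDN
            f"dn: {dn}\nchangetype: modrdn\nnewrdn: {rdn}\n"
            f"deleteoldrdn: 0\nnewsuperior: {base_dn}\n"
        )
        records.append(  # record the former sub-folder on the moved entry
            f"dn: {rdn},{base_dn}\nchangetype: modify\nadd: ou\nou: {sub_ou}\n-\n"
        )
    return "\n".join(records), collisions

if __name__ == "__main__":
    ldif, skipped = plan_flatten(SAMPLE_USER_DNS)
    print(ldif)
    print("# skipped (uid collision):", skipped)
```

<p>With memberIDType=DN the group <code>member</code> values hold full user DNs, so they need the new DNs as well unless the directory server updates them on rename.</p>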
actuser9
<p>Thanks again, Jeroen!</p>
<p> </p>
<p>Before I saw the other post, I have responded here, but adding the URL here as they seem to be related and the details will be helpful for others having the same issue. </p>
<p> </p>
<p><a data-ipb='nomediaparse' href='http://developer.actuate.com/community/forum/index.php?/topic/38843-windows-ad-user-management-settings/'>http://developer.actuate.com/community/forum/index.php?/topic/38843-windows-ad-user-management-settings/</a></p>