Active Directory Auth not working, but query OK

Aaron Paxson

Active Directory Auth not working, but query OK

All, I'm integrating my Plone installation as our Worldwide Corporate Intranet.

I installed the Active Directory Multi plugin using the tutorial (http://plone.org/documentation/kb/authenticating-with-active-directory).  LDAP python support is working.

I configured Active Directory Multi plugin, and it queries the groups and users perfectly.  I can query against sAMAccountName or CN, or groups.

But, when authenticating, nothing happens (login failed).  I did a packet trace on my domain controller..... and nothing happens when I try to authenticate.  (but, what *IS* weird, is that I see packet data to the DC when I log in as the local plone admin.  I do not have an account named 'admin' in Active Directory).

I verified that my Active Directory plugin is at the top of the "Active Authentication" plugins list and the "authentication" plugin is active.

What am I doing wrong?  I've tried to enable DEBUG logging at the zope client level, but it doesn't show anything.  Just commits stuff.

Can anyone guide me to taking the next steps for troubleshooting?  I've tried so many different AD tutorials, but I just can't seem to get this to work.  It's an AD 2003 environment, but I don't think that matters.

I really appreciate it.  Thank you in advance!
--Aaron Paxson

integreatmedia

Re: Active Directory Auth not working, but query OK

Hi Aaron,

Sounds like you are 90% there. I think the problem might be with the format you are entering your usernames in order to authenticate.

Firstly, check what your 'Login Name Attribute' is set to in your Plone configuration, e.g. sAMAccountName, then do a search (query) for yourself or another user via the Users search and check what value appears next to the same field, e.g. sAMAccountName - this will be the format you need to enter your username in. You may find, for example, that you are used to entering your DomainName\UserName - but may need to just use UserName.

Regards,
David


From: "Aaron Paxson" <[hidden email]>
Sent: 04 July 2010 04:35
To: [hidden email]
Subject: [Enterprise Plone] Active Directory Auth not working, but query OK



All, I'm integrating my Plone installation as our Worldwide Corporate
Intranet.

I installed the Active Directory Multi plugin using the tutorial
(http://plone.org/documentation/kb/authenticating-with-active-directory).
LDAP python support is working.

I configured Active Directory Multi plugin, and it queries the groups and
users perfectly. I can query against sAMAccountName or CN, or groups.

But, when authenticating, nothing happens (login failed). I did a packet
trace on my domain controller..... and nothing happens when I try to
authenticate. (but, what *IS* weird, is that I see packet data to the DC
when I log in as the local plone admin. I do not have an account named
'admin' in Active Directory).

I verified that my Active Directory plugin is at the top of the "Active
Authentication" plugins list and the "authentication" plugin is active.

What am I doing wrong? I've tried to enable DEBUG logging at the zope
client level, but it doesn't show anything. Just commits stuff.

Can anyone guide me to taking the next steps for troubleshooting? I've tried
so many different AD tutorials, but I just can't seem to get this to work.
It's an AD 2003 environment, but I don't think that matters.

I really appreciate it. Thank you in advance!
--Aaron Paxson


--
View this message in context: http://plone.293351.n2.nabble.com/Active-Directory-Auth-not-working-but-query-OK-tp5252463p5252463.html
Sent from the Enterprise mailing list archive at Nabble.com.
_______________________________________________
Enterprise mailing list
[hidden email]
http://lists.plone.org/mailman/listinfo/enterprise
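
The username-format check suggested in the reply above, as an added example that is not part of the original thread and is not code from Plone or the Active Directory plugin. It reduces `DomainName\UserName` input to the value stored in the login attribute, builds an escaped search filter, and can repeat a search-then-bind login by hand with python-ldap; the search-then-bind sequence, the `objectClass=user` filter and all sample names are assumptions.

```python
# Added example (constructed); every name and sample value here is hypothetical.

LOGIN_ATTR = "sAMAccountName"  # assumed value of the 'Login Name Attribute' setting


def normalize_login(raw, attr=LOGIN_ATTR):
    """Return the value to compare against the directory's login attribute."""
    name = raw.strip()
    if attr == "userPrincipalName":
        return name                      # UPN logins are compared as typed
    if "\\" in name:                     # DomainName\UserName -> UserName
        name = name.split("\\", 1)[1]
    elif "@" in name:                    # UserName@domain -> UserName
        name = name.split("@", 1)[0]
    return name


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def user_filter(raw_login, attr=LOGIN_ATTR):
    """Build the search filter a login lookup would use for this input."""
    value = escape_filter_value(normalize_login(raw_login, attr))
    return "(&(objectClass=user)(%s=%s))" % (attr, value)


def try_login(uri, base_dn, svc_dn, svc_pw, raw_login, password, attr=LOGIN_ATTR):
    """Search as the service account, then bind as the user that was found."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513) and must never count as a successful login.
        return "rejected: empty password"
    import ldap                          # python-ldap, imported only when needed
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(svc_dn, svc_pw)   # the step that already works ("query OK")
    rows = conn.search_s(base_dn, ldap.SCOPE_SUBTREE,
                         user_filter(raw_login, attr), [attr])
    hits = [dn for dn, _attrs in rows if dn]   # drop referral rows (dn is None)
    if len(hits) != 1:
        return "no unique match (%d entries)" % len(hits)
    try:
        ldap.initialize(uri).simple_bind_s(hits[0], password)
    except ldap.INVALID_CREDENTIALS:
        return "bind failed for " + hits[0]
    return "ok: " + hits[0]


if __name__ == "__main__":
    print(user_filter("CORP\\apaxson"))  # constructed sample login
```

Running `try_login` from the Plone host while capturing on the domain controller shows whether the user bind reaches the DC at all when Plone is taken out of the picture.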

Aaron Paxson

Re: Active Directory Auth not working, but query OK

Thanks, David. That's the frustrating part. I can query on the sAMAccountName, but not authenticate using it. That attribute is set in my config. Then I try to login to plone, I get a login failed, but there isn't any data going from plone to my active directory. I did a packet trace, and there is *nothing* during the login.  It didn't even try to query AD.

Almost as if the PAS plugin is not getting triggered?  Any idea how to debug or troubleshoot?

I then thought it would only work for local users, since local admin gets queried to AD. So, I created a local account same as my AD account. But, alas, no query to AD for login.

Frustrating.  

Sent from my iPad

On Jul 5, 2010, at 1:54 AM, "integreatmedia [via Plone]" <[hidden email]> wrote:

Hi Aaron,

Sounds like you are 90% there. I think the problem might be with the format you are entering your usernames in order to authenticate.

Firstly, check what your 'Login Name Attribute' is set to in your Plone configuration, e.g. sAMAccountName, then do a search (query) for yourself or another user via the Users search and check what value appears next to the same field, e.g. sAMAccountName - this will be the format you need to enter your username in. You may find, for example, that you are used to entering your DomainName\UserName - but may need to just use UserName.

Regards,
David


integreatmedia

Re: Active Directory Auth not working, but query OK

In reply to this post by Aaron Paxson
Hmm, odd. Out of interest, what port are you connecting Plone to your AD server with?

I remember I had an issue with the default port (although can't remember now the specific issue), but found that port 389 can also be used as an alternative, and have used 389 ever since. Give this a go?

David



From: "A.J. Paxson" <[hidden email]>
Sent: 05 July 2010 15:51
To: "[hidden email]" <[hidden email]>
Subject: Re: [Enterprise Plone] Active Directory Auth not working, but query OK


Thanks, David. That's the frustrating part. I can query on the sAMAccountName, but not authenticate using it. That attribute is set in my config. Then I try to login to plone, I get a login failed, but there isn't any data going from plone to my active directory. I did a packet trace, and there is *nothing* during the login.  It didn't even try to query AD.

Almost as if the PAS plugin is not getting triggered?  Any idea how to debug or troubleshoot?

I then thought it would only work for local users, since local admin gets queried to AD. So, I created a local account same as my AD account. But, alas, no query to AD for login.

Frustrating.  

Sent from my iPad

Aaron Paxson

Re: Active Directory Auth not working, but query OK

Yes, it's 389 by default. Again, I can query manually fine. Even if it was wrong, I would see some kind of traffic on my packet capture. Plone just doesn't try.....

Sent from my iPad

On Jul 5, 2010, at 10:06 AM, "[hidden email]" <[hidden email]> wrote:

Hmm, odd. Out of interest, what port are you connecting Plone to your AD server with?

I remember I had an issue with the default port (although can't remember now the specific issue), but found that port 389 can also be used as an alternative, and have used 389 ever since. Give this a go?

David



Larry Pitcher

Re: Active Directory Auth not working, but query OK

On 7/5/2010 8:12 AM, A.J. Paxson wrote:

> Yes, it's 389 by default. Again, I can query manually fine. Even if it
> was wrong, I would see some kind of traffic on my packet capture. Plone
> just doesn't try.....
>
> Sent from my iPad

Aaron,

You may have seen it already, but I've written a small article about
Active Directory and Plone here:
http://www.catapultsolutions.net/resources/plone-cms-talks-w-ms-active-directory.html

It may have some tips that could help you. I found it was a necessity to
use the Apache Directory Studio tool to figure out the AD properties,
but it sounds like you may already have that figured out.

I don't know why Plone wouldn't be trying to authenticate against AD if
the auth plugin is enabled and at the top of the list...

You might just double-check that if you haven't already.

HTH,

--
Larry Pitcher
Catapult Solutions

Web:    www.catapultsolutions.net
Email:  [hidden email]
Skype:  larry.pitcher
Phone:  509.849.2660
Alexander Limi

Re: Active Directory Auth not working, but query OK

This post has NOT been accepted by the mailing list yet.
In reply to this post by Aaron Paxson
I know this is an older thread, but it seems to get a high pagerank, so I'd like to point out, if you're still using this as a reference, stop and use plone.app.ldap -- it's a simple installable add-on that obsoletes most of the above documentation. Just install it and specify your LDAP configuration in the Plone control panel.

Alexander Limi · http://limi.net

msmith64

Re: Active Directory Auth not working, but query OK

This post has NOT been accepted by the mailing list yet.
In reply to this post by Aaron Paxson
I know this is an older post, but it still seems to get high search engine rankings, so I thought I'd point out plone.app.ldap, which obsoletes all of the above. It's just install-and-go.