Cyn.in Active Directory Integration

greg — Mon, 15 Apr 2013 16:13:21 +0000

Hello,

Following this tutorial, im still facing some trouble with user's email address import from the AD. Basically, cyn.in imports the CN and groups but no email address :(
It's a bit strange cause under Zope, when i search for an user info, i do have his email address, displayName...etc
I put everything i could under /cynin/portal_metadata/properties (CN,mail...etc)
What could be wrong?

Cyn.in Active Directory Integration

Dhiraj Gupta — Mon, 15 Apr 2013 16:13:18 +0000

Get to ZMI Screen for your site.

Login with admin user (password: Whatever you changed it to, from the default of "secret") at http://<siteURL OR IP address>:8080/manage to get ZMI screen

Open up your site (cynin link) and click portal_quickinstaller

Install LDAP Support

Check the product shown and hit the Install button

Go to /cynin/acl_users and add ACL plugin

For Microsoft Active Directory, this must be : Plone Active Directory plugin, for other services, Plone LDAP plugin would be first choice

Fill in the details for the AD connection...

This is the crucial step, and must be done right, because without successful connection, the plugin will not install and all you'll get is an Error screen. If you do get an error screen, hit Back in your browser, and change what is needed to fix, and try again.

More details follow in further screenshots.

Get details from your AD

For doing this with MSAD specifically, I recommend the SysInternals tool, AD Explorer. You need to use a tool only to determine the values of your DNs for the AD hookup. If you're well versed with your configuration, then just follow along and fill in appropriate values.

So install AD Explorer, open it up, connect to your Active Directory, and go to the DC, navigate to the place where you're storing User data. This is typically (at least in the out-of-box setup), going to be the one highlighted in the screenshot.

Pick up the base DN and paste

The default AD setup has users and groups in the same DN, Users, so do a right-click on the Folder, and copy the value of Distinguished Name, and paste it into both, the Users Base DN and the Groups Base DN fields. Adjust as required for your own setup, if different.

Pick up the DN of the Administrator user and paste

The Plone AD plugin will use this user to connect to your AD, so if you're not particular about it, the Administrator user will do (right click->properties on the Admnistrator user), else substitute any user's DN as appropriate, just make sure at least Read access to the Base DN that you're selecting is available.

Paste the DN into... you guessed it, the Manager DN field. :)

Fill in the remaining fields

Fill in the password for the Admin user.
Fill in the hostname and port of the AD server in the LDAP Server:port field. The format of this must be either IPAddress:port (as shown), or hostname:port, as per your needs.
Check on Read Only unless you want users to be able to modify their AD profile through their Cyn.in profile.
Change the default user roles from Anonymous, Member to just Member
Fill in an ID and a Title. Whatever you want in this, it doesn't really matter, just as long as you remember it.

... And hit Save

Now depending on validation of the info you filled in, you'll either get the screen shown below, with your newly added item showing in the list, or you'll get an error, if the connection to your AD failed. Diagnose and adjust accordingly, if so by hitting back in your browser and changing what's necessary. Passing this step is crucial for the integration to work.

Turn on all the plugin's methods, hit Update

Click the Properties plugin and move it higher in priority

Select the AD plugin

and click the Up arrow to move it up.

Fix the incorrect Group ID Attribute in Properties Tab

Change from groupid_attr = ObjectGUID to...

... to groupid_attr = sAMAccountName and hit Save.

Yes, the case of the value is important, you have to type it exactly as shown.

Open the Contents tab

...and then open up the nested acl_users object.

Fix the User Object Classes

Change from pilotPerson, uidObject to...

..... to organizationalPerson, as shown. Again, CaSe is important.

Check the Groups tab

You should see all the groups in your AD showing up here, now. Verify that all looks ok, don't change anything.

Verify User lookup

Click the Users tab, fill in a known value and choose the appropriate field, and hit Search.

Verify the Search Results

Click a result and ensure correct Group assignment

The user should have appropriate Groups checked as per "belongs to" relationship.

Login should now be working with AD :)

But you still have to do Schema mapping...

The fullname of the user, the email address is not being mapped to the user yet. You need to map this up properly so that things like notification emails, etc. work properly. Read on...

Go to LDAP Schema tab...

Add displayName as FullName

Add mail as email

Refer to /cynin/portal_metadata and map other fields

Navigate out to /cynin and then to portal_metadata object. Here, you'll see the fields that Cyn.in currently stores against all users.

Note: Some fields are not wired up yet, use this screen for reference only.

The idea is that you can map things like phone numbers, job titles (designation), etc., by matching these fields against the ones stored and in use, in your AD. To add a new mapping, see the name here, compare it with your AD field's name and add a new mapping in LDAP schema screen, as shown for displayName and mail. The rest of the fields are left up to you as per your requirements and usage.

If you don't map a field, it won't get filled automatically, but your users will be able to use it normally from their Cyn.in edit profile
If you do map a field, and your AD connection is set to Read Only, then users will not be able to edit it
If you do map a field, and you AD connection is not set to Read Only, then changes users will make, will make it back to your AD, if the username/password combination you put in the Manager DN field has write permssions

Clear Cache and revisit

If you, like me, wanted to login first to see if it works, then you get to visit the Caches tab to purge all caches, after you do the schema mapping.

Logins are cached as per the setting in the Caches tab, so that your AD is not looked up constantly. Tweak here only if necessary.

Once you map up the schema as per above, your People Directory will come pre-populated with the users from your AD, as shown. If you're setting up a complex Space structure, do note that you can

map groups from AD to local roles on the Sharing tab of a Space - and it should work fine.

So set your Cyn.in's up, let's see if you can get it to work properly. :)

Let us know if you have any ideas, suggestions about this or if you get stuck in a problem with the AD integration, just post up a new discussion with the details.

Abhinandan Sankolli — Mon, 24 Dec 2012 08:57:28 +0000

Our AD structure is defined as follows
domain.com
> Location1.OU
    > Computers
    > Users
> Location2.OU
    > Computers
    > Users
.....
> LocationN.OU
    > Computers
    > Users

I can not use the root dn as it has sensitive information. Is there a way to define multiple Location OUs to grab all users?

Jason Weber — Thu, 29 Nov 2012 06:43:31 +0000

Is it possible at all to filter groups?
Our AD has all our security groups in one OU, but I only need a few of them for this and the rest just cause mess.

Jason Weber — Thu, 29 Nov 2012 06:43:27 +0000

Is it possible at all to filter groups?
Our AD has all our security groups in one OU, but I only need a few of them for this and the rest just cause mess.

Jason Weber — Thu, 29 Nov 2012 06:43:20 +0000

Is it possible at all to filter groups?
Our AD has all our security groups in one OU, but I only need a few of them for this and the rest just cause mess.

David Overton — Thu, 15 Nov 2012 21:55:55 +0000

tgelhardt, how did you fix the problem? I have having the same issue.

Tim Gelhardt — Thu, 04 Oct 2012 19:41:26 +0000

Fixed!

Tim Gelhardt — Tue, 02 Oct 2012 21:31:47 +0000

I followed each step to the point. I have reached the end of the guide and my "People Directory" is still blank. I'm able to log in using AD credentials. I have go back through step by step and everything appears to be set correctly. Please help!

amit gupta — Sat, 25 Aug 2012 07:57:10 +0000

Interesting post. I have been wondering about this issue,so thanks for posting.
<a href="http://exampost.net/[…]/a>"thanks"

Daniel Godoy — Thu, 05 Jul 2012 15:03:54 +0000

Hi there.
I am testin the product, but when I go to address:8080/manage asks for a passwd. I tried "siteadmin"/"secret" and tried to create a new user inside cynin to give "admin rights" to him.
None user can auth in this screen. What I have to do? Any sugestion?

Thanks for help.

Patrick Mischler — Thu, 12 Apr 2012 11:12:34 +0000

When I wan't to change something in LDAPUserFolder at /ipo/acl_users/corproot.net/acl_users I get this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Products.LDAPUserFolder.LDAPUserFolder, line 464, in manage_edit
  Module Products.LDAPUserFolder.LDAPDelegate, line 262, in connect
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece', 'desc': 'Invalid credentials'}

Need help!!!!!

Darren Handler — Tue, 17 Jan 2012 14:13:05 +0000

I am having an issue with my MS AD groups. After following the directions I am able to query and display the AD users, but get an error when trying to show the groups (I think I have too many?). In my AD, the groups and users are in the same container (CN=USERS,DN=CORP,DN=MyCompany,DN=NET)
Has anybody had a similar problem. Unfortunately, after messing around with it, I completed borked my install and couldn't even login anymore to get the error details to share, so I did a reinstall. Before I go and start mucking around again, I was looking to see if anybody had a similar experience and how they might have gotten past it. Maybe using the generic LDAP connection instead of the specific AD.

Thanks in advance.

Huy Bonds — Fri, 21 Oct 2011 19:55:21 +0000

Does anyone know why a user fat finger their password only once and his/her account would be locked out on the first failed attempt when we integrate Cyn.in with AD? Is there a setting to avoid this? Our AD is setup to lock out the account after 3 failed attempts.

Peter Carr — Thu, 29 Sep 2011 09:33:51 +0000

Great write up of the AD install, the "Additional user search filter" field : (&(objectCategory=person)(objectClass=user)) filtered out all the unwanted computer accounts just leaving the users.