I'm trying to set up an LDAP connection to our Active Directory, and I keep getting a "Unable to connect" message. This is not particularly useful as it doesn't tell me what the problem is, only that it has one. Is it possible to get more information on why this is falling down somehow? I know the LDAP package is operating correctly, as Avi set one up for us previously and it's still connected.
I've spoken to my Systems Administrator and ensured that the hostname for the LDAP server is correct (it's a global catalogue server), and the base and bind DNs are correct.
I'm unsure as to why it's falling down and the error message gives me nothing…
edit - Does it matter if the DCs are in native or mixed mode?
Cheers,
K.
I have no idea what native and mixed mode is, but I can tell you that the "Unable To Connect" error is all you will get without hacking the code (if that does result in a better message anyway).
I would suggest trying to use another LDAP tool from the server Matrix is on and making sure that can connect. Otherwise, I can offer instructions on how to get at the error message through PHP.
Regarding native and mixed mode, I was just referring to the domain controller I'm trying to connect to - The previous LDAP bridges were created to link to servers that ran in Windows mixed mode, the new domain controller I'm trying to connect to runs in Windows native mode. Thought that might be an issue as to why it won't connect…
I can't access the Matrix server box directly at the moment, as it's not located here with me. I'll get one of my Sydney team members to get on the box and test out the LDAP connection from there. If we have no luck, I'll get back in contact for the error message instructions. But I know it does connect to our AD, just not the new domain controller.
I did notice something else this morning however - Because I had a faulty LDAP bridge set up, logging into the admin interface was failing for everybody this morning, even though the accounts we are using are set up as System Administrator accounts. Why does a failing LDAP bridge cause login issues for these accounts? If I didn't have a window to the admin interface already open in my laptop, it seems we all would have been locked out, and not able to remove the offending bridge. That's not a good scenario to be in.
With regard to this, why would a bridge with problems, 3rd down the list after 2 other bridges that work correctly, cause this kind of issue?
While I'm on the LDAP subject anyway, is there a way to get more attributes to display in the LDAP User Setup asset? For example I'd like things like phonenumber and office etc to be available, but I can't see how. I found the LDAP Package documentation was a little light on for information. Is there another document resource I can reference for LDAP concerns?
Thanks,
K.
If an LDAP bridge is failing and killing PHP, then the auth process will continue to fail. If it just can't connect and continues on, the other auth systems will be tried.
As a general rule, I'd reorder your authentication systems so that the default one is on top. Then any Matrix users will get logged in without trying to connect to LDAP. The only time you wouldn't want this is if you have usernames in Matrix that are the same as usernames in your LDAP directories and you want the LDAP users logged in instead of the Matrix ones.
As for the user attributes, the only ones you can display are those that Matrix can auto-discover. All Matrix does is check the user you are binding as and supply a list of that user's attributes. So if you want to add phonenumber, you'd have to ensure the user you bind as has that attribute. There is currently no way to add attributes manually.
Avi came in to give me some advice on my LDAP bridge, and it turned out that I was using a binding account that was not in the same domain as the one I was trying to connect to.
So for everyone's information, the binding account MUST be in the domain that you are trying to connect to, otherwise you will not be able to retrieve any information from AD.
On another note, now that I have the bridge working, how can I access the details of a user account? For example, I may want to put the logged in users' dn into a variable, or print it to the screen. How would I go about this?
[quote]On another note, now that I have the bridge working, how can I access the details of a user account? For example, I may want to put the logged in users’ dn into a variable, or print it to the screen. How would I go about this?
[/quote]
On the LDAP Attributes screen of the Bridge, you can configure which attributes are made visible for a user account. Then, the attributes set as visible will be displayed on the details screen of the LDAP User.
Also, I’ve updated the LDAP documentation to include words to make it clear that the Base DN must include the full AD domain and that the Bind DN user must exist somewhere underneath the Base DN. Hopefully this will make it easier for future LDAP users to setup their own bridge.
Another important point is that if you have a multiple-domain AD (i.e. a Forest with multiple domains), you will need an LDAP bridge for each domain. In v3.6, you would need to configure permissions for each bridge, while in v3.8, you will be able to combine multiple LDAP groups into a single Matrix group to make applying permissions easier.
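A small diagnostic script, added here as an example and not part of Squiz Matrix or its LDAP package. It does what the reply above offers (surfacing the real LDAP error through PHP instead of "Unable to connect") and first checks the rule from the updated documentation, that the Bind DN must sit underneath the Base DN. The host, port, Base DN, service account name and attribute list are placeholders to replace with your own; the "data" code meanings are standard Active Directory simple-bind results, not anything taken from this thread.

```php
<?php
// Added diagnostic script (example only; not Squiz Matrix code).
// Binds with the same settings you gave the LDAP bridge and prints what the
// directory actually answered. Every host, DN and credential is a placeholder.

$uri    = 'ldap://gc.example.local:3268';       // assumption: global catalogue on port 3268
$baseDn = 'DC=example,DC=local';                // the full AD domain
$bindDn = 'CN=svc-matrix,OU=Service Accounts,DC=example,DC=local'; // must sit under $baseDn
$bindPw = getenv('LDAP_BIND_PW') ?: '';         // take the password from the environment

// Normalise a DN enough for a suffix comparison: trim, collapse spaces around
// commas, lower-case. A sanity check, not a full RFC 4514 parse.
function normaliseDn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// True when $dn is strictly underneath $base (the rule that bit the original poster).
function dnUnderBase(string $dn, string $base): bool
{
    $dn   = normaliseDn($dn);
    $base = normaliseDn($base);
    return $dn !== $base && substr($dn, -(strlen($base) + 1)) === ',' . $base;
}

// AD reports the real reason for a failed simple bind as "data NNN" inside the
// diagnostic message; the LDAP result code itself is always 49 "Invalid credentials".
const AD_BIND_DATA_CODES = [
    '525' => 'user not found',
    '52e' => 'wrong password',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

function explainAdDiagnostic(string $diag): string
{
    if (preg_match('/\bdata ([0-9a-f]+)\b/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return AD_BIND_DATA_CODES[$code] ?? "unknown AD data code $code";
    }
    return 'no AD data code in diagnostic message';
}

// ldap_get_entries() mixes a 'count' key with numeric indices; pull out the values only.
function attrValues(array $attr): array
{
    $out = [];
    for ($i = 0; $i < ($attr['count'] ?? 0); $i++) {
        $out[] = $attr[$i];
    }
    return $out;
}

if (!dnUnderBase($bindDn, $baseDn)) {
    fwrite(STDERR, "Bind DN is not underneath the Base DN; the bridge cannot read the binding user's attributes.\n");
    exit(1);
}

$ds = ldap_connect($uri);                             // parses the URI only; no socket yet
if ($ds === false) {
    fwrite(STDERR, "Malformed LDAP URI: $uri\n");
    exit(1);
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD rejects LDAPv2 binds
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // do not chase AD referrals
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);    // fail fast on a wrong host or port

if (@ldap_bind($ds, $bindDn, $bindPw)) {
    echo "Bind OK as $bindDn\n";
    // Read the bound user's own entry: this is how Matrix discovers which attributes
    // it can offer, so anything absent here will be absent in the bridge as well.
    $filter  = '(distinguishedName=' . ldap_escape($bindDn, '', LDAP_ESCAPE_FILTER) . ')';
    $sr      = @ldap_search($ds, $baseDn, $filter, ['sAMAccountName', 'mail', 'telephoneNumber', 'memberOf']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    if ($entries['count'] === 0) {
        echo "Bound, but could not find own entry under $baseDn: check the Base DN covers the bind user.\n";
    } else {
        // Note: memberOf never lists the user's primary group (normally Domain Users).
        foreach (['samaccountname', 'mail', 'telephonenumber', 'memberof'] as $attr) {
            $vals = attrValues($entries[0][$attr] ?? []);
            echo str_pad($attr, 16) . ($vals ? implode('; ', $vals) : '(absent)') . "\n";
        }
    }
} else {
    $diag = '';
    $opt  = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : 0x0032;
    ldap_get_option($ds, $opt, $diag);
    printf("Bind failed: [%d] %s\n", ldap_errno($ds), ldap_error($ds));
    printf("Server said: %s\n", $diag === '' ? '(no diagnostic message)' : $diag);
    printf("Meaning: %s\n", explainAdDiagnostic($diag));
}
ldap_unbind($ds);
```

Run it from the box Matrix is installed on, as the reply above suggests, so that a firewall or DNS problem between that host and the new domain controller shows up as a timeout rather than being hidden behind the bridge's generic message. A bind that succeeds here but returns no entry points at the Base DN; a bind that fails with a "data" code points at the account itself.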
Thanks Avi - I've got that configured, and can see the details. However, I was referring to being able to 'read' them from a bodycopy or something. For example, having their sAMAccountName, email address, dn etc displayed for the logged in user.
Essentially, I'm planning on using a show_if design area to show certain details depending on what their dn is (a back door way of separating content depending on which AD bridge the user authenticated through...), and I need to know how to access this user information
[quote]Essentially, I’m planning on using a show_if design area to show certain details depending on what their dn is (a back door way of separating content depending on which AD bridge the user authenticated through…), and I need to know how to access this user information
[/quote]
This is not possible with Matrix at the moment: LDAP attributes are not available to the show_if design area (as far as I know). However, you could probably do something similar using permissions, by applying permissions to an “All Users” group from each bridge to specific assets. Thus, if a user is authenticated from Bridge A and are a member of “Bridge A All Users” then they’ll see the content that only has read access for the “Bridge A All Users” group.
Hope that makes sense.
This seems like a workable solution, but from what you mentioned previously, I thought you couldn't add LDAP users to a user group in 3.6... Or am I misunderstanding you?
[quote]This seems like a workable solution, but from what you mentioned previously, I thought you couldn’t add LDAP users to a user group in 3.6… Or am I misunderstanding you?
[/quote]
Perhaps: I mean that you need to create the “All Users” group in Active Directory itself (or even use the Domain Users group that already exists).
[quote]Perhaps: I mean that you need to create the “All Users” group in Active Directory itself (or even use the Domain Users group that already exists).
[/quote]
Ahhhh, I see. I was on the wrong track. I’ll talk to my AD Administrator here and work on that. Cheers!
I'm trying to use the Domain Users group, as all of our AD accounts should be a member of that group. The problem now is that when I look at a users account in our Active Directory they are a member of the Domain Users group, but when I view that same account under the LDAP bridge, they are not a member of that group. It seems to list all other group memberships, but not the Domain Users membership.
Anyone know why this may be happening?
[quote]Anyone know why this may be happening?
[/quote]
Yes – the Domain Users group is a special case group in AD (the “Default” group) and doesn’t appear as a group via LDAP. Complain to Microsoft, because I don’t know of a way around this (other than to create another group for All Users).
I've created an AllStaff group in AD and have added a couple of accounts to it for testing purposes. The group and the accounts show up fine in the LDAP bridge. But I'm not sure where to go from here... I can't add permissions to the LDAP group, so I tried creating a Matrix User Group, and cloning the LDAP group under it, but it won't let me. I keep getting an error:
Error While Refreshing Assets
Error While Requesting:error while getting response:[ASSET EXCEPTION][string]"1754%3ACN%3DAllStaff%2C*edited for security*" is not a valid asset ID (LINE 790 IN [SYSTEM_ROOT]/core/include/asset_manager.inc) [SYS0270]
File: [SYSTEM_ROOT]/core/include/assertions.inc
Line: 504
The line I edited above contains the DN of the object.
So, am I going about this completely the wrong way, or is there another problem here?
[quote]So, am I going about this completely the wrong way, or is there another problem here?
[/quote]
You’re going about it completely the wrong way. 
You assign permissions to the assets, not the users/groups. So, navigate to the Permissions screen of your Site asset (for example). Lock that screen and then you can apply Read, Write or Admin Permission to a particular user or group. On this screen, you are able to select an LDAP group to assign permissions to. So, to give your LDAP users Write access to your entire site, you’d click the “Change” button and target the LDAP Group you want to assign the permission to.
Make sense?
(Remember, you can’t link LDAP groups with real Matrix assets in v3.6. You are able to do a limited version of this in v3.8).
When you put it that way, it makes perfect sense!! 
Thanks for that!!
Yay! My work here is done. 