
LDAP Integration not working correctly


  1. MichaelWheeler
    Member

    I am trying to set up LDAP authentication with MachForm 4.3.

    We are using ActiveDirectory and LDAPS on port 636.

    Our user structure in AD is similar to:
    OU=Employees,OU=Organization Users,DC=example,DC=com
    OU=Interns,OU=Organization Users,DC=example,DC=com

    So for example a user's distinguished name could be either:
    CN=user1,OU=Employees,OU=Organization Users,DC=example,DC=com
    CN=user2,OU=Interns,OU=Organization Users,DC=example,DC=com

    We have two Groups set up for MachForm users and require that MachForm users be a member of one of them:
    MachForm Admins
    MachForm non-Admins

    The distinguished names of those groups are:
    CN=MachForm Admins,OU=Org Groups,DC=example,DC=com
    CN=MachForm non-Admins,OU=Org Groups,DC=example,DC=com

    In MachForm our LDAP settings are:
    LDAP Server: Active Directory
    LDAP Hostname: ad.example.com
    LDAP Port: 636
    Encryption Method: SSL (ldaps://)
    Base DN: OU=Organization Users,DC=example,DC=com
    Account Suffix:
    Required Groups: MachForm Admins,MachForm non-Admins

    When I try to login as user2@interns.example.com who is a member of "MachForm non-Admins" I get the error:
    Incorrect login credentials! (LDAP)
    Which I expect because the user principal name is user2@example.com even though the email address is user2@interns.example.com.

    When I try to login with the correct name of user2@example.com I get the error:
    You're not in an authorized group! (LDAP)

    However, if I remove everything from the "Required Groups" setting in MachForm I can login.

    So it seems MachForm is not doing something correctly, or else I don't understand the format in which MachForm wants the groups to be specified.

    Yuniar can you help?

    Thanks,

    -Mike

    Also:

    This may not be related to the above problem, but it seems MachForm is also making the common mistake of thinking that email address and user principal name are the same thing. They are not, even though in many organizations they are set to the same value. Ours is different for some of our users but not all of them. For example it's different for interns but not employees.

    For example email addresses are like either:
    user1@example.com
    user2@interns.example.com
    but their user principal names are:
    user1@example.com
    user2@example.com

    MachForm shouldn't make the assumption that they must be the same.

    Posted 8 years ago #
  2. williamansley
    Member

    @MichaelWheeler: I have been told by Yuniar that Machform 4.4 will have more flexible handling of LDAP authentication; these changes may solve your problems. I don't know when 4.4 will be coming out, but I hope it will be soon.

    Posted 8 years ago #
  3. mhannen
    Member

    It would be great if MachForms could use the sAMAccountName instead of the email address. I would also like to specify a specific security group.

    Posted 8 years ago #
  4. yuniar

    @MichaelWheeler -- make sure to fill the "Account Suffix" setting. It should be "@example.com"


    MachForm Founder

    Posted 8 years ago #
  5. MichaelWheeler
    Member

    The behavior still seems broken. The prompt says "Username or Email Address" but the email address won't always work since it can be different than the user principal name. Also, before adding the suffix to the setting I specified the suffix in the username box, and while it let me login it didn't fill out the "Name" portion of the email account. However, when I added the suffix to the setting it works as long as I specify just the username but not the email address. If I specify user2@interns.example.com it changes it to user2@interns.example.com@example.com. Why are you asking for the suffix in the settings? Our other LDAP applications don't ask for that but allow us to specify multiple locations in which to check/search for users. For example:

    If the password check fails for:
    CN=username,OU=Employees,OU=Organization Users,DC=example,DC=com
    Then try the next location:
    CN=username,OU=Interns,OU=Organization Users,DC=example,DC=com

    Also when LDAP is enabled there is no way to delete a user from MachForm. We would like to be able to delete their account in MachForm without deleting their account from our entire organization. A user may no longer need access to MachForm but there is no need in leaving their account in the MachForm DB.

    Posted 8 years ago #
  6. williamansley
    Member

    @MichaelWheeler: The fact that you can no longer suspend Machform accounts when LDAP is chosen as the authentication method is definitely a bug. I would think that delete should also be an option, but suspend definitely should be. I will report this to Appnitro.

    Posted 8 years ago #
  7. jesilz
    Member

    I just got ldap authentication working for our 4.3 upgrade. Authentication works, but it's not yet usable for us in production. Our email addresses in AD (and what we used for local machform accounts) are not what is in userPrincipalName. I also couldn't login with a local email address because it kept adding the "Account Suffix" setting value to the end of the email address on the sign in form.

    Posted 8 years ago #
  8. yuniar

    Ok, so when you are using AD, the one being used for authentication is the "User logon name" (which consists of a username part and the domain name, similar to an email address format), but this is not the email address.

    I attached the screenshot to clarify:

    So, in the example above, you'll need to use "sales@machform.com" to login or just use "sales" if you already specified the Account Suffix within your settings.

    If you look into the attributes of the user, you'll see that the login is associated with the "userPrincipalName" attribute.

    @MichaelWheeler: Once you've specified the Account Suffix, you can login using the username only or use the principal name, such as "user2@example.com". Using "user2@intern.example.com" won't work, as this is not the principal name.


    MachForm Founder

    Posted 8 years ago #
  9. yuniar

    Regarding the functionality to edit users (suspend, delete, etc.): it is indeed disabled when you have LDAP turned on. This is by design,
    since the main idea of LDAP is to let you manage users from a centralized place, which is your LDAP server.

    However, many don't seem to be working strictly like that, and we'll be adjusting this a bit for the next update. It will work like this:
    - When you have LDAP turned ON and the option "Use LDAP Exclusively" is OFF, you'll be able to suspend/delete users from MachForm as normal.
    - When you have LDAP turned ON and the option "Use LDAP Exclusively" is ON, you won't be able to suspend/delete users from MachForm.

    If, for some reason, you have "Use LDAP Exclusively" turned ON and need to delete users from the MachForm panel (which is not necessarily needed, since the user won't be able to login already), you can temporarily turn off LDAP and delete the user.


    MachForm Founder

    Posted 8 years ago #
  10. MichaelWheeler
    Member

    I don't like that design decision as it's not just about them not being able to login but having a huge list of users that are no longer active to wade through in MachForm. If I turn off LDAP temporarily as you suggest to delete a user then no users will be able to login while I'm doing that, correct? We have around 30,000 accounts in LDAP and the turn-over in MachForm users will cause the user DB to just keep growing. It seems to me there should always be an option to delete a user from the MachForm DB instead of just letting it bloat.

    Also, your screenshots and explanation of using the principal name are appreciated, but it is going to confuse our users because the login prompt instructs them to use their email address and, as you said, that won't work. Users have no concept of a user principal name. Many of them don't even understand that there is a difference between a username and their email address.

    Could the software be modified so that it doesn't need the suffix setting? Changing it from the user principal name to the sAMAccountName should fix that, provided we could specify in the settings a list of multiple locations in LDAP for it to try when attempting to authenticate the account, as I said earlier:

    If the password check fails for:
    CN=username,OU=Employees,OU=Organization Users,DC=example,DC=com
    Then try the next location:
    CN=username,OU=Interns,OU=Organization Users,DC=example,DC=com

    Posted 8 years ago #
  11. yuniar

    Thanks for the insight. Let me take a look further into our code and see what I can do to make it even more flexible. It seems there are many variations between organizations in regard to LDAP usage.

    If you have more suggestions or feedback, please let me know.
    Others using LDAP who have some requirements to work with MachForm, please feel free to post them here as well. We'll need it to improve the code.


    MachForm Founder

    Posted 8 years ago #
  12. nicholasdring
    Member

    Hi, in our organisation we use LDAP and it's not working with MachForm. The reason, we think, is because to use the LDAP we need to have a user to authenticate with. I don't see any fields for adding a user and password to do this.

    Posted 8 years ago #
  14. williamansley
    Member

    @nicholasdring: Things may be different for your LDAP setup, and I am not sure I completely understand the problem you are describing, but perhaps my experience may help you. At my institution, I do not see any of our LDAP users in the list of Machform users in the Users Manager screen in the Machform web interface until after they log in to Machform once. (The default settings for Machform allow new users to create forms. I have changed this so that new users cannot create new forms and have no rights to any form. Once they have logged on, I see them in the User Manager and can assign them the rights they need.)

    If this isn't helpful, perhaps you could supply more details about your organization's LDAP setup and your Machform LDAP configuration.

    Posted 8 years ago #