LDAP Authentication

Matt · August 8, 2012, 3:58pm

I just got Percussion installed and running. How do I set it up to where it is using LDAP authentication for login? Can I tell it which people are “admins”?

Nathaniel · August 8, 2012, 4:14pm

Matt,

Take a look at this help document for instructions on how to import users from LDAP:
https://help.percussion.com/percussion-cm1/governance/users/configuring-ldap/index

Once you have this configured, through the CM1 user interface go to Admin > Workflow, hit the Users tab, and from there you can press the “Import Users” button (the “+” icon with the silhouette of threes heads). Once your LDAP users have been imported, through that same menu you can assign your new users with specific roles (such as Admin, etc.).

Let me know if you need any further assistance.

Nathaniel

Matt · August 8, 2012, 6:29pm

Okay, I have worked with my IT department and still cannot get the import icon to activate. I’m not quite sure what we are doing wrong. I deleted the Sun setup and just left the Microsoft AD information in the ldap…xml document.

Nathaniel · August 8, 2012, 6:54pm

Matt,

After making any changes to the LDAP XML file you will need to restart the Percussion service in order for the changes to take effect. Can you confirm that you have done this? Also note that you don’t need to delete the Sun entry as it is commented out by default, which is also the case for the Active Directory entry. Can you quickly confirm that the comment tags around the Active Directory entry in the XML file have been properly removed?

If everything above has been covered, could you please copy the entire contents of your ldapserver.xml over here (minus your password) for me to review? Note that you will have to wrap your XML content in Code tags for it to display properly on here, like this: .

Thanks,
Nathaniel

Matt · August 8, 2012, 6:58pm

 <?xml version="1.0" encoding="UTF-8"?>   
 <ldapconfig> <br>
<!-- Example configuration for Active Directory. --> <br>
<ldapserver> <br>
 <host>10.0.8.67</host> <br>
 <port>389</port> <br>
 <user>CN=webadquery,OU=Webmaster,OU=Public Information and Marketing,OU=University Advancement and Public Affairs,DC=admin,DC=msu</user> <br>
 <password> ********* </password> <br>
 <catalog>deep</catalog> <br>
 <objectattributename>samaccountname</objectattributename> <br>
 <emailattributename>emailaddress</emailattributename> <br>
 <organizationalunit>DC=admin,DC=msu</organizationalunit> <br>
</ldapserver> <br> </ldapconfig>

Matt · August 8, 2012, 7:01pm

I also forgot to put that I did restart the service after modifying the xml document. I do not have any comments around any code except at the top where it is stating that it is an example.

Matt · August 8, 2012, 7:14pm

I just got an error message from PercussionCM.exe.

Error [PSUserService] Failed to connect to Directory Server: An unknown naming expcepion was cought. The error message was: [LDAP: error code 49 - 80090308: Ldaperror: DSID-0C0903A9, comment: AcceptSecurityContent error, data 52e, v1db1]

Matt · August 8, 2012, 7:44pm

I also wanted to let you know that our users are not located in a central container under admin.msu. Each department has it’s own container where it’s employees credentials reside.

Nathaniel · August 8, 2012, 8:19pm

Matt,

As to you last question, as long as the user “webadquery” authenticates above the containers where the other users are located in the active directory structure, you will be able to catalog and find those users without any problem.

You have an open ticket for this issue through our support portal. I’m going to send you a message through that ticket with our next troubleshooting steps.

Nathaniel

Nathaniel · August 9, 2012, 11:49pm

We were able to isolate the issue and find a resolution. The first error message posted above indicated invalid credentials (as outlined here: https://confluence.atlassian.com/disp… ), so we went through and verified that everything in the LDAP XML file matched the credentials in a working connection through an LDAP browser.

Once we did that, we encountered a new “Unprocessed Continuation Reference” LDAP error in the server log. This is an error which can come up when you configure the LDAP XML file to point to the root of a directory as Matt did in his XML file above. What can happen when you do this is CM1 attempts to draw user data from directory trees which house information types other than strictly user information, causing CM1 to throw that “Unprocessed Continuation Reference” error.

To fix this we had Matt change the organizational unit node in the XML file to be more specific, like this: <organizationalunit>OU=University Advancement and Public Affairs,DC=admin,DC=msu</organizationalunit> Once we tested that this worked, we instructed Matt to use multiple organizational unit nodes (pointing to specific organizational units, like in the example above) in his XML file, and used them to tell CM1 to draw user information from only the specific organizational units on his Active Directory which house user information.

Here’s an example of such an LDAP XML file with multiple organizational unit nodes:

<ldapserver> <host>e2srv</host> <port>390</port> <user>cn=Directory Manager</user> <password></password> <catalog>deep</catalog> <objectattributename>cn</objectattributename> <emailattributename>emailaddress</emailattributename> <organizationalunit>ou=MA_Users,ou=Users,dc=percussion,dc=com</organizationalunit><organizationalunit>ou=UK_Users,ou=Users,dc=percussion,dc=com</organizationalunit></ldapserver>