I've been setting up a new instance of DFM on Linux, and have started configuring up DFM.
I've finally figured out why it's not been working though - it's because the 'CN' for all our accounts contains a bracket.
CN=Full Name (unixID)
This leaves me in a bit of an irritating position. I can't change my account config across my active directory - at least not very easily.
Can I do 'LDAP auth' via the local system somehow? I can log in to my DFM box as me, and when I add my user... it recognises the account. But it doesn't seem to allow a password auth (not unless I set a local account, which is a route that'll mean having to wrangle with security).
Anyone else run into this problem or got a line of investigation?
(I have a ticket open, but this feels like the sort of thing that's irritatingly difficult to 'fix' on the fly).
What exactly do you mean by it recognizes the account but does not seem to allow password auth?
Can you run “dfm user add -r GlobalFullControl <ldap user>” (or whatever permissions make sense for this user)
If not, you should be able to configure /etc/nsswitch.conf to check whether a local account exists, looking locally before going out to LDAP. It sounds like you might have been going down that trail already.
--JMS
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Edward Rolison
Sent: Tuesday, April 14, 2015 6:56 AM
To: toasters@teaparty.net
Subject: DFM LDAP auth/Linux
I've been setting up a new instance of DFM on Linux, and have started configuring up DFM.
I've finally figured out why it's not been working though - it's because the 'CN' for all our accounts contains a bracket.
CN=Full Name (unixID)
This leaves me in a bit of an irritating position. I can't change my account config across my active directory - at least not very easily.
Can I do 'LDAP auth' via the local system somehow? I can log in to my DFM box as me, and when I add my user... it recognises the account. But it doesn't seem to allow a password auth (not unless I set a local account, which is a route that'll mean having to wrangle with security).
Anyone else run into this problem or got a line of investigation?
(I have a ticket open, but this feels like the sort of thing that's irritatingly difficult to 'fix' on the fly).
Sorry, should have been a little clearer - I tried switching off LDAP:
if I do 'dfm user add -r GlobalFullControl someuser' it reports 'does not exist, login disabled'. If I do so for _my_ user account on the Linux host (which is LDAP integrated) it doesn't complain.
However, DFM won't let me login as this user.
On 14 April 2015 at 13:25, Jordan Slingerland <Jordan.Slingerland@independenthealth.com> wrote:
What exactly do you mean by it recognizes the account but does not seem to allow password auth?
Can you run “dfm user add -r GlobalFullControl <ldap user>” (or whatever permissions make sense for this user)
If not, you should be able to configure /etc/nsswitch.conf to check whether a local account exists, looking locally before going out to LDAP. It sounds like you might have been going down that trail already.
--JMS
There’s probably a way to adjust the LDAP schema in DFM to do a lookup of an attribute other than CN, such as gecos, sAMAccountName or something similar.
I’d make that the focus of your efforts. That way, you don’t have to re-arrange architecture.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Edward Rolison
Sent: Tuesday, April 14, 2015 8:35 AM
To: Jordan Slingerland
Cc: toasters@teaparty.net
Subject: Re: DFM LDAP auth/Linux
Sorry, should have been a little clearer - I tried switching off LDAP: if I do 'dfm user add -r GlobalFullControl someuser' it reports 'does not exist, login disabled'. If I do so for _my_ user account on the Linux host (which is LDAP integrated) it doesn't complain.
However, DFM won't let me login as this user.
I think my problem is looking up the 'member' field in my groups. That seems to be populated with CNs.
On 14 April 2015 at 15:24, Parisi, Justin <Justin.Parisi@netapp.com> wrote:
There’s probably a way to adjust the LDAP schema in DFM to do a lookup of an attribute other than CN, such as gecos, sAMAccountName or something similar.
I’d make that the focus of your efforts. That way, you don’t have to re-arrange architecture.
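An added example, not part of the original thread and not DFM's own code: it assumes (the thread does not confirm this) that the bracket in the CN breaks a search filter built from a group's 'member' values. Under RFC 4515 a literal ( or ) inside a filter value must be written as \28 or \29, while the same characters need no escaping inside a DN. The DN, names and function names below are constructed for illustration.

```python
import re

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Grammar of a simple equality filter whose value is correctly escaped.
_SIMPLE_FILTER = re.compile(
    r"\([A-Za-z][A-Za-z0-9-]*=(?:[^()*\\\x00]|\\[0-9A-Fa-f]{2})*\)"
)

def escape_filter_value(value):
    """Escape a raw attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def is_valid_equality_filter(ldap_filter):
    """True if the string is a well-formed (attr=value) filter per RFC 4515."""
    return _SIMPLE_FILTER.fullmatch(ldap_filter) is not None

def first_rdn_value(dn):
    """Return the unescaped value of the leftmost RDN of a DN (RFC 4514).

    Assumes backslash-character escapes such as '\\,' only; hex-pair
    escapes and multi-valued RDNs are not handled.
    """
    out, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1  # take the escaped character literally
        out.append(dn[i])
        i += 1
    return "".join(out)

def member_lookup_filter(member_dn, attr="cn"):
    """Build the filter that resolves one group 'member' DN back to a user."""
    return "(%s=%s)" % (attr, escape_filter_value(first_rdn_value(member_dn)))

# Constructed sample: a group 'member' value in the CN format from the thread.
MEMBER_DN = "CN=Full Name (unixID),OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    naive = "(cn=%s)" % first_rdn_value(MEMBER_DN)  # CN pasted in unescaped
    print(naive, is_valid_equality_filter(naive))
    safe = member_lookup_filter(MEMBER_DN)
    print(safe, is_valid_equality_filter(safe))
```
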