Wiki Page

Cyn.in Active Directory Integration

Get to ZMI Screen for your site. 

Log in as the admin user (password: whatever you changed it to from the default of "secret") at http://<siteURL OR IP address>:8080/manage to reach the ZMI screen.

msadldapsetup001

Open your site (the cynin link) and click portal_quickinstaller.

msadldapsetup002

Install LDAP Support

Check the product shown and hit the Install button

msadldapsetup003

Go to /cynin/acl_users and add ACL plugin

For Microsoft Active Directory this must be the Plone Active Directory plugin; for other directory services, the Plone LDAP plugin would be the first choice.

msadldapsetup004

Fill in the details for the AD connection...

This is the crucial step and must be done right: without a successful connection the plugin will not install, and all you'll get is an error screen. If you do get an error screen, hit Back in your browser, change whatever needs fixing, and try again.

More details follow in further screenshots.

msadldapsetup005

Get details from your AD

For MSAD specifically, I recommend the Sysinternals tool AD Explorer. The tool is only needed to determine the values of the DNs for the AD hookup; if you're well versed in your configuration, just follow along and fill in the appropriate values.

Install AD Explorer, open it, connect to your Active Directory, go to the DC and navigate to the container where your user data is stored. In an out-of-the-box setup this is typically the one highlighted in the screenshot.

msadldapsetup006

Pick up the base DN and paste

The default AD setup keeps users and groups in the same container, Users, so right-click the folder, copy the value of Distinguished Name, and paste it into both the Users Base DN and the Groups Base DN fields. Adjust as required if your own setup differs.

msadldapsetup007

Pick up the DN of the Administrator user and paste

The Plone AD plugin will use this user to connect to your AD, so if you're not particular about it the Administrator user will do (right-click -> Properties on the Administrator user); otherwise substitute any user's DN as appropriate, just make sure it has at least Read access to the Base DN you selected. A dedicated account with only that read access is the safer choice, since its password is entered into the plugin in the next step.

Paste the DN into... you guessed it, the Manager DN field. :)

msadldapsetup008

Fill in the remaining fields

  • Fill in the password for the Manager DN user.
  • Fill in the hostname and port of the AD server in the LDAP Server:port field. The format must be either IPAddress:port (as shown) or hostname:port, as your setup requires.
  • Check Read Only unless you want users to be able to modify their AD profile through their Cyn.in profile.
  • Change the default user roles from Anonymous, Member to just Member.
  • Fill in an ID and a Title. Whatever you put here doesn't really matter, as long as you remember it.

msadldapsetup009

... And hit Save

Depending on validation of the information you filled in, you'll either get the screen shown below, with your newly added item in the list, or an error if the connection to your AD failed. If so, hit Back in your browser, diagnose, and change what's necessary. Passing this step is crucial for the integration to work.

msadldapsetup010

Turn on all the plugin's methods, hit Update

msadldapsetup011

Click the Properties plugin and move it higher in priority

Select the AD plugin

msadldapsetup012

and click the Up arrow to move it up.

msadldapsetup013

Fix the incorrect Group ID Attribute in Properties Tab

Change from groupid_attr = ObjectGUID to...

msadldapsetup014

... to groupid_attr = sAMAccountName and hit Save.

Yes, the case of the value is important, you have to type it exactly as shown.

msadldapsetup015

Open the Contents tab

...and then open up the nested acl_users object.

msadldapsetup016

Fix the User Object Classes

Change from pilotPerson, uidObject to...

msadldapsetup017

... to organizationalPerson, as shown. Again, case is important.

msadldapsetup018

Check the Groups tab

You should now see all the groups in your AD showing up here. Verify that everything looks ok; don't change anything.

msadldapsetup019

Verify User lookup

Click the Users tab, fill in a known value and choose the appropriate field, and hit Search.

msadldapsetup020

Verify the Search Results

msadldapsetup021

Click a result and ensure correct Group assignment

The user should have the appropriate Groups checked, as per the "belongs to" relationship.

msadldapsetup022

Login should now be working with AD :)

msadldapsetup023

But you still have to do Schema mapping...

The user's full name and email address are not being mapped yet. You need to map these properly so that things like notification emails work. Read on...

msadldapsetup024

Go to LDAP Schema tab...

Add displayName as FullName

msadldapsetup025

Add mail as email

msadldapsetup026

Refer to /cynin/portal_metadata and map other fields

Navigate out to /cynin and then to the portal_metadata object. Here you'll see the fields that Cyn.in currently stores for all users.

Note: Some fields are not wired up yet, use this screen for reference only.

The idea is that you can map things like phone numbers, job titles (designation), etc. by matching these fields against the ones stored and in use in your AD. To add a new mapping, take the field name here, compare it with your AD attribute's name, and add a new mapping in the LDAP Schema screen, as shown for displayName and mail. The remaining fields are left up to you, as per your requirements and usage.

  • If you don't map a field, it won't be filled automatically, but your users will be able to edit it normally from their Cyn.in profile.
  • If you map a field and your AD connection is set to Read Only, users will not be able to edit it.
  • If you map a field and your AD connection is not set to Read Only, then changes users make will be written back to your AD, provided the user you put in the Manager DN field has write permissions.

msadldapsetup027

Clear Cache and revisit

If, like me, you wanted to log in first to see if it works, then after doing the schema mapping you need to visit the Caches tab and purge all caches.

Logins are cached as per the setting in the Caches tab, so that your AD is not looked up constantly. Tweak this only if necessary.

Once you have mapped the schema as above, your People Directory will come pre-populated with the users from your AD, as shown. If you're setting up a complex Space structure, note that you can map groups from AD to local roles on the Sharing tab of a Space, and it should work fine.

msadldapsetup028

So set up your Cyn.in and let's see if you can get it to work properly. :)

Let us know if you have any ideas or suggestions about this, and if you get stuck on a problem with the AD integration, just post a new discussion with the details.

Description
A stepwise walkthrough for setting up integrated authentication with MSAD for authentication, group assignment and user schema field synchronization.
Comments (33)
gump103 Nov 09, 2009 06:39 PM
Just wondering if it's possible to configure cynin for SSO as well.
dhiraj Nov 10, 2009 09:08 AM
SSO. Hmm... as you can see with the Cynapse.com sites it's definitely possible. It does require quite a bit of varied expertise and know-how, though. SSO setup is a no-no for the easily intimidated. :)

Please start a new discussion topic for this and tell us what you want to accomplish, in as much detail as possible.

For Cynapse.com we currently have an SSO between Drupal 6.x, Redmine and Cyn.in.
mgarner Dec 15, 2009 11:21 PM
Using MSAD i can only get a hand full of users to show up and a portion of my groups.
mgarner Dec 16, 2009 12:34 AM
Problem fixed. My OUs are structured differently from the instructions. I had a sub-OU that all my users are in. I was using this bind (CN=Users,DC=mydomain,DC=us); I switched to this one and it worked: OU=Standard Users,OU=Dept Groups,DC=mydomain,DC=us. Great tutorial BTW.
dhiraj Dec 30, 2009 09:17 AM
Thanks! :)

So you had pointed the Users and Group OUs to the top-level and it was not working fully?

Weird. The normal behavior mode is "SUBTREE" where any matches from any descending structure should be returned, for all queries.

Or was it some other top-level branch of the AD tree altogether?
andrebrown Feb 04, 2010 05:29 AM
I noticed that if I delete an LDAP user account from Cynin, it deletes the account in the LDAP directory. However, if I create an account in Cynin, it doesn't create an account in the LDAP directory. Why does this only work one way?
dhiraj Feb 04, 2010 09:44 AM
Hmmm.... that's easily explained: There is no LDAP user account *create* facility, yet. I do believe I'd seen a plone product that would allow user management - but since we're recommending read-only MSAD ATM, this hasn't been looked into.

The reason that delete works is because Cyn.in knows that it's an AD user and when you administratively ask to delete the user, the choice is either to say not-can-do, or to go ahead and delete it.

In the case of create user, Cyn.in will create a "normal" user, one that it can manage fully, in the internal source_users implementation.
tomasz May 26, 2010 12:06 PM
I used this guide to add openLDAP support (our openldap also acts as domain controller with samba). I successfully added the plone openldap plugin. But when I get to the step "Fix the incorrect Group ID Attribute in Properties Tab from groupid_attr = ObjectGUID to sAMAccountName", the view in the guide is different from the one I have. So, what file do I edit by hand to change this manually?
tomasz May 26, 2010 12:23 PM
I'm adding the Cyn.in (v313) OpenLDAP plugin. It seems this guide is for an older version, because the picture for the "Fix the incorrect Group ID Attribute in Properties Tab" step is completely different for v313. What is the other way to change groupid_attr?
amandahla May 31, 2010 08:06 PM
Is "User Object Classes" right? organizationalPerson doesn't work for me... Any help?
ymhing Jun 08, 2010 05:06 AM
For those that wanted to exclude other objects within the AD, i.e just User profile only, you can put the following at the "Additional user search filter" field : (&(objectCategory=person)(objectClass=user))
pac22 Jun 17, 2010 10:10 PM
Hi, I am running a test pilot in our university (UTN) in Campana, Argentina.
I have everything working properly with AD. I wanted to see if it could give access (login) only to a group of AD, such that only members of the GG_CynFRD group can log into Cyn.In.

Thanks in advance, Cristian.
ybizeul Jul 29, 2010 10:40 AM
I just noticed a BIG issue; I'd like to know if people using accents have the same issue:
For a user having an accent in his CN, if I look at his properties and the list of groups he belongs to, that's ok.
But if I go to the group properties, I only see users NOT having accents in their name. The effect is that the effective privileges of the user when he logs in ignore this group membership.

That is a very big issue if I'm not alone!
physikal Aug 27, 2010 07:53 PM
My AD structure is as follows:
domain.com
  > Location1.OU
      > Computers
      > Users
  > Location2.OU
      > Computers
      > Users

And so on. So in order to grab all users, I have to enter the root DN, so dc=domain, dc=com. So it is grabbing ALL users. But my problem is it is grabbing all objects: computers, servers, etc. So when browsing the "People" section of cyn.in it is showing a bunch of computer names and server names. Any way around this?
deadlines Nov 23, 2010 08:49 PM
You would need to either restructure your AD OU's, or use a search filter as ymhing suggests above. Search filters were the one thing I was hoping to see more documentation on. Otherwise, these instructions work great for MSAD.
simeonhiq Mar 09, 2011 05:23 AM
Hi, Just working through this How-To, and I'm at the part 'Fix the incorrect Group ID Attribute in Properties Tab'. My freshly installed copy doesn't show these attributes.

I have only [Optional Prefix] and [title]. I tried adding the attributes in but get an 'Invalid or duplicate property id' error. This suggests that the property does exist, but I just can't see it? I am (admin) so??

Any ideas? Pushing on down the how-to, I can evaluate the list of groups okay, but can't bring back any users.

Thanks.
ldavim May 31, 2011 02:01 PM
I have the same problem as simeonhiq :(
tango Sep 07, 2011 12:48 AM
Thank you very much for the guide.

I have set it up as mentioned, under the cynin page (taking special care not to do it under the root page). I am pretty sure that everything is done as described (tried 5 times); I can query both users and groups successfully without any problems. But when I try to log in, cynin says that the username or password is incorrect. Somehow it does not get activated on the logon page.

Can you help me on how to diagnose? Cannot find where to look.

Regards.
fjgsols Sep 29, 2011 11:33 AM
Great write-up of the AD install. The "Additional user search filter" field: (&(objectCategory=person)(objectClass=user)) filtered out all the unwanted computer accounts, leaving just the users.
huy0007 Oct 21, 2011 09:55 PM
Does anyone know why, when a user fat-fingers their password only once, his/her account gets locked out on the first failed attempt when we integrate Cyn.in with AD? Is there a setting to avoid this? Our AD is set up to lock out the account after 3 failed attempts.
dhandler Jan 17, 2012 04:13 PM
I am having an issue with my MS AD groups. After following the directions I am able to query and display the AD users, but get an error when trying to show the groups (I think I have too many?). In my AD, the groups and users are in the same container (CN=USERS,DN=CORP,DN=MyCompany,DN=NET).
Has anybody had a similar problem? Unfortunately, after messing around with it, I completely borked my install and couldn't even log in anymore to get the error details to share, so I did a reinstall. Before I go and start mucking around again, I was looking to see if anybody had a similar experience and how they might have gotten past it. Maybe using the generic LDAP connection instead of the specific AD one.

Thanks in advance.
patmis Apr 12, 2012 01:12 PM
When I want to change something in LDAPUserFolder at /ipo/acl_users/corproot.net/acl_users I get this error:

Traceback (innermost last):
  Module ZPublisher.Publish, line 119, in publish
  Module ZPublisher.mapply, line 88, in mapply
  Module ZPublisher.Publish, line 42, in call_object
  Module Products.LDAPUserFolder.LDAPUserFolder, line 464, in manage_edit
  Module Products.LDAPUserFolder.LDAPDelegate, line 262, in connect
INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece', 'desc': 'Invalid credentials'}

Need help!!!!!
bakchy Jul 05, 2012 05:03 PM
Hi there.
I am testing the product, but when I go to address:8080/manage it asks for a password. I tried "siteadmin"/"secret" and tried to create a new user inside cynin to give "admin rights" to him.
No user can authenticate on this screen. What do I have to do? Any suggestion?

Thanks for help.
amitgupta Aug 25, 2012 09:57 AM
Interesting post. I have been wondering about this issue,so thanks for posting.
tgelhardt Oct 02, 2012 11:31 PM
I followed each step to the letter. I have reached the end of the guide and my "People Directory" is still blank. I'm able to log in using AD credentials. I have gone back through step by step and everything appears to be set correctly. Please help!
doverton Nov 15, 2012 11:55 PM
tgelhardt, how did you fix the problem? I am having the same issue.
lurch Nov 29, 2012 08:43 AM
Is it possible at all to filter groups?
Our AD has all our security groups in one OU, but I only need a few of them for this and the rest just cause mess.
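The search filters discussed in the comments above (ymhing's and fjgsols' user filter, physikal's computer objects in the People directory, pac22's wish to admit only one group) can be checked offline before they go into the plugin. The following Python evaluator is an added example, not code from the page, Cyn.in or LDAPUserFolder; the directory entries and the GG_CynFRD group DN are constructed, and it is assumed that the "Additional user search filter" field passes the filter to AD unchanged.

```python
# Added example: a small evaluator for RFC 4515-style LDAP filters (&, |, !, attr=value
# with '*' wildcards) run over constructed AD-like entries. In AD a computer object is a
# subclass of user, so objectClass=user alone returns computers; objectCategory tells them apart.
import fnmatch

def parse_filter(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":                        # n-ary AND / OR
        op, kids = s[i], []
        i += 1
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":                         # unary NOT
        kid, i = parse_filter(s, i + 1)
        return ("!", [kid]), i + 1
    j = s.index(")", i)                     # simple item: attr=value (value may be a DN)
    attr, _, value = s[i:j].partition("=")
    return ("=", (attr.lower(), value)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; names and values case-insensitive."""
    op, arg = node
    if op == "&":
        return all(matches(k, entry) for k in arg)
    if op == "|":
        return any(matches(k, entry) for k in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, pattern = arg
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in entry.get(attr, []))

def search(entries, filter_string):
    """Return the sAMAccountNames of the entries the filter keeps, sorted."""
    node, _ = parse_filter(filter_string)
    return sorted(e["samaccountname"][0] for e in entries if matches(node, e))

def entry(sam, classes, category, member_of=()):
    """Build a constructed entry; attribute names lower-cased for lookup. AD accepts the
    short class name (person, computer, group) for objectCategory in filters."""
    return {"samaccountname": [sam], "cn": [sam], "objectclass": list(classes),
            "objectcategory": [category], "memberof": list(member_of)}

GROUP_DN = "CN=GG_CynFRD,CN=Users,DC=example,DC=com"   # constructed sample group DN
ENTRIES = [                                            # constructed sample directory
    entry("jdoe", ["top", "person", "organizationalPerson", "user"], "person", [GROUP_DN]),
    entry("asmith", ["top", "person", "organizationalPerson", "user"], "person"),
    entry("WEB01$", ["top", "person", "organizationalPerson", "user", "computer"], "computer"),
    entry("GG_CynFRD", ["top", "group"], "group"),
]
```

A memberOf clause on the user filter, such as (&(objectCategory=person)(objectClass=user)(memberOf=CN=GG_CynFRD,CN=Users,DC=example,DC=com)), keeps only direct members of that group; nested membership is not expanded by a plain memberOf match.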
asankolli Dec 24, 2012 10:57 AM
Our AD structure is defined as follows:
domain.com
  > Location1.OU
      > Computers
      > Users
  > Location2.OU
      > Computers
      > Users
  .....
  > LocationN.OU
      > Computers
      > Users

I cannot use the root DN as it has sensitive information. Is there a way to define multiple Location OUs to grab all users?
gr3go1r3 Apr 15, 2013 06:13 PM
Hello,

Following this tutorial, I'm still facing some trouble with users' email address import from the AD. Basically, cyn.in imports the CN and groups but no email address :(
It's a bit strange, because under Zope, when I search for a user's info, I do have his email address, displayName, etc.
I put everything I could under /cynin/portal_metadata/properties (CN, mail, etc.)
What could be wrong?
juliom Jan 16, 2014 04:32 AM
I have AD working great, but the problem now is how the heck do I delete a user from Cynin? I removed the user from AD, but they remain on the site in the "people directory" even though they no longer exist. Help? The whole "delete" button is greyed out and I think that only works when it's a local user, not an AD user.