• 2 replies
  • Latest Post - 2011-10-28T19:58:20Z by JQG7_Adam_Gottstein

Pinned topic FSM 4.5 ADS Auth and FSM groups

2011-10-28T16:45:58Z
Now that I have my Production install working in spite of daylight savings settings, I have another issue.

I have configured my FSM 4.5 server for external authentication using ADS. It is looking up users using CN=Users,DC=<mydomain>,DC=com. I have noticed through debugging that using CN=Users behaves differently than using OU=<MyOU> and working my way up the tree to DC,DC. The biggest difference I have seen is that CN=Users returns only authenticated or not, but no AD user groups. If I provide the full OU path I get groups from AD as well (or at least I do in the debug info while installing FSM).

Anyway, I'm not sure whether the above is the cause of my issue, but I wanted to mention that setup and the difference I've noticed so far. Unfortunately our directory is set up poorly, and users who may be accessing the FSM console are split over multiple OUs directly under DC,DC.

My problem is: I can create a group in FSM User Management and assign it the permissions I want users of that group to have. I can then create a user with internal/FSM authentication, assign it to the group, and everything works as I want when I log in as that user.

However, I want to do the above but select "External Authentication", and assign the user to the same group. When I do this it saves properly and everything looks fine. When I log in, though, the user account successfully authenticates to ADS and logs into FSM, but I get a blank page with it set as Event Management under Window>Consoles. Logging back in as admin I see the group has been stripped from the user setup.

In short, under AD/External authentication I can assign a user to groups, but when I log on as the user (and login IS successful) the group assignment is stripped from the user. How do I get this to work properly?

For now I'm going to play with various alternate configurations to make this work (substitutes come to mind), though I really would like this to follow the "assign rights to groups and grant group memberships to users" model.
Updated on 2011-10-28T19:58:20Z by JQG7_Adam_Gottstein
  • JQG7_Adam_Gottstein

    Re: FSM 4.5 ADS Auth and FSM groups

    Ok, this was a "duh" moment. I've figured it out.

    Just as the userid must exist in AD, the group must exist in AD as well. It works fine.
  • JQG7_Adam_Gottstein

    Re: FSM 4.5 ADS Auth and FSM groups

    The group name was only part of my problem. I found the fix for the rest.
    By default you cannot search Active Directory (I'm not sure about other LDAP servers) from the top of the tree (DC=X,DC=Y). With the current FSM 4.5 installer you just need to install it with something simple, such as CN=Users,DC=X,DC=Y.

    After it is installed, stop all of the services and do the following:

    In <FSM_ROOT>/cala_rex/cala_rex_srv_auth.cfg
    Change <property name="group.provider.url" value="CN=Users,DC=X,DC=Y"/> (or whatever you put)
    TO <property name="group.provider.url" value="DC=X,DC=Y"/>

    Add the following with the other java.naming.* properties:
    <property name="java.naming.referral" value="follow" />

    In <FSM_ROOT>/login.conf
    Change group.provider.url="CN=Users,DC=X,DC=Y" (or whatever you put)
    TO group.provider.url="DC=X,DC=Y"

    Add the following with the other initial.context.env.* properties:
    initial.context.env.java.naming.referral="follow"

    Start the server processes back up.

    One thing to note -- and possibly the reason why this option was left out -- the larger your directory, the longer the query will take. As with most things, the more specific a location you can provide, the better the performance.
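As an added example (not from the original post and not IBM's code), here is a small Python script that applies the two-file change described above in one go and refuses to proceed if a file does not contain exactly one group.provider.url entry. The sample file contents are constructed from the fragments quoted in the thread; the surrounding layout of cala_rex_srv_auth.cfg and login.conf, and the helper names, are this example's own assumptions. It goes slightly beyond the post by making the edit idempotent (running it twice does not add a second referral property) and by flagging when the new base DN is the domain root, which is exactly the case where referral chasing is needed and where the performance caveat applies.

```python
import re

# Constructed sample of <FSM_ROOT>/cala_rex/cala_rex_srv_auth.cfg as the
# installer would leave it after an install against CN=Users,DC=X,DC=Y.
# Only the group.provider.url line and the java.naming.* prefix come from
# the thread; the surrounding layout is assumed.
SAMPLE_AUTH_CFG = """<config>
  <property name="group.provider.url" value="CN=Users,DC=X,DC=Y"/>
  <property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <property name="java.naming.security.authentication" value="simple"/>
</config>
"""

# Constructed sample of <FSM_ROOT>/login.conf; same caveat, the
# initial.context.env.* prefix is from the thread, the rest is assumed.
SAMPLE_LOGIN_CONF = """FSMLogin {
  group.provider.url="CN=Users,DC=X,DC=Y"
  initial.context.env.java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
  initial.context.env.java.naming.security.authentication="simple"
};
"""

_DC_ONLY = re.compile(r"^\s*DC=[^,]+(\s*,\s*DC=[^,]+)*\s*$", re.IGNORECASE)


def is_domain_root(base_dn: str) -> bool:
    """True when the DN is made of DC= components only, i.e. the head of the
    domain.  A subtree search from here makes AD return referrals to its
    other naming contexts, which JNDI only tolerates when
    java.naming.referral is set (here: follow)."""
    return bool(_DC_ONLY.match(base_dn))


def _insert_after_last(text: str, marker: str, new_line: str) -> str:
    """Insert new_line after the last line containing marker, copying that
    line's indentation so the file keeps its layout."""
    lines = text.splitlines(keepends=True)
    idx = max(i for i, line in enumerate(lines) if marker in line)
    indent = re.match(r"\s*", lines[idx]).group(0)
    if not lines[idx].endswith("\n"):
        lines[idx] += "\n"
    lines.insert(idx + 1, indent + new_line + "\n")
    return "".join(lines)


def rewrite_auth_cfg(text: str, base_dn: str) -> str:
    """cala_rex_srv_auth.cfg: repoint group.provider.url and add the
    java.naming.referral property once, beside the other java.naming.*."""
    text, n = re.subn(r'(<property name="group\.provider\.url" value=")[^"]*(")',
                      lambda m: m.group(1) + base_dn + m.group(2), text)
    if n != 1:
        raise ValueError("expected exactly one group.provider.url property")
    if 'name="java.naming.referral"' not in text:
        text = _insert_after_last(
            text, 'name="java.naming.',
            '<property name="java.naming.referral" value="follow" />')
    return text


def rewrite_login_conf(text: str, base_dn: str) -> str:
    """login.conf: the same two edits in the key="value" form that file uses."""
    text, n = re.subn(r'(group\.provider\.url=")[^"]*(")',
                      lambda m: m.group(1) + base_dn + m.group(2), text)
    if n != 1:
        raise ValueError("expected exactly one group.provider.url entry")
    key = "initial.context.env.java.naming.referral"
    if key not in text:
        text = _insert_after_last(text, "initial.context.env.", key + '="follow"')
    return text


def reconfigure(auth_cfg: str, login_conf: str, base_dn: str):
    """Apply both edits; returns (new_auth_cfg, new_login_conf, note)."""
    note = ("domain root: referral chasing needed, expect slower group lookups"
            if is_domain_root(base_dn) else "narrower base: faster lookups")
    return rewrite_auth_cfg(auth_cfg, base_dn), rewrite_login_conf(login_conf, base_dn), note


if __name__ == "__main__":
    new_auth, new_login, note = reconfigure(SAMPLE_AUTH_CFG, SAMPLE_LOGIN_CONF, "DC=X,DC=Y")
    print(note)
    print(new_auth)
    print(new_login)
```

To use it against a real install, read the two files into strings with the services stopped, pass them through reconfigure() with the base DN you want, and write the results back; the ValueError guard is there so a file whose layout differs from the assumed one is left untouched rather than half-edited.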