July 4, 2016 at 1:15 pm #11805
I have imported user store from LDAP to OpenDJ.
“mail”: “[email protected]”,
In LDAP, the authentication field was “mail”.
To enable login using “mail”, I changed the “Authentication” and “Search” attributes to “mail” in the OpenAM -> DataStore settings, and the authentication mechanism is working successfully.
I can add new users. Instead of being listed by uid, these new users are shown listed by the mail attribute when I check the OpenDJ entry in the Directory Studio UI.
When I try to add new users to a group, it doesn’t allow it and shows an error. But it allows adding old users, who seem to be listed by the mail attribute.
I added some users to groups using uid and created a policy which permits these group members. When the API executes, it fails. It succeeds if I change the authentication and search attribute to uid.
One solution is to change all LDAP UIDs to mail IDs; the difficulty is that there are around 500 entries and these UIDs may be used in other places by the application.
What is the solution?
July 6, 2016 at 4:19 pm #11863
Peter Major, Moderator
The authentication naming attribute in the data store configuration should *always* be the attribute that is used as the RDN.
You could’ve just configured your LDAP module to search for users using both uid and mail, and then always return “mail” to the data store, and then in the data store you would have configured “mail” as the search attribute.
July 8, 2016 at 1:16 pm #11933
I changed the user search attribute to “mail” in OpenAM. Then login shows the error message “User Requires Profile to Login”.
The reason may be that I haven’t gone through all the steps you mentioned.
I am not sure how to do the steps specified in your reply, i.e. “You could’ve just configured your LDAP module to search for users using both uid and mail, and then always return “mail” to the data store”.
So how do I configure the OpenDJ module to search for users using both uid and mail, and then always return “mail” to the data store?
I am using the “DataStore” module, not the “LDAP” module.
July 11, 2016 at 1:41 pm #11952
Thanks Peter, got it, and it is working using the LDAP module.
July 12, 2016 at 12:09 pm #11963
It’s working with the LDAP module alone in the chain.
But it shows “Authentication Failed” when adding OAUTH to the chain. It successfully accepts mail as the user ID and password at the first level, then shows the “Authentication Failed” message after entering the TOTP.
It’s working with uid if I set “LDAP Users Search Attribute=uid” in the DataStore.
It’s working with mail if I set “LDAP Users Search Attribute=mail” in the DataStore.
It does not accept uid/mail together as options at login.
OAUTH works fine with the DataStore module and uid/mail as the user ID.
What’s the issue?
July 13, 2016 at 7:51 am #11992
The LDAP module is able to perform authentication using UID/email.
But the OAUTH module is not, i.e. the OAUTH module works based on the “LDAP Users Search Attribute” in the DataStore.
If I set “LDAP Users Search Attribute=mail” in the DataStore, the OAUTH module output is success if I input “mail” as the username; if I input “uid”, the OAUTH module fails (the LDAP module output is success).
I can see the error in the debug/Authentication file:
ERROR: OATH.getIdentity: error searching Identities with username : test
Message:OATH.getIdentity : User test is not found
I think the OAUTH module is not able to search using “uid” if I set “LDAP Users Search Attribute=mail” in the DataStore.
Any solution please?
July 14, 2016 at 12:39 pm #12018
Also it’s not working with “ForgeRock Authenticator (OATH)” in Multi-Factor Authentication.
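The two lookups discussed in this thread, modelled as an added example (not OpenAM or OpenDJ code): Peter's suggestion that the LDAP module search on both uid and mail and hand the data store its search attribute (mail), and the later OATH failure, where a module searches on the single configured "LDAP Users Search Attribute" with the raw login name. The directory entries, DNs and the `translate` switch are constructed assumptions for illustration.

```python
# Constructed sample directory. Old users have uid as RDN, users added after the
# data-store change have mail as RDN, exactly the mix described in the thread.
DIRECTORY = {
    "uid=test,ou=people,dc=example,dc=com":
        {"uid": ["test"], "mail": ["test@example.com"]},
    "mail=alice@example.com,ou=people,dc=example,dc=com":
        {"uid": ["alice"], "mail": ["alice@example.com"]},
}


def search(filter_attrs, value):
    """Emulate an LDAP equality search '(|(a1=value)(a2=value))' over DIRECTORY."""
    return [dn for dn, attrs in DIRECTORY.items()
            if any(value in attrs.get(a, []) for a in filter_attrs)]


def rdn_attribute(dn):
    """Attribute used as the RDN, the one the data store naming attribute must match."""
    return dn.split(",")[0].split("=")[0]


def ldap_module_login(username, search_attrs=("uid", "mail"), return_attr="mail"):
    """Peter's suggestion: search on both attributes, return the data store's
    search attribute so the profile lookup succeeds regardless of what was typed."""
    hits = search(search_attrs, username)
    if len(hits) != 1:
        return None
    return DIRECTORY[hits[0]][return_attr][0]


def datastore_lookup(name, search_attr):
    """Data store / OATH getIdentity: a single-attribute search on the configured
    'LDAP Users Search Attribute'. Returns the DN or None."""
    hits = search((search_attr,), name)
    return hits[0] if len(hits) == 1 else None


def chain(username, datastore_search_attr="mail", translate=True):
    """(ldap_ok, identity_found): step 1 is the LDAP module, step 2 the OATH lookup.
    With translate=False the second step uses the raw login name, which reproduces
    'User test is not found' when 'test' is a uid but the search attribute is mail."""
    principal = ldap_module_login(username)
    if principal is None:
        return (False, False)
    lookup_name = principal if translate else username
    return (True, datastore_lookup(lookup_name, datastore_search_attr) is not None)
```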