LDAP - Active Directory Integration

> Hi,
>
> 1.)  Using JXplorer with the following connection parameters:-   :working:
>
> Base DN:           ou=it,ou=head-office,dc=domain*,dc=co,dc=uk
> User DN:            cn=John Doe,ou=it,ou=head-office,dc=domain*,dc=co,dc=uk
>
>       I get the Windows 2000 Server's Active Directory entries starting from
> the "Base DN:" as mentioned above
>
>        (**** I noticed that the short username i.e. "John" does not work!
> One has to specify the whole user name i.e "John Doe" to get AD access ****)
>
> 2.) Now on to OFBIZ ...
>
>      When I however, substitute the "User DN:" within ${ofbiz install
> dir}/framework/security/config/jndiLdap.properties as follows:-
>
>       ldap.dn.template=cn=%u,OU=IT,OU=head-office,DC=domain*,DC=co,DC=uk
>
>       Active Directory authentication for OFBIZ fails, with the following in
> the logs:-
>
> 2008-07-21 14:13:12,470 (http-0.0.0.0-8443-1) [    
> RequestHandler.java:243:INFO ] [Processing Request]: login
> sessionId=D2EB68F2022C7F9076581E957EF5376D.jvm1
> 2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [    
> LoginServices.java:363:INFO ] [LoginServices.userLogin] : Invalid User :
> User not found.
> 2008-07-21 14:13:12,498 (http-0.0.0.0-8443-1) [
> ServiceDispatcher.java:522:ERROR] Error in Service [userLogin]: User not
> found.
> 2008-07-21 14:13:12,499 (http-0.0.0.0-8443-1) [  
> TransactionUtil.java:275:ERROR]
>
>        I have tried logging into OFBIZ with all of the following options:-
>
>           a.) John
>           b.) John Doe
>           c.) John@domain*.co.uk
>           d.) domain*.co.uk\John
>           e.) domain*\John
>
>        It just keeps on stating that it cannot find the user .......  
> :confused:
>
>        (What is the correct syntax to use for logon ?? - domain*\John is
> what I presume)
>
> 3.)   One more Q please: When adjusting ANY of OFBIZ's configuration files,
> is it sufficient to (restart ofbiz via) ./stopofbiz and ./startofbiz for the
> changes to take effect?....
>
>
>
>

> Hi Adrian,
>
> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
> present)
>
> I was under the impression that users would be created automagically within
> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
> server (or Active Directory in this case)
>
> Soooo, all OFBIZ users needs to be created manually within OFBIZ, before
> LDAP authentication can take place...?

> Wicus wrote:
>> Hi Adrian,
>>
>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>> present)
>>
>> I was under the impression that users would be created automagically
>> within
>> OFBIZ (the Postgres SQL database) once they are authenticated via the
>> LDAP
>> server (or Active Directory in this case)
>>
>> Soooo, all OFBIZ users needs to be created manually within OFBIZ, before
>> LDAP authentication can take place...?
>
> That's correct. The current integration implementation is not that
> sophisticated. It was created to address a single need: allow OFBiz
> users to use the same login name and password that they use for logging
> into the network.
>
> Even if the OFBiz user was created automatically, what would that
> accomplish? Without additional permissions and roles, the user wouldn't
> be able to do anything in OFBiz.
>
> There has been some discussion on the dev mailing list about a more
> comprehensive LDAP integration, but no agreement has been reached on how
> to implement it.
>
> -Adrian
>
>
>
>

> Hi Adrian,
>
> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
> present)
>
> I was under the impression that users would be created automagically within
> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
> server (or Active Directory in this case)
>
> Soooo, all OFBIZ users needs to be created manually within OFBIZ, before
> LDAP authentication can take place...?
>
>  

> So the current design is ambiguous.
>
> If you want LDAP to be the source db of user management, then the user
> info should be synchronized from LDAP to OFBiz when he/she wants to
> login OFBiz.
>
> Shi Jinghai/Beijing Langhua Ltd.
>
> 在 2008-07-21一的 10:50 -0700，Wicus写道：
>> Hi Adrian,
>>
>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>> present)
>>
>> I was under the impression that users would be created automagically within
>> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
>> server (or Active Directory in this case)
>>
>> Soooo, all OFBIZ users needs to be created manually within OFBIZ, before
>> LDAP authentication can take place...?
>>
>>  
>
>
>
>

> it is more that people don't understand that ofbiz is not a db driven
> application. This had me going when I first got started.
>
> Ofbiz generates the DB from the entityengine. So if you could have an
> LDAP db source it would be populated by Ofbiz.
> http://ofbiz.apache.org/docs/entity.html
>
> Therefore the DB would have the ofbiz type of security.
> Without User Login, and Security defined by Ofbiz. the DB should not be
> accessible.
>
> Having access to the LDAP db thru any other channel would break the
> ofbiz security.
>
> To my knowledge, LDAP has not advanced that far in ofbiz yet.
>
> Shi Jinghai sent the following on 7/21/2008 9:52 PM:
>> So the current design is ambiguous.
>>
>> If you want LDAP to be the source db of user management, then the user
>> info should be synchronized from LDAP to OFBiz when he/she wants to
>> login OFBiz.
>>
>> Shi Jinghai/Beijing Langhua Ltd.
>>
>> 在 2008-07-21一的 10:50 -0700，Wicus写道：
>>> Hi Adrian,
>>>
>>> Errrr; no users have been created within OFBIZ. (except for Admin etc  @
>>> present)
>>>
>>> I was under the impression that users would be created automagically within
>>> OFBIZ (the Postgres SQL database) once they are authenticated via the LDAP
>>> server (or Active Directory in this case)
>>>
>>> Soooo, all OFBIZ users needs to be created manually within OFBIZ, before
>>> LDAP authentication can take place...?
>>>
>>>  
>>
>>
>>
>
>
>

> I had suggested an approach that was a little less drastic, but would
> still require a lot of work: instead of switching the entire OFBiz
> database to LDAP, just switch all of the OFBiz security, permissions
> checking, etc over to Apache Directory (an open source LDAP library).
> The rest of the OFBiz entities would remain unchanged. There would have
> to be considerable interest in making that change before anything would
> happen though.
>
> -Adrian
>
> BJ Freeman wrote:
>> it is more that people don't understand that ofbiz is not a db driven
>> application. This had me going when I first got started.
>>
>> Ofbiz generates the DB from the entityengine. So if you could have an
>> LDAP db source it would be populated by Ofbiz.
>> http://ofbiz.apache.org/docs/entity.html
>>
>> Therefore the DB would have the ofbiz type of security.
>> Without User Login, and Security defined by Ofbiz. the DB should not be
>> accessible.
>>
>> Having access to the LDAP db thru any other channel would break the
>> ofbiz security.
>>
>> To my knowledge, LDAP has not advanced that far in ofbiz yet.
>>
>> Shi Jinghai sent the following on 7/21/2008 9:52 PM:
>>> So the current design is ambiguous.
>>>
>>> If you want LDAP to be the source db of user management, then the user
>>> info should be synchronized from LDAP to OFBiz when he/she wants to
>>> login OFBiz.
>>>
>>> Shi Jinghai/Beijing Langhua Ltd.
>>>
>>> 在 2008-07-21一的 10:50 -0700，Wicus写道：
>>>> Hi Adrian,
>>>>
>>>> Errrr; no users have been created within OFBIZ. (except for Admin
>>>> etc  @
>>>> present)
>>>>
>>>> I was under the impression that users would be created automagically
>>>> within
>>>> OFBIZ (the Postgres SQL database) once they are authenticated via
>>>> the LDAP
>>>> server (or Active Directory in this case)
>>>>
>>>> Soooo, all OFBIZ users needs to be created manually within OFBIZ,
>>>> before
>>>> LDAP authentication can take place...?
>>>>  
>>>
>>>
>>>
>>
>>
>>
>
>
>