...

When editing an Active Directory user, some fields are hidden. The login name cannot be changed. The user's domain is shown in the header of the editor.

Logging in as an Active Directory user

There is a new Domain field on the PhixFlow login screen. Its default value is set in System Configuration (see above).

To log in, users must select the domain they need. If this is not the default, they can choose one from the drop-down list, which shows all configured domains.

After choosing a domain, the domain suffix is appended to the username automatically.

When logging in as an Active Directory user, the user must use their Active Directory password, which cannot be changed through PhixFlow.

If the Active Directory user is not a member of an Active Directory group authorised to use PhixFlow (see above), they will get the standard login failure message.

If the user is in an Active Directory Group authorised to use PhixFlow, but none of their Active Directory groups are mapped to PhixFlow user groups, they will be able to successfully log in, but will have no access.

Use the encrypted connection

...

The AD server's certificate must be installed in the Java certificate store on the PhixFlow application server. To do this, obtain a certificate file from the AD server and import it into the store.

One way of installing the certificate on the PhixFlow application server is with keytool. At the command prompt, type:

Code Block
keytool -import -alias example -keystore /path/to/java/cacerts -file example.der

keytool is provided as part of the standard Java installation.

Troubleshooting

Enhanced diagnostics can be generated by adding the lines

Code Block
# detailed logging for AD connection attempts
log4j.logger.org.springframework.security=debug
log4j.logger.com.accipia.centerview.util.ContextUserExtractor=debug
log4j.logger.com.accipia.centerview.util.security=debug
log4j.logger.com.accipia.centerview.model.POJOImpl=debug

to your log4j.properties file. See Server Logging for details on controlling logging options with this file, and on where to find the results.

Note that with all options applied, the log files generated will be very large. Switch these options off as soon as you have completed your tests. If you want to keep the lines in the log4j.properties file, comment them out by placing a # at the beginning of each line.

You could also apply a more limited set of debugging options, e.g.

Code Block
log4j.logger.org.springframework.security=debug
log4j.logger.com.accipia.centerview.util.security=debug

This will not give you as complete a log of what is happening during a login attempt, but the log files generated will be smaller. In particular, this reduced set of debugging options will include messages from

Code Block
com.accipia.centerview.util.security.ActiveDirectoryLdapAuthenticationProvider

which provides information about what groups the user attempting to login belongs to.
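The following helper is an added example, not part of PhixFlow or its documentation, for switching the debug logger lines above (the full set or the reduced set) on and off in log4j.properties, so that they can be reliably commented out again once testing is finished. It assumes the standard key=value properties format and the logger names listed in the troubleshooting section.

```python
import re

# Logger keys from the "enhanced diagnostics" block above.
AD_DEBUG_LOGGERS = (
    "log4j.logger.org.springframework.security",
    "log4j.logger.com.accipia.centerview.util.ContextUserExtractor",
    "log4j.logger.com.accipia.centerview.util.security",
    "log4j.logger.com.accipia.centerview.model.POJOImpl",
)

# Matches "key=value", optionally preceded by a '#' comment marker.
_PROP_RE = re.compile(r"^\s*(#\s*)?([\w.\-]+)\s*=\s*(.*?)\s*$")

def set_ad_debug(properties_text, enable, loggers=AD_DEBUG_LOGGERS):
    """Return the properties text with every key in `loggers` either set to
    debug (enable=True) or commented out with its value kept (enable=False).
    Keys are matched whether or not the line is already commented out, so
    repeating the call changes nothing; when enabling, missing keys are appended."""
    seen = set()
    out = []
    for line in properties_text.splitlines():
        m = _PROP_RE.match(line)
        key = m.group(2) if m else None
        if key not in loggers:
            out.append(line)  # unrelated line: leave untouched
            continue
        seen.add(key)
        out.append(f"{key}=debug" if enable else f"# {key}={m.group(3)}")
    if enable:
        out.extend(f"{key}=debug" for key in loggers if key not in seen)
    return "\n".join(out) + "\n"

def ad_debug_enabled(properties_text, loggers=AD_DEBUG_LOGGERS):
    """True only if every key in `loggers` is present, uncommented and at debug."""
    active = {}
    for line in properties_text.splitlines():
        m = _PROP_RE.match(line)
        if m and not m.group(1):
            active[m.group(2)] = m.group(3).lower()
    return all(active.get(key) == "debug" for key in loggers)

if __name__ == "__main__":
    # Constructed sample file: one logger commented out, one at a different level.
    sample = ("log4j.rootLogger=INFO, file\n"
              "# log4j.logger.org.springframework.security=debug\n"
              "log4j.logger.com.accipia.centerview.util.security=info\n")
    enabled = set_ad_debug(sample, True)
    print(enabled)                       # all four loggers now at debug
    print(set_ad_debug(enabled, False))  # all four commented out again
```

Pass the two-key reduced set as `loggers` to manage only the smaller configuration described above.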