Re: [CODE4LIB] LDAP Issues
On 10/6/2010 10:44, Amy wrote:
> We are having a problem with a single student whose account was deleted from LDAP by Technology, and then had her account re-established. She has the same username and status as she used to have. She is now unable to log in to any of the library resources that use LDAP to authenticate patrons. This includes our catalog e-resources (through III) and a Ruby on Rails group study room web application that uses LDAP authentication.

In situations like these, I find you just have to keep digging at it until you figure out what the problem is.

If you have access to the LDAP queries in III and the RoR app, check them to make sure there isn't anything the systems are expecting to find that wasn't regenerated. Like when the record was created, or some default settings or something.

Also, check whatever mechanism is used for batch-creation (assuming there is one) to see if it sets anything differently than whoever did the re-creation.

-- 
Yitzchak Schaffer
Systems Manager
Touro College Libraries
(212) 463-0400 x5230
http://www.tourolib.org/
Access Problems? Contact systems.libr...@touro.edu
Re: [CODE4LIB] LDAP Issues
Is there a unique ID delivered by your LDAP that is different from the username, and could the apps be using that unique ID to match to accounts instead of username? Some weird alphanumeric string that is only used internally, but when they recreated her account she got a different one?

That is just a brainstorming guess; I am not familiar with LDAP, but have written non-LDAP SSO solutions that sometimes run into this issue.

Jonathan

Yitzchak Schaffer wrote:
> On 10/6/2010 10:44, Amy wrote:
>> We are having a problem with a single student whose account was deleted from LDAP by Technology, and then had her account re-established. She has the same username and status as she used to have. She is now unable to log in to any of the library resources that use LDAP to authenticate patrons. This includes our catalog e-resources (through III) and a Ruby on Rails group study room web application that uses LDAP authentication.
>
> In situations like these, I find you just have to keep digging at it until you figure out what the problem is.
>
> If you have access to the LDAP queries in III and the RoR app, check them to make sure there isn't anything the systems are expecting to find that wasn't regenerated. Like when the record was created, or some default settings or something.
>
> Also, check whatever mechanism is used for batch-creation (assuming there is one) to see if it sets anything differently than whoever did the re-creation.
Re: [CODE4LIB] LDAP Issues
On Wed, 6 Oct 2010, Amy wrote:
> We are having a problem with a single student whose account was deleted from LDAP by Technology, and then had her account re-established. She has the same username and status as she used to have. She is now unable to log in to any of the library resources that use LDAP to authenticate patrons. This includes our catalog e-resources (through III) and a Ruby on Rails group study room web application that uses LDAP authentication. Has anyone had any experiences like this before or any thoughts/speculation on how to fix?

.. this is why it's a good idea to lock accounts for a period before they're deleted fully. But anyway ...

LDAP's used for authentication, but what's used for authorization? (i.e., we use a login password to confirm they're who they say they are, but what says that person's allowed to use the system?) Sometimes it's stored in a field within LDAP, sometimes it's stored in a separate system with a foreign key into LDAP. (which *might* be the login / uid / cn (common name) / dn (distinguished name), etc.)

I've seen a few systems that use an assigned ID as the user component of the DN, rather than the UID / login, so should the user ever need to change the name of the account (e.g., they get a name change, and want to change their login), they don't have to re-authorize them in all of the systems. (of course, this means that a delete/recreate, even with the same name, has issues).

If I were trying to debug it, I'd try to get an ldif dump of their entry, and compare that to someone created through 'normal' means, and see if there's anything that looks strange (missing fields, random serial numbers, something incremented (e.g. John-Smith-2)).

-Joe
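Joe's suggestion (dump the re-created entry as LDIF and compare it to a normally created one) and Jonathan's guess (an application keys on a server-assigned ID rather than the username) can be checked with the same script. The following is an added example and not code from the thread, from III or from the study-room application: it parses two LDIF entries, buckets the differences, and checks whether the key an application stored for the user still matches the directory. The two entries, the application row and the attribute names used (entryUUID, uidNumber, patronType, libraryBarcode) are constructed assumptions; which attributes your directory really exposes depends on its schema.

```python
"""Diff a re-created LDAP entry against a known-good one, then check the
key an application stored for that user.

Added example, not code from the thread, III or the study-room app. The
LDIF entries and the application row are constructed; the attribute names
(entryUUID, uidNumber, patronType, libraryBarcode) are assumptions.
"""
import base64

# Constructed: the student's entry as captured before deletion.
OLD_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 10042
entryUUID: 1f3a9b4e-0000-4000-8000-000000000001
patronType: student
libraryBarcode: 21234000000017
createTimestamp: 20080901120000Z
"""

# Constructed: the re-created entry. Same uid and patronType, but the server
# regenerated its identifiers and one attribute never came back. cn is
# base64-encoded only to exercise the "attr::" LDIF syntax.
NEW_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn:: SmFuZSBEb2U=
uidNumber: 10317
entryUUID: 1f3a9b4e-0000-4000-8000-000000000002
patronType: student
createTimestamp: 20101006143000Z
"""

# Operational attributes that always differ after a recreate: not findings.
EXPECTED_TO_CHANGE = {"createtimestamp", "modifytimestamp", "entrycsn",
                      "creatorsname", "modifiersname"}
# Server-assigned identifiers: a change here is the "same username,
# different account" failure if any application stored the old value.
IDENTIFIER_ATTRS = {"entryuuid", "uidnumber", "objectguid", "objectsid"}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Handles folded lines (a continuation line starts with one space),
    comment lines and base64 values ("attr:: ..."). LDAP attribute names
    are case-insensitive, so keys are lower-cased. "attr:< url" is not
    supported.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith("<"):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def diff_entries(old, new):
    """Compare a re-created entry to the original and bucket the differences."""
    findings = {"missing": [], "added": [], "changed": {}, "regenerated_ids": {}}
    for attr, values in old.items():
        if attr not in new:
            findings["missing"].append(attr)
        elif attr in EXPECTED_TO_CHANGE:
            continue
        elif sorted(values) != sorted(new[attr]):
            bucket = "regenerated_ids" if attr in IDENTIFIER_ATTRS else "changed"
            findings[bucket][attr] = (values, new[attr])
    findings["added"] = [attr for attr in new if attr not in old]
    return findings


def check_app_key(app_row, entry, key_attr):
    """Does the key an application stored for this user still match LDAP?

    app_row is a constructed row from the app's own user table; key_attr is
    the LDAP attribute the app keys on (assumption: read it from the app's
    LDAP configuration). Returns (ok, explanation).
    """
    current = entry.get(key_attr.lower(), [])
    stored = app_row["ldap_key"]
    if stored in current:
        return True, f"{key_attr} still matches"
    return False, (f"app stored {key_attr}={stored!r} but the directory now has "
                   f"{current}: the bind succeeds on uid, yet the app's row for "
                   f"this user is never found")


if __name__ == "__main__":
    old, new = parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)
    for bucket, result in diff_entries(old, new).items():
        print(f"{bucket}: {result}")
    # Constructed: the study-room app's row, keyed on entryUUID at first login.
    row = {"username": "jdoe", "ldap_key": old["entryuuid"][0]}
    print(check_app_key(row, new, "entryUUID"))
```

Run against real dumps, `ldapsearch -LLL` output for the student and for a known-good peer (with the peer's entry as `OLD_LDIF`) is enough; anything under `missing` is a field the recreate never restored, and anything under `regenerated_ids` is a value to grep for in III's and the Rails app's own user tables and LDAP filters.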