How do I configure multiple user and group bases?
The Users Base and Groups Base fields on the LDAP configuration screen define the root node from which entries are searched. The searches are recursive and traverse the hierarchy starting from those nodes, so if the several paths you need share a common base, you can configure that common value in these fields. For instance, let's assume the following bases:
- CN=Sales,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com
- CN=HR,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com
- CN=Marketing,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com
The path common to all three is CN=Users,DC=test,DC=windows,DC=frevvo,DC=com, and that is what you configure in the Users Base field.
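The following is an added example, not frevvo's code: it computes the common base for a list of DNs by splitting each DN into its RDNs and comparing them from the root (DC=com) toward the leaves, which is the manual step described above done programmatically. Case-insensitive comparison of RDN values is an assumption that holds for CN and DC in Active Directory but may not for every attribute type.

```python
import re

# Constructed sample input: the three bases from the text.
SAMPLE_BASES = [
    "CN=Sales,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com",
    "CN=HR,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com",
    "CN=Marketing,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com",
]


def split_rdns(dn):
    """Split a DN into its RDNs on commas that are not backslash-escaped
    (RFC 4514), stripping whitespace around each component."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def normalize_rdn(rdn):
    """Attribute types are case-insensitive in LDAP; the value is lower-cased
    too, which is an assumption (true for CN and DC in Active Directory)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def common_base(dns):
    """Return the deepest DN that is an ancestor of every DN in `dns`, keeping
    the spelling of the first DN, or '' when they share no suffix at all."""
    if not dns:
        return ""
    # Reverse each RDN list so index 0 is the root component (e.g. DC=com).
    from_root = [list(reversed(split_rdns(dn))) for dn in dns]
    common = []
    for level in zip(*from_root):
        first = normalize_rdn(level[0])
        if all(normalize_rdn(r) == first for r in level[1:]):
            common.append(level[0])
        else:
            break
    # If every DN is the same entry, the useful search base is its parent.
    if all(len(r) == len(common) for r in from_root):
        common = common[:-1]
    return ",".join(reversed(common))


if __name__ == "__main__":
    print(common_base(SAMPLE_BASES))
```

The function stops at the first level where the DNs disagree, so two entries in different domains yield an empty string, which tells you that no single Users Base can cover them.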
Can I have more than one LDAP tenant?
Yes, you can configure as many tenants as you want but they will all share the same configuration.
Can I connect to more than one LDAP server?
That is not supported. You can only connect to one server.
How can I configure the Live Forms designers?
The designers are whatever members are returned by the LDAP filter configured in the property com.frevvo.security.ldap.frevvoDesignersFilter; it can be any valid LDAP filter. One approach used by some customers is to create a group of designers in LDAP (Active Directory, for instance), add members to that group using whatever client is normally used to manage names in your organization, and then reference that group in the filter. For instance:
<Parameter name="com.frevvo.security.ldap.frevvoDesignersFilter" value="(memberOf=CN=FrevvoDesigners,CN=Users,DC=test,DC=windows,DC=frevvo,DC=com)" override="false"/>
This is only one way of approaching it; as stated above, you can write any valid LDAP filter here. The only restriction is that the entries returned are expected to be users; objects of other types (such as groups) are ignored.
If caching is enabled (it is by default), you may need to restart the server for the change to take effect.
LDAP Troubleshooting
If things are not working as you expected:
- The primary source of information is the log file. In most cases the LDAP connector will try to indicate in the logs what the problem is. In the log file, look for lines containing LDAPSecurityManager or FrevvoJNDIRealm.
- It is useful to have an LDAP browser at hand, for instance Apache Directory Studio. With the browser you can:
  - Check that the connection parameters you configured on the LDAP configuration screen are correct.
  - Run queries against LDAP and make sure that the expressions you configured on the LDAP configuration screen are correct and return what you expect.
- If you can't spot the problem and need to contact frevvo support:
  - Stop the server.
  - Go to <frevvo-home>/tomcat/logs/frevvo.log.
  - Follow these steps to change the log level from INFO to DEBUG.
  - Restart the server.
  - Execute the step that is causing the problem.
  - Send the log file (zipped) to Live Forms support (support@frevvo.com) with a description of the problem.
  - Restore the log level to INFO.
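As an added example (not frevvo's code), the script below does the first step above programmatically: it parses frevvo.log, keeps only the lines written by LDAPSecurityManager or FrevvoJNDIRealm, and summarises them by level so the WARN and ERROR lines stand out. The log line layout in SAMPLE_LOG and the messages in it are constructed for this example; frevvo's real format may differ, so adjust LOG_LINE to match your file.

```python
import re
from collections import Counter

LDAP_LOGGERS = ("LDAPSecurityManager", "FrevvoJNDIRealm")

# Assumed layout: "<date> <time> <LEVEL> [<logger>] <message>" (constructed).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Constructed sample log; none of these lines came from a real frevvo.log.
SAMPLE_LOG = """\
2024-01-10 09:15:01,233 INFO  [LDAPSecurityManager] Connecting to ldap://dc1.example.test:389
2024-01-10 09:15:01,412 DEBUG [LDAPSecurityManager] Users base: CN=Users,DC=test,DC=windows,DC=frevvo,DC=com
2024-01-10 09:15:02,005 INFO  [Catalina] Server startup in 1840 ms
2024-01-10 09:16:10,771 WARN  [FrevvoJNDIRealm] Search with filter (sAMAccountName=jsmith) returned no entries
2024-01-10 09:16:10,772 ERROR [LDAPSecurityManager] Authentication failed for 'jsmith': Invalid credentials
"""


def parse_log(text):
    """Return one dict per line that matches LOG_LINE; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def ldap_lines(text):
    """Keep only lines from the LDAP connector's loggers (matched by suffix, so
    a fully qualified class name such as a.b.LDAPSecurityManager also matches)."""
    return [r for r in parse_log(text)
            if any(r["logger"].endswith(name) for name in LDAP_LOGGERS)]


def summarize(text):
    """Count LDAP lines per level and list the WARN/ERROR messages; a DEBUG
    count of zero means the log level was probably never raised to DEBUG."""
    rows = ldap_lines(text)
    return {
        "by_level": dict(Counter(r["level"] for r in rows)),
        "problems": [f"{r['level']} {r['logger']}: {r['msg']}"
                     for r in rows if r["level"] in ("WARN", "ERROR")],
    }


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG)["problems"]:
        print(line)
```

Run it against the real file with `summarize(open(path).read())`; the "problems" list is what to read first, and it is also a useful thing to send along with the zipped log when contacting support.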
Below are some common cases to help with troubleshooting. All of them assume that connectivity is working, meaning that you have tested, from the same box where the server is running, that the connection parameters to the LDAP server you configured on the LDAP configuration screen are correct.
As an admin I can't list the users or groups for the LDAP tenant
This can be a problem with the expression you configured in All Users Filter (for users) and/or All Groups Filter (for groups) on the LDAP configuration screen. Also verify that the search bases are correct in the Users Base (users) and Groups Base (groups) fields. The LDAP browser is useful here: execute a search using the same expressions and bases you configured on the LDAP configuration screen and check that the result is correct.
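The following is an added example, not frevvo's code, serving both the designers filter above and the "All Users Filter / All Groups Filter" check here: a small RFC 4515 filter parser and evaluator run over a constructed directory, restricted to a search base with subtree scope the way the connector's recursive search is. The users_only switch mirrors the rule that the designers filter ignores groups and other object types. The directory contents are constructed; treating objectClass=user as "is a user" and comparing values case-insensitively are assumptions that hold for Active Directory but not necessarily for every server.

```python
import re

# Constructed sample directory (not real data): two users under CN=Users, a
# contractor outside it, the designers group, and a nested group that is itself
# a member of the designers group.
ROOT = "DC=test,DC=windows,DC=frevvo,DC=com"
USERS_BASE = "CN=Users," + ROOT
DESIGNERS_GROUP = "CN=FrevvoDesigners," + USERS_BASE
DESIGNERS_FILTER = "(memberOf=" + DESIGNERS_GROUP + ")"
USER = ["top", "person", "user"]
DIRECTORY = {
    "CN=alice," + USERS_BASE: {"objectClass": USER, "sAMAccountName": ["alice"],
                              "memberOf": [DESIGNERS_GROUP]},
    "CN=bob," + USERS_BASE: {"objectClass": USER, "sAMAccountName": ["bob"], "memberOf": []},
    "CN=carol,OU=Contractors," + ROOT: {"objectClass": USER, "sAMAccountName": ["carol"],
                                       "memberOf": [DESIGNERS_GROUP]},
    DESIGNERS_GROUP: {"objectClass": ["top", "group"],
                      "member": ["CN=alice," + USERS_BASE, "CN=carol,OU=Contractors," + ROOT]},
    "CN=DesignerLeads," + USERS_BASE: {"objectClass": ["top", "group"], "memberOf": [DESIGNERS_GROUP]},
}


def parse_filter(text):
    """Parse an RFC 4515 filter into a nested tuple tree. Supported: (&...),
    (|...), (!...), (attr=value), presence (attr=*) and '*' wildcards in values.
    Escapes such as \\28 are not handled."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            node = (op, children)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("unterminated filter item")
            attr, eq, value = text[pos:end].partition("=")  # first '=' only
            if not attr or not eq:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            node = ("=", attr.strip().lower(), value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values);
    attribute names and values are compared case-insensitively (assumption)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if wanted == "*":
        return bool(values)
    pattern = "^" + ".*".join(re.escape(p) for p in wanted.split("*")) + "$"
    return any(re.match(pattern, v, re.IGNORECASE) for v in values)


def search(directory, base, filter_text, users_only=False):
    """Sorted DNs in the subtree of `base` that match `filter_text`. With
    users_only=True, entries without objectClass 'user' are dropped."""
    node = parse_filter(filter_text)
    base_l = base.lower()
    hits = []
    for dn, entry in directory.items():
        dn_l = dn.lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            continue  # outside the configured search base
        if not matches(node, entry):
            continue
        classes = [c.lower() for c in entry.get("objectClass", [])]
        if users_only and "user" not in classes:
            continue  # groups and other object types are ignored
        hits.append(dn)
    return sorted(hits)
```

Running `search(DIRECTORY, USERS_BASE, DESIGNERS_FILTER, users_only=True)` returns only alice: the DesignerLeads group also carries the memberOf value but is not a user, and carol matches the filter but sits outside the Users Base, which is exactly the kind of mismatch the LDAP browser check is meant to reveal.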
A user that should be a designer logs in but can't design forms
- Login to your LDAP/AD Server.
- Make sure you have a group defined for the designer role and it is named frevvo.Designers.
- Make sure the user having the problem is a member of the frevvo.Designers group.
Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names.
A user that should be an administrator logs in but can't manage the tenant
- Login to your LDAP/AD Server.
- Make sure you have a group defined for the administrator role and it is named FrevvoAdmins.
- Make sure the user having the problem is a member of the FrevvoAdmins group.
Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names.
I can authenticate against LDAP via the Live Forms login page but SSO is not working
- In IIS:
  - Make sure Windows Authentication is enabled in the Default Web App (or the web app used to send requests to the server).
  - Verify that Anonymous Authentication is NOT enabled in the Default Web App (or the web app used to send requests to the server).
- In Live Forms (Tomcat):
  - Open FREVVO_HOME/tomcat/conf/server.xml.
  - Look at the AJP connector configuration.
  - Verify that it has the attribute tomcatAuthentication="false".
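As an added example (not frevvo's code), the script below checks the Tomcat side of this: it parses server.xml, finds every AJP connector and reports any that does not carry tomcatAuthentication="false" (Tomcat's default for that attribute is "true", which makes Tomcat ignore the user name IIS already authenticated). The server.xml fragments are constructed for the example; the only things assumed about frevvo's real file are the Connector element and the attributes named in the text.

```python
import xml.etree.ElementTree as ET

# Constructed fragment with the weak setting: the AJP connector has no
# tomcatAuthentication attribute, so Tomcat falls back to its default, "true".
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed fragment with the corrected setting from the text.
SERVER_XML_AFTER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               tomcatAuthentication="false"/>
  </Service>
</Server>"""


def ajp_connectors(xml_text):
    """All Connector elements whose protocol starts with AJP (e.g. AJP/1.3)."""
    root = ET.fromstring(xml_text)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def check_sso_connectors(xml_text):
    """Return (port, problem) pairs for AJP connectors not ready for IIS SSO.
    An empty list means the check passed."""
    connectors = ajp_connectors(xml_text)
    if not connectors:
        # An AJP connector that is commented out in server.xml is invisible to
        # the XML parser and shows up here as "missing".
        return [(None, "no AJP connector found")]
    problems = []
    for c in connectors:
        value = c.get("tomcatAuthentication", "true")  # Tomcat default is true
        if value.lower() != "false":
            problems.append((c.get("port"),
                             f'tomcatAuthentication is "{value}", expected "false"'))
    return problems


def fix_sso_connectors(xml_text):
    """Return server.xml with tomcatAuthentication="false" on every AJP connector.
    Note that ElementTree drops XML comments when it re-serialises the file."""
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if c.get("protocol", "").upper().startswith("AJP"):
            c.set("tomcatAuthentication", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, problem in check_sso_connectors(SERVER_XML_BEFORE):
        print(f"connector {port}: {problem}")
```

Point `check_sso_connectors` at the contents of FREVVO_HOME/tomcat/conf/server.xml to verify the setting; a "no AJP connector found" result usually means the connector is still commented out, which is the shipped state of recent Tomcat versions.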
Can't login via the Live Forms login page
A common cause is that the distinguished name attribute is incorrect. That attribute is defined by the property com.frevvo.security.ldap.distinguishedNameAttribute. If you can't determine the distinguished name attribute for your system, you can try the fallback strategy described here. Some common distinguished name attributes can be found here.