13-11-2024 05:03 PM
Hello,
users have been unable to connect to the application because there is a problem between the application and the AD.
Explanation:
When a user tries to connect to the application, the user receives this error message
This error message is due to the fact that when the application queries the AD, it cannot find the authentication groups allowing users to connect to the correct environment (ITA or ITPM or etc...).
Context for a user to log in :
To connect, we decided to use user accounts on the AD. On the AD, groups have been set up to manage access rights to the application.
Here, the authentication groups on the application correspond to the AD groups to which the users belong.
(Example: a user in the DL_MEGA_PROD_ITA and DL_MEGA_PROD_ITPM groups will have access to ITA and ITMP data only)
Network :
- Everything is OK at network level. Requests reach AD server, SQL server, etc..
AD:
- No changes have been made to the AD and the teams don't see anything suspicious.
- Only the user that authenticates to the AD is locked when you connect to it with an AD account.
So we tested with a new authentication account (we just created an SRV_LDAP_MEGA2 account (iso of the old SRV_LDAP_MEGA account) and the problem was no longer present.
- The strange thing is that even after changing the user to connect the application to the AD, the old account locked up for no reason, since we were no longer using it in the LDAP server authentication settings. Is it used anywhere other than in the LDAP server authentication settings ?
Application :
- When configuring LDAP server authentication on the application, I use the server name to target the right server.
- When I test the connection between the application and LDAP via the “Verify LDAP” button, it tells me “OK”.
- We wanted to test adding an authentication group, but I don't know how to add one. I can't figure out how to do it
Questions:
- Is this a known anomaly?
- Is the LDAP_MEGA user used elsewhere than in the LDAP server authentication parameters? After changing it, can it still be present in a conf file on the server?
- Is it possible to have documentation on how to add/modify authentication groups?