I’m probably missing something simple here but I can’t figure it out. When I run auth_test.php on AD credentials, I get a successful authentication with “Roles: global-read; admin.” When I delete my user account via the web UI and log in to recreate it, the same account has no roles. Is there anything I should be checking?
perhaps toggle auth_ad_debug false and have another crack?
How do you know the account has no roles when you log in?
In theory if auth_ad_require_groupmembership is true and you didn’t have a group/role you would not be able to log in …
It might not show up in the user-management display bit if it is not writing that back to the db, but if you look at the user preferences there is a roles section …
Toggling debug hasn’t provided much since I’m not getting any errors. auth_test.php still shows a successful login with two roles, and logging into the web gui still provides no roles. I’m not seeing any roles when I look at user management via another account, and when I look through My Settings I see “Roles No roles!”
We could circumvent the issue if global read were enabled by default, but the setting I’m seeing in the docs is coming back invalid
“you may set auth_ad_global_read to 1 and all users will have read only access unless otherwise specified.”
$ lnms config:set auth_ad_global_read 1
This is not a valid setting. Please check your input
Not finding anything about that setting being changed so I might be doing something wrong. ActiveDirectoryAuthorizer.php does check for it. Any way to force the setting into my config?
Worth noting that my install is out of date; I haven’t been able to run daily.sh for a couple months due to corporate security policies.
Ah. Some of the roles stuff is pretty new … so might be worth getting an update in, or setting up a debugging instance and doing your active investigation there.
I don’t have AD in my environment so I can’t attempt to replicate your issue.
It feels like perhaps the roles/groups are not being persisted in the database … or something else.
./lnms config:set --help
will give you option --ignore-checks which will let you set anything you want …
I appreciate that, but I ended up changing a couple lines to get things going. I’ll revisit when corp IT relents. I remember having the same issue when we tried to implement AD authentication last year.