
Authentication - Log-in has been disabled

Status
Not open for further replies.

ysuggs

Technical User
Aug 5, 2013
4
US
We are using OpenText Content Server 10. Recently we have been having issues with users not being able to log in. We use the Directory Service module and IIS authentication (SSO). The administrator is able to log in via the admin page and enable log-in. However, we have to enable the accounts daily. Please advise.
Thanks
 
My guess is that your Directory Synchronization query needs to be checked (or somebody changed the query that was in there, by in-place editing).
I would cut and paste that query and use an LDAP tool like Softerra and see if the query brings the people you want.
Also, you can open a ticket and they will help you with some unsupported ways, if what I suspect is true, like inadvertent tampering of the query.


Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937
Certified OT Developer,Livelink ECM Champion 2008,Livelink ECM Champion 2010
 
Thank you. The information provided was very helpful.
 
It is very easy. For posterity I will document here how it works. I will also use SQL to show the LDAP query so it is easier to follow. Note that you cannot use SQL in the actual query.

Let's say you created a synchronization source called company_master_sync (12345); assume you did this on 01/01/2016. The 12345 is the numeric ID Livelink gives to this sync source.

OK, now the query to the source: "select name from Active_LDAP_Directory where name in ("appu","john","hugh","chris")". If this was successful, LL will record in KUAF all the details you map to "appu", "john", "hugh", "chris". Additionally, in the DS_Config tables it will keep a row for each of these 4 users. If more users need to come into that, there is no harm in editing the query so long as it is in excess of the 4 users, like ("appu","john","hugh","chris","ysuggs"); in this case "ysuggs" will be added. In case "appu" left the org, then AD will not have it, so depending on your LL setup that user can be deleted or put in a login-disabled status. Note that in all cases DS_CONFIG will keep the users owned by that number, so almost think of that "synchronization_source" as owning the people. If you added another source (56789) like this: "select name from Active_LDAP_Directory where name in ("appu","john","hugh","chris")", then even though the result set is retrieved, you will see in the logs something like: skipping "appu" because owned by 12345. Pretty easy to understand, right?

Now let's say a young turk wants to revamp all the things without totally understanding how the code works. He comes and says, "Hmm, that doesn't look right, so let me efficiently make this better", so the 12345 query looks like "select name from Active_LDAP_Directory where name in ("ysuggs","youngturk")", etc. His thinking is: why bring the existing users again and again? So the query runs and the new users get added, and since the rest of the users in the source are not available, LL thinks that they have left the org, so it proceeds to delete or disable them.

So the moral of the story is: try not to change an existing query. If needed, just delete the sync source, bite the bullet and recreate a good query :)






Well, if I called the wrong number, why did you answer the phone?
James Thurber, New Yorker cartoon caption, June 5, 1937
Certified OT Developer,Livelink ECM Champion 2008,Livelink ECM Champion 2010
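
The ownership behaviour described in the post above, as an added example that is not part of the original thread and is not OpenText code. It is a simplified Python model (function names, the in-memory `owners` map and the sample data are assumptions) with a `preflight` check that lists the users an edited query would stop returning before the sync is allowed to run.

```python
# Simplified model of the sync-source ownership behaviour described in the
# post above. Not OpenText code; all names and data here are constructed.

def run_sync(owners, source_id, result_set):
    """Apply one sync run. owners maps user -> owning source id (mutated).
    Returns a dict of added / skipped / disabled user lists."""
    report = {"added": [], "skipped": [], "disabled": []}
    for user in sorted(result_set):
        owner = owners.get(user)
        if owner is None:
            owners[user] = source_id          # new user: this source owns it
            report["added"].append(user)
        elif owner != source_id:
            report["skipped"].append(user)    # already owned by another source
    # Users this source owns but the query no longer returns are treated
    # as having left the organisation (deleted or login-disabled).
    for user, owner in sorted(owners.items()):
        if owner == source_id and user not in result_set:
            report["disabled"].append(user)
    return report


def preflight(owners, source_id, proposed_result):
    """Users owned by source_id that an edited query would stop returning."""
    owned = {u for u, o in owners.items() if o == source_id}
    return sorted(owned - set(proposed_result))


def demo():
    owners = {}
    original = {"appu", "john", "hugh", "chris"}
    first = run_sync(owners, 12345, original)
    widened = run_sync(owners, 12345, original | {"ysuggs"})   # safe edit
    second_source = run_sync(owners, 56789, original)          # all skipped
    narrowed = {"ysuggs", "youngturk"}                         # risky edit
    at_risk = preflight(owners, 12345, narrowed)               # check first
    after_edit = run_sync(owners, 12345, narrowed)
    return first, widened, second_source, at_risk, after_edit


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A non-empty `preflight` result is the signal to stop: those are the accounts that would be disabled by the edited query.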
 