...

The image shows a simple form using the rule above to pull the Employee's First Name, Middle Initial, Last Name, Home Phone and Email Address from Active Directory on the LDAP server.

Multi-valued Attributes

Attributes with more than one value are also supported. For example, the carLicense attribute can return multiple licenses. You can write a rule to populate dropdown options with those values. First, make sure the carLicense attribute is configured in the frevvo.xml file and that multiple values for the carLicense attribute are set up on the LDAP server.

...

Below are some common cases to help with troubleshooting. All of them assume that connectivity is working, meaning that you have tested, from the same box where frevvo is running, that the connection parameters to the LDAP server you configured in frevvo are correct.

As an admin I can't list the users or groups for the LDAP tenant

This can be a problem with the expression you configured in com.frevvo.security.ldap.allUsersFilter (for users) and/or com.frevvo.security.ldap.allGroupsFilter (for groups). Also verify that the search bases are correct: the properties com.frevvo.security.ldap.usersBase (users) and com.frevvo.security.ldap.groupsBase (groups). The LDAP Browser is useful here. Execute a search using the same expression and bases you configured in frevvo and check whether the result is correct.
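
The search described above can also be run from the command line. This added example (not frevvo's own code) reads the LDAP parameters from a frevvo.xml-style fragment, rejects a filter with unbalanced parentheses, and prints the OpenLDAP ldapsearch commands for the configured users and groups searches. The host name in the sample is constructed, and load_params, filter_is_balanced and search_commands are hypothetical helper names.

```python
import shlex
import xml.etree.ElementTree as ET

PREFIX = "com.frevvo.security.ldap."

# Constructed sample: a fragment in the style of this page's frevvo.xml parameters.
SAMPLE = """<Context>
<Parameter name="com.frevvo.security.ldap.connection.url" value="ldap://ldap.example.test:389" override="false"/>
<Parameter name="com.frevvo.security.ldap.connection.name" value="cn=admin,dc=test,dc=frevvo,dc=com" override="false"/>
<Parameter name="com.frevvo.security.ldap.usersBase" value="DC=test,DC=frevvo,DC=com" override="false"/>
<Parameter name="com.frevvo.security.ldap.groupsBase" value="DC=test,DC=frevvo,DC=com" override="false"/>
<Parameter name="com.frevvo.security.ldap.allUsersFilter" value="(objectClass=person)" override="false"/>
<Parameter name="com.frevvo.security.ldap.allGroupsFilter" value="(|(objectClass=groupOfUniqueNames)(objectClass=organizationalRole))" override="false"/>
</Context>"""

def load_params(xml_text):
    """Map short property name -> value for every com.frevvo.security.ldap.* Parameter."""
    root = ET.fromstring(xml_text)
    return {p.get("name")[len(PREFIX):]: p.get("value", "")
            for p in root.iter("Parameter")
            if p.get("name", "").startswith(PREFIX)}

def filter_is_balanced(flt):
    """Cheap syntax check: wrapped in parentheses and every '(' has a matching ')'."""
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")

def search_commands(params):
    """Build one ldapsearch argv per (base, filter) pair; raise on a malformed filter."""
    cmds = {}
    for kind, base_key, filter_key in (("users", "usersBase", "allUsersFilter"),
                                       ("groups", "groupsBase", "allGroupsFilter")):
        flt = params[filter_key]
        if not filter_is_balanced(flt):
            raise ValueError(f"{PREFIX}{filter_key} is not a well-formed filter: {flt!r}")
        # -W prompts for the bind password; "1.1" asks for DNs only, no attributes.
        cmds[kind] = ["ldapsearch", "-x", "-H", params["connection.url"],
                      "-D", params["connection.name"], "-W",
                      "-b", params[base_key], flt, "1.1"]
    return cmds

if __name__ == "__main__":
    for kind, argv in search_commands(load_params(SAMPLE)).items():
        print(f"# {kind}\n{shlex.join(argv)}")
```

If a printed command returns no entries when run from the frevvo box, the filter or base is the problem rather than connectivity.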

A user that should be a designer logs in but can't design forms

...

  1. Login to your LDAP/AD Server.
  2. Make sure you have a group defined for the designer role and it is named FrevvoDesigners.
  3. Make sure the user having the problem is a member of the FrevvoDesigners group.

Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names below. 

A user that should be an administrator logs in but can't manage the tenant

 

  1. Login to your LDAP/AD Server.
  2. Make sure you have a group defined for the designer role and it is named FrevvoAdmins.
  3. Make sure the user having the problem is a member of the FrevvoAdmins group. 

Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names below. 

I can authenticate against LDAP via the Live Forms login page but SSO is not working

...

  1. In IIS:
    1. Make sure Windows Authentication is set in the Default Web App (or the web app used to send requests to frevvo).
    2. Verify that Anonymous Authentication is NOT set in the Default Web App (or the web app used to send requests to frevvo).
  2. In frevvo:
    1. Open FREVVO_HOME/tomcat/conf/server.xml.
    2. Look at the AJP connector configuration.
    3. Verify that it has the attribute tomcatAuthentication="false".
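
The server.xml check in the last step can be scripted. This added example (not part of the original documentation) parses a server.xml and reports every AJP connector whose tomcatAuthentication is not "false". The sample file content and ports are constructed, and ajp_connectors and sso_problems are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (ports are illustrative).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8082" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" tomcatAuthentication="false"/>
  </Service>
</Server>"""

def ajp_connectors(server_xml):
    """Return (port, tomcatAuthentication) for every AJP connector.

    Tomcat treats a missing tomcatAuthentication attribute as "true", so the
    attribute has to be present and set to "false" for the user that IIS
    authenticated to be accepted.
    """
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Matches "AJP/1.3" as well as protocol class names containing "ajp".
        if "ajp" in conn.get("protocol", "").lower():
            value = conn.get("tomcatAuthentication", "true").strip().lower()
            found.append((conn.get("port"), value))
    return found

def sso_problems(server_xml):
    """List human-readable findings; an empty list means the check passed."""
    connectors = ajp_connectors(server_xml)
    if not connectors:
        # A connector that is commented out is invisible to the parser.
        return ["no AJP connector defined"]
    return [f'AJP connector on port {port}: tomcatAuthentication="{val}", expected "false"'
            for port, val in connectors if val != "false"]

if __name__ == "__main__":
    for line in sso_problems(SAMPLE_SERVER_XML) or ["AJP connector configuration OK"]:
        print(line)
```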

Can't login via the Live Forms login page

...

A common cause is that the distinguished name attribute is incorrect. That attribute is defined by the property com.frevvo.security.ldap.distinguishedNameAttribute. If you can't determine the distinguished name attribute for your system, you can try the fallback strategy described here. Some common distinguished name attributes can be found here.

Problems with Mixed or Uppercase User Names

...

Configure frevvo.internal.baseurl in frevvo.xml for LDAP SSO

 

This parameter is needed in frevvo.xml for various activities such as accessing the ACL page, publishing templates, resetting tasks, etc. Let's say you have a browser signed in via SSO to machine m1 (port 80). IIS is running on m1 (port 80), redirecting /frevvo/web to frevvo running on m2:8082. The browser submits a form to m1, and IIS redirects to m2:8082. The doc action is a frevvo:// URI which gets resolved to http://m1/frevvo/... frevvo POSTs to this URI, but m1 rejects the POST since it is not authenticated.

To avoid situations such as these, set frevvo.internal.baseurl to the actual host:port of the frevvo server. Follow these steps:

...

Warning

If your system is configured for LDAP SSO, the upload and video controls may exhibit the following behaviors:

  1. Uploading an image to an upload control in a form that is accessed via a Space on an iPad will not work. The "uploading...." snake image is seen continuously. This issue will be addressed in a future version of frevvo.
  2. The video control will ask for credentials again when the form is loaded if you are using the Firefox browser. In IE9, you will see the message "This web-page wants to run the following add-on: 'Windows Media Player' from 'Microsoft Corporation'. What's the risk?" Enter your credentials or run the add-on to proceed. A potential solution is to set up IIS so that it does not require re-authentication for every single request.

 

 

Active Directory Sample Configuration

...

<Parameter name="com.frevvo.security.ldap.connection.url" value="ldap://[your server]:[port, typically the default is 389 ]" override="false"/>  
<Parameter name="com.frevvo.security.ldap.connection.name" value="cn=admin,dc=test,dc=frevvo,dc=com" override="false"/> 
<Parameter name="com.frevvo.security.ldap.connection.password" value="[user password]" override="false"/> 
<Parameter name="com.frevvo.security.ldap.usersBase" value="DC=test,DC=frevvo,DC=com" override="false"/>  
<Parameter name="com.frevvo.security.ldap.groupsBase" value="DC=test,DC=frevvo,DC=com" override="false"/> 
<Parameter name="com.frevvo.security.ldap.userIdDisplayAttribute" value="uid" override="false"/> 
<Parameter name="com.frevvo.security.ldap.groupIdDislayAttribute" value="entryDN" override="false"/> 
<Parameter name="com.frevvo.security.ldap.notifications" value="true" override="false"/>  
<Parameter name="com.frevvo.security.ldap.allGroupsFilter" value="(|(objectClass=groupOfUniqueNames)(objectClass=organizationalRole))" override="false"/> 
<Parameter name="com.frevvo.security.ldap.allUsersFilter" value="(objectClass=person)" override="false"/>        
<Parameter name="com.frevvo.security.ldap.distinguishedNameAttribute" value="entryDN" override="false"/>    
<Parameter name="com.frevvo.security.ldap.groupMemberAttribute" value="uniqueMember" override="false"/> 
<Parameter name="com.frevvo.security.ldap.userMemberOfAttribute" value="" override="false"/>    
<Parameter name="com.frevvo.security.ldap.firstNameAttribute" value="cn" override="false"/> 
<Parameter name="com.frevvo.security.ldap.lastNameAttribute" value="sn" override="false"/> 
<Parameter name="com.frevvo.security.ldap.emailAttribute" value="mail" override="false"/>  

...


LDAP Configuration Properties

These are the properties used to configure the LDAP connector. The properties in bold are required.

...