...

Code Block
carLicense.options=JSON.parse(_data.getParameter('subject.carLicense'));

LDAP Troubleshooting

If things are not working as you expected:

  1. The primary source of information is the Live Forms log file. In most cases, the LDAP connector will try to indicate what the problem is in the logs. In the log file, look for lines with LDAPSecurityManager or FrevvoJNDIRealm.
  2. It is useful to have an LDAP browser at hand, for instance, the Apache Directory Studio. With the browser you can:
    1. Check if the connection parameters that you configured in Live Forms are correct.
    2. Run queries against LDAP and make sure that the expressions you configured in Live Forms are correct and returning what you expect.
  3. If you can't spot the problem and need to contact frevvo support:
    1. Stop Live Forms.
    2. Go to <frevvo-home>/tomcat/logs/frevvo.log.
    3. Follow these steps to change the log level from INFO to DEBUG.
    4. Restart Live Forms.
    5. Execute the steps that are causing problems.
    6. Send the log file (zip) to Live Forms support (support@frevvo.com) with a description of the problem.
    7. Restore the log level to INFO.

Below are some common cases to help with troubleshooting. All of them assume that the connectivity is working, meaning that you tested, from the same box where Live Forms is running, that the connection parameters to the LDAP server you configured in Live Forms are correct.

As an admin I can't list the users or groups for the LDAP tenant

This can be a problem with the expression you configured in com.frevvo.security.ldap.allUsersFilter (for users) and/or com.frevvo.security.ldap.allGroupsFilter (for groups). Also verify that the search bases are correct: properties com.frevvo.security.ldap.usersBase (users) and com.frevvo.security.ldap.groupsBase (groups). The LDAP browser is useful here. Execute a search using the same expression and bases you configured in Live Forms and check if the result is correct.

A user that should be a designer logs in but can't design forms

  1. Log in to your LDAP/AD Server.
  2. Make sure you have a group defined for the designer role and it is named FrevvoDesigners.
  3. Make sure the user having the problem is a member of the FrevvoDesigners group.

Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names below. 

A user that should be an administrator logs in but can't manage the tenant

  1. Log in to your LDAP/AD Server.
  2. Make sure you have a group defined for the designer role and it is named FrevvoAdmins.
  3. Make sure the user having the problem is a member of the FrevvoAdmins group. 

Another potential issue is case sensitivity. Please refer to the topic Mixed or Upper case User Names below. 

I can authenticate against LDAP via the Live Forms login page but SSO is not working

  1. In IIS:
    1. Make sure Windows Authentication is set in the Default Web App (or the web app used to send requests to Live Forms).
    2. Verify that Anonymous Authentication is NOT set in the Default Web App (or the web app used to send requests to Live Forms).
  2. In Live Forms:
    1. Open FREVVO_HOME/tomcat/conf/server.xml.
    2. Look at the AJP connector configuration.
    3. Verify that it has the attribute tomcatAuthentication="false".

Can't login via the Live Forms login page

A common cause is that the distinguished name attribute is incorrect. That attribute is defined by the property com.frevvo.security.ldap.distinguishedNameAttribute. If you can't determine the distinguished name attribute for your system, you can try the fallback strategy described here. Some common distinguished name attributes can be found here.

Problems with Mixed or Uppercase User Names

Info

Live Forms user names are case sensitive; the user name johndoe is not the same as JohnDoe. Several LDAP systems are case insensitive. Thus the two user names would resolve to the same LDAP account but to different Live Forms user accounts.

To avoid case issues follow these three steps described in more detail below:

  1. Set com.frevvo.security.ldap.ignoreCase to true.
  2. Set frevvo.login.userid.case to lower.
  3. Convert control values to lower case if they are used in workflow routing to a specific user.

The first issue is caused by how the user logs in. For instance, if John Stevens' LDAP account is JStevens but he logs in as jstevens, he will be recognized by the case-insensitive LDAP and thus granted access, but he will not be recognized as a designer or as a tenant admin by Live Forms. To solve this, set the property com.frevvo.security.ldap.ignoreCase to true.

To prevent issues you could always log in to Live Forms using lower case jstevens. LDAP will grant access as it is case insensitive, and Live Forms will know that you may have the designer or admin special permission. However, users can forget to do this. To force this, configure the Live Forms web.xml parameter frevvo.login.userid.case by adding the <context-param> lines you see below. You can specify a value of either lower or upper.

Code Block
<context-param>     
    <param-name>frevvo.login.userid.case</param-name>     
    <param-value>lower</param-value>     
    <description>Force all login user ids to upper or lower case</description> 
</context-param>
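
The two configuration checks described on this page (the AJP connector attribute in server.xml for SSO, and the frevvo.login.userid.case parameter in web.xml) can be verified with a script. The following is an added example, not code from frevvo; the sample files are constructed, the function names are hypothetical, and it assumes an AJP connector without the attribute falls back to Tomcat's default of true.

```python
import xml.etree.ElementTree as ET

# Constructed sample files; ports and layout are illustrative, not from a real install.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8082" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""
SERVER_XML_FIXED = SERVER_XML.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" tomcatAuthentication="false"')
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>frevvo.login.userid.case</param-name>
    <param-value>lower</param-value>
  </context-param>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix: '{ns}param-name' -> 'param-name'."""
    return tag.rsplit("}", 1)[-1]

def check_ajp_connectors(server_xml):
    """List AJP connectors that do not carry tomcatAuthentication="false"."""
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector")
           if "ajp" in c.get("protocol", "").lower()]
    if not ajp:
        return ["no AJP connector defined"]
    findings = []
    for c in ajp:
        # An absent attribute means Tomcat's default (true) applies.
        value = c.get("tomcatAuthentication", "true").strip().lower()
        if value != "false":
            findings.append(f"AJP connector on port {c.get('port', '?')}: "
                            f"tomcatAuthentication={value}")
    return findings

def login_case_setting(web_xml):
    """Return the frevvo.login.userid.case value from web.xml, or None."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "context-param":
            fields = {local(ch.tag): (ch.text or "").strip() for ch in el}
            if fields.get("param-name") == "frevvo.login.userid.case":
                return fields.get("param-value")
    return None

if __name__ == "__main__":
    print(check_ajp_connectors(SERVER_XML))
    print(check_ajp_connectors(SERVER_XML_FIXED))
    print(login_case_setting(WEB_XML))
```

To run it against a real installation, pass the contents of the server.xml and web.xml files in place of the constructed strings.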

...