LDAP and AD integration


Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 7:41 pm

What kind of server is this (i.e. Windows, Ubuntu, Redhat)?
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby HerrNilsson » Wed Nov 28, 2012 7:46 pm

Finally got it working. My DNS didn't find my domain.local, so I edited the hosts file.

Anyhow, could I disable the option where the user authenticates towards the Subsonic server?
Because if I lock an AD account it still works, and if I change the password in AD it is still the old one.

Ubuntu Server btw.
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby sir2u » Wed Nov 28, 2012 8:26 pm

I suspected it was a DNS thing. A better solution is to check /etc/nsswitch.conf and edit the line for hosts so that the first 2 entries are files and dns.
By default mdns4_minimal is before dns, so this will break domains with a .local suffix. You want the line to look like this:
hosts: files dns mdns4_minimal [NOTFOUND=return] mdns4

I posted a tutorial for LDAPS, AD, and Ubuntu at http://forum.subsonic.org/forum/viewtopic.php?f=6&t=9426. Step 13 addresses the issue with user accounts.
Last edited by sir2u on Fri Dec 07, 2012 3:18 pm, edited 1 time in total.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby HerrNilsson » Thu Nov 29, 2012 7:26 am

I see. Thanks!

I've lowered the sync to 30 secs.

How does it work with password recovery?
If an AD-integrated user restores his password, will it automatically change to the AD password again after the sync?
Because the manager account I use is just a domain user and cannot change anything in my AD.
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby sir2u » Thu Nov 29, 2012 12:37 pm

30 seconds might be too low. I think it gets very spammy in your subsonic log file. There might be a way to turn down the verbosity, but I haven't looked for it.

Subsonic is using LDAP to read account information from your domain controller. Users won't be able to perform any kind of AD account management through subsonic. The user cache option controls how frequently subsonic will pull a record from AD rather than relying on its internal cache. In your case, it could take subsonic up to 30 seconds to reflect any password changes.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm
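The cache window described above, as a small model. This is an added example, not Subsonic's code and not the setting the posters are changing: it stands in a time-limited user cache in front of a directory and shows that an account disabled in AD, or a password changed there, keeps working against the cached record until the entry expires, while a fresh bind on every login is refused at once. The directory, the account "hnilsson", its passwords and the 3600-second TTL are constructed for the demo.

```python
"""Model of a time-limited user cache in front of the directory.

Added example, not Subsonic's code. It shows the window sir2u describes:
a record pulled from AD is reused until the cache entry expires, so a lock
or password change made in AD is not seen until then. The directory, the
account "hnilsson" and the 3600-second TTL are constructed for the demo.
"""
import hashlib
import hmac


def _h(password):
    return hashlib.sha256(password.encode()).hexdigest()


class Directory:
    """Stand-in for the domain controller (constructed, not a real DC)."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> {"password_hash": str, "disabled": bool}

    def fetch(self, username):
        """Read the account record, as an LDAP search would (returns a copy)."""
        rec = self.accounts.get(username)
        return dict(rec) if rec else None

    def bind(self, username, password):
        """Simple bind: the DC itself rejects disabled accounts and wrong passwords."""
        rec = self.accounts.get(username)
        if rec is None or rec["disabled"]:
            return False
        return hmac.compare_digest(rec["password_hash"], _h(password))


class CachingAuthenticator:
    """Checks the password against a cached copy of the record for `ttl` seconds,
    the pattern that lets a disabled account or an old password keep working."""

    def __init__(self, directory, ttl, clock):
        self.directory, self.ttl, self.clock = directory, ttl, clock
        self.cache = {}  # username -> (expires_at, record)

    def _record(self, username):
        now = self.clock()
        hit = self.cache.get(username)
        if hit and now < hit[0]:
            return hit[1]                      # cache hit: AD is not consulted
        rec = self.directory.fetch(username)
        if rec:
            self.cache[username] = (now + self.ttl, rec)
        return rec

    def login(self, username, password):
        rec = self._record(username)
        if rec is None or rec["disabled"]:
            return False
        return hmac.compare_digest(rec["password_hash"], _h(password))


class BindAuthenticator:
    """Binds against the directory on every login; nothing is cached."""

    def __init__(self, directory):
        self.directory = directory

    def login(self, username, password):
        return self.directory.bind(username, password)


def stale_window_demo(ttl=3600):
    """Log in, then lock the account and change its password in the directory,
    and record what each authenticator answers 30 s later and after the TTL."""
    now = [0.0]                                # fake clock, advanced by hand
    directory = Directory({"hnilsson": {"password_hash": _h("old-pw"), "disabled": False}})
    cached = CachingAuthenticator(directory, ttl, lambda: now[0])
    bind = BindAuthenticator(directory)
    result = {"initial": cached.login("hnilsson", "old-pw")}
    # Admin disables the account and sets a new password in AD.
    directory.accounts["hnilsson"].update(disabled=True, password_hash=_h("new-pw"))
    now[0] += 30
    result["cached_after_30s"] = cached.login("hnilsson", "old-pw")   # True: stale record
    result["bind_after_30s"] = bind.login("hnilsson", "old-pw")       # False: DC refuses
    now[0] += ttl
    result["cached_after_ttl"] = cached.login("hnilsson", "old-pw")   # False: record refreshed
    return result
```

Calling `stale_window_demo(ttl=30)` instead shows what a 30-second cache buys: the same login attempt at 30 s is already refused. Whatever the TTL, the only configuration in which a lock in AD takes effect immediately is one where each login binds to the directory rather than comparing against a cached record.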

Re: LDAP and AD integration

Postby HerrNilsson » Thu Nov 29, 2012 1:49 pm

Exactly. Therefore I've deleted the "Forgot password" link :).

Thank you for all your help!
HerrNilsson
 
Posts: 60
Joined: Fri Aug 17, 2012 5:13 am

Re: LDAP and AD integration

Postby djriffic » Fri Dec 07, 2012 4:52 am

What is the userAccountControl part of your filter supposed to do?

HerrNilsson wrote:
    I have a test account called "testaccount" under DOMAIN.LOCAL --> Domain --> Accounts
    And I have a group called "test" under DOMAIN.LOCAL --> Domain --> Groups
    The test account is a member of the test group.

    I've specified the following in Subsonic:

    LDAP URL: ldap://dc01.domain.local:389/dc=domain,dc=local
    LDAP search filter: (&(sAMAccountName={0})(&(objectCategory=user)(!(userAccountControl=514))(memberof=cn=test,ou=Groups,ou=domain,dc=spofify,dc=local)))
    LDAP manager DN: cn=ldap,ou=Accounts,ou=Domain,dc=domain,dc=local
YOU!!! miss 100% of all opportunities that you don't look into or give a chance!
http://thegeek.mobi
djriffic
 
Posts: 5
Joined: Fri Dec 07, 2012 12:33 am
Location: Sarasota, Florida
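The userAccountControl question above goes unanswered in the thread. 514 is 0x200 (NORMAL_ACCOUNT) plus 0x2 (ACCOUNTDISABLE), so `(!(userAccountControl=514))` is meant to keep disabled accounts out, but it only excludes accounts whose flags are exactly that value; a disabled account that also has "password never expires" set (0x10202 = 66050) passes straight through. The idiomatic AD filter uses the bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=2)`, which tests the disable bit alone. The following is an added example, not Subsonic's or any poster's code: a small evaluator for the filter subset used in this thread, run over constructed entries. The domain dc=example,dc=com, the group "subsonic" and the four user names are assumptions.

```python
"""Evaluate a Subsonic-style LDAP search filter against in-memory AD entries.

Added example, not Subsonic's or any poster's code. It parses the RFC 4515
filter subset used in this thread (&, |, !, equality and the extensible
bitwise-AND match) and runs it over constructed entries to show why
(!(userAccountControl=514)) misses most disabled accounts.
"""
import re

ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD = 0x2, 0x200, 0x10000
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (here the
    username replacing {0}), so '*', '(' or ')' cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Tuple tree: ('&'|'|', [children]), ('!', child), ('eq', attr, value)
    or ('ext', attr, rule_oid, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|!":
        children, i = [], i + 2
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter at offset %d" % i)
        return (op, children[0] if op == "!" else children), i + 1
    end = s.index(")", i)            # an escaped ')' appears as \29, so this is safe
    item = s[i + 1:end]
    if ":=" in item:                 # attr:matchingRuleOID:=value
        attr_rule, value = item.split(":=", 1)
        attr, rule = attr_rule.split(":", 1)
        return ("ext", attr, rule, _unescape(value)), end + 1
    attr, value = item.split("=", 1)
    return ("eq", attr, _unescape(value)), end + 1


def _values(entry, attr):
    """Attribute names are case-insensitive; always return a list."""
    v = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return v if isinstance(v, list) else [v]


def matches(node, entry):
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "eq":                 # AD compares names and DNs case-insensitively
        return any(str(v).lower() == node[2].lower() for v in _values(entry, node[1]))
    assert node[2] == BIT_AND_RULE, "only the bitwise-AND rule is modelled"
    mask = int(node[3])
    return any(int(v) & mask == mask for v in _values(entry, node[1]))


GROUP = "cn=subsonic,ou=Groups,dc=example,dc=com"   # assumed group DN
# Same shape as the quoted filter: exact-value test on 514.
EXACT_514 = ("(&(sAMAccountName={0})(objectCategory=user)"
             "(!(userAccountControl=514))(memberOf=%s))" % GROUP)
# Bitwise test: excludes every entry with the ACCOUNTDISABLE bit set.
BIT_AND = ("(&(sAMAccountName={0})(objectCategory=user)"
           "(!(userAccountControl:%s:=%d))(memberOf=%s))" % (BIT_AND_RULE, ACCOUNTDISABLE, GROUP))


def _entry(name, uac, group="CN=subsonic,OU=Groups,DC=example,DC=com"):
    # objectCategory is kept in the short form the filter uses; a real DC
    # expands it to the schema DN on both sides of the comparison.
    return {"sAMAccountName": name, "objectCategory": "user",
            "userAccountControl": uac, "memberOf": [group]}


USERS = [  # constructed sample entries
    _entry("alice", NORMAL_ACCOUNT),                                          # 512: enabled
    _entry("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                           # 514: disabled only
    _entry("carol", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD),  # 66050: also disabled
    _entry("dave", NORMAL_ACCOUNT, "CN=staff,OU=Groups,DC=example,DC=com"),   # enabled, wrong group
]


def find_user(filter_template, username, entries=USERS):
    """Substitute the escaped username for {0}, as the Subsonic placeholder
    is used, and return the sAMAccountNames that match."""
    tree = parse_filter(filter_template.replace("{0}", escape_filter_value(username)))
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]
```

`find_user(EXACT_514, "carol")` returns her even though the account is disabled; `find_user(BIT_AND, "carol")` does not. Two caveats a practitioner should keep in mind: the value dropped into `{0}` must be escaped, or a username containing `*` or `)` rewrites the filter; and an account that is merely locked out after bad password attempts is not reflected in the stored userAccountControl at all, so neither filter sees it. Lockouts are enforced when the user's own bind is attempted at the DC, which is the other reason the cache interval discussed earlier matters.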

Re: LDAP and AD integration

Postby djriffic » Fri Dec 07, 2012 5:05 am

I just wanted to share what was working for me. Maybe it will help someone.

Code:
LDAP URL:            ldap://dc0.thegeek.mobi:/dc=thegeek,dc=mobi
LDAP search filter:  (&(sAMAccountName={0})(&(objectCategory=user)(memberof=cn=subsonic,ou=security_groups,dc=thegeek,dc=mobi)))
LDAP manager:        cn=subuserauth,ou=secs,dc=thegeek,dc=mobi


I have my search filter modified to only allow users that belong to the group subsonic to use Subsonic.
I haven't messed with LDAPS yet, but when I get that successfully finished I will.

HOWEVER, things that I've noticed during testing that don't work:
    a user must have the "domain user" group along with the subsonic group to be authenticated
    once a user is created in Subsonic, if you deactivate them, remove the subsonic group or do anything in the DC to prohibit access, access is still granted. I think this is because the user is already authorized to use Subsonic by Subsonic, so it's not re-questioning whether they're in the group.
djriffic
 
Posts: 5
Joined: Fri Dec 07, 2012 12:33 am
Location: Sarasota, Florida

Re: LDAP and AD integration

Postby sir2u » Fri Dec 07, 2012 12:25 pm

The account is cached by Subsonic for a ridiculous amount of time. You have to change the cache time value to something more reasonable in order for changes to take effect in a shorter amount of time. You could also restart the Subsonic service and the changes will take effect immediately.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm

Re: LDAP and AD integration

Postby djriffic » Fri Dec 07, 2012 2:53 pm

Wow, that's awesome to know. Do you know where those changes should be made?
djriffic
 
Posts: 5
Joined: Fri Dec 07, 2012 12:33 am
Location: Sarasota, Florida

Re: LDAP and AD integration

Postby sir2u » Fri Dec 07, 2012 3:16 pm

Read a few posts up in this thread. I explained it there. Hopefully that solves your issue.
sir2u
 
Posts: 48
Joined: Mon Oct 11, 2010 9:44 pm
