LDAP Authentication / external vs internal authentication

Hi there,

I have a question concerning "better practices" in the context of using SQ with internal authentication plus external auth via LDAP with Active Directory (in the sense of: extending the user base by integrating AD users without manually setting them up PLUS handling the current users' auth via LDAP instead of local auth).

All current users and groups that are in use were created by hand … They have the same email address and username as the AD account, BUT they were created with a manually chosen password that is different from the AD one.

I have now set up the possibility of looking up users via LDAP, and that works … but now I am trying to find out more about how to configure this beast correctly.

Any helpful suggestions? I would like to not restart from scratch :innocent: :pray:


P.S.: Probably diluting the topic to put this in here, but it fits my problem:

I have played around with my own "normal" account and I am having trouble there, too:

  • first I deactivated my user
  • then, after activating LDAP and restarting SQ, I had trouble because of "email already in use" (because of 10 other dummy accounts that I had put my mail in :roll_eyes:)
  • after deleting all email references I was able to log in with AD credentials :ok_man:
  • but with no group, because handling group lookup is difficult :roll_eyes:
  • also my AD account got locked because of too many invalid auth attempts (somehow :interrobang:)

After deactivating AD auth I had to deactivate my user again to re-create it in local auth.
When now logging in with the normal user, in web.log I am greeted with slightly conflicting messages:

[auth.event] login success                       [method|FORM] [provider|LOCAL|local][IP|$ipadress|][login|$username]
[auth.event] login failure [cause|wrong password][method|BASIC][provider|LOCAL|local][IP|$ipadress|][login|$username]

Would someone maybe be able to explain the [method|FORM] vs [method|BASIC] thing? :nerd_face:
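As an added example (not part of the original post and not SonarQube's own code): a small Python script that parses `[auth.event]` lines in the shape quoted above and groups them by login, method and outcome. The `method` field names the mechanism the request used (the web login form for FORM, an HTTP `Authorization: Basic` header for BASIC), so a user who succeeds via FORM while failures pile up under BASIC from another IP usually points at a second client (IDE, scanner, script) replaying stored credentials; repeated failures like that are also the kind of pattern worth checking when an AD account gets locked. The log lines, usernames and IPs below are constructed for the example; the parser anchors on `[auth.event]`, so a leading timestamp or logger prefix on each line does not matter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape shown in the post (made-up users and IPs, not real output).
SAMPLE_LOG = """\
[auth.event] login success                       [method|FORM][provider|LOCAL|local][IP|10.0.0.5|][login|jdoe]
[auth.event] login failure [cause|wrong password][method|BASIC][provider|LOCAL|local][IP|10.0.0.7|][login|jdoe]
[auth.event] login failure [cause|wrong password][method|BASIC][provider|LOCAL|local][IP|10.0.0.7|][login|jdoe]
[auth.event] login failure [cause|wrong password][method|BASIC][provider|LOCAL|local][IP|10.0.0.7|][login|jdoe]
[auth.event] login success [method|BASIC][provider|LOCAL|local][IP|10.0.0.9|][login|ci-bot]
[auth.event] login failure [cause|wrong password][method|FORM][provider|LOCAL|local][IP|10.0.0.5|][login|asmith]
some unrelated web.log line that must be ignored
"""

# "login success" / "login failure" followed by one or more [key|value] fields.
EVENT_RE = re.compile(
    r"\[auth\.event\] login (?P<outcome>success|failure)\s*(?P<fields>(?:\[[^\]]*\]\s*)+)"
)
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+)\|(?P<value>[^\]]*)\]")


def parse_event(line):
    """Return a dict like {'outcome': 'failure', 'method': 'BASIC', 'login': 'jdoe', ...} or None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {"outcome": m.group("outcome")}
    for f in FIELD_RE.finditer(m.group("fields")):
        # Values may carry extra '|'-separated parts ("LOCAL|local") or a trailing '|' ("10.0.0.5|");
        # the first component is the one worth grouping on.
        event[f.group("key")] = f.group("value").split("|")[0]
    return event


def summarize(log_text):
    """Count (method, outcome) per login and record the IPs behind each login's failures per method."""
    per_login = defaultdict(Counter)
    failing_ips = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or "login" not in ev or "method" not in ev:
            continue
        per_login[ev["login"]][(ev["method"], ev["outcome"])] += 1
        if ev["outcome"] == "failure":
            failing_ips[(ev["login"], ev["method"])].add(ev.get("IP", "?"))
    return per_login, failing_ips


def mixed_outcome_logins(per_login):
    """Logins that have at least one success and at least one failure (any method).

    A user who logs in fine via FORM while some BASIC client keeps failing is exactly
    the 'conflicting messages' pattern from the post."""
    result = []
    for login, counts in per_login.items():
        succ = sum(n for (_, o), n in counts.items() if o == "success")
        fail = sum(n for (_, o), n in counts.items() if o == "failure")
        if succ and fail:
            result.append(login)
    return sorted(result)


def report(log_text):
    per_login, failing_ips = summarize(log_text)
    lines = []
    for login in sorted(per_login):
        for (method, outcome), n in sorted(per_login[login].items()):
            ips = ",".join(sorted(failing_ips.get((login, method), []))) if outcome == "failure" else "-"
            lines.append(f"{login:10} {method:6} {outcome:8} {n:3}  failing IPs: {ips}")
    return lines


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
    print("logins with both successes and failures:", mixed_outcome_logins(summarize(SAMPLE_LOG)[0]))
```

Feed it the real web.log instead of `SAMPLE_LOG` (for example `summarize(open("web.log").read())`) and look first at logins listed by `mixed_outcome_logins`; the failing IPs tell you which machine is sending the BASIC requests.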