Remove Continua CI from Windows domain

Hi guys,

is there a viable way to remove an existing Continua CI installation from an Active Directory? Our ContinuaCI installation is connected to an Active Directory domain and all users log in using their Windows domain credentials. We have to disconnect Continua CI from our domain and switch to form based authentication. Are there any caveats that would prevent this or would require a fresh install with an empty database?

Kind regards

Kay Zumbusch

Hi Kay,

You can switch to forms based authentication by editing the server configuration file (%ProgramFiles%\VSoft Technologies\ContinuaCI\Server\Continua.Server.Service.exe.config). Locate the authentication node under configuration -> continua-configuration and change the mode attribute to “Forms”.

e.g. 

<authentication mode="Forms" />

After restarting the Continua CI Server service, the users linked to Active Directory will be disabled. If there are no current forms authentication administrators then Continua CI will show the Welcome page in the web browser allowing you to create a new administrator account.

The list of Active Directory users will then be shown greyed out on the Users administration page. You can then edit these users to un-link from Active Directory or delete them and add new forms authentication users.

If you have a lot of users and you want to keep their user preferences, permissions and group membership, then you can run the following SQL query on the database to change the existing Active Directory user accounts to forms authentication user accounts.

PostgreSQL: 

UPDATE core_user
SET ldapsid = NULL,
username = LEFT(username, POSITION('@' IN username)-1)
WHERE archived = false
AND ldapsid IS NOT NULL
AND POSITION('@' IN username) > 0
AND LEFT(username, POSITION('@' IN username)-1) NOT IN (SELECT username FROM core_user);

SQL Server:

UPDATE core_user
SET ldapsid = NULL,
username = LEFT(username, CHARINDEX('@', username)-1)
WHERE archived = 0
AND ldapsid IS NOT NULL
AND CHARINDEX('@', username) > 0
AND LEFT(username, CHARINDEX('@', username)-1) NOT IN (SELECT username FROM core_user);

This query will remove the link to Active Directory and cut the domain from the end of the username. Each user will then need to reset their password before logging in, so ensure that the email publisher is set up and working.

Note: We recommend that you take a backup of the database first, so you can roll back if there are any problems.
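
A read-only preview of what the PostgreSQL UPDATE above would do, as an added example that is not part of the original reply; it uses only the table and columns named in the thread (core_user, username, ldapsid, archived). It also flags two domain accounts that shorten to the same name, which the NOT IN check does not catch because it compares against the usernames as they were before the statement ran.

```sql
-- Added example: dry run for the PostgreSQL UPDATE in this thread.
-- Nothing is modified; run it before the UPDATE and review the output.

-- 1. Every account the UPDATE would consider, with its predicted outcome.
WITH candidates AS (
    SELECT username AS current_username,
           LEFT(username, POSITION('@' IN username) - 1) AS new_username
    FROM core_user
    WHERE archived = false
      AND ldapsid IS NOT NULL
      AND POSITION('@' IN username) > 0
),
name_counts AS (
    -- How many candidates shorten to the same name (e.g. the same
    -- account name in two different domains).
    SELECT new_username, COUNT(*) AS n
    FROM candidates
    GROUP BY new_username
)
SELECT c.current_username,
       c.new_username,
       CASE
           -- Same test as the UPDATE's NOT IN clause: the short name is
           -- already taken, so this account stays linked to the directory.
           WHEN EXISTS (SELECT 1 FROM core_user u
                        WHERE u.username = c.new_username)
               THEN 'skipped: short name already exists'
           -- Not detected by the UPDATE itself: all of these rows would be
           -- rewritten to the same username in one statement.
           WHEN n.n > 1
               THEN 'collision: several accounts map to this name'
           ELSE 'will be converted'
       END AS outcome
FROM candidates c
JOIN name_counts n ON n.new_username = c.new_username
ORDER BY outcome, c.new_username;

-- 2. Directory-linked accounts the UPDATE never touches because the
--    username has no '@'; these remain disabled until edited by hand.
SELECT username
FROM core_user
WHERE archived = false
  AND ldapsid IS NOT NULL
  AND POSITION('@' IN username) = 0;

-- 3. A NULL username anywhere in core_user makes NOT IN match no rows,
--    so the UPDATE would silently convert nobody. Expect 0 here.
SELECT COUNT(*) AS null_usernames FROM core_user WHERE username IS NULL;
```

Rows reported as skipped or as a collision need a manual decision on the Users administration page before or after the bulk change.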





Hi Dave,

thanks for the info and especially the database scripts. That removes the guessing work on my side. I did not consider keeping users’ privileges until now. During a test run I just reinstalled Continua CI and changed the authentication type using the setup wizard. I guess I will still do that after manually changing the authentication method as the setup will properly configure the local user for the ContinuaCI services.

Kind regards

Kay Zumbusch

Hi Kay,

You can either rerun the installer or set the service account directly in the Services control panel. The user account will need “log on as service” permissions which the installer will automatically set. The installer requires the format domain\user for the service user - you can enter a local user as machinename\username. 

Note that the Server service user will need full access to the data share folder and Agent service user(s) will need read and write access to the data share via UNC.