Marco_UK1
1 Copper

DPA 6 using Windows Domain Authentication


Hi to all

I am trying to get our new DPA 6.x server to use AD as authentication like we did with version 5.8, however it is not working properly.

The following error message is shown inside the log:

2014-02-18 11:21:02,049 WARN  [com.emc.apollo.command.ldapconfig.LDAPAuthenticationStrategy] (Thread-51476 (HornetQ-client-global-threads-3  71363177)) Error occurred while testing user authentication.: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0  C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name   'DC=XXXX,DC=XXXXXX,DC=XXXX'

Any suggestions?

Regards,

Marco

0 Kudos
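Added example (not part of the original thread and not EMC code): a small parser for the Active Directory error string in the log line above. LDAP result code 1 with extended code 000004DC means an operation was sent on a connection that had not completed a bind, which AD rejects by default; the second sample is constructed here to show the different signature of a bind that was attempted and refused.

```python
import re

# Bracketed Active Directory error as it appears inside a javax.naming exception.
AD_ERR = re.compile(
    r"\[LDAP: error code (?P<ldap>\d+) - (?P<code>[0-9A-Fa-f]{8}): LdapErr: "
    r"(?P<dsid>DSID-[0-9A-Fa-f ]+?), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+\]"
)

def diagnose(line):
    """Return a dict describing the AD LDAP failure in a log line, or None."""
    m = AD_ERR.search(line)
    if m is None:
        return None
    ldap = int(m["ldap"])
    code = int(m["code"], 16)
    data = int(m["data"], 16)
    if ldap == 1 and code == 0x4DC:
        # LDAP operationsError + Win32 ERROR_NOT_AUTHENTICATED (1244):
        # a search or other operation was sent on a connection that never
        # completed a bind, i.e. it was still anonymous.
        cause = "operation attempted without a successful bind"
    elif ldap == 49 and data == 0x52E:
        # LDAP invalidCredentials + Win32 ERROR_LOGON_FAILURE (1326):
        # a bind was attempted, but the DN or password was rejected.
        cause = "bind rejected: bad DN or password"
    else:
        cause = "unclassified"
    # Drop the stray spaces the page rendering left inside the DSID.
    dsid = m["dsid"].replace(" ", "")
    return {"ldap_result": ldap, "code": code, "data": data,
            "dsid": dsid, "cause": cause}

# Exception text from the post above (domain components masked by the poster;
# the gap inside the DSID is how the page renders it).
FROM_POST = ("javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
             "LdapErr: DSID-0  C0906E8, comment: In order to perform this "
             "operation a successful bind must be completed on the connection., "
             "data 0, v1db1]; remaining name 'DC=XXXX,DC=XXXXXX,DC=XXXX'")
# Constructed sample of the other common case, for contrast (not from the thread).
CONSTRUCTED = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
               "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext "
               "error, data 52e, v1db1]")

if __name__ == "__main__":
    for sample in (FROM_POST, CONSTRUCTED):
        print(diagnose(sample))
```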
1 Solution

Accepted Solutions
Marco_UK1
1 Copper

Re: DPA 6 using Windows Domain Authentication


Hi

Hi Roland

Many thanks for the tips.

I believe the documentation of the product must be improved - I always suffer with DPA regarding its documentation and end up in here for help - which is not a bad thing (i.e. being in here on the forum), however I think EMC should improve the documentation of the product. (Thumbs down for EMC in this respect - see my other post about Firewall Ports)

We need to use Anonymous Bind because our user names must change their password very frequently and putting a user on "User Properties" will become unmanageable (i.e. the user password gets changed, authentication on DPA for everybody gets compromised, etc).

Ok, I've managed to get this working for now (more tests needed and I will be doing this very soon):

1) Reason one that it wasn’t working:

The documentation explicitly states, and I quote:

"If you have installed DPA on a UNIX environment and are authenticating to a Microsoft Active Directory LDAP server, you cannot connect to the Windows machine using SSL."

I assume the LINUX installation can be considered as "UNIX" in this context.

However, no matter what I put in the fields, Anonymous Bind or not, Auto Login or not, it didn’t work.

So, using/ticking "Use SSL", even though we were told by the documentation that "we cannot connect", was the ONLY way the Domain Controller (in our environment) accepted the connection (DPA version 6.1.0 Build 81945).

2) The use of "username or DN of the user"

The user name doesn’t work, it must be the DN - what a pain this is EMC!

But it is working (for now!) so I forgive you guys!

3) Auto Login

No need (and for now we are not going to use it anyway)

4) How it works in our environment

As per 3, we will not be using (and I repeat for now) auto login

So, to work properly we add the user locally on DPA with Authentication Type LDAP

ISSUE: the Logon Name doesn’t support the "_" character - which we use a lot around here, so matching the "local login" and the DN name became impossible - EMC, could you please look at that?

Example that works for our environment (DPA 6.1.0 Build 81945 running on Linux 64 bits)

Admin -> User & Security (tab) -> Manage Users -> Create user

Name = John Smith

Logon Name = E123457ADM    -->>> John's domain name as ADM is E123457_ADM but "_" is not permitted in here!

External Name = CN=John Smith,OU=Admin Accounts,OU=Admin,OU=MSP01,DC=xxx,DC=xxxx,DC=xxxx

    If you are wondering: no, the CN=E123457_ADM doesn’t work

Role = Administrator   (We need John to be a local Admin on DPA)

Authentication Type = LDAP

The configuration under "Manage External Authentication"

Use LDAP Authentication = ticked

Host Properties

    Server = x.x.x.x   (I've used the IP of the Domain)

    Use SSL = ticked

    Port = 636

    LDAP Version = 2

    Base Name = DC=xxx,DC=xxxx,DC=xxx   (put your domain name in here)

    Identification Attribute = sAMAccountName

    Anonymous Bind = ticked

    User Properties = all clear

Auto Login Properties

    Enable Auto Login = this is UNTICKED!

When clicking the "Test User" button:

Username = CN=John Smith,OU=Admin Accounts,OU=Admin,OU=MSP01,DC=xxx,DC=xxxx,DC=xxxx
Password = put John's password in here

I hope this will help when someone is searching on the subject.

Thank you all

Regards,


Marco


0 Kudos
3 Replies
RLIM
1 Copper

Re: DPA 6 using Windows Domain Authentication


Hi Marco,

I did run into issues setting this up myself and found that I ran into problems when using the Anonymous Bind.

Can you please advise if you are using Anonymous Bind and if you have been able to validate the User specified in the User Properties fields?

I did also find that the Auto Login Properties were required to be set to ensure that a Test User could be established correctly.

1 more thing that I had to double check was the correct specifications used in the Base Name, User Name in User Properties and in the Auto Log in Properties the Group Base Name.  I had checked these against the Item Properties within AD.

An example for the Base Name: "OU=Client Users,OU=Users,DC=Example,DC=Domain,DC=COM".

An example for the Username for User Properties: "CN=Admin,OU=Users,DC=Example,DC=Domain,DC=COM".

An example for the Group Base within the Auto log in: "OU=Users,DC=Example,DC=Domain,DC=COM".

Hope the above information helps and you can resolve validating a user.

If you are still having issues, please provide your configuration details.

Regards

Roland

ElvinKan
2 Iron

Re: DPA 6 using Windows Domain Authentication


Hi Marco

Thanks for the update, I will notify the doc writers with your feedback.

-E

0 Kudos