mjsnyder1

Unable to get LDAP working on InsightIQ 4.1.1

We have AD on Win3k8R2 serving up our LDAP. It has the Unix extensions installed. After entering our LDAP information...:

  • LDAP server: ldap://server.example.com
  • Base search entry: dc=example,dc=com
  • Bind entry: ldap_user
  • Bind password: ********

...And pressing Submit, I get the Configuration Saved message.

However, when I attempt to add a group, I am not able to find anything. The optional settings are left as default.

Which log should I be looking at to trace this? What might the problem be?

14 Replies
patrick_lynch

Re: Unable to get LDAP working on InsightIQ 4.1.1

InsightIQ 4.1.1 introduced integrated LDAP support, but there is a known issue regarding the level of flexibility in the LDAP lookup that IIQ is performing. Since there are variances in how RFC 2307 Unix extensions can be implemented in AD (that is, there is no formal compliance required), IIQ needs to be more flexible in its lookup.

Please file a bug report with the details of your experience. This will aid our investigations and efforts to create a fix for a future maintenance release.


Re: Unable to get LDAP working on InsightIQ 4.1.1

Hello,

I have had the same issue integrating InsightIQ 4.1.1.3 with Windows Server 2016 Active Directory.

The issue is the default attributes.

For LDAP implementations the defaults are:

  • posixAccount
  • posixGroup

For Active Directory you need to change them to:

  • Object Class for users: user
  • Object Class for groups: group

This will allow you to add AD groups to Read-Only and Administrator roles but I still cannot login to IIQ using my AD account. The scope for the user and group search and group membership is correct.

isilon_guru

Re: Unable to get LDAP working on InsightIQ 4.1.1

I am having the same issue as Mark_Strong. It's added the group as Administrator but won't allow me to log in.

patrick_lynch

Re: Unable to get LDAP working on InsightIQ 4.1.1

Just to clarify, AD is not technically supported (even with RFC2307 extensions), though there are ways to get it to work with IIQ.  This forum is a good way to share experiences, so thanks for your post!

kbaryeh

Re: Unable to get LDAP working on InsightIQ 4.1.1

Thanks Mark, this has been very helpful...been struggling to get it to work for a few months now. Would be nice if changing the object class was in the install document somewhere.

Chris1213

Re: Unable to get LDAP working on InsightIQ 4.1.1

Same issue after being able to add groups with the correct objectClass (user, group). I am not able to log in; it says:

Log in attempt failed. Please try again.

I am trying to log in with my sAMAccountName and userPrincipalName. I even tried DOMAIN\username... Nothing works.

Any idea?

arivano_ilp

Re: Unable to get LDAP working on InsightIQ 4.1.1

I can also add groups just fine using the modified Object Classes but none of the accounts can login.

Did anyone get this working with AD?


Re: Unable to get LDAP working on InsightIQ 4.1.1

I became curious about getting AD authentication on the InsightIQ server working. A bit of googling got me to this article pointing to a similar issue with another LDAP server and the shortcomings of InsightIQ's LDAP configuration:

http://vstrong.info/2017/06/07/isilon-insightiq-and-opendj-ldap-intergration/

Essentially, to get it working, change the Python security file to look at the 'sAMAccountName' attribute instead of the hardcoded 'uid' one:

  1. Edit /usr/share/isilon/lib/python2.7/site-packages/insightiq/controllers/security.py
  2. Change the following two lines (from uid to sAMAccountName):

        # Search for specified user
        search_str = self.ldap_service.filter_format(
            '(&(objectClass=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
            #'(&(objectClass=%s)(uid=%s))',            # original line, commented out
            [user_object_class, username])
        search_dn = user_dn if user_dn else search_base
        group_dn = group_dn if group_dn else search_base
        conn.search(search_dn, search_str)
        if len(conn.entries) > 0:
            # Try to re-bind connection with found user
            full_dist_name = conn.entries[0].entry_get_dn()
            conn.user = full_dist_name
            conn.password = password
            if not conn.bind():
                log.info('LDAP login failed: Invalid credentials by user %s.', username)
                conn.unbind()
                return (False, None)
            # Group roles list is sorted by role with admin groups first
            for group in self.ldap_service.fetch_group_roles():
                # Search for membership of specified user in privileged group
                # This should cover all RFC 2307 compliant AD servers
                search_str = self.ldap_service.filter_format(
                    #'(&(objectClass=%s)(memberOf=%s)(uid=%s))',            # original line, commented out
                    '(&(objectClass=%s)(memberOf=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
                    [user_object_class, group['dn'], username])
                conn.search(search_dn, search_str)

  3. Reboot server

- John Fjeldberg
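To see why both changes in this thread are needed (Mark_Strong's object-class change so that groups can be added, and John Fjeldberg's uid-to-sAMAccountName change so that a user can actually log in), here is an offline simulation of the login path that security.py walks: search for the user, re-bind as the DN that was found, then test memberOf against each role group. This is an added example written for this thread, not InsightIQ or Dell code: the directory entries, the password table, the minimal filter engine and the filter_format stand-in are all constructed for the illustration, and it is written for Python 3 rather than the Python 2.7 that ships with IIQ. The shipped defaults (posixAccount/uid) find nothing in an AD tree because the sample entries carry objectClass 'user' and sAMAccountName, not posixAccount and uid, which is exactly the "Log in attempt failed" symptom reported above.

```python
"""Offline simulation of InsightIQ's LDAP login path against a constructed AD tree.
Added illustration, not InsightIQ code: everything below is a stand-in."""
import re

# Constructed sample entries shaped like AD objects. Note: no posixAccount, no uid.
DIRECTORY = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["jdoe"],
        "userPrincipalName": ["jdoe@example.com"],
        "memberOf": ["CN=IIQ-Admins,OU=Groups,DC=example,DC=com"],
    },
    "CN=IIQ-Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=Jane Doe,OU=Staff,DC=example,DC=com"],
    },
}
# Stand-in for the server-side bind check; a real DC verifies the password itself.
PASSWORDS = {"CN=Jane Doe,OU=Staff,DC=example,DC=com": "correct horse battery"}
SEARCH_BASE = "DC=example,DC=com"
# Role groups as fetch_group_roles() would list them, admin groups first (assumed shape).
GROUP_ROLES = [{"dn": "CN=IIQ-Admins,OU=Groups,DC=example,DC=com", "role": "administrator"}]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def filter_format(template, args):
    """RFC 4515-escape each argument before %s substitution, so a username such as
    '*' or 'a)(b=*' cannot change the filter's structure (stand-in for IIQ's helper)."""
    return template % tuple("".join(_ESCAPES.get(c, c) for c in a) for a in args)

def _value_regex(raw):
    """Assertion value -> regex: '*' is a wildcard, '\\XX' is a literal character."""
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+|\\", raw):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\") and len(tok) == 3:
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def search(base, filter_str):
    """Return DNs under `base` matching an '(&(a=v)(b=v)...)' filter, the only shape IIQ builds."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_str)
    assertions = []
    for item in re.findall(r"\(([^()]*)\)", m.group(1)):
        attr, _, value = item.partition("=")
        assertions.append((attr.lower(), _value_regex(value)))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        lowered = {k.lower(): v for k, v in attrs.items()}   # LDAP attribute names are case-insensitive
        if all(any(rx.fullmatch(v) for v in lowered.get(attr, [])) for attr, rx in assertions):
            hits.append(dn)
    return hits

def bind(dn, password):
    return PASSWORDS.get(dn) == password

def authenticate(username, password, user_object_class="user", uid_attr="sAMAccountName", escape=True):
    """Mirror security.py: find the user, re-bind as that DN, then test memberOf per role group.
    escape=False shows what happens if the username were interpolated without filter_format."""
    fmt = filter_format if escape else (lambda t, a: t % tuple(a))
    found = search(SEARCH_BASE, fmt("(&(objectClass=%s)(" + uid_attr + "=%s))", [user_object_class, username]))
    if not found:
        return (False, None)          # no entry matched: the 'Log in attempt failed' case
    if not bind(found[0], password):
        return (False, None)          # 'Invalid credentials'
    for group in GROUP_ROLES:
        hit = search(SEARCH_BASE, fmt("(&(objectClass=%s)(memberOf=%s)(" + uid_attr + "=%s))",
                                      [user_object_class, group["dn"], username]))
        if hit:
            return (True, group["role"])
    return (True, None)               # bound, but in no role group

if __name__ == "__main__":
    print(authenticate("jdoe", "correct horse battery", "posixAccount", "uid"))  # shipped defaults
    print(authenticate("jdoe", "correct horse battery"))                         # after both edits
```

The escape flag is there for the one point worth keeping in mind when hand-editing this file: the username must keep going through filter_format (or an equivalent escape) so that a value like `*` stays a literal and cannot widen the search to an arbitrary first entry; with escaping in place the only accepted identifier is the one that matches sAMAccountName exactly.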


Re: Unable to get LDAP working on InsightIQ 4.1.1