
April 18th, 2017 14:00

Unable to get LDAP working on InsightIQ 4.1.1

We have AD on Win3k8R2 serving up our LDAP. It has the Unix extensions installed. After entering our LDAP information...:

  • LDAP server: ldap://server.example.com
  • Base search entry: dc=example,dc=com
  • Bind entry: ldap_user
  • Bind password: ********

...And pressing Submit, I get the Configuration Saved message.

However, when I attempt to add a group, I am not able to find anything. The optional settings are left as default.

Which log should I be looking at to trace this? What might the problem be?

April 19th, 2017 15:00

InsightIQ 4.1.1 introduced integrated LDAP support, but there is a known issue regarding the level of flexibility in the LDAP lookup that IIQ is performing. Since there are variances in how RFC 2307 Unix extensions can be implemented in AD (that is, there is no formal compliance required), IIQ needs to be more flexible in its lookup.

Please file a bug report with the details of your experience. This will aid our investigations and efforts to create a fix for a future maintenance release.


August 18th, 2017 03:00

Hello,

I have had the same issue integrating InsightIQ 4.1.1.3 with Windows Server 2016 Active Directory.

The issue is the default attributes.

For LDAP implementations the defaults are:

  • Object Class for users: posixAccount
  • Object Class for groups: posixGroup

For Active Directory you need to change them to:

  • Object Class for users: user
  • Object Class for groups: group

This will allow you to add AD groups to the Read-Only and Administrator roles, but I still cannot log in to IIQ using my AD account. The scope for the user and group search and group membership is correct.

August 18th, 2017 07:00

I am having the same issue as Mark_Strong. It's added the group as Administrator but won't allow me to log in.

August 18th, 2017 09:00

Just to clarify, AD is not technically supported (even with RFC 2307 extensions), though there are ways to get it to work with IIQ. This forum is a good way to share experiences, so thanks for your post!


August 21st, 2017 04:00

Thanks Mark, this has been very helpful. I've been struggling to get it to work for a few months now. It would be nice if changing the object class was in the install document somewhere.


August 23rd, 2017 08:00

Same issue after being able to add groups with the correct objectClass values (user, group). I am not able to log in; it says:

Log in attempt failed. Please try again.

I am trying to log in with my sAMAccountName and my userPrincipalName. I even tried DOMAIN\username. Nothing works.

Does anyone have any idea?


September 14th, 2017 04:00

I can also add groups just fine using the modified Object Classes, but none of the accounts can log in.

Did anyone get this working with AD?


September 18th, 2017 22:00

I became curious about getting AD authentication on the InsightIQ server working. A bit of googling got me to this article, which points to a similar issue with another LDAP server and the shortcomings of InsightIQ's LDAP configuration:

http://vstrong.info/2017/06/07/isilon-insightiq-and-opendj-ldap-intergration/

Essentially, to get it working, change the Python security file to look at the 'sAMAccountName' attribute instead of the hardcoded 'uid' one:

  1. Edit /usr/share/isilon/lib/python2.7/site-packages/insightiq/controllers/security.py
  2. Change the following two lines (from uid to sAMAccountName):

```python
# Search for specified user
search_str = self.ldap_service.filter_format(
    '(&(objectClass=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
    # '(&(objectClass=%s)(uid=%s))',  # comment out
    [user_object_class, username])
search_dn = user_dn if user_dn else search_base
group_dn = group_dn if group_dn else search_base
conn.search(search_dn, search_str)
if len(conn.entries) > 0:
    # Try to re-bind connection with found user
    full_dist_name = conn.entries[0].entry_get_dn()
    conn.user = full_dist_name
    conn.password = password
    if not conn.bind():
        log.info('LDAP login failed: Invalid credentials by user %s.', username)
        conn.unbind()
        return (False, None)
    # Group roles list is sorted by role with admin groups first
    for group in self.ldap_service.fetch_group_roles():
        # Search for membership of specified user in privileged group
        # This should cover all RFC 2307 compliant AD servers
        search_str = self.ldap_service.filter_format(
            # '(&(objectClass=%s)(memberOf=%s)(uid=%s))',  # comment out
            '(&(objectClass=%s)(memberOf=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
            [user_object_class, group['dn'], username])
        conn.search(search_dn, search_str)
```

  3. Reboot server

- John Fjeldberg
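To show why the default lookup finds nothing against AD and what the sAMAccountName swap changes, here is an added example of my own (not IIQ's security.py and not from the vstrong.info article): it builds the same `(&(objectClass=...)(attr=...))` filters with RFC 4515 value escaping (the job `filter_format` does in IIQ) and evaluates them against a constructed two-entry directory with a small stdlib-only matcher that understands equality-only AND filters. The entry DNs, attribute values and group DN are made up.

```python
import re

# Constructed sample directory: an AD "user" object (what IIQ sees against AD) and
# an RFC 2307 posixAccount (what IIQ's defaults expect). Attribute names are
# stored lower-cased because LDAP attribute names are case-insensitive.
SAMPLE_ENTRIES = {
    "CN=Jane Doe,OU=Staff,DC=example,DC=com": {
        "objectclass": ["top", "person", "user"],
        "samaccountname": ["jdoe"],
        "memberof": ["CN=IIQ Admins,OU=Groups,DC=example,DC=com"],
    },
    "uid=jdoe,ou=People,dc=example,dc=com": {
        "objectclass": ["top", "posixAccount"],
        "uid": ["jdoe"],
    },
}

def filter_escape(value):
    """RFC 4515 escaping of an assertion value (what IIQ's filter_format does)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(*assertions):
    """AND filter from (attribute, value) pairs, e.g. IIQ's user lookup filter."""
    return "(&%s)" % "".join("(%s=%s)" % (a, filter_escape(v)) for a, v in assertions)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(attrs, ldap_filter):
    """Evaluate an equality-only AND filter against one entry's attributes."""
    body = ldap_filter[2:-1] if ldap_filter.startswith("(&") else ldap_filter
    for attr, value in re.findall(r"\(([^=()]+)=([^()]*)\)", body):
        present = [v.lower() for v in attrs.get(attr.lower(), [])]
        if _unescape(value).lower() not in present:
            return False
    return True

def find_user(entries, object_class, login_attr, username):
    """First DN matching the lookup, or None (IIQ then reports a failed login)."""
    flt = build_filter(("objectClass", object_class), (login_attr, username))
    return next((dn for dn, attrs in entries.items() if matches(attrs, flt)), None)

def in_role_group(entries, object_class, login_attr, username, group_dn):
    """The membership lookup IIQ runs per role group, with the same attribute swap."""
    flt = build_filter(("objectClass", object_class), ("memberOf", group_dn),
                       (login_attr, username))
    return any(matches(attrs, flt) for attrs in entries.values())
```

With object class `user` but the default `uid` attribute the AD entry is never found, which is exactly the "Log in attempt failed" symptom above; the escaping also shows why a login name containing filter metacharacters cannot widen the search.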


September 19th, 2017 01:00


September 19th, 2017 14:00

Ha, I didn't even see you posted the article, @mark_strong. Thanks for that; I would not have figured it out without it!


September 20th, 2017 01:00

Thank you, John1978.
It is the same approach: you need to amend the Object Class for users and groups for IIQ to read AD properly, and then edit the config file for IIQ to query the right parameters.

I will publish a detailed article shortly.


September 26th, 2017 07:00

I will be glad to see that article when it is released.

October 11th, 2017 10:00

Thanks, John1978.

Exactly what I needed to get this working!


February 16th, 2018 01:00

InsightIQ 4.1.2 released:

https://support.emc.com/docu87838_Isilon-InsightIQ-4.1.2-Release-Notes.pdf?request=akamai

Quite a few improvements regarding LDAP and Active Directory integration:

Resolved issues

  • 216372: If a user, within InsightIQ, changed the IP or FQDN of the LDAP server being used for authentication while still referencing the same server, InsightIQ might have stopped allowing any users to log in from that LDAP server. This issue can now be addressed by re-adding the previously configured group authorizations.
  • 209335: InsightIQ group membership used the "memberOf" attribute to identify all LDAP groups a user belonged to. The InsightIQ group membership now uses the "memberOf", "isMemberOf", and "sAMAccountName" attributes to support a wider range of LDAP and Active Directory configurations.
