NMC: LDAP authentication for Console users
Hi All,
I am trying to configure Networker (7.5.2) such that an LDAP group of users will be able to log in to the console. I have so far followed the instructions provided in Networker. However, I have become stuck whilst setting up the LDAP users and am in need of assistance as I am not sure where I'm going wrong. I'm using a service account that's used to browse the AD.
This is how I've filled the fields:
authority name : domainename.net
provider server name: 142.28.12.1 (Domain Controller)
distinguished name: CN=service-account,OU=myOU2,OU=MainOU,OU=JDW,OU=Asia,OU=Earth,DC=AE,DC=chevrontexaco,DC=net
password: ******************** (password of service account)
user search path: OU=Groups27,OU=Groups,OU=JDW,OU=Asia,OU=Earth,DC=AE,DC=domainename,DC=net
group search path: OU=Groups27,OU=Groups,OU=JDW,OU=Asia,OU=Earth,DC=AE,DC=domainename,DC=net
user id attribute: allowedUsers
Group Object Class: group
Group Member attribute: Member
Protocol: ldap
Port Number: 389
This is the error message I get:
Error Bad Search filter encounter while verifying userID "allowedUsers" attribute
Thanks in Advance for your assistance.
R_Friberg
34 Posts
0
August 24th, 2010 23:00
Hi,
We have set up NMC with AD integration and it works fine for us. The values that differ from our setup are under advanced:
User id attribute: sAMAccountName
User object class: person
Regards
Rickard
Rodders1
24 Posts
0
August 23rd, 2010 07:00
I changed the user id attribute to "uid=allowedUsers" and I am now getting the following error message:
No entry in hierarchy 'OU=Groups27,OU=Groups,OU=JDW,OU=Asia,OU=Earth,DC=AE,DC=domainename,DC=net' has an attribute "allowedUsers"
And this is all despite that group being present in the above directory.
Rodders1
24 Posts
0
August 24th, 2010 08:00
Is the fact that I am accessing the group with a service account part of the problem?
If anyone has successfully configured LDAP authentication for the Console, could they please send me an example of the correct configuration?
Thanks in advance.
Rodders1
24 Posts
0
August 25th, 2010 04:00
Thanks Rickard.
The information provided cleared up a few things although I have some questions regarding your setup.
Did you use a service account for distinguished name? I tried using the group name and for password one of the group's members and that didn't work.
Does sAMAccountName have to be a single string? Ours is a string with many spaces between the characters.
Does Person have to be a member of that group?
Cheers and thanks in advance.
Rodney
R_Friberg
34 Posts
1
August 25th, 2010 05:00
Hi Rodders,
Yes, we use a service account for distinguished name. sAMAccountName is a single string, no spaces. Person is the name of the field in AD. As far as I understood this is not very important though. You can check out the field help by clicking the question mark in NMC; it describes what should go into each field and is pretty good.
Good luck
Rickard
Rodders1
24 Posts
0
August 25th, 2010 07:00
Rickard,
It almost works! However, on the last page when configuring the Console Security Administrator role, I have no idea what's the correct value to insert.
I tried:
sAMAccountName, console user, console application administrator and console security administrator without success. I also tried a username that's a member of the group in AD and all I got was External Role <> invalid.
Also I was wondering if the LDAP user had been added correctly to the Networker Administrator group as this is the format I used:
user=LDAP_riwq, host=domain.net (where the NMC is hosted) with riwq being a member of the AD group that I want to allow access to NMC via LDAP authentication.
Many thanks for the assistance you've already given me.
Regards,
Rodney
R_Friberg
34 Posts
1
August 25th, 2010 22:00
Hi,
You should only add the accounts that you want to be console security administrators. You add accounts by just writing the name of the account, one per line, with capitals. Note that the account must be in the OU you set up in the field User Search Path.
Cheers
Rickard
Rodders1
24 Posts
0
August 26th, 2010 09:00
Thanks, Configuration works.
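The lookup the posts above converge on, as an added example that is not part of any post and is not NetWorker's code: a simplified model of an LDAP subtree search showing why the user ID attribute must be a real attribute name (such as sAMAccountName) and why the account must sit under the User Search Path. The directory entries, the example.net DNs and the function names are constructed for illustration.

```python
import re

DIRECTORY = [  # constructed sample entries, not from the thread
    {"dn": "CN=Rodney W,OU=Users27,DC=example,DC=net",
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["riwq"]},
    {"dn": "CN=allowedUsers,OU=Groups27,DC=example,DC=net",
     "objectClass": ["top", "group"], "sAMAccountName": ["allowedUsers"],
     "member": ["CN=Rodney W,OU=Users27,DC=example,DC=net"]},
]

def under(dn, base):
    """True if dn is the base itself or sits below it (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def build_filter(object_class, id_attr, login):
    """The filter a client would send for one login attempt."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, id_attr, escape_filter_value(login))

def search(base, object_class, id_attr, login):
    """Return DNs under base that match the object class and ID attribute."""
    hits = []
    for entry in DIRECTORY:
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        if not under(entry["dn"], base):
            continue  # outside the configured search path
        classes = [c.lower() for c in attrs["objectclass"]]
        if object_class.lower() not in classes:
            continue
        values = [v.lower() for v in attrs.get(id_attr.lower(), [])]
        if login.lower() in values:
            hits.append(entry["dn"])
    return hits

if __name__ == "__main__":
    users = "OU=Users27,DC=example,DC=net"
    groups = "OU=Groups27,DC=example,DC=net"
    print(build_filter("person", "sAMAccountName", "riwq"))
    print(search(users, "person", "sAMAccountName", "riwq"))   # found
    print(search(groups, "person", "sAMAccountName", "riwq"))  # wrong OU
    print(search(users, "person", "allowedUsers", "riwq"))     # no such attribute
```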
Yury_Sazonov
7 Posts
0
January 21st, 2011 01:00
Hi everybody!
I have the same problem with LDAP authentication and Networker 7.6, so would you help me, please?
First of all, would you describe to me what the correct value of the field <<User Object Class>> is?
In knowledgebase article https://solutions.emc.com/emcsolutionview.asp?id=esg105187 this value is "user" (without quotes), but R.Friberg advised the value "person" (without quotes).
Then, it's not clear to me what I must type in the field <<External Role>>. I understand that here I must enter a list of users or groups which would have admin rights, but how do I do it?
I tried to enter my account name in different formats: jsazonov, jsazonov@domain.com, domain/jsazonov in lowercase and uppercase - but without any good results. I always get the error message "External role is invalid".
Rodders1
24 Posts
0
January 21st, 2011 02:00
Hi Mate,
I left the User Object Class field blank.
An External Role is required because that person would have the rights to edit the Login Authentication and pretty much administer the NMC settings.
I suggest looking at the mapping you put for User Search Path, go there in Active Directory, find your account and enter it as it is.
If your User ID Attribute is sAMAccountName, then whatever you enter in the External Roles has to be a sAMAccountName value.
Hope this helps, as I am also coming to terms and understanding of NMC under LDAP authentication.
P.S. Does anyone know how to debug the login process under LDAP authentication?
Yury_Sazonov
7 Posts
0
January 21st, 2011 04:00
Hi, Rodders.
As I already wrote, the problem was on the "External Role" page.
Thank you for help, now it works.
Best regards.
btan22
1 Message
0
April 12th, 2012 07:00
Hi, Anyone managed to resolve this? Thanks.
Bebo2k
544 Posts
0
April 12th, 2012 16:00
Hi btan22,
Would you please open a new discussion thread and mention what problem you are having, along with the error message you received? You can for sure reference this Answered thread in your new discussion.
Thanks,
Ahmed Bahaa