
August 12th, 2014 01:00

PolicyManager 6.6 with AD integration

Hi all,

Has anybody successfully installed PM 6.6 with AD integration? Yes, I have the product guide and I followed it step by step.

I face several problems, but the good thing is I can recreate them in my lab with the same issues:

1. Any change in the AD (adding a user to the APS* groups) corrupts the local DB; after stopping and starting the "EMC SRS Policy Manager Database", the aps.log shows

"ERROR 2014-08-12 10:15:11,166 [InitializationFilter]: Error in initialization com.axeda.apm.services.managers.users.UserNotFoundException: apsadmin"

2. The PM shows "LDAP is in "Read Only" state. Axeda Policy Server will be unable to make changes to users until "Write" access is granted"

The apsadmin and the installation account have write access on the LDAP (for sure, both are Domain Admins).

Any hints are welcome...

Thanks and regards,

Ludger


August 13th, 2014 01:00

Thanks Doxx,

the hint to "NOT define Roles and Profiles" was very helpful; now the local DB looks much more stable.

Regards,

Ludger


August 12th, 2014 12:00

Per the documentation (Policy Manager 6.6 Operations Guide), the Policy Manager needs to have write access to AD to be able to manage (create) users and groups. To do this it MUST be using Windows AD over SSL (LDAPS) AND must also have write access to AD. This means that the user used to bind to AD must have the write permissions; the process for configuring this is in the Policy Manager Operations Guide. Also, you MUST have the following groups in AD before installing the Policy Manager: APSAdmins, APSUsers and APSRoles, unless you are using custom groups.

The use of customer-defined groups is also explained in the Policy Manager Operations Guide. The Policy Manager Operations Guide is available at support.emc.com.

NOTE: All members of the APSAdmins group must also be members of the APSUsers group.

The simplest implementation of using Policy Manager with AD is to have all users as members of the APSAdmins group and NOT define user roles and profiles, if this is acceptable.

For further assistance please open a service request


May 12th, 2016 09:00

I found this post as I was having the same error when implementing Policy Manager, and was able to resolve it, so I wanted to add it to the thread to share. Our Storage Admins need Admin on the Policy Server while our NOC only needs Remote Session access approval for after-hours EMC dial-in requests, so Profiles and Roles were needed in my setup. Read only is definitely easier.

The guide first has you install Policy Manager with AD Authentication using LDAP (not LDAPS) and port 389. This by default is the read-only way of getting it going. Then you can move to LDAPS over port 636, which then lets you create roles. Policy Manager won't write to AD until it is using LDAPS. (I also used the default groups APS* to get started.)

To move to LDAPS over SSL for AD, start on page 106 of the Policy Manager Operations Guide. It guides you through testing to make sure you can bind to AD with SSL. You need to make sure your Policy Server has a signed certificate for this. After that works, it walks you through importing your CA and possibly subordinate certificates into the Java keystore so you can establish trust with the Domain Controller certificates. Once that is done you update the server.xml in Apache to connect to your Domain Controllers over LDAPS via port 636 instead of 389. Restart the Policy Server and now you should have access to Roles.

I created my profiles and roles and I am all set. The roles you create in Policy Manager are being created as AD groups as well and nested into the original APS* groups. Once I was all set I removed the elevated access for my bind account and just gave it rights to those groups, in the hope I wouldn't need to elevate the access again.
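A pre-flight check for the two conditions this thread keeps coming back to (ldaps:// on 636 rather than the read-only ldap:// on 389, and the APSAdmins/APSUsers/APSRoles groups with every admin also in APSUsers). This is an added example, not EMC or Policy Manager code; the server.xml attribute names, host and group members are constructed assumptions, so adapt the parsing to the realm element your installation actually uses.

```python
"""Pre-flight check for a Policy Manager + AD setup (added example, not PM's own code)."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

REQUIRED_GROUPS = {"APSAdmins", "APSUsers", "APSRoles"}

# Constructed server.xml fragment; attribute names are assumptions, not PM's schema.
SAMPLE_SERVER_XML = """<Server>
  <Realm connectionURL="ldaps://dc01.corp.example:636"
         connectionName="CN=svc-pm,OU=Service,DC=corp,DC=example"/>
</Server>"""

# Constructed membership export: group name -> set of member account names.
SAMPLE_GROUPS = {
    "APSAdmins": {"apsadmin", "storage1"},
    "APSUsers": {"apsadmin", "noc1"},
    "APSRoles": set(),
}


def check_ldap_url(url):
    """Return problems with the directory URL: plain ldap:// on 389 leaves PM read-only."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        problems.append(f"scheme {parts.scheme!r}: Policy Manager stays read-only without ldaps")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    if port != 636:
        problems.append(f"port {port}: expected 636 for LDAPS")
    return problems


def check_groups(groups):
    """Return problems with the APS* groups: missing groups, admins not also in APSUsers."""
    problems = []
    for name in sorted(REQUIRED_GROUPS - set(groups)):
        problems.append(f"group {name} is missing; create it before installing")
    admins = groups.get("APSAdmins", set())
    users = groups.get("APSUsers", set())
    for member in sorted(admins - users):
        problems.append(f"{member} is in APSAdmins but not APSUsers")
    return problems


def preflight(server_xml, groups):
    """Run both checks against a server.xml string and a group membership export."""
    realm = ET.fromstring(server_xml).find(".//Realm")
    url = realm.get("connectionURL", "") if realm is not None else ""
    return check_ldap_url(url) + check_groups(groups)


if __name__ == "__main__":
    for line in preflight(SAMPLE_SERVER_XML, SAMPLE_GROUPS) or ["OK"]:
        print(line)
```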
