Unable to get LDAP working on InsightIQ 4.1.1
We have AD on Win3k8R2 serving up our LDAP. It has the Unix extensions installed. After entering our LDAP information...:
- LDAP server: ldap://server.example.com
- Base search entry: dc=example,dc=com
- Bind entry: ldap_user
- Bind password: ********
...and pressing Submit, I get the Configuration Saved message.
However, when I attempt to add a group, I am not able to find anything. The optional settings are left as default.
Which log should I be looking at to trace this? What might the problem be?
patrick_lynch
2 Posts
0
April 19th, 2017 15:00
InsightIQ 4.1.1 introduced integrated LDAP support, but there is a known issue regarding the level of flexibility in the LDAP lookup that IIQ is performing. Since there are variances in how RFC 2307 Unix extensions can be implemented in AD (that is, there is no formal compliance required), IIQ needs to be more flexible in its lookup.
Please file a bug report with the details of your experience. This will aid our investigations and efforts to create a fix for a future maintenance release.
Mark_Strong
41 Posts
6
August 18th, 2017 03:00
Hello,
I have had the same issue integrating InsightIQ 4.1.1.3 with Windows Server 2016 Active Directory.
The issue is the default attributes.
For LDAP implementations the defaults are:
posixAccount
posixGroup
For Active Directory you need to change them to:
Object Class for users: user
Object Class for groups: group
This will allow you to add AD groups to Read-Only and Administrator roles but I still cannot login to IIQ using my AD account. The scope for the user and group search and group membership is correct.
isilon_guru
4 Posts
0
August 18th, 2017 07:00
I am having the same issue as Mark_Strong. It added the group as Administrator but won't allow me to log in.
patrick_lynch
2 Posts
0
August 18th, 2017 09:00
Just to clarify, AD is not technically supported (even with RFC2307 extensions), though there are ways to get it to work with IIQ. This forum is a good way to share experiences, so thanks for your post!
kbaryeh
5 Posts
0
August 21st, 2017 04:00
Thanks Mark, this has been very helpful... I've been struggling to get it to work for a few months now. Would be nice if changing the object class was in the install document somewhere.
Chris1213
4 Posts
0
August 23rd, 2017 08:00
Same issue after being able to add groups with the correct objectClass (user, group). I am not able to log in; it says:
Log in attempt failed. Please try again.
I am trying to log in with my sAMAccountName and userPrincipalName. Even tried DOMAIN\username... Nothing works.
Any idea?
arivano_ilp
1 Message
0
September 14th, 2017 04:00
I can also add groups just fine using the modified Object Classes but none of the accounts can login.
Did anyone get this working with AD?
NoDecaf
24 Posts
2
September 18th, 2017 22:00
I became curious about getting AD authentication on the InsightIQ server working. A bit of googling got me to this article pointing to a similar issue with another LDAP server and the shortcomings of InsightIQ's LDAP configuration:
http://vstrong.info/2017/06/07/isilon-insightiq-and-opendj-ldap-intergration/
Essentially, to get it working, change the Python security file to look at the 'sAMAccountName' attribute instead of the hardcoded 'uid' one:
/usr/share/isilon/lib/python2.7/site-packages/insightiq/controllers/security.py
    # Search for specified user
    search_str = self.ldap_service.filter_format(
        '(&(objectClass=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
        # '(&(objectClass=%s)(uid=%s))',  # comment out
        [user_object_class, username])
    search_dn = user_dn if user_dn else search_base
    group_dn = group_dn if group_dn else search_base
    conn.search(search_dn, search_str)
    if len(conn.entries) > 0:
        # Try to re-bind connection with found user
        full_dist_name = conn.entries[0].entry_get_dn()
        conn.user = full_dist_name
        conn.password = password
        if not conn.bind():
            log.info('LDAP login failed: Invalid credentials by user %s.', username)
            conn.unbind()
            return (False, None)
        # Group roles list is sorted by role with admin groups first
        for group in self.ldap_service.fetch_group_roles():
            # Search for membership of specified user in privileged group
            # This should cover all RFC 2307 compliant AD servers
            search_str = self.ldap_service.filter_format(
                # '(&(objectClass=%s)(memberOf=%s)(uid=%s))',  # comment out
                '(&(objectClass=%s)(memberOf=%s)(sAMAccountName=%s))',  # replace uid with sAMAccountName
                [user_object_class, group['dn'], username])
            conn.search(search_dn, search_str)
3. Reboot server
- John Fjeldberg
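To show why Mark_Strong's object-class change lets groups be added but logins still fail until the filter is patched as above, here is a standalone example (not IIQ's code, and not from the vStrong article) that builds both filters for the RFC 2307 defaults and for AD, then evaluates them against a constructed AD user entry. The RFC 4515 escaping in filter_format is an assumption about what IIQ's helper does; the entry data and group DN are made up.

```python
import re

# RFC 4515 escaping for values interpolated into a filter; assumed to be what
# IIQ's filter_format helper does (this is standalone example code).
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value):
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)

def filter_format(template, args):
    """Fill each %s in template with an escaped argument."""
    return template % tuple(escape_filter_value(a) for a in args)

# Object classes and naming attribute per directory flavour, as in the thread:
# IIQ's defaults (RFC 2307) versus what Active Directory actually exposes.
PROFILES = {
    'rfc2307': {'user_class': 'posixAccount', 'group_class': 'posixGroup', 'name_attr': 'uid'},
    'ad':      {'user_class': 'user',         'group_class': 'group',      'name_attr': 'sAMAccountName'},
}

def user_search_filter(profile, username):
    p = PROFILES[profile]
    return filter_format('(&(objectClass=%s)(' + p['name_attr'] + '=%s))',
                         [p['user_class'], username])

def group_membership_filter(profile, username, group_dn):
    p = PROFILES[profile]
    return filter_format('(&(objectClass=%s)(memberOf=%s)(' + p['name_attr'] + '=%s))',
                         [p['user_class'], group_dn, username])

_EQ = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')

def matches(entry, flt):
    """Evaluate an AND-of-equalities filter against {lowercase attr: [values]}."""
    if not (flt.startswith('(&') and flt.endswith(')')):
        raise ValueError('only (&(a=v)(b=w)...) filters are supported')
    for attr, value in _EQ.findall(flt[2:-1]):
        # Undo the RFC 4515 escapes so escaped metacharacters compare literally.
        literal = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
        if literal.lower() not in (v.lower() for v in entry.get(attr.lower(), [])):
            return False
    return True

# Constructed sample of the attributes AD returns for one user (not real data).
AD_USER = {
    'objectclass': ['top', 'person', 'organizationalPerson', 'user'],
    'samaccountname': ['jdoe'],
    'memberof': ['CN=IIQ Admins,OU=Groups,DC=example,DC=com'],
}
```

Against the AD entry, the default posixAccount/uid filter matches nothing, a user/uid filter (object class fixed, attribute not) still matches nothing, and only the user/sAMAccountName filter finds the account; a username of "*" is escaped and matched literally rather than as a wildcard.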
Mark_Strong
41 Posts
0
September 19th, 2017 01:00
Thank you John1978
I will update the article...
Isilon InsightIQ and OpenDJ LDAP integration | vStrong.info
NoDecaf
24 Posts
0
September 19th, 2017 14:00
Ha, didn't even see you posted the article @mark_strong, thanks for that, would not have figured it out without it!
Mark_Strong
41 Posts
1
September 20th, 2017 01:00
Thank you John1978
It is the same approach, you need to amend the Object Class for users and groups for IIQ to read AD properly and then edit the config file for IIQ to query the right parameters.
Will publish detailed article shortly.
SKT2
2 Intern
1.3K Posts
0
September 26th, 2017 07:00
Will be glad to see that article when it is released.
InnovativeDisco
1 Message
0
October 11th, 2017 10:00
Thanks, John1978.
Exactly what I needed to get this working!
Mark_Strong
41 Posts
2
February 16th, 2018 01:00
InsightIQ 4.1.2 released:
https://support.emc.com/docu87838_Isilon-InsightIQ-4.1.2-Release-Notes.pdf?request=akamai
Quite a few improvements RE LDAP and Active Directory integration:
Resolved issues
216372
If a user, within InsightIQ, changed the IP or FQDN of the LDAP server being used for authentication while still referencing the same server, InsightIQ might have stopped allowing any users to login from that LDAP server. This issue can now be addressed by re-adding the previously configured group authorizations.
209335
InsightIQ group membership used the "memberOf" attribute to identify all LDAP groups a user belonged to. The InsightIQ group membership now uses "memberOf", "isMemberOf", and "sAMAccountName" attributes to support a wider range of LDAP and Active Directory configurations.