CloudIQ: Unable to add AD groups even after successfully making the connection to Active Directory
Summary: A customer is setting up AD authentication for the collector, and the user/group bind is not working.
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
1) Use the correct attribute expected by the CloudIQ Active Directory query.
2) Remove white-space from the mapping string being used for the Active Directory bind.
Error #1:
6-Nov-2019 15:02:11.437 SEVERE [http-nio-58443-exec-1] com.watch4net.apg.v2.gui.tomcat.authenticationrealm.DelegateLog.error Exception performing authentication javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'DC=test,DC=lab,DC=dell,DC=com'
Error #2:
Catalina is throwing errors around the username entry - based on the error it is expecting a number and complaining about the format:
Caused by: java.lang.IllegalArgumentException: can't parse argument number: username
    at java.text.MessageFormat.makeFormat(MessageFormat.java:1429)
    at java.text.MessageFormat.applyPattern(MessageFormat.java:479)
    at java.text.MessageFormat.<init>(MessageFormat.java:362)
    at org.apache.catalina.realm.JNDIRealm.setUserSearch(JNDIRealm.java:732)
    at com.watch4net.apg.v2.gui.tomcat.ActiveDirectoryRealm.setUserSearch(ActiveDirectoryRealm.java:65)
    ... 124 more
Caused by: java.lang.NumberFormatException
Cause
1) The DN used for the user bind had an incorrect property value, 'username', when it should have been '0'.
2) There was also white-space embedded in the search/bind string.
Resolution
To resolve the issue experienced during the Active Directory bind/communication, make the following changes (see the example bind string):
1) Confirm that the full bind path expected by the corporate Domain Controller is correct, either by validating it with a third-party tool such as JXplorer, the command-line DSQUERY, or another tool for viewing Active Directory structures, or by contacting the corporate AD Administrator.
2) Remove white-space from the mapping string being used for the CloudIQ Active Directory bind:
Example:
Original entry: (&(memberOf= CN=ACM-StorageAdministration-PrivilegedAccounts,OU=Groups,DC=test,DC=lab,DC=dell,DC=com)( sAMAccountName ={username}))
Corrected entry: (&(memberOf=CN=ACM-StorageAdministration-PrivilegedAccounts,OU=Groups,DC=test,DC=lab,DC=dell,DC=com)(sAMAccountName={0}))
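Both faults can be caught before the string is saved. The following check is an added example, not code from the original article or from the CloudIQ collector; the class name UserSearchCheck and its check method are hypothetical, and it relies only on java.text.MessageFormat, the class named in the stack trace above.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical pre-check for a userSearch string (illustration only).
public class UserSearchCheck {
    // White-space after "(", before "=", or directly after the first "=" of a
    // filter item. Spaces inside a DN value (e.g. "OU=Storage Admins") are legal
    // and are deliberately not flagged.
    private static final Pattern STRAY_SPACE = Pattern.compile(
        "\\(\\s+|\\(\\s*[\\w;.-]+\\s+=|\\(\\s*[\\w;.-]+\\s*=\\s+");

    static List<String> check(String userSearch) {
        List<String> problems = new ArrayList<>();
        try {
            // Same parse step that fails in JNDIRealm.setUserSearch in Error #2:
            // MessageFormat only accepts numeric argument indexes such as {0}.
            MessageFormat fmt = new MessageFormat(userSearch);
            // Array length is "highest argument index + 1", so 1 means only {0}.
            if (fmt.getFormatsByArgumentIndex().length != 1) {
                problems.add("expected the user name placeholder {0} and no other");
            }
        } catch (IllegalArgumentException e) {
            problems.add("placeholder is not a numeric index: " + e.getMessage());
        }
        if (STRAY_SPACE.matcher(userSearch).find()) {
            problems.add("white-space next to '(' or '=' in the filter");
        }
        return problems;
    }

    public static void main(String[] args) {
        // Both strings are the entries quoted in this article.
        String original = "(&(memberOf= CN=ACM-StorageAdministration-PrivilegedAccounts,"
            + "OU=Groups,DC=test,DC=lab,DC=dell,DC=com)( sAMAccountName ={username}))";
        String corrected = "(&(memberOf=CN=ACM-StorageAdministration-PrivilegedAccounts,"
            + "OU=Groups,DC=test,DC=lab,DC=dell,DC=com)(sAMAccountName={0}))";
        System.out.println("original:  " + check(original));
        System.out.println("corrected: " + check(corrected));
    }
}
```

The original entry is reported for both the non-numeric placeholder and the stray white-space, while the corrected entry produces an empty list.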
Additional Information
1) To restrict access to a specific group, modify the default value of the userSearch and specify the search criteria.
2) The customer will need to confirm the full DN of the group they need to use. For instance, for CN=myadmingroup,DC=dell,DC=com they would specify a value similar to:
(&(memberOf=CN=myadmingroup,DC=dell,DC=com)(sAMAccountName={0}))
3) To find this information, use a tool such as JXplorer, ADexplorer, DSQUERY (or another tool) to log into the corporate Active Directory Domain Controller. Once logged in, search on the attribute sAMAccountName = <your id>. This should list all attributes available to be used, including:
DN (distinguished name) - describes the full path to your user
memberOf - lists the group access/membership
userSubtree - allows the user search to descend through all the child nodes.
A customer can restrict a set of accounts using either the userbase or "roles" attributes. The userbase specifies a DN where all of the customer's storage or other team members' accounts are located. The roles attribute specifies the type of status a user has (user, admin, etc.).
Affected Products
CloudIQ
Products
CloudIQ
Article Properties
Article Number: 000081957
Article Type: Solution
Last Modified: 27 Aug 2025
Version: 3