DPA 6 using Windows Domain Authentication
Hi to all
I am trying to get our new DPA 6.x server to use AD for authentication, as we did with version 5.8; however, it is not working properly.
The following error message is shown in the log:
2014-02-18 11:21:02,049 WARN [com.emc.apollo.command.ldapconfig.LDAPAuthenticationStrategy] (Thread-51476 (HornetQ-client-global-threads-3 71363177)) Error occurred while testing user authentication.: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0 C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]; remaining name 'DC=XXXX,DC=XXXXXX,DC=XXXX'
Any suggestions?
Regards,
Marco
Marco_UK1
February 19th, 2014 03:00
Hi Roland
Many thanks for the tips.
I believe the documentation of the product must be improved. I always suffer with DPA regarding its documentation and end up in here for help, which is not a bad thing (i.e. being here on the forum); however, I think EMC should improve the documentation of the product. (Thumbs down for EMC in this respect; see my other post about Firewall Ports.)
We need to use Anonymous Bind because our users must change their passwords very frequently, and putting a user in "User Properties" would become unmanageable (i.e. the user's password gets changed, authentication on DPA for everybody gets compromised, etc.).
OK, I've managed to get this working for now (more tests are needed, and I will be doing them very soon):
1) Reason one that it wasn’t working:
The documentation explicitly states, and I quote:
"If you have installed DPA on a UNIX environment and are authenticating to a Microsoft Active Directory LDAP server, you cannot connect to the Windows machine using SSL."
I assume the LINUX installation can be considered as "UNIX" in this context.
However, no matter what I put in the fields, Anonymous Bind or not, Auto Login or not, it didn't work.
So, when using/ticking "Use SSL", even though the documentation told us that "we cannot connect", that was the ONLY way the Domain Controller (in our environment) accepted the connection (DPA version 6.1.0 Build 81945).
2) The use of “username or DN of the user”
The user name doesn't work; it must be the DN. What a pain this is, EMC!
But it is working (for now!) so I forgive you guys!
3) Auto Login
No need (and for now we are not going to use it anyway).
4) How it works in our environment
As per 3, we will not be using auto login (and I repeat: for now).
So, to make it work properly we add the user locally on DPA with Authentication Type LDAP.
ISSUE: the Logon Name doesn't support the "_" character, which we use a lot around here, so matching the "local login" and the DN name became impossible. EMC, could you please look at that?
Example that works in our environment (DPA 6.1.0 Build 81945 running on Linux 64-bit):
Admin -> User & Security (tab) -> Manage Users -> Create user
Name = John Smith
Logon Name = E123457ADM (John's domain name as ADM is E123457_ADM, but "_" is not permitted here!)
External Name = CN=John Smith,OU=Admin Accounts,OU=Admin,OU=MSP01,DC=xxx,DC=xxxx,DC=xxxx
If you are wondering: no, CN=E123457_ADM doesn't work.
Role = Administrator (we need John to be a local Admin on DPA)
Authentication Type = LDAP
The configuration under "Manage External Authentication"
Use LDAP Authentication = ticked
Host Properties
Server = x.x.x.x (I've used the IP of the domain)
Use SSL = ticked
Port = 636
LDAP Version = 2
Base Name= DC=xxx,DC=xxxx,DC=xxx (put your domain name in here)
Identification Attribute = sAMAccountName
Anonymous Bind = ticked
User Properties = all clear
Auto Login Properties
Enable Auto Login = this is UNTICKED!
When clicking the "Test User" button:
Username = CN=John Smith,OU=Admin Accounts,OU=Admin,OU=MSP01,DC=xxx,DC=xxxx,DC=xxxx
Password = put John's password in here
I hope this will help when someone is searching on the subject.
Thank you all
Regards,
Marco
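An added example, not part of this thread and not DPA's or EMC's own code: a small Python helper that parses the Active Directory diagnostic string quoted in the first post and maps it to the next check an administrator should make. Error code 1 with the "successful bind must be completed" comment means the directory refused a search on an unauthenticated connection, which is why an Anonymous Bind combined with an Identification Attribute lookup fails against a default AD, and why logging in with the full DN (no search needed) works around it. The result-code and bind sub-code tables are standard LDAP (RFC 4511) and AD values, not something taken from the page; the code 49 sample in the test is constructed.

```python
import re

# Active Directory diagnostic string, e.g. the one quoted at the top of this thread:
# "[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: ..., data 0, v1db1]"
AD_ERR = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f ]+), comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+)"
)

# LDAP result codes (RFC 4511) that turn up in AD authentication problems.
RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

# AD sub-codes carried in the "data" field of an invalidCredentials (49) bind failure.
BIND_DATA = {"525": "user not found", "52e": "bad password", "530": "logon time restriction",
             "532": "password expired", "533": "account disabled", "701": "account expired",
             "773": "password must be reset", "775": "account locked out"}

# The message from the original post (its stray space inside the DSID is kept on purpose).
THREAD_MSG = ("[LDAP: error code 1 - 000004DC: LdapErr: DSID-0 C0906E8, comment: In order "
              "to perform this operation a successful bind must be completed on the "
              "connection., data 0, v1db1]; remaining name 'DC=XXXX,DC=XXXXXX,DC=XXXX'")

def parse_ad_ldap_error(msg):
    """Split an AD LDAP diagnostic message into named fields; None if it is not one."""
    m = AD_ERR.search(msg)
    if not m:
        return None
    f = m.groupdict()
    f["code"] = int(f["code"])
    f["dsid"] = f["dsid"].replace(" ", "")   # tolerate whitespace from copy/paste
    f["name"] = RESULT_CODES.get(f["code"], "unknown")
    return f

def diagnose(msg):
    """Map the parsed error to the next check an administrator should make."""
    f = parse_ad_ldap_error(msg)
    if f is None:
        return "not an Active Directory LDAP diagnostic message"
    if f["code"] == 1 and "successful bind must be completed" in f["comment"]:
        # AD refuses searches on an anonymous connection, so the sAMAccountName lookup
        # fails before the user's own bind is ever attempted.
        return ("search attempted on an unauthenticated connection: bind with a dedicated "
                "low-privilege service account before the lookup, or log in with the full DN")
    if f["code"] == 49:
        return "bind rejected: " + BIND_DATA.get(f["data"].lower(), "invalid credentials")
    return f"{f['name']} (code {f['code']}, data {f['data']})"
```

Feeding the WARN line from the first post to diagnose() returns the anonymous-search explanation; a wrong-password bind would instead come back as code 49 with data 52e.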
RLIM
February 18th, 2014 14:00
Hi Marco,
I ran into issues setting this up myself and found that I had problems when using Anonymous Bind.
Can you please advise whether you are using Anonymous Bind and whether you have been able to validate the user specified in the User Properties fields?
I also found that the Auto Login Properties had to be set to ensure that a Test User could be established correctly.
One more thing I had to double-check was the correct specification used in the Base Name, the User Name in User Properties and the Group Base Name in the Auto Login Properties. I checked these against the item properties within AD.
An example for the Base Name: "OU=Client Users,OU=Users,DC=Example,DC=Domain,DC=COM".
An example for the Username for User Properties: "CN=Admin,OU=Users,DC=Example,DC=Domain,DC=COM".
An example for the Group Base within Auto Login: "OU=Users,DC=Example,DC=Domain,DC=COM".
I hope the above information helps and that you can resolve validating a user.
If you are still having issues, please provide your configuration details.
Regards
Roland
ElvinKan
February 19th, 2014 03:00
Hi Marco
Thanks for the update; I will notify the doc writers of your feedback.
-E