Subscribe
Accepted Solution

Non anonymous AD connect with WFA

Hi all,

 

as far as I can see I can only do anonymous connects to a AD LDAP server from WFA. Unfortunatelly our AD doesn't

allow to connect anonymously - I have to authenticate first. In other NetApp tools like OCPM and OCUM I can add

an AD LDAP server together with a login user. Is there any way to do the same with WFA?

 

Best regards,

Markus

Re: Non anonymous AD connect with WFA

If you are referring to running workflows as an AD user, you simply need to change the service account for the Netapp WFA Server to be a domain account.  Then just restart the service. 

Re: Non anonymous AD connect with WFA

@Team-Cloud

 

I can see I can only do anonymous connects to a AD LDAP server from WFA.

-------

 

What are you trying to do here? How are you trying to connect to AD LDAP from WFA?

 

sinhaa

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Non anonymous AD connect with WFA

[ Edited ]

Yes, that's what I try. Users should be able to login to WFA with their AD account and run workflows. But ' solution seems to work only with windows. I'm running WFA on a Linux host (RHEL), so that method won't work for me.

 

What I did so far is enter the LDAP server address under: 'Administration' --> 'WFA Configuration' --> 'Authentication'

 

After that I tried futilely to login with my AD credentials. So I looked in the file wfa_ldap.log in directory /opt/netapp/wfa/jboss/standalone/log.war/jboss/ and found this message:

 

2016-04-19 13:57:37,364 ERROR [com.netapp.wfa.ldap.LdapLoginModule] (default task-3) Failed to find user 'domain\user' using LDAP servers:
 * ldap://ldap1.mydomain.de - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580] (JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.wfa-0.5.ear.flex-server-facade-0.5.war:main" from Service Module Loader): com.netapp.wfa.ldap.LdapException: Failed to find user 'domain\user' using LDAP servers:
 * ldap://ldap1.mydomain.de - [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903D0, comment: AcceptSecurityContext error, data 52e, v2580] (JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.wfa-0.5.ear.flex-server-facade-0.5.war:main" from Service Module Loader)

My read is, that the domain controller doesn't allow anonymous ldap queries. But in the mentioned configuration menu are no fields to enter ldap credentials.

Re: Non anonymous AD connect with WFA

@Team-Cloud

 

What I did so far is enter the LDAP server address under: 'Administration' --> 'WFA Configuration' --> 'Authentication'

----

 

WFA Configuration for 'Authentication" needs you to provide Groups. Unless its provided, domain login will not work. I'll explain.

 

WFA dosn't connect to AD as annonymous user. It will connect using the credentials being provided at the WFA Login page. If the credential validation succeed at the AD end, then the Group for this user is being looked for. If the user's group( or parent group) has been assigned a Role in WFA in 'Authentication' page, then the user is assigned that particular role as he is allowed access into WFA. 

 

If the user's group is not provided, then WFA can't decide what role to be provided to this user. Hence the login is failed.

 

See image below:

 

WFA_LDAP_.png

 

 

Assume I'm a user in domain mydomain.com and in Group: Group_MG_FIN_1 . You can see that this group has been assigned the role as "Admin". So all AD user members of this group when attempt to login into WFA with their credentials, will get 'Admin' roles when authntication succeeds

 

sinhaa

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

Re: Non anonymous AD connect with WFA

Thanks @sinhaa for figuring that relation. After adding the group and using a valid domain\user login everything works fine.