2012-03-16 06:25 AM
I just had to set this up in the lab as an example, so I thought I'd share it here...
I'm authenticating with Active Directory in our lab environment.
Login into the WFA Portal using your local admin credentials.
Next, click on Tools > WFA Configuration and click the LDAP tab... You'll now need to enter your LDAP server details; here is the example that I used:
LDAP Servers: ldap://SP-DC01.uk-demo.netapp.com <<< this is my Active Directory Server
WFA Administrators group: Domain Admins <<< this is the AD group that I will map to the Administrators group in WFA
All other details are left untouched
Once configured you can logout and then log back in using your Active Directory credentials:
If successful you will then be logged in:
If you get a login failure message, a good place to check is:
This will give you clues as to why the authentication failed:
2012-03-16 12:42:44,040 GMT INFO [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) Looking up user 'UK-DEMO\Administrator' in LDAP servers
2012-03-16 12:42:44,054 GMT INFO [com.netapp.wfa.ldap.LdapWrapper] (http-0.0.0.0-80-4) Looking up user 'UK-DEMO\Administrator' using 'sAMAccountName' attribute
2012-03-16 12:42:44,141 GMT INFO [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) Discovering roles of user 'UK-DEMO\Administrator'
2012-03-16 12:42:44,143 GMT WARN [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) User 'UK-DEMO\Administrator' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups: [CN=Enterprise Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Administrator,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Group Policy Creator Owners,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Schema Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Administrators,CN=Builtin,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Domain Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM]
In the example above I had a typo in my mapping between LDAP groups and WFA groups in the configuration section.
Once a user has then successfully logged in they will also appear in the Users definition within WFA - so can now be mapped to categories for further RBAC controls:
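The WARN line above is the useful clue: WFA found the user, enumerated the AD groups, but none of them matched the group name typed into the configuration. The script below is an added example (not WFA's code and not part of this post) that parses that WARN line, pulls the CN out of each group DN, and checks the configured "WFA Administrators group" value against them, case-insensitively, reporting a near-miss such as a typo. The log text it runs on is a constructed sample modelled on the line shape shown above; `SAMPLE_LOG`, the function names and the configured group values are all this example's own.

```python
"""Added diagnostic: check a WFA 'no roles were found' log line against the
configured WFA Administrators group name to spot a mapping typo.
Not part of WFA or of the post above; all names here are this example's own."""
import re
from difflib import get_close_matches

# Constructed sample log, modelled on the WARN line shape shown in the post.
SAMPLE_LOG = r"""
2012-03-16 12:42:44,141 GMT INFO [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) Discovering roles of user 'UK-DEMO\Administrator'
2012-03-16 12:42:44,143 GMT WARN [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) User 'UK-DEMO\Administrator' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups: [CN=Enterprise Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Domain Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM])
"""

# Matches the WARN line and captures the bracketed list of group DNs.
NO_ROLES_RE = re.compile(
    r"no roles were found.*?member of the following groups: \[(?P<dns>.*)\]"
)


def split_dn_list(inner: str) -> list[str]:
    """Split the bracketed DN list into individual DNs.

    Commas inside a DN are not followed by a space, while the list separator
    is ', ' immediately followed by the next DN's leading 'CN='.
    """
    return [dn for dn in re.split(r", (?=CN=)", inner.strip()) if dn]


def first_rdn_value(dn: str) -> str:
    """Return the value of the leading RDN, i.e. the group's CN."""
    rdn = dn.split(",", 1)[0]
    _attr, _sep, value = rdn.partition("=")
    return value.strip()


def member_groups_from_log(log_text: str) -> list[str]:
    """Return the CNs of the groups listed on the first 'no roles' WARN line."""
    for line in log_text.splitlines():
        match = NO_ROLES_RE.search(line)
        if match:
            return [first_rdn_value(dn) for dn in split_dn_list(match.group("dns"))]
    return []


def check_group_mapping(configured: str, member_cns: list[str]) -> dict:
    """Compare the configured group name with the user's group CNs.

    AD group names are case-insensitive, so the comparison is too. When there
    is no exact match, close spellings are suggested so a typo stands out.
    """
    lookup = {cn.lower(): cn for cn in member_cns}
    matched = lookup.get(configured.lower())
    suggestions = []
    if matched is None:
        close = get_close_matches(configured.lower(), list(lookup), n=3, cutoff=0.8)
        suggestions = [lookup[key] for key in close]
    return {"configured": configured, "matched": matched, "suggestions": suggestions}


if __name__ == "__main__":
    groups = member_groups_from_log(SAMPLE_LOG)
    print("groups from log:", groups)
    # "Domain Admin" (missing the trailing s) stands in for the typo described in the post.
    for configured in ("Domain Admin", "Domain Admins"):
        print(check_group_mapping(configured, groups))
```

Run it against a real WFA log by replacing `SAMPLE_LOG` with the file contents; a result with `matched` set to `None` and a non-empty `suggestions` list is the typo case described above, while an empty `suggestions` list means the user simply is not a member of the configured group.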
2012-03-16 06:30 AM
Great how-to! The only concern I would have is that there is a single domain controller. I assume that we can comma-separate those entries? I think it might almost be better if WFA would accept a domain and then use the SRV records in DNS to perform an LDAP lookup. Just my two bits.
2012-03-16 06:45 AM
Yes Jeff, it can be a comma-separated list of multiple LDAP servers (I only have one in my lab currently). (If you hover over the dialogue, WFA will advise you of the syntax.)
I like the SRV suggestion, so I'll let the Engineering folks comment on whether that's something we look towards adding in the future.