Active IQ Unified Manager Discussions

Problems with LDAP configuration of WFA

CHCSADP
5,041 Views

I am trying to configure WFA so I can login using my Active Directory credentials. I am using WFA 2.2.0.2.6 Build 2416155. I have configured WFA based on the document titled "WFA LDAP Configuration" by fenton on Mar 16 2012. Here are the wfa_ldap log entries. It looks like there might be typographical error that is hampering the login. It might just be cosmetic but it might be important. My account is found along with my groups and the group for admin of wfa is WFAAdmin which I am a member. If I am totally off base, I appologize in advance.

The problem might be seen here: look for the attribute "userGroupNamse".I think it should be "userGroupNames".

user LdapUser{name='mydomain\myUserID', email='Dale.Puotinen@mydomain.org', userGroupNamse=[CN=NovellAdmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WFAadmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITS,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=GW Disk Space (4 GB Club),OU=GroupWise,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Websense_Level_II,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Domain Users,CN=Users,DC=kids,DC=mydomain,DC=org, CN=Unique User,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIP Level 2,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=IntelAdminsAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Vmware_ADM_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=RemoteDesktopAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UCSAdmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WHO_Intel_Admins_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Data Readers,CN=Users,DC=kids,DC=mydomain,DC=org, CN=RDP-CPTAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITSAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIPAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UnixAdmins,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=myUserID,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=NASadmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org]}

Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], Architect groups were: [], Operator groups were: [], Guest groups were: []

2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 67) User 'mydomain\myUserID' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups: [CN=NovellAdmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WFAadmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITS,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=GW Disk Space (4 GB Club),OU=GroupWise,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Websense_Level_II,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Domain Users,CN=Users,DC=kids,DC=mydomain,DC=org, CN=Unique User,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIP Level 2,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=IntelAdminsAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Vmware_ADM_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=RemoteDesktopAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UCSAdmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WHO_Intel_Admins_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Data Readers,CN=Users,DC=kids,DC=mydomain,DC=org, CN=RDP-CPTAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITSAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIPAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UnixAdmins,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=myUserID,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=NASadmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org])

1 ACCEPTED SOLUTION

sinhaa
4,972 Views

====

Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], Architect groups were: [], Operator groups were: [], Guest groups were: []

2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 67) User 'mydomain\myUserID' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups:

===

You seem to have provided WFA Admin Groups field as: CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org

Provide just the CN name like: WFAadmin

sinhaa


If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

3 REPLIES 3

sinhaa
4,973 Views

====

Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], Architect groups were: [], Operator groups were: [], Guest groups were: []

2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 67) User 'mydomain\myUserID' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups:

===

You seem to have provided WFA Admin Groups field as: CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org

Provide just the CN name like: WFAadmin

sinhaa


If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

CHCSADP
4,973 Views

Thanks for the idea but I should have put it in my post that I have tried it using both the fully qualified name of the group and also just the name of the group. Both give the same error and neither one works. But I did only have a group for the Admins. I did not have group names for any other role.

OK, so I tried it again using just the group name and I also added a group for Architects and one  for Operators. Now the interesting part of this is that it works now but I get put into the Architects Role even though I am in all of those groups.

Message was edited by: Dale Puotinen

CHCSADP
4,973 Views

Here is the last of the wfa_ldap log.

2014-08-14 23:25:45,143 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 112) Discovering roles of user 'mydomain\myUserID'

2014-08-14 23:25:45,143 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 112) User 'mydomain\myUserID' was authenticated successfully and is assigned the role of 'Architect' (EJB roles are [architect, guest, operator])

Public