
Problems with LDAP configuration of WFA

CHCSADP

I am trying to configure WFA so I can log in using my Active Directory credentials. I am using WFA 2.2.0.2.6 Build 2416155. I have configured WFA based on the document titled "WFA LDAP Configuration" by fenton on Mar 16 2012. Here are the wfa_ldap log entries. It looks like there might be a typographical error that is hampering the login. It might just be cosmetic but it might be important. My account is found along with my groups and the group for admin of wfa is WFAAdmin, of which I am a member. If I am totally off base, I apologize in advance.

The problem might be seen here: look for the attribute "userGroupNamse". I think it should be "userGroupNames".

user LdapUser{name='mydomain\myUserID', email='Dale.Puotinen@mydomain.org', userGroupNamse=[CN=NovellAdmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WFAadmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITS,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=GW Disk Space (4 GB Club),OU=GroupWise,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Websense_Level_II,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Domain Users,CN=Users,DC=kids,DC=mydomain,DC=org, CN=Unique User,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIP Level 2,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=IntelAdminsAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Vmware_ADM_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=RemoteDesktopAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UCSAdmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WHO_Intel_Admins_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Data Readers,CN=Users,DC=kids,DC=mydomain,DC=org, CN=RDP-CPTAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITSAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIPAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UnixAdmins,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=myUserID,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=NASadmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org]}

Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], Architect groups were: [], Operator groups were: [], Guest groups were: []

2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 67) User 'mydomain\myUserID' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups: [CN=NovellAdmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WFAadmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITS,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=GW Disk Space (4 GB Club),OU=GroupWise,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Websense_Level_II,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Domain Users,CN=Users,DC=kids,DC=mydomain,DC=org, CN=Unique User,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIP Level 2,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=IntelAdminsAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Vmware_ADM_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=RemoteDesktopAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UCSAdmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=WHO_Intel_Admins_GRP,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=Data Readers,CN=Users,DC=kids,DC=mydomain,DC=org, CN=RDP-CPTAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=ITSAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=VIPAccessAUTH,OU=Authentication,OU=Services,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=UnixAdmins,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=myUserID,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, CN=NASadmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org])

1 ACCEPTED SOLUTION

sinhaa

====

Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], Architect groups were: [], Operator groups were: [], Guest groups were: []

2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 67) User 'mydomain\myUserID' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups:

===

You seem to have provided WFA Admin Groups field as: CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org

Provide just the CN name like: WFAadmin

sinhaa
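A diagnostic for the symptom in the log above, added here as an example and not WFA's own code or anything posted in the thread: it flags role-group entries that were logged as DN components and checks which roles have an entry equal to the CN of a group the user belongs to. The bare-CN comparison is an assumption taken from the advice above (WFA's actual matching logic is not shown in this thread), `SAMPLE_LOG` is abridged from the quoted log, and all function names are hypothetical.

```python
import re

# Abridged from the wfa_ldap lines quoted in this thread (member list shortened).
SAMPLE_LOG = (
    "Admin groups were: [CN=WFAadmin, OU=Groups, OU=CHCUsers, DC=kids, DC=mydomain, DC=org], "
    "Architect groups were: [], Operator groups were: [], Guest groups were: []\n"
    "2014-08-14 16:50:22,013 WARN  [com.netapp.wfa.ldap.LdapLoginModule] "
    "(http-executor-threads - 67) User 'mydomain\\myUserID' couldn't be logged in using LDAP "
    "because no roles were found, reverting to local WFA login (member of the following groups: "
    "[CN=NovellAdmins,OU=CPT,OU=CHCUsers,DC=kids,DC=mydomain,DC=org, "
    "CN=WFAadmin,OU=Groups,OU=CHCUsers,DC=kids,DC=mydomain,DC=org])\n"
)

ROLE_RE = re.compile(r"(Admin|Architect|Operator|Guest) groups were: \[(.*?)\]")
MEMBER_RE = re.compile(r"member of the following groups: \[(.*)\]\)")
CN_RE = re.compile(r"CN=((?:\\.|[^,\\])+)", re.I)   # CN value, honouring escaped commas
RDN_RE = re.compile(r"(CN|OU|DC)=", re.I)           # entry that is a DN component

def configured_groups(log):
    """Role -> entries as logged (the list is printed with ', ' between elements)."""
    return {role: [e for e in body.split(", ") if e]
            for role, body in ROLE_RE.findall(log)}

def member_cns(log):
    """Lower-cased CN of every group DN in the 'member of the following groups' list."""
    found = MEMBER_RE.search(log)
    dns = re.split(r", (?=CN=)", found.group(1)) if found else []
    return {m.group(1).lower() for m in map(CN_RE.match, dns) if m}

def diagnose(log):
    """Return (role -> DN-fragment entries, roles with an entry equal to a member CN)."""
    cns, fragments, matched = member_cns(log), {}, []
    for role, entries in configured_groups(log).items():
        bad = [e for e in entries if RDN_RE.match(e)]
        if bad:
            fragments[role] = bad
        if any(e.lower() in cns for e in entries):  # assumed bare-CN comparison
            matched.append(role)
    return fragments, matched

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, every Admin entry is reported as a DN fragment and no role matches, which is consistent with the "no roles were found" warning and the fallback to local WFA login.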



CHCSADP

Thanks for the idea but I should have put it in my post that I have tried it using both the fully qualified name of the group and also just the name of the group. Both give the same error and neither one works. But I did only have a group for the Admins. I did not have group names for any other role.

OK, so I tried it again using just the group name and I also added a group for Architects and one for Operators. Now the interesting part of this is that it works now but I get put into the Architects Role even though I am in all of those groups.

Message was edited by: Dale Puotinen

CHCSADP

Here is the last of the wfa_ldap log.

2014-08-14 23:25:45,143 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 112) Discovering roles of user 'mydomain\myUserID'

2014-08-14 23:25:45,143 INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-executor-threads - 112) User 'mydomain\myUserID' was authenticated successfully and is assigned the role of 'Architect' (EJB roles are [architect, guest, operator])
