Active IQ Unified Manager Discussions
Hi guys,
Has anyone got an example setup of LDAP for WFA 5.0? I've tried every variation I can possibly think of and keep getting the following error.
2019-12-17 00:51:00,739 ERROR [com.netapp.wfa.ldap.LdapWrapper] (default task-5) Failed to find user in LDAP: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839]; remaining name 'DC=xx,DC=xxxx,DC=xx,DC=xx'
It's struggling with the bind from what I can tell. What format is it expecting the bind username to be in? I've tried username, domain\user, UPN, direct CN path. Also, when doing the test, is the username supposed to be domain\user? Or just user? Some added detail in the documentation would be helpful; it doesn't really go into any depth.
Hi,
Here is an example from my lab using WFA 5.0.1.0.0 connected to a Server 2016 DC.
The Base DN should be the distinguished name for the root of the LDAP query (not the OU path of the service account).
D:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"
Hope that helps
/Matt
Cheers Matt. I've just put 5.1.3212 on.
I now get the following error which suggests the base DN is wrong, but it ain't. It's perfectly fine, I have many systems using the same base DN 😞 Including OCUM!
2019-12-18 13:01:13,602 ERROR [com.netapp.wfa.ldap.LdapWrapper] (default task-9) Failed to find user in LDAP: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
What are you putting in the text boxes? Just the SAM account name, or domain\, or UPN? To be fair I've tried all combinations and it doesn't work. Lost now lol
OK so I got this working finally, the documentation is out of date I think for the latest version. Here was what sorted it.
Hope this helps someone with configuring the latest version of WFA for AD.
Hi,
To elaborate a bit, consider the following OU hierarchy in Active Directory. If searching for a user in the Employees OU, the Base DN must be at the root of the hierarchy to ensure the LDAP search can find users in that OU. E.g. the Base DN should be "DC=testlab,DC=local" (NOT the OU path of the AD service account "OU=Service Accounts,DC=testlab,DC=local").
C:\>dsquery user -samid mbeattie
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"
C:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"
Also one other point is that you must add the AD groups that are assigned to a WFA role for authentication to work.
E.g. ensure you have an AD group created that has the appropriate group members added:
C:\>dsquery group -name WFA-Admins
"CN=WFA-Admins,OU=Groups,DC=testlab,DC=local"
C:\>dsquery group -name SGG-WFA-Admins | dsget group -members
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"
Then in WFA add the group "Execution\User Management\Active Directory Groups" click Add\New type the group name, select the WFA role and click save. You must add the AD group to WFA before using the test authentication feature.
When using the "test authentication" feature I entered the username who would log in to WFA via their AD account. In my case, e.g. "TESTLAB\mbeattie", i.e. <%NetBIOSDomain%>\<%samAccountName%>.
I read your note about changing the configuration and having to re-enter the password, otherwise it fails and locks the account out. Sure sounds like a bug and the documentation should definitely be updated; will chase it up with the developers. Thanks
/Matt
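As an added example, not from this thread and not NetApp's own code: a PowerShell script using System.DirectoryServices.Protocols that performs the same two steps WFA's "test authentication" does outside the WFA UI, a simple bind as the service account followed by a subtree search from the Base DN for the sAMAccountName and a check of its memberOf against the group assigned to a WFA role. Running it separates the three failure modes seen in this thread: error code 1 / 000004DC (the bind never happened), error code 49 with data 52e (bind DN found but wrong password, which is what the password-reset bug produces), and "user not found" (bind fine but the Base DN is the service-account OU instead of the domain root). The DC host name dc01.testlab.local and the port are assumptions; the DNs, user and group names are taken from Matt's lab output above and should be replaced with your own.

```powershell
# Added example (not from the thread or NetApp). Reproduces WFA's LDAP bind + user search
# so that bind, base-DN and group-membership problems can be isolated outside the UI.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = 'dc01.testlab.local'                                  # assumption: your DC
$Port       = 636                                                   # 636 = LDAPS, 389 = plain LDAP
$BindDn     = 'CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local'
$BindPass   = Read-Host -AsSecureString 'Bind password for srv_netapp_wfa'
$BaseDn     = 'DC=testlab,DC=local'   # domain root, NOT the service-account OU
$TestUser   = 'mbeattie'              # sAMAccountName only; the WFA UI takes TESTLAB\mbeattie
$WfaGroupDn = 'CN=WFA-Admins,OU=Groups,DC=testlab,DC=local'   # group assigned to a WFA role

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$cred = New-Object System.Net.NetworkCredential($BindDn, $BindPass)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.ProtocolVersion = 3
if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }   # LDAPS; cert must chain to a trusted CA

# Step 1: simple bind as the service account. AD's "data" field in the server message tells you why
# a bind fails: 52e = wrong password, 525 = bind DN does not exist, 775 = account locked out.
try {
    $conn.Bind()
    Write-Host "Bind OK as $BindDn"
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Host "Bind FAILED: $($_.Exception.Message)"
    Write-Host "Server says:  $($_.Exception.ServerErrorMessage)"
    return
}

# Step 2: subtree search from the Base DN for the user WFA will authenticate.
# With the Base DN set to the service-account OU this returns nothing even though the bind worked.
$filter = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
           $BaseDn, $filter,
           [System.DirectoryServices.Protocols.SearchScope]::Subtree,
           @('distinguishedName', 'memberOf'))
$res = $conn.SendRequest($req)
if ($res.Entries.Count -eq 0) {
    Write-Host "User $TestUser NOT found under $BaseDn (check the Base DN is the domain root)"
    return
}
$entry = $res.Entries[0]
Write-Host "Found user: $($entry.DistinguishedName)"

# Step 3: direct group membership. WFA needs this group mapped to a role before "test authentication".
$groups = @()
if ($entry.Attributes.Contains('memberOf')) {
    $groups = @($entry.Attributes['memberOf'].GetValues([string]))
}
if ($groups -contains $WfaGroupDn) {
    Write-Host "User is a direct member of $WfaGroupDn"
} else {
    Write-Host "User is NOT a direct member of $WfaGroupDn"
    Write-Host "memberOf: $($groups -join '; ')"
}
$conn.Dispose()
```

Two caveats when reading the output: memberOf only lists direct membership, so a user who reaches the WFA group through a nested group will show as "NOT a direct member" here (an LDAP_MATCHING_RULE_IN_CHAIN filter on memberOf would be needed to see nesting); and if the bind fails with data 775 the service account is already locked out, which is the symptom described later in this thread when the bind password is lost on a configuration change.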
I'd appreciate it if you don't remove my posts, chap. There is clearly an issue here which you just removed? It's important people can search on issues to mitigate them; that's the point of these forums.
In order to get this working I had to go against the documentation and the image which you posted.
For those that want a solution that works please do the following:
There is a bug which means the password gets reset; if you play with the AD server's settings you may find the LDAP bind account being locked out. This is because any changes cause the password to be lost, so when you make changes, ensure you update the password at the same time.
Hope this helps someone.
Recently upgraded and it appears the problem has gotten worse, not better. I can't even edit or remove the existing LDAP address. It just keeps spitting out NULL at the top of the page. The bind username is missing, as is the DN. Every time I try to tab from one field to the next it complains about NULL. When I can get it to do a test it complains about an expired certificate, which is probably the case because it was recently replaced. However I can't even remove the current entry so I can force it to download the latest certificate.
Any suggestions. I am close to reverting to a snapshot.
Hi,
I recently upgraded to WFA5.1P1 and noticed similar issues.
The reason for this is that WFA 5.1 requires certificates to be accepted. I found a workaround to this by deleting the credentials and LDAP configuration, then re-adding them (if deletion fails, log out, log in and try again. If that fails, log out, clear your browser cache or try using a different browser).
Hope that helps
/Matt
I have attempted to remove the current LDAP entry but I can't even select it. Every time I select the entry it goes into edit mode in one of the field boxes. I can't even select the entry as a single entity. If a field entry is selected and I click Remove then I get the NULL error at the top of the page. The entire entry needs to be fixed so you can select it as a single entity, or bring back the check box. Glaring oversight.
You can edit or remove the entry directly in the MySQL database. Also check this thread for another possible solution: https://community.netapp.com/t5/Data-Infrastructure-Management-Software-Discussions/WFA-5-1-LDAPs-Server-not-possible/td-p/160235