Active IQ Unified Manager Discussions

WFA 5.0 RC1 LDAP

amayacitta
6,376 Views

Hi guys,

 

Has anyone got an example setup of LDAP for WFA 5.0? I've tried every variation I can possibly think of and keep getting the following error.

2019-12-17 00:51:00,739 ERROR [com.netapp.wfa.ldap.LdapWrapper] (default task-5) Failed to find user in LDAP: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839�]; remaining name 'DC=xx,DC=xxxx,DC=xx,DC=xx'

It's struggling with the bind from what I can tell. What format is it expecting the bind username to be in? I've tried username, domain\user, upn, direct CN path. Also when doing the test is the username supposed to be domain\user? or just user? Some added detail in the documentation would be helpful, it doesnt really go into any depth.

 

https://docs.netapp.com/wfa-50/index.jsp?topic=%2Fcom.netapp.doc.onc-wfa-isg%2FGUID-257AF002-75DF-4D22-8502-4CFB91FA76E3.html&cp=1_1_5_4_1

1 ACCEPTED SOLUTION

amayacitta
6,226 Views

OK so I got this working finally, the documentation is out of date I think for the latest version. Here was what sorted it.

 

  1. All of the attributes were left as default, still logging on with sAMAccountName
  2. The server URL only works for me when I enter ldap://servername.somedomain.co.uk or ldaps://severname.somedomain.co.uk. When doing ldap://servername.somedomain.co.uk:389 it fails to bind. Also when entering ldaps:// without :636 (SSL) at the end it prompts to accept the certificate, I presume this is becasue it's Java based and not using the windows certificate store. The back end system 100% has trust of the deployed LDAP certificate.
  3. Bind username only works for me when doing DOMAIN\serviceacount. When doing just serviceaccount it fails to bind.
  4. BaseDN is the same as most other LDAP systems, enter something broad where users and groups are, root of domain is OK if you're not sure. So for example dc=somedomain,dc=co,dc=uk
  5. Lastly there is a bug / annoyance, each time you play with any of the fields in the list of Active Directory Servers, the password field is somehow messed up. If for example I simply change the server URL from ldap to ldaps - the bind will fail and eventually the password get's locked out. If I change the server URL AND the password at the same time it's fine. It does this with Firefox and Chrome.
  6. Lastly when doing the test authenticaiton you just need the username not DOMAIN\username.

Hope this helps someone with configuring the latest version of WFA for AD.

 

View solution in original post

9 REPLIES 9

mbeattie
6,335 Views

Hi,

 

Here is an example from my lab using WFA 5.0.1.0.0 connect to a Server 2016 DC.

The Base DN should be the distinguished name for the root of the LDAP query (not the OU path of the service account).

 

D:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"

 

wfa.png

 

Hope that helps

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

amayacitta
6,281 Views

Cheers Matt. I've just put 5.1.3212 on.

 

I now get the following erorr which suggests the base DN is wrong, but it aint. It's pefectly fine, have many sysems using the same base DN 😞 Including OCUM!

 

2019-12-18 13:01:13,602 ERROR [com.netapp.wfa.ldap.LdapWrapper] (default task-9) Failed to find user in LDAP: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839�]

What are you putting in the text boxes? Just the sam account name or domain\ or upn? To be fair I've tried all combinations and it doesnt work. Lost now lol

 

Untitled.png

amayacitta
6,227 Views

OK so I got this working finally, the documentation is out of date I think for the latest version. Here was what sorted it.

 

  1. All of the attributes were left as default, still logging on with sAMAccountName
  2. The server URL only works for me when I enter ldap://servername.somedomain.co.uk or ldaps://severname.somedomain.co.uk. When doing ldap://servername.somedomain.co.uk:389 it fails to bind. Also when entering ldaps:// without :636 (SSL) at the end it prompts to accept the certificate, I presume this is becasue it's Java based and not using the windows certificate store. The back end system 100% has trust of the deployed LDAP certificate.
  3. Bind username only works for me when doing DOMAIN\serviceacount. When doing just serviceaccount it fails to bind.
  4. BaseDN is the same as most other LDAP systems, enter something broad where users and groups are, root of domain is OK if you're not sure. So for example dc=somedomain,dc=co,dc=uk
  5. Lastly there is a bug / annoyance, each time you play with any of the fields in the list of Active Directory Servers, the password field is somehow messed up. If for example I simply change the server URL from ldap to ldaps - the bind will fail and eventually the password get's locked out. If I change the server URL AND the password at the same time it's fine. It does this with Firefox and Chrome.
  6. Lastly when doing the test authenticaiton you just need the username not DOMAIN\username.

Hope this helps someone with configuring the latest version of WFA for AD.

 

mbeattie
6,244 Views

Hi,

 

To elaborate a bit, consider the following OU heirarcy in Active Directory. If searching for a user in the employees OU, the Base DN must be at the root of the heriaracy to ensure the LDAP search can find users in in that OU. EG the baseDN should be "DC=testlab,DC=local" (NOT the OU path of the AD service account "OU=Service Accounts,DC=testlab,DC=local")

 

C:\>dsquery user -samid mbeattie
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"

C:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"

Also one other point is that you must add the AD groups that are assigned to a WFA role for authentication to work.

EG ensure you have an AD group created that has the appropriate group members added

 

C:\>dsquery group -name WFA-Admins
"CN=WFA-Admins,OU=Groups,DC=testlab,DC=local"

C:\>dsquery group -name SGG-WFA-Admins | dsget group -members
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"

Then in WFA add the group "Execution\User Management\Active Directory Groups" click Add\New type the group name, select the WFA role and click save. You must add the AD group to WFA before using the test authentication feature.

 

When using the "test authentication" feature i entered the username who would login to WFA via their AD account. In my case: EG "TESTLAB\mbeattie" <%NetBIOSDomain>\<%samAccountName%>

 

I read you note about changing the configuration and having to re-enter the password otherwise it fails and locks the account out. Sure sounds like a bug and the documentation should definately be updated, will chase it up with the developers. Thanks

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

amayacitta
6,240 Views

I'd appreciate it if you dont remove my posts chap. There is clearly an issue here which you just removed? It's important people can search on issues to mitigate them, that's the point in these forums.

 

In order to get this working I had to go against the documentation and the image which you posted.


For those that want a solution that works please do the following:

 

  1. Enter the server URL without :389 or :636 at the end, i.e. ldaps://servername or if you want add the FQDN at the end. If you do this it will then prompt you for a certificate and will properly bind. Be aware the windows install wont use the certificates in the windows certificate store, probably because this is Java.
  2. Enter the username in format DOMAIN\username not just username
  3. Enter the BaseDN as you would normally do for any LDAP application, i.e. the location you want to search for which contains the users/groups your authenticating with.

There is a bug which means the password gets reset, if you play with the AD servers settings you may find the LDAP bind account being locked out. This is because any changes cause the password to be lost, when you make changes, ensure you update the password at the same time.

 

Hope this helps someone.

eyeboxone
5,131 Views

Recently upgraded and it appears the problem hasn't gotten worse and not better. I can't even edit or remove the existing LDAP address. It just keeps spitting out NULL at the top of the page. The bind username is missing, as is the DN. Every time I try to tab from one field to the next is complains about NULL. When I can get it do a test it complains about an expired certificate which probably the case because it was recently replaced. However I can't even remove the current entry so I can force to download the latest certificate. 

 

Any suggestions. I am close to reverting to a snapshot.

mbeattie
5,122 Views

Hi,

 

I recently upgraded to WFA5.1P1 and noticed similar issues.

 

  • Credentials were invalid (even though the WFA encryption key was applied before restoring the backup).
  • LDAP authentication failed.

 

The reason for this is that WFA5.1 requires certificates to be accepted. I found a workaround to this by deleting the credentials and LDAP configuration then re-adding them (if deletion fails, log out, login and try again. If that fails logout, clear your browser cache or try using a different browser).

 

Hope that helps

 

/Matt

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

eyeboxone
5,084 Views

I have attempted to remove the current LDAP entry but I can't even select it. Every time I select the entry it goes into edit mode in one of the field boxes. Can't even select the entry as a single entity.  If a field entry is selected and I click remove then I get the NULL error at the top of the page. The entire entry needs to be fixed so you can select it as a single entity or bring back the check box. Glaring oversight.

moep
4,894 Views

You can edit or remove the entry directly in the MySQL database. Also check this thread for another possible solution: https://community.netapp.com/t5/Data-Infrastructure-Management-Software-Discussions/WFA-5-1-LDAPs-Server-not-possible/td-p/160235

Public