Hi,

Here is an example from my lab using WFA 5.0.1.0.0 connect to a Server 2016 DC.

The Base DN should be the distinguished name for the root of the LDAP query (not the OU path of the service account).

D:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"

Hope that helps

/Matt

Cheers Matt. I've just put 5.1.3212 on.

I now get the following erorr which suggests the base DN is wrong, but it aint. It's pefectly fine, have many sysems using the same base DN 😞 Including OCUM!

2019-12-18 13:01:13,602 ERROR [com.netapp.wfa.ldap.LdapWrapper] (default task-9) Failed to find user in LDAP: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839�]

What are you putting in the text boxes? Just the sam account name or domain\ or upn? To be fair I've tried all combinations and it doesnt work. Lost now lol

Hi,

To elaborate a bit, consider the following OU heirarcy in Active Directory. If searching for a user in the employees OU, the Base DN must be at the root of the heriaracy to ensure the LDAP search can find users in in that OU. EG the baseDN should be "DC=testlab,DC=local" (NOT the OU path of the AD service account "OU=Service Accounts,DC=testlab,DC=local")

C:\>dsquery user -samid mbeattie
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"

C:\>dsquery user -samid srv_netapp_wfa
"CN=srv_netapp_wfa,OU=Service Accounts,DC=testlab,DC=local"

Also one other point is that you must add the AD groups that are assigned to a WFA role for authentication to work.

EG ensure you have an AD group created that has the appropriate group members added

C:\>dsquery group -name WFA-Admins
"CN=WFA-Admins,OU=Groups,DC=testlab,DC=local"

C:\>dsquery group -name SGG-WFA-Admins | dsget group -members
"CN=mbeattie,OU=Employees,DC=testlab,DC=local"

Then in WFA add the group "Execution\User Management\Active Directory Groups" click Add\New type the group name, select the WFA role and click save. You must add the AD group to WFA before using the test authentication feature.

When using the "test authentication" feature i entered the username who would login to WFA via their AD account. In my case: EG "TESTLAB\mbeattie" <%NetBIOSDomain>\<%samAccountName%>

I read you note about changing the configuration and having to re-enter the password otherwise it fails and locks the account out. Sure sounds like a bug and the documentation should definately be updated, will chase it up with the developers. Thanks

/Matt

I'd appreciate it if you dont remove my posts chap. There is clearly an issue here which you just removed? It's important people can search on issues to mitigate them, that's the point in these forums.

In order to get this working I had to go against the documentation and the image which you posted.

For those that want a solution that works please do the following:

1. Enter the server URL without :389 or :636 at the end, i.e. ldaps://servername or if you want add the FQDN at the end. If you do this it will then prompt you for a certificate and will properly bind. Be aware the windows install wont use the certificates in the windows certificate store, probably because this is Java.
2. Enter the username in format DOMAIN\username not just username
3. Enter the BaseDN as you would normally do for any LDAP application, i.e. the location you want to search for which contains the users/groups your authenticating with.

There is a bug which means the password gets reset, if you play with the AD servers settings you may find the LDAP bind account being locked out. This is because any changes cause the password to be lost, when you make changes, ensure you update the password at the same time.

Hope this helps someone.

Recently upgraded and it appears the problem hasn't gotten worse and not better. I can't even edit or remove the existing LDAP address. It just keeps spitting out NULL at the top of the page. The bind username is missing, as is the DN. Every time I try to tab from one field to the next is complains about NULL. When I can get it do a test it complains about an expired certificate which probably the case because it was recently replaced. However I can't even remove the current entry so I can force to download the latest certificate. 

Any suggestions. I am close to reverting to a snapshot.

Hi,

I recently upgraded to WFA5.1P1 and noticed similar issues.

• Credentials were invalid (even though the WFA encryption key was applied before restoring the backup).
• LDAP authentication failed.

The reason for this is that WFA5.1 requires certificates to be accepted. I found a workaround to this by deleting the credentials and LDAP configuration then re-adding them (if deletion fails, log out, login and try again. If that fails logout, clear your browser cache or try using a different browser).

Hope that helps

/Matt

I have attempted to remove the current LDAP entry but I can't even select it. Every time I select the entry it goes into edit mode in one of the field boxes. Can't even select the entry as a single entity.  If a field entry is selected and I click remove then I get the NULL error at the top of the page. The entire entry needs to be fixed so you can select it as a single entity or bring back the check box. Glaring oversight.

You can edit or remove the entry directly in the MySQL database. Also check this thread for another possible solution: https://community.netapp.com/t5/Data-Infrastructure-Management-Software-Discussions/WFA-5-1-LDAPs-Server-not-possible/td-p/160235