Active IQ Unified Manager Discussions

WFA LDAP Configuration

fenton

I just had to set this up in the lab as an example so I'd thought I'd share it here...

I'm authenticating with Active Directory in our lab environment.

Login into the WFA Portal using your local admin credentials.

Next, click on Tools > WFA Configuration and click the LDAP tab. You'll now need to enter your LDAP server details; here is the example that I used:

LDAP Servers:  ldap://SP-DC01.uk-demo.netapp.com <<< this is my Active Directory Server

WFA Administrators group:  Domain Admins  <<< this is the AD group that I will map to the Administrators group in WFA

All other details are left untouched

Once configured, you can log out and then log back in using your Active Directory credentials.

If successful, you will then be logged in.

If you get a login failure message, a good place to check is:

{WFA_INSTALL_DIRECTORY}/jboss/server/default/log/wfa_ldap

This will give you clues as to why the authentication failed:

2012-03-16 12:42:44,040 GMT INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) Looking up user 'UK-DEMO\Administrator' in LDAP servers
2012-03-16 12:42:44,054 GMT INFO  [com.netapp.wfa.ldap.LdapWrapper] (http-0.0.0.0-80-4) Looking up user 'UK-DEMO\Administrator' using 'sAMAccountName' attribute
2012-03-16 12:42:44,141 GMT INFO  [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) Discovering roles of user 'UK-DEMO\Administrator'
2012-03-16 12:42:44,143 GMT WARN  [com.netapp.wfa.ldap.LdapLoginModule] (http-0.0.0.0-80-4) User 'UK-DEMO\Administrator' couldn't be logged in using LDAP because no roles were found, reverting to local WFA login (member of the following groups: [CN=Enterprise Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Administrator,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Exchange Organization Administrators,OU=Microsoft Exchange Security Groups,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Group Policy Creator Owners,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Schema Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Administrators,CN=Builtin,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, CN=Domain Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM]

In the example above, I had a typo in my mapping between LDAP groups and WFA groups in the configuration section.

Once a user has successfully logged in, they will also appear in the Users definition within WFA, so they can now be mapped to categories for further RBAC controls.
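The WARN line in the wfa_ldap log already tells you every AD group the user really belongs to, so a mapping typo can be spotted by comparing the configured WFA Administrators group name against that list instead of by eye. The script below is an added example for this thread, not part of WFA or of the original post: it parses the "no roles were found" line, pulls the leaf CN out of each group DN, and reports whether the configured name matches exactly, is a near miss (probable typo), or is genuinely absent. The sample log lines are constructed to mirror the shape quoted above with a shortened group list; the regexes are assumptions based on that quoted format, not a documented WFA log schema.

```python
import re
import difflib

# Constructed sample: two wfa_ldap lines in the same shape as the INFO/WARN lines
# quoted in the post (group list shortened; the DNs are made up for this example).
SAMPLE_LOG_LINES = [
    "2012-03-16 12:42:44,141 GMT INFO  [com.netapp.wfa.ldap.LdapLoginModule] "
    "(http-0.0.0.0-80-4) Discovering roles of user 'UK-DEMO\\Administrator'",
    "2012-03-16 12:42:44,143 GMT WARN  [com.netapp.wfa.ldap.LdapLoginModule] "
    "(http-0.0.0.0-80-4) User 'UK-DEMO\\Administrator' couldn't be logged in using LDAP "
    "because no roles were found, reverting to local WFA login (member of the following "
    "groups: [CN=Enterprise Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, "
    "CN=Domain Admins,CN=Users,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM, "
    "CN=Administrators,CN=Builtin,DC=UK-DEMO,DC=HQ,DC=NETAPP,DC=COM]",
]

# Assumed line format, derived from the WARN line quoted in the post.
NO_ROLES_RE = re.compile(
    r"User '(?P<user>[^']+)' couldn't be logged in using LDAP because no roles were found"
    r".*member of the following groups: \[(?P<groups>.*)\]"
)
# DNs are separated by ", " but also contain commas internally, so split only
# where the next DN begins ("CN=" right after the separator).
DN_SPLIT_RE = re.compile(r",\s+(?=CN=)")
FIRST_CN_RE = re.compile(r"^CN=([^,]+)", re.IGNORECASE)


def group_cns(groups_field):
    """Return the leaf CN of every DN in the bracketed group list."""
    cns = []
    for dn in DN_SPLIT_RE.split(groups_field):
        m = FIRST_CN_RE.match(dn.strip())
        if m:
            cns.append(m.group(1))
    return cns


def diagnose(groups_field, configured_group):
    """Compare the configured WFA group name against the user's real AD groups.

    status is 'match' (mapping is fine, look elsewhere for the failure),
    'near-miss' (probable typo; suggestions hold the closest real group names)
    or 'no-match' (the user is genuinely not in the mapped group).
    """
    cns = group_cns(groups_field)
    # AD group names are not case-sensitive, so compare case-insensitively.
    exact = [cn for cn in cns if cn.lower() == configured_group.lower()]
    if exact:
        return {"status": "match", "matches": exact, "suggestions": []}
    near = difflib.get_close_matches(configured_group, cns, n=3, cutoff=0.8)
    status = "near-miss" if near else "no-match"
    return {"status": status, "matches": [], "suggestions": near}


def scan_log(lines, configured_group):
    """Find every 'no roles were found' fallback in the log and diagnose it."""
    findings = []
    for line in lines:
        m = NO_ROLES_RE.search(line)
        if m:
            result = diagnose(m.group("groups"), configured_group)
            result["user"] = m.group("user")
            findings.append(result)
    return findings


if __name__ == "__main__":
    # Configured name is one character short of the real group, as in a typo.
    for f in scan_log(SAMPLE_LOG_LINES, "Domain Admin"):
        print(f["user"], f["status"], f["suggestions"])
```

Run it against the real file with `scan_log(open(path).read().splitlines(), "<your mapped group>")`. A "match" result means the group mapping is not the problem and you should look at the earlier lookup lines (wrong server, bind failure, wrong attribute) instead; a "near-miss" points straight at the typo.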


2 Replies

goodrum

Great How-To! The only concern I would have is that there is a single domain controller. I assume that we can comma-separate those entries? I think it might almost be better if WFA would accept a domain and then use the SRV records in DNS to perform an LDAP lookup. Just my two bits.

fenton

Yes Jeff, it can be a comma-separated list of multiple LDAP servers (I only have one in my lab currently). (If you hover over the dialogue, WFA will advise you of the syntax.)

I like the SRV suggestion, so I will let the Engineering folks comment on whether that's something we look towards adding in the future.
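Until a product does its own SRV discovery, the two replies above can be combined by hand: resolve the `_ldap._tcp.<domain>` SRV records once, order them the way RFC 2782 says a client should (lowest priority first, weighted random among equals), and paste the result into the comma-separated LDAP Servers field so a single DC is no longer a single point of failure. The code below is an added example, not WFA code and not something from the thread. The SRV records are constructed inline with placeholder hostnames (the standard library has no SRV resolver, so a real run would feed in records from your DNS tooling), and rendering each target as `ldap://host:port` joined by commas is an assumption: the thread says the exact accepted syntax is shown when you hover over the WFA dialogue, so check that before pasting.

```python
import random

# Constructed SRV record set in the shape AD publishes under _ldap._tcp.<domain>:
# (priority, weight, port, target). Hostnames are placeholders, not real servers.
SAMPLE_SRV_RECORDS = [
    (0, 100, 389, "dc01.uk-demo.example.com."),
    (0, 100, 389, "dc02.uk-demo.example.com."),
    (10, 0, 389, "dc03.uk-demo.example.com."),  # backup site: used only if both above fail
]


def order_srv(records, rng=None):
    """Order SRV targets as RFC 2782 describes: lowest priority value first, and
    within one priority level a weighted random pick so load spreads across peers."""
    rng = rng or random.Random(0)  # fixed seed only so the example output is reproducible
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(rec[1] for rec in pool)
            if total == 0:
                chosen = pool[0]  # all remaining weights are zero: any order is fine
            else:
                pick = rng.randint(0, total - 1)
                acc = 0
                for rec in pool:
                    acc += rec[1]
                    if pick < acc:
                        chosen = rec
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def ldap_server_list(records, scheme="ldap", rng=None):
    """Render the ordered targets as a comma-separated list of LDAP URLs.

    Assumption: WFA accepts 'scheme://host:port' entries separated by commas;
    confirm the syntax against the hover text on the LDAP Servers field.
    """
    return ",".join(
        f"{scheme}://{target.rstrip('.')}:{port}"
        for _, _, port, target in order_srv(records, rng)
    )


if __name__ == "__main__":
    print(ldap_server_list(SAMPLE_SRV_RECORDS))
    # Same ordering logic works for LDAPS if your DCs publish it on 636.
    print(ldap_server_list([(0, 100, 636, "dc01.uk-demo.example.com.")], scheme="ldaps"))
```

The priority-10 host always lands last, which is exactly what you want from a backup-site DC; the two priority-0 hosts come out in a weighted random order, so regenerating the list on different WFA servers spreads the first-choice load between them.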
