2012-07-27 12:56 PM
Hello ... I want to start a thread on a specific configuration a customer is running and having difficulty making it work.
With the information I have (and let us assume that all versions are current and supported) ... a client has a RHEL system hosting OnCommand 5.X. The RHEL host itself is configured to authenticate with the W2K8 domain controller and our admins can log in (ex: esynodinos) with a simple user name and pass their domain password just fine. With OnCommand this is not the case. A user by the name of esynodinos is on the OnCommand admin list with Global Full Control, but yet the domain password is rejected.
I have searched the forums for ideas and it may be that we have to enter LDAP credentials into OnCommand to better pass authentication requests.
We are going to ask the customer what they do to get their RHEL boxes to authenticate properly.
In the meantime, I am hoping to get some ideas from the community here.
2012-07-27 03:54 PM
Okay an update ... we may have the answer next week.
We do not have root access to the RHEL server so we will have to wait until next week, but through the access we have we believe the RHEL host is configured with the PAM package, which allows authentication to a Windows AD system. With that in mind, through a colleague's experience, they had to set a command-line-only option to make DFM pass the authentication properly through PAM.
The option in question is authUsePam and is only available on the command line; once you enable it, it should just work.
However, since we are in a pickle with root access, no matter how we tried to fool the host system, it refused us the ability to make the change. On the actual system, our regular users can log into the host with local accounts. Those same local accounts have DFM admin user entries with GlobalFullControl but are unable to make the command-line change:
dfm option set authUsePam=yes
You must have the capability to perform the DFM Core Control operation in order to change these options.
Log in as a different administrator to try again.
My test instance allows me to make the change to the option. The only difference is, my test instance is a Windows box and I am logged in as a domain administrator account (domain/esynodinos):
C:\script>dfm option set authUsePam=yes
Service DFMServer: Unable to connect to Service Control Manager: 5
Changed authenticate using PAM to Yes.
You must now restart the server service:
dfm service stop server
dfm service start server
Note: Since you have chosen to use PAM authentication which is used by the
server service, you must restart the server service every time you change
the PAM configuration on this system.
2012-07-31 11:18 AM
UPDATE - this did not work, and now the curiosity is to understand if there are other Linux modules out there that can configure hosts to authenticate through an Active Directory.
2012-08-01 07:29 AM
Why don't you use LDAP?
Look at this:
It works fine and you can configure it without special root permissions. Only a system account in the AD and two or more groups are necessary.
2012-08-08 02:28 PM
Correct ... we got the AD LDAP information and plugged it into DFM, and we can authenticate with AD accounts on a Linux box through AD.
This opens up other questions, like when an OnCommand admin user named "pete" becomes recorded as a series of contain name properties. This will be a separate thread.
2012-08-17 04:32 PM
So I followed the instructions according to the KB article and I'm still having issues. These are the settings that I have in my lab environment.
[root@tkoslis01 ~]# dfm options list | grep -i ldap
[root@tkoslis01 ~]# dfm ldap list
Address Port Last Use Last Failure
------------------------------------------ ------ -------------------------- --------------------------
tkosmdc01.tkocs.prv 389 2012-08-17 19:10:23.000000
tkosmdc02.tkocs.prv 389 2012-08-17 19:18:41.000000
tkosmdc03.tkocs.prv 389 2012-08-17 19:25:00.000000
And this is the error that I get:
[root@tkoslis01 ~]# dfm ldap test svcDFM <password>
Warning: Failed to bind to ldap server 'tkosmdc01.tkocs.prv' as administrator 'cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv': Invalid credentials
Warning: ldapBindDN ('cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv') and/or ldapBindPass setting may be wrong.
Error: Failed to authenticate svcDFM.
I know the username and password are correct. I've tried this with a Linux system configured with Winbind authentication working and without. Not sure what I need to do and have been checking posts to see where I'm going wrong.
2012-08-18 01:17 AM
After looking at the LDAP settings I can guess that you are using an Active Directory LDAP server. You are getting this error because the option values for the fields below are not set correctly.
Normally, in an AD server we create a user under the "Users" directory, so in your case the "ldapBindDN" field's value should be "cn=svcDFM,cn=Users,ou=System,ou=Accounts,dc=tkocs,dc=prv".
So, the option value below should be
ldapBindPass = password of "svcDFM"
Also, you can bind the LDAP server with a different domain user, the user that is created when you build the AD setup.
Example: I have an Administrator user in the BARD_QA domain, so my LDAP settings are
[root@shoemake-rhel ~]# dfm option list | grep -i ldap
[root@shoemake-rhel ~]# dfm ldap test ldap_user ******
[root@shoemake-rhel ~]# dfm ldap find ldap_user
Username Full Name
Please first search for the user with the "dfm ldap find <user_name>" command; if this succeeds then you can use the "dfm ldap test" command.
Please let me know if you need any further assistance.
2012-08-18 03:17 AM
My CN is correct, as that account is in the System OU, which is in the Accounts OU in my tkocs.prv domain. CN=Users is the default area for user accounts if you are not maintaining an OU structure that is different from the default. In either case, I've tried it with an account in CN=Users and got the same error.
2012-08-18 03:54 AM
You have three LDAP servers; the "dfm ldap find/test" commands first try to search for the user in the first LDAP server.
So, do you have the LDAP user "svcDFM" on the "tkosmdc01.tkocs.prv" server?
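The bind failure above ("Invalid credentials" from `dfm ldap test`) and the closing question of whether the user even exists on the first DC can both be settled outside DFM: a plain LDAPv3 simple bind against each DC, using the exact ldapBindDN/ldapBindPass pair, returns Active Directory's full diagnosticMessage, whose "data NNN" sub-code distinguishes a wrong password (52e) from a DN that does not exist on that DC (525). The script below is an added example, not code from this thread or from OnCommand/DFM; it hand-encodes the BER for a BindRequest/BindResponse so it has no dependencies beyond the Python standard library. Host names, DNs and passwords in it are constructed placeholders, and the sub-code table is the standard AD AcceptSecurityContext list.

```python
"""Minimal LDAPv3 simple bind (RFC 4511) to test a bindDN/password against one DC.
Added example, not part of the forum thread or of OnCommand/DFM.
Usage: python ldap_bind_check.py tkosmdc01.tkocs.prv \
    "cn=svcDFM,ou=System,ou=Accounts,dc=tkocs,dc=prv" "<password>"
(all names above are constructed placeholders)
"""
import re
import socket


def ber_len(n: int) -> bytes:
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0a) in minimal two's complement."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def read_tlv(buf: bytes, i: int = 0):
    """Decode the TLV at offset i -> (tag, value, offset after it)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def frame_complete(buf: bytes) -> bool:
    """True once buf holds one whole top-level LDAPMessage."""
    if len(buf) < 2:
        return False
    length, i = buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < i + n:
            return False
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return len(buf) >= i + length


def bind_request(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { 3, name, simple } }."""
    op = tlv(0x60, ber_int(3)                        # version 3
             + tlv(0x04, bind_dn.encode())           # name: LDAPDN
             + tlv(0x80, password.encode()))         # simple [0] OCTET STRING
    return tlv(0x30, ber_int(msg_id) + op)


def bind_response(msg_id: int, code: int, diag: str) -> bytes:
    """[APPLICATION 1] BindResponse encoder; used to build offline samples."""
    op = tlv(0x61, ber_int(code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def parse_bind_response(data: bytes):
    """-> (messageID, resultCode, diagnosticMessage); 0 = success, 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, i = read_tlv(msg)
    op, body, _ = read_tlv(msg, i)
    if op != 0x61:
        raise ValueError("unexpected protocolOp 0x%02x" % op)
    _, code, i = read_tlv(body)           # resultCode ENUMERATED
    _, _matched, i = read_tlv(body, i)    # matchedDN (ignored)
    _, diag, _ = read_tlv(body, i)        # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big"), diag.decode(errors="replace"))


# 'data NNN' sub-codes AD puts in diagnosticMessage when a bind fails
AD_BIND_DATA = {
    "525": "user not found: DN does not exist on this DC",
    "52e": "invalid credentials: DN exists, password wrong",
    "533": "account disabled",
    "532": "password expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def ad_hint(diag: str) -> str:
    m = re.search(r"data ([0-9a-f]+)", diag)
    if not m:
        return "no AD data code in message"
    return AD_BIND_DATA.get(m.group(1), "unknown AD data code " + m.group(1))


def simple_bind(host: str, bind_dn: str, password: str, port: int = 389, timeout=5.0):
    """Bind once, unbind, return (resultCode, diagnosticMessage).
    A simple bind on 389 sends the password in clear: lab networks only,
    or wrap the socket in TLS (636) before calling this."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, bind_dn, password))
        while not frame_complete(buf):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        try:
            s.sendall(tlv(0x30, ber_int(2) + bytes([0x42, 0x00])))  # UnbindRequest
        except OSError:
            pass                                    # DC may already have hung up
    _, code, diag = parse_bind_response(buf)
    return code, diag


if __name__ == "__main__":
    import sys
    code, diag = simple_bind(*sys.argv[1:4])
    print("resultCode=%d  %s" % (code, ad_hint(diag) if code else "bind OK"))
```

Run it once per DC listed by `dfm ldap list`, in the same order DFM tries them: a 525 on tkosmdc01 but a clean bind on tkosmdc02 would point at replication or a DN that only resolves on some DCs, while 52e everywhere means the DN is right and the stored ldapBindPass is wrong.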