topic Re: LDAP use in MSA2050 in MSA Storage

LDAP use in MSA2050

M_v_S — Tue, 02 Jun 2020 09:55:43 GMT

Hi,

I want to enable LDAP support in my MSA2050 for the domain admins.

The basic configuration is working, but users can't logon.

In User-search-base, I added the FQDN for my ad group. In that group I created the same group-name as in the Current-User-Groups area of the MSA config and gave them the admin rights there.

I see no further explanation what I have to do, with the group created in MSA. You can't add users there.

Have I to do somethin in another way?

Greetings to you all

Re: LDAP use in MSA2050

Dardan — Tue, 02 Jun 2020 10:45:13 GMT

Hello,

Have you tried logging in using the Domain\User and Password?

In order to troubleshoot further, please provide the following:
- Your MSA configuration, found under the tab LDAP Users
- AD Group FQDN and User's group.

Cheers,
Dardan

Re: LDAP use in MSA2050

M_v_S — Tue, 02 Jun 2020 10:21:12 GMT

Hi,

of course I tried with Domain\Username before the post.

Server: my DC IP
Port: 636
User-search-base: OU=MyGroup,OU=Location,DC=Domain,DC=TLD
(of course with my real values)
Connection to LDAP worked with that configuration, with a wrong entry I couldn't save it.

Current User-Groups:
User Group Name: MyGroup

That is all I can configure.

Re: LDAP use in MSA2050

Dardan — Tue, 02 Jun 2020 10:47:29 GMT

User-search-base is the FQDN of the group where your (admin) users reside. I wouldn't create any extra group for this, if your priviledged account resides within OU=Admins, then it becomes OU=Admins,OU=Location,DC=Domain,DC=TLD.

User Group Name is then a security group (Global) where privileged users are added to. In your case it is let's say 'MyGroup' which has as a member your admin and other privileged accounts.

In addition to that, I have also configured the Alt-Server and Alt-Port and my MSA arrays are already using TLS/SSL certificates. Port 636 is a Secure LDAP port which might be needing the CA root certificate to be able to authenticate - although not sure of it.

Re: LDAP use in MSA2050

M_v_S — Tue, 02 Jun 2020 11:07:18 GMT

The FQDN points to the group, where my Users are. But can't login with these accounts. Tried also port 389.

At first attempts I pointed the FQDN to the OU, where the group name is located in AD and added the Admin Accounts to that group, but as I said, it didn't worked.

Any other ideas?
I have other devices, where I use LDAP successfully.

Re: LDAP use in MSA2050

SUBHAJIT KHANBARMAN_1 — Wed, 17 Jun 2020 07:07:03 GMT

@M_v_S

Are you using Kerberos Server ?

The Kerberos realm name needs to be in CAP

The Group Distinguished Name need to be in the correct given group name – CN=<group_name>,OU=<applicable OU>,DC=<domin>,DC=TLD

Can you please help us to understand if the issue got resolved or not?

If issue got resolved then how?

Also request you to mark the forum as resolved if there is no more outstanding query from your end on this issue.

This will help for everyone who are all following your forum.

Hope this helps!
Regards
Subhajit

I am an HPE employee

If you feel this was helpful please click the KUDOS! thumb below!

***********************************************************************

Re: LDAP use in MSA2050

M_v_S — Wed, 17 Jun 2020 11:19:51 GMT

Hi,

I don't have Kerberos in use.

Tried it also with a group in the last OU and your suggestion: CN=Group,...

So this issue is still open.