topic Re: AD issues in HPE OneView

AD issues

JayFromIT — Mon, 05 Aug 2019 17:27:45 GMT

I can't seem to figure where and why it's causing the bottle neck. It also doesn't help the situation I don't have domain admin credentails, so I can't troubleshoot the AD issues.

Domain: Company.com (Parent)

Domain forest USA.Company.com (Child)

Domain forest CANADA.Company.com (Child)

I created a US secuirty group. All the USA users can login in just fine. However all the people who are a CANADA user and part of the US secuirty group has a hard time logging into HPe OneView.

The couple of ways I tried to get it to work.

Created a Company.com "Directories" then linked that directories in user and groups to a USA secuirty group, then had the user login as CA/username, sometimes able to login but mostly failure due to time out failure.

Created an USA.Company.com in "Directories" then linked that directories in the user and groups to a USA secuirty group, then had the user login as CA/username, failed.

Created an CANADA.Company.com in "Directories" however could not link it to the "USA secuirty group"

Any suggestions?

Re: AD issues

ChrisLynch — Mon, 05 Aug 2019 21:08:32 GMT

I would recommend creating a unique directory for each AD domain you have. I would name them the exact same as the NT Domain Name. So, if your USA.domain.com's NT Domain Name is USA, then create a USA auth directory in OneView. Then, your users can type in USA\MyUsername without needing to change the auth directory on the OneView login console to authenticate to the correct directory.

Re: AD issues

BhaskarV — Mon, 12 Aug 2019 05:15:17 GMT

Hi @JayFromIT

Were you able to get this issue resolved using the suggestions from Chris Lynch?
Let us know.

Regards,
Bhaskar

Re: AD issues

JayFromIT — Mon, 17 Feb 2020 21:06:27 GMT

Hi Chris,

This task was put into the back burner as the oneview was more of a POC at the time.

Anyways my Current Setup

-US.COMPANY.COM

--- US_User_1

--- US_Security_Group

CANADA.COMPANY.COM

--- CANADA_User_1 (is a member of US_Secuirty_Group)

In HPEONEVIEW

US.COMPANY.COM is in “Settings/Security/Directories”

-US_Security_Group added to US.COMPANY.COM directory in users and groups

--US_User_1 can login

CANADA.COMPANY.COM is in “Settings/Security/Directories”

--CANADA_User_1 just stalls for a long time then a login failure

I tried adding “US_Secuirty_Group” to the CANADA directory but it could not find US_Secuirty_Group.

I get something like “An invalid search input CN=groupname, OU= OU PATH, DC=us,DC=company,DC=com was not provided with the request to search on directory CANADA.COMPANY.COM

I assume HPe recommendation/wants

-US.COMPANY.COM

-- US_Security_Group

--- US_User_1

CANADA.COMPANY.COM

-- CANADA_Security_Group

--- CANADA_User_1

Due to company requirements, is there a way not to use this setup but try to get it to work in the first example? Because that example does work within iLO. Users in the Canada domain can login to ilo even though the security group is in the US domain.

EDIT: also some other few things I have noticed. I can not add CANADA.COMPANY.COM with my US account in “Settings/Security/Directories”. I had to have someone with a CANADA NT account add the CANADA Directory. It says "Invalid Credentials or Base DN" I did try login "us\username"

Re: AD issues

Poongkodi — Tue, 18 Feb 2020 06:55:33 GMT

Hi,

What you have is a cross-domain authentication requirement, and OneView supports it. All you need is configure the baseDN as the top/parent domain and port as the global catalog port.

Can you try the below configuration?

BaseDN: dc=company,dc=com

Port: 3269 (default global catalog port)

and group: us_security_group

With this both the US and Canada users should be able to login. Can you try and let us know how it goes?

The documentation on this is available in the OneView 5.0 user guide as a separate section 'cross-domain authentication'.

Thanks,

Poongkodi

Re: AD issues

JayFromIT — Tue, 18 Feb 2020 19:43:03 GMT

Hi Poongkodi,

I swore I tried that before but for some reason, when I follow your instructions it's working, maybe it's the port? I always used 636 however to follow your instructions, I used 3269. The only issue I have is once the Directory has been added in security, in users and groups it takes about 1-2 minutes to find the group, even though I put the full DN path. Is that normal?

Re: AD issues

ChrisLynch — Tue, 18 Feb 2020 19:53:22 GMT

Keep in mind that 636/TCP is the LDAP port for local Active Directory requests. 3269/TCP is to initiate an LDAP query to the Active Directory Global Catelog service. The GC role for a DC indexes all resources within the forest, regardless the number of domains, or tree structure. As for the length of time, I'mnot sure what is causing that. It could be the number of objects you have within your enterprise forest, or the type of LDAP query OneView is making to the GC service. Do you experience the same delay when authenticating to the appliance?

Re: AD issues

JayFromIT — Tue, 18 Feb 2020 22:00:19 GMT

Right now when I try to login with the new parent directory it was in the "acceptable/usable" (5-10 second) range. I am in the process to ask people outside my domain to login.

@ Chris Lync

In Users and Groups\Add Group\Group box

When I enter the full DN path and press "select group" on the back end is it searching for that exact path or just trying to login to pull the GC? because after waiting a long time, when it's "done" it starts me off in a pop-up window with DC=Company, DC=com not the full path I entered earlier.

EDIT: I have confirmation users outside of the domain, who has never logged in before it took about 5 seconds for them to log in. I think the port did help. However, I still have an issue where I try to add a DN it takes a long time for it to load. I guess not a big issue as, because I only have to do it one time, which I can wait for.

Re: AD issues

Poongkodi — Wed, 19 Feb 2020 05:55:03 GMT

Hi @JayFromIT

During group add if you are entering the group DN (or the group name) then "Add" action can be clicked directly. The "Select group" action is needed only when you want to navigate the directory and select the group. Entering the group DN and clicking "Add" directly should save you time. Could you pl try and confirm?