- Integrated Systems
- About Us
- Integrated Systems
- About Us
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
11-13-2014 07:52 AM - edited 11-13-2014 07:56 AM
I am having some issues with setting up authentication. I am doing the checkpassword command with one of my domain accounts and the "searching LDAP using:" looks questionable. The filter seems to be attempting to filter on objectClass group not user and I am not sure why. I am currently trying to authenticate to an Windows 2012 R2 Active Directory Server. I have included some screen shots with vital info redacted.
Solved! Go to Solution.
11-17-2014 11:55 AMSolution
So I ended up having to punt on this one. I went through the CLI reference guide for 3.2.1 MU1 and I found the command to clear all auth params. I ran the following command:
setauthparams -f -clearall
Once I did that I ran through the setauthparams again. I used the following commands, in the following order:
setauthparam -f ldap-server <ipaddress of domain controller to use>
setauthparam -f ldap-server-hn <DNS_Hostname of DC, case insensitive>
setauthparam -f kerberos-realm <LDAP_Service name, case sensitive. Use LDP.exe on DC and pull value from the output connecting to the DC>
setauthparam -f binding sasl
setauthparam -f sasl-mechanism GSSAPI
setauthparam -f accounts-dn <dn path, you can pull DN path from adsi or the attributes tab in ADUC if you have advanced mode enabled>
setauthparam -f account-obj user (This value needs to be "user" specifically for AD)
setauthparam -f account-name-attr sAMAccountName (if you look at page 22 on the CLI Admins Reference guide for 3.2.1 MU1 this value says "sAMAccount". This is completely wrong. Windows AD requires sAMAccountName)
setauthparam -f memberof-attr memberOf
setauthparam -f <map_param> <map_value, DN of group that you wish to reference in AD>
In some writeups the following is listed as a required command
setauthparams -f account-group group
Do not use that command. It triggers the filter for parsing Active Directory to change to "group" instead of authenticating per user. That's essentially what was throwing off my AD configuration.
11-23-2014 09:32 PM
Re: LDAP Authentication Issues
Very well Self Solved..:)
Here is the script to set up LDAP:
Just replace the info with the customers info REM assuming all windows default security params REM setauthparam ldap-server <IP-Address> REM setauthparam ldap-server-hn <DNS-hostname> REM setauthparam kerberos-realm <LDAP-ServiceName> - CASE SENSITIVE REM setauthparam binding sasl REM setauthparam sasl-mechanism GSSAPI REM setauthparam accounts-dn <dn-path> REM setauthparam account-obj user (tells the LDAP client to search for users) REM setauthparam account-name-attr SAMAccountName REM setauthparam memberof-attr memberOf REM checkpassword ---- REM EXAMPLE USING THE LAB MACHINES ---- REM assuming all default windows params REM clear out all old params setauthparam -f clearall setauthparam -f ldap-server 192.168.47.100 setauthparam -f ldap-server-hn mktg-admin0.3par-mktg.3pardata.com setauthparam -f kerberos-realm 3PAR-MKTG.3PARDATA.COM setauthparam -f binding sasl setauthparam -f sasl-mechanism GSSAPI setauthparam -f accounts-dn cn=Users,dc=3par-mktg,dc=3pardata,dc=com setauthparam -f account-obj user setauthparam -f account-name-attr sAMAccountName setauthparam -f memberof-attr memberOf setauthparam super-map "cn=Domain Admins,cn=Users,dc=3par-mktg,dc=3pardata,dc=com"
To assign points on this post? Click the white Thumbs up below!