BladeSystem Management Software

Active Directory Authentication via Onboard Administrator (OA)

 
chuckk281
Trusted Contributor

Active Directory Authentication via Onboard Administrator (OA)

Troy had a customer question:

 

******************

 

Hello,

 

I have a customer that is trying to setup the OA to use Active Directory authentication. They followed all of the instructions in the OA user guide and were able to get the certificate exported correctly and working. However, when the customer tries to use the “Test Settings” button, ALL of the test pass, except the last one: “User Authorization”. The OA is running 3.21

 

Initiating Directory Settings diagnostic for server 10.22.60.11
Accepting Directory Server certificate for signed by /DC=com/DC=csgsystems/DC=csg/CN=CSG Corporate CA01
Successful SSL connection (TLSv1/SSLv3, AES128-SHA, 128 bits)

Test user csgoma\jacb03 authenticated.
Unable to authorize test user.
Some diagnostics FAILED for server 10.22.60.11
Tests complete.

 

They have already created the proper Admin group using the “Directory Groups” setting as well. Do we have any other documentation about Active Directory support than what is in the OA user guide? I’m not sure how to troubleshoot this furthers so any ideas would be greatly appreciated.

 

*******************

 

Monty replied:

 

*********************

 

The last test is the authorization on the OA – whether the user is a member of a group that matches a group configured on the OA.

 

The three critical items here are:

  1. The OA finds a user attribute of “memberOf” for Active Directory or “groupMembership” for Novell eDirectory.
  2. The configurable OA search context strings find a match in the customer directory service for the group name
  3. The directory group name found is an exact match for the group name configured on the OA

 

Example:

Groupname:                      testgroup@hp.com

Search context1:              OU=US,OU=Users,OU=Accounts,DC=americas,DC=cpqcorp,DC=net

 

If the groupname is fully qualified, the OA must be configured with the complete groupname.  If I left “@hp.com” out of the OA configuration of this group name – the authorization would fail.  Similarly if the group name is not part of the directory group name, then the OA group name would need to be configured as testgroup.

 

*********************

 

Hope that helps Troy's customer. Any other advice for him?