HPE OneView
Re: AD issues

 
JayFromIT
Advisor

AD issues

I can't seem to figure out where and why it's causing the bottleneck. It also doesn't help the situation that I don't have domain admin credentials, so I can't troubleshoot the AD issues.

Domain: Company.com (Parent)

Domain forest USA.Company.com (Child)

Domain forest CANADA.Company.com (Child)

I created a US security group. All the USA users can log in just fine. However, all the people who are a CANADA user and part of the US security group have a hard time logging into HPE OneView.

These are the couple of ways I tried to get it to work:

Created a Company.com entry in "Directories", then linked that directory in Users and Groups to a USA security group, then had the user log in as CA/username; sometimes able to log in, but mostly failure due to a timeout.

Created a USA.Company.com entry in "Directories", then linked that directory in Users and Groups to a USA security group, then had the user log in as CA/username; failed.

Created a CANADA.Company.com entry in "Directories"; however, I could not link it to the "USA security group".

Any suggestions? 

 

ChrisLynch
HPE Pro

Re: AD issues

I would recommend creating a unique directory for each AD domain you have.  I would name them the exact same as the NT Domain Name.  So, if your USA.domain.com's NT Domain Name is USA, then create a USA auth directory in OneView.  Then, your users can type in USA\MyUsername without needing to change the auth directory on the OneView login console to authenticate to the correct directory.


I am an HPE employee


BhaskarV
Trusted Contributor

Re: AD issues

Hi @JayFromIT 

Were you able to get this issue resolved using the suggestions from Chris Lynch?
Let us know.

Regards,
Bhaskar


I am an HPE employee


JayFromIT
Advisor

Re: AD issues

Hi Chris,

This task was put on the back burner as OneView was more of a POC at the time.

Anyway, my current setup:

-US.COMPANY.COM
--- US_User_1
--- US_Security_Group

CANADA.COMPANY.COM
--- CANADA_User_1 (is a member of US_Security_Group)

In HPE OneView:

US.COMPANY.COM is in "Settings/Security/Directories"
-US_Security_Group added to US.COMPANY.COM directory in Users and Groups
--US_User_1 can log in

CANADA.COMPANY.COM is in "Settings/Security/Directories"
--CANADA_User_1 just stalls for a long time, then a login failure

I tried adding "US_Security_Group" to the CANADA directory, but it could not find US_Security_Group.

I get something like "An invalid search input CN=groupname, OU= OU PATH, DC=us,DC=company,DC=com was not provided with the request to search on directory CANADA.COMPANY.COM".

I assume HPE's recommendation/wants:

-US.COMPANY.COM
-- US_Security_Group
--- US_User_1

CANADA.COMPANY.COM
-- CANADA_Security_Group
--- CANADA_User_1

Due to company requirements, is there a way not to use this setup but try to get it to work in the first example? Because that example does work within iLO. Users in the Canada domain can log in to iLO even though the security group is in the US domain.

EDIT: also a few other things I have noticed. I cannot add CANADA.COMPANY.COM with my US account in "Settings/Security/Directories". I had to have someone with a CANADA NT account add the CANADA Directory. It says "Invalid Credentials or Base DN". I did try logging in as "us\username".

Poongkodi
Occasional Advisor
Solution

Re: AD issues

Hi,

What you have is a cross-domain authentication requirement, and OneView supports it. All you need is to configure the baseDN as the top/parent domain and the port as the global catalog port.

Can you try the below configuration?

BaseDN: dc=company,dc=com

Port: 3269 (default global catalog port)

and group: us_security_group

With this both the US and Canada users should be able to login. Can you try and let us know how it goes?

The documentation on this is available in the OneView 5.0 user guide as a separate section 'cross-domain authentication'.

Thanks,

Poongkodi

JayFromIT
Advisor

Re: AD issues

Hi Poongkodi,

I swore I tried that before, but for some reason, when I follow your instructions it's working; maybe it's the port? I always used 636, but to follow your instructions I used 3269. The only issue I have is that once the Directory has been added in Security, in Users and Groups it takes about 1-2 minutes to find the group, even though I put in the full DN path. Is that normal?

 

 

ChrisLynch
HPE Pro

Re: AD issues

Keep in mind that 636/TCP is the LDAP port for local Active Directory requests. 3269/TCP is to initiate an LDAP query to the Active Directory Global Catalog service. The GC role for a DC indexes all resources within the forest, regardless of the number of domains or tree structure. As for the length of time, I'm not sure what is causing that. It could be the number of objects you have within your enterprise forest, or the type of LDAP query OneView is making to the GC service. Do you experience the same delay when authenticating to the appliance?


I am an HPE employee

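Poongkodi's fix and Chris's explanation of the two ports come down to one rule: a lookup only resolves objects under the configured base DN, and objects in a sibling child domain are only visible through the Global Catalog port. The following Python is an added example (not from this thread or from HPE) that checks a proposed directory configuration against that rule before it is entered in OneView; DN parsing is simplified (no escaped commas) and AD referrals are not modelled, so the sample DNs are constructed.

```python
from dataclasses import dataclass

GC_PORTS = {3268, 3269}      # Global Catalog: LDAP / LDAPS, forest-wide index
DOMAIN_PORTS = {389, 636}    # domain controller: LDAP / LDAPS, one domain only


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split 'CN=x,OU=y,DC=z' into case-folded (attr, value) pairs.
    Simplification: escaped commas inside values are not handled."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_of(dn: str) -> tuple[tuple[str, str], ...]:
    """The DC= components name the AD domain an object lives in."""
    return tuple(p for p in parse_dn(dn) if p[0] == "dc")


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn lies in the subtree rooted at base_dn (RDN suffix match)."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(b) <= len(d) and d[-len(b):] == b


@dataclass
class DirectoryConfig:
    base_dn: str   # what the thread calls BaseDN
    port: int      # 636 (domain DC) or 3269 (GC) in the thread


def check_lookup(cfg: DirectoryConfig, object_dn: str) -> tuple[bool, str]:
    """Say whether object_dn is resolvable with cfg, and why (or why not)."""
    if not is_under(object_dn, cfg.base_dn):
        return False, "object is outside the configured base DN"
    if cfg.port in GC_PORTS:
        return True, "Global Catalog indexes every domain in the forest"
    if cfg.port in DOMAIN_PORTS:
        if domain_of(object_dn) == domain_of(cfg.base_dn):
            return True, "same domain as the DC being queried"
        return False, "a domain DC holds only its own domain; use 3268/3269"
    return False, f"unrecognised LDAP port {cfg.port}"


# Constructed sample values mirroring the thread (not real DNs).
GROUP_DN = "CN=US_Security_Group,OU=Groups,DC=us,DC=company,DC=com"
USER_DN = "CN=CANADA_User_1,OU=Users,DC=canada,DC=company,DC=com"
```

Run `check_lookup(DirectoryConfig("dc=company,dc=com", 3269), GROUP_DN)` for the working configuration from the thread, and swap in `DC=canada,DC=company,DC=com` on 636 to reproduce the "invalid search input" case.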

JayFromIT
Advisor

Re: AD issues

Right now, when I try to log in with the new parent directory, it was in the "acceptable/usable" (5-10 second) range. I am in the process of asking people outside my domain to log in.

@ChrisLynch

In Users and Groups\Add Group\Group box:

When I enter the full DN path and press "Select group", on the back end is it searching for that exact path, or just trying to log in to pull the GC? Because after waiting a long time, when it's "done" it starts me off in a pop-up window with DC=Company, DC=com, not the full path I entered earlier.

EDIT: I have confirmation from users outside of the domain who have never logged in before: it took about 5 seconds for them to log in. I think the port did help. However, I still have an issue where, when I try to add a DN, it takes a long time for it to load. I guess it's not a big issue, because I only have to do it one time, which I can wait for.

Poongkodi
Occasional Advisor

Re: AD issues

Hi @JayFromIT

During group add, if you are entering the group DN (or the group name), then the "Add" action can be clicked directly. The "Select group" action is needed only when you want to navigate the directory and select the group. Entering the group DN and clicking "Add" directly should save you time. Could you please try and confirm?