08-05-2019 10:27 AM
I can't seem to figure out where and why it's causing the bottleneck. It also doesn't help the situation that I don't have domain admin credentials, so I can't troubleshoot the AD issues.
Domain: Company.com (Parent)
Domain forest USA.Company.com (Child)
Domain forest CANADA.Company.com (Child)
I created a US security group. All the USA users can log in just fine. However, all the people who are CANADA users and part of the US security group have a hard time logging into HPE OneView.
The couple of ways I tried to get it to work:
Created a Company.com entry in "Directories", then linked that directory in users and groups to a USA security group, then had the user log in as CA/username; sometimes able to log in, but mostly failure due to timeout.
Created a USA.Company.com entry in "Directories", then linked that directory in users and groups to a USA security group, then had the user log in as CA/username; failed.
Created a CANADA.Company.com entry in "Directories", however could not link it to the "USA security group".
Any suggestions?
08-05-2019 02:08 PM
Re: AD issues
I would recommend creating a unique directory for each AD domain you have. I would name them the exact same as the NT Domain Name. So, if your USA.domain.com's NT Domain Name is USA, then create a USA auth directory in OneView. Then, your users can type in USA\MyUsername without needing to change the auth directory on the OneView login console to authenticate to the correct directory.
I am an HPE employee
08-11-2019 10:15 PM
Re: AD issues
Hi @JayFromIT
Were you able to get this issue resolved using the suggestions from Chris Lynch?
Let us know.
Regards,
Bhaskar
I am an HPE employee
02-17-2020 12:40 PM - edited 02-17-2020 01:06 PM
Re: AD issues
Hi Chris,
This task was put on the back burner as the OneView was more of a POC at the time.
Anyway, my current setup:
-US.COMPANY.COM
--- US_User_1
--- US_Security_Group
-CANADA.COMPANY.COM
--- CANADA_User_1 (is a member of US_Security_Group)
In HPE OneView
US.COMPANY.COM is in “Settings/Security/Directories”
-US_Security_Group added to US.COMPANY.COM directory in users and groups
--US_User_1 can log in
CANADA.COMPANY.COM is in “Settings/Security/Directories”
--CANADA_User_1 just stalls for a long time, then a login failure
I tried adding “US_Security_Group” to the CANADA directory but it could not find US_Security_Group.
I get something like “An invalid search input CN=groupname, OU= OU PATH, DC=us,DC=company,DC=com was not provided with the request to search on directory CANADA.COMPANY.COM”
I assume HPE recommends/wants:
-US.COMPANY.COM
-- US_Security_Group
--- US_User_1
CANADA.COMPANY.COM
-- CANADA_Security_Group
--- CANADA_User_1
Due to company requirements, is there a way not to use this setup but try to get it to work in the first example? Because that example does work within iLO. Users in the Canada domain can log in to iLO even though the security group is in the US domain.
EDIT: also a few other things I have noticed. I cannot add CANADA.COMPANY.COM with my US account in “Settings/Security/Directories”. I had to have someone with a CANADA NT account add the CANADA directory. It says "Invalid Credentials or Base DN". I did try the login "us\username".
02-17-2020 10:55 PM
Solution
Hi,
What you have is a cross-domain authentication requirement, and OneView supports it. All you need is to configure the baseDN as the top/parent domain and the port as the global catalog port.
Can you try the below configuration?
BaseDN: dc=company,dc=com
Port: 3269 (default global catalog port)
and group: us_security_group
With this both the US and Canada users should be able to login. Can you try and let us know how it goes?
The documentation on this is available in the OneView 5.0 user guide as a separate section 'cross-domain authentication'.
Thanks,
Poongkodi
02-18-2020 11:43 AM
Re: AD issues
Hi Poongkodi,
I swore I tried that before but for some reason, when I follow your instructions it's working, maybe it's the port? I always used 636 however to follow your instructions, I used 3269. The only issue I have is once the Directory has been added in security, in users and groups it takes about 1-2 minutes to find the group, even though I put the full DN path. Is that normal?
02-18-2020 11:53 AM
Re: AD issues
Keep in mind that 636/TCP is the LDAP port for local Active Directory requests. 3269/TCP is to initiate an LDAP query to the Active Directory Global Catalog service. The GC role for a DC indexes all resources within the forest, regardless of the number of domains or tree structure. As for the length of time, I'm not sure what is causing that. It could be the number of objects you have within your enterprise forest, or the type of LDAP query OneView is making to the GC service. Do you experience the same delay when authenticating to the appliance?
I am an HPE employee
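Added example, not part of the thread and not HPE code: a small Python model of the scoping point made in the replies above, comparing a single-domain base DN on 636 with a forest-root base DN on the Global Catalog port. The OU names and DNs are constructed samples and the helper names are hypothetical; DNs containing escaped commas are not handled.

```python
# Added illustration (not from the thread). All DNs below are constructed samples.
GC_PORTS = {3268, 3269}      # Global Catalog: LDAP / LDAP over TLS
DOMAIN_PORTS = {389, 636}    # single-domain LDAP / LDAP over TLS


def rdns(dn):
    """Split a DN into lower-cased (attr, value) pairs; assumes no escaped commas."""
    parts = (p.partition("=") for p in dn.split(",") if p.strip())
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in parts]


def within_base(dn, base_dn):
    """True if dn sits at or below base_dn (suffix match on whole RDNs)."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def domain_of(dn):
    """DNS domain name implied by the DC components of a DN."""
    return ".".join(v for k, v in rdns(dn) if k == "dc")


def check_directory(base_dn, port, group_dn, user_dns):
    """Return the reasons this directory entry cannot serve the group and users."""
    problems = []
    for label, dn in [("group", group_dn)] + [("user", u) for u in user_dns]:
        if not within_base(dn, base_dn):
            problems.append(f"{label} {dn} is outside base DN {base_dn}")
    domains = {domain_of(dn) for dn in [group_dn, *user_dns]}
    if len(domains) > 1 and port not in GC_PORTS:
        problems.append(
            f"objects span {len(domains)} domains but port {port} "
            "is not a Global Catalog port"
        )
    return problems


GROUP = "CN=US_Security_Group,OU=Groups,DC=us,DC=company,DC=com"
USERS = [
    "CN=US_User_1,OU=Staff,DC=us,DC=company,DC=com",
    "CN=CANADA_User_1,OU=Staff,DC=canada,DC=company,DC=com",
]

if __name__ == "__main__":
    for base, port in [("DC=canada,DC=company,DC=com", 636),
                       ("dc=company,dc=com", 636),
                       ("dc=company,dc=com", 3269)]:
        print(base, port, check_directory(base, port, GROUP, USERS) or "ok")
```

Only the forest-root base DN combined with a Global Catalog port comes back clean; the CANADA-scoped entry fails on the group DN, which matches the search error quoted earlier in the thread.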
02-18-2020 12:15 PM - edited 02-18-2020 02:00 PM
Re: AD issues
Right now when I try to login with the new parent directory it was in the "acceptable/usable" (5-10 second) range. I am in the process to ask people outside my domain to login.
@Chris Lynch
In Users and Groups\Add Group\Group box
When I enter the full DN path and press "select group", on the back end is it searching for that exact path or just trying to log in to pull the GC? Because after waiting a long time, when it's "done" it starts me off in a pop-up window with DC=Company, DC=com, not the full path I entered earlier.
EDIT: I have confirmation that for users outside of the domain, who have never logged in before, it took about 5 seconds to log in. I think the port did help. However, I still have an issue where, when I try to add a DN, it takes a long time for it to load. I guess it's not a big issue, because I only have to do it one time, which I can wait for.
02-18-2020 09:55 PM
Re: AD issues
Hi @JayFromIT
During group add, if you are entering the group DN (or the group name), then the "Add" action can be clicked directly. The "Select group" action is needed only when you want to navigate the directory and select the group. Entering the group DN and clicking "Add" directly should save you time. Could you please try and confirm?