Data Center Expert | Tips for configuring Active Directory integration
Tips for configuring Active Directory integration in InfraStruXure Central / StruxureWare DCE
StruxureWare Data Center Expert (DCE)
- Standard Appliance (AP9470)
- Enterprise Appliance (AP9475)
- Virtual Appliance (AP94VMACT)
InfraStruXure Central (ISXC)
Active Directory integration.
Active Directory integration has some configuration options that may or may not work well with StruxureWare. The following are some examples of how DCE and Active Directory may work better together.
InfraStruXure Central officially supports two software suites for remote authentication: Active Directory and OpenLDAP. While other LDAP-based remote authentication suites may work, APC does not test or support them.
1. Search Base Too Large:
Symptom: Only some of the selected users can login, or binding during configuration takes too long and produces an error / blank selection screen. Related error messages may appear in the nbc.xml file.
We test with Active Directory Search Bases as large as 10,000 objects (including Users, Groups, etc.). If your search base exceeds this, you may experience the above symptoms. In general, we recommend creating smaller, more tightly defined search bases. Multiple binding entries can be configured in ISX Central, each entry binding to a completely different, isolated search base. It is common to create one binding instance for your admin accounts and another for your general users, as these two types of user accounts are likely to exist in very different hierarchical locations within Active Directory.
2. Bind User DN, Bind Password, and Search Base Syntax:
Bind User DN, Bind Password, and Search Base must all be entered with proper syntax. These fields are case sensitive and must match how your Active Directory structure was created. The following are examples of the proper syntax and structure. Please note that the Bind User DN is the actual user (bind-user) that can search the database, and the rest of that path is where that user can be found. Bind Password is that user's password. Search Base is where the users reside that you want to add:
Bind User DN: cn=bind-user,cn=Users,dc=techlab,dc=apcc,dc=com
Search Base: dc=techlab,dc=apcc,dc=com
If using Active Directory on a Windows 2003 server or newer, you should be able to right-click the OU that you want the syntax for, then select 'All Tasks', followed by 'Resultant Set of Policy.' This does not work with all versions of Active Directory.
NOTE: Similar to issue #1 of having a search base too large, the sub-domain 'techlab' is a very small group of users. If we were to bind to the entire apcc.com domain, we would run into issues with a search base that is too large.
3. Pre-Windows 2000 Username:
Ensure that you are using the Pre-Windows 2000 Username (found in the Properties of the User Object within Active Directory), which may have slightly different syntax than the standard username you use to log in to a Windows system on a daily basis. ISX Central is also case sensitive in regards to your username, unlike Windows, which typically ignores capitalization in a username. Also, if there is a space in a user name, you may want to try entering that name within quotes. For example, instead of John Smith, use "John Smith".
4. Group Type:
If adding User Groups from Active Directory instead of individual User Objects, please ensure that the Active Directory Group is NOT a Global Group. Global group members are unable to log in to ISX Central. Changing the group type in Active Directory to Universal will resolve this. More specifically, if the user and the group do not reside in the same search base, Central will not see the user.
5. Special Characters:
We've seen that Active Directory objects that begin with a # can cause issues with ISX Central being able to parse the AD Search Base. You'll see an error if this happens that states 'Invalid Attribute.' Typically binding to a Search Base one container higher than the one that contains the object beginning with '#' will resolve this issue. However, you cannot select any AD Objects within the container that also contains the '#' object.
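As an added example that is not part of this article or of the DCE product, the following Python helper applies the checks from tips 2 and 5 offline: it splits a DN into its components (honouring escaped commas), flags components that are not written as attribute=value, flags values beginning with '#', and derives the search base tip 5 recommends from the DN of a '#' object. The DNs under techlab.apcc.com come from the article; the '#' containers are constructed.

```python
"""Offline sanity checks for DCE / ISX Central bind settings (tips 2 and 5).

Added example, not code from the KB article or from DCE. The '#Lab Users'
container used in the comments below is constructed, not a real object.
"""
import re

# attribute=value, as the article's Bind User DN / Search Base examples are written
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def split_dn(dn):
    """Split a DN on commas, keeping backslash-escaped commas inside a value."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def validate_dn(dn):
    """Return a list of problems; an empty list means the DN looks usable."""
    problems = []
    for rdn in split_dn(dn):
        if not RDN_RE.match(rdn):
            problems.append(f"malformed component: {rdn!r}")
        elif rdn.split("=", 1)[1].startswith("#"):
            # RFC 4514 reserves a leading '#' for hex-encoded values, which is
            # why a container named '#...' trips DN parsers ('Invalid Attribute').
            problems.append(f"component value begins with '#': {rdn!r}")
    return problems


def search_base_for(hash_object_dn):
    """Tip 5 workaround: given the DN of the object whose name begins with '#',
    return a search base one container above the one holding that object
    (the holding container is unusable too, since its objects cannot be selected)."""
    return ",".join(split_dn(hash_object_dn)[2:])
```

Run `validate_dn()` over both the Bind User DN and the Search Base before entering them in the authentication servers dialog; a non-empty result is worth fixing before binding.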
6. Protected Users:
Windows 8.1 and Windows Server 2012 R2 have a group called "Protected Users". As of StruxureWare DCE 7.4.1, adding a user that is also a member of this group will cause authentication to fail. We are potentially looking into this for a future release, but currently a user added to DCE cannot be a member of this group.
7. Secure LDAP over SSL or LDAPS:
DCE does NOT support wildcard certificates.
When making modifications to the bind, it is recommended to remove the entire entry in authentication servers and recreate as opposed to editing an existing bind.
Ensure the host name of Data Center Expert completely matches the common name on the certificate. If they do not match in any capacity the bind will fail.
Be sure to download and import a base64 version of the domain controller's certificate.
Ensure remote DCE users sign in with the case sensitivity shown in their AD/LDAP objects.
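As an added example that is not part of this article or of DCE, the following Python helper runs the tip 7 pre-flight checks on what you are about to import: whether the exported certificate file is base64 (PEM) rather than binary DER, and whether its subject CN is a wildcard or fails an exact, case-sensitive match against the host name. It assumes the subject line is in the `CN=...,DC=...` form printed by `openssl x509 -noout -subject -nameopt RFC2253`; the PEM body and host names below are constructed, not a real certificate.

```python
"""Pre-flight checks for a DCE LDAPS bind (tip 7).

Added example, not code from the KB article or from DCE. The certificate
body used in the comments is a constructed stand-in, not a real certificate.
"""
import base64
import binascii
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_base64_certificate(data: bytes) -> bool:
    """True if the export is base64 (PEM); a DER export has no PEM armour
    and starts with the 0x30 SEQUENCE tag instead."""
    m = PEM_RE.search(data)
    if not m:
        return False
    try:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except binascii.Error:
        return False
    return der[:1] == b"\x30"  # decoded body must itself be a DER SEQUENCE


def common_name(subject: str) -> str:
    """Extract CN from an RFC2253-style subject line ('subject=CN=...,DC=...')."""
    subject = subject.split("subject=", 1)[-1].strip()
    m = re.search(r"(?:^|,)CN=([^,]+)", subject)
    return m.group(1) if m else ""


def cn_problems(host_name: str, subject: str) -> list:
    """Findings that tip 7 says will make the LDAPS bind fail."""
    cn = common_name(subject)
    if not cn:
        return ["certificate subject has no CN"]
    problems = []
    if cn.startswith("*."):
        problems.append(f"wildcard certificate {cn!r} is not supported by DCE")
    if cn != host_name:  # exact, case-sensitive comparison
        problems.append(f"CN {cn!r} does not match host name {host_name!r}")
    return problems
```

Feed `is_base64_certificate()` the bytes of the exported file and `cn_problems()` the subject line from openssl; both should come back clean before you recreate the bind entry.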