Configure LDAP in Management Center


Article ID: 168912


Products

Management Center - VA

Issue/Introduction

Note: As of Management Center 1.5.2.1, packet captures (pcaps) can be taken from within Management Center. Upgrade to Management Center 1.5.2.1 at a minimum and take pcaps while reproducing the issue; they help considerably when troubleshooting login failures and connections to LDAP servers.

In Management Center there are two options for setting up LDAP:

  1. Active Directory LDAP
    • Only works with Microsoft Active Directory LDAP servers.
  2. LDAP
    • Works with Microsoft Active Directory LDAP
    • Works with other LDAP servers

Each option offers different advantages: LDAP is meant for fine tuning, while Active Directory LDAP is meant for simple setups. Answering a few questions should indicate which option to select.

  1. Do I require a particular bind user when making an LDAP query?
  2. Do I want to query only part of my domain tree?
  3. Do I have a complicated, multi-layer domain structure?

The answers to these three questions determine whether to use LDAP or Active Directory LDAP. If the answer to question 2 is a hard YES, and the others are yes or preferred, use LDAP. The reason is that Active Directory LDAP binds as the user who is logging in and queries the whole domain; if that is not acceptable, use LDAP instead. Let's go through each option.

Resolution

Note: configure either Active Directory LDAP or LDAP, never both. Configuring both will break authentication in MC. Only configure one or the other, never both!

Active Directory LDAP

Only recommended for small environments: in large environments delays can occur, because MC searches the entire domain when this option is enabled.

Remember that with this option Management Center queries the whole domain, and the bind request is made as the user who is logging into Management Center.

The way to set up LDAP is to configure the basic settings first and get them working. Once that works, lock the configuration down further and customize it to your needs. The basic requirements in Management Center are the following:

Primary Server:
  • "Is the authenticator enabled" must be enabled
  • LDAP URL  (Example: ldap://:389)
  • Login Domain (Example: mydomain.com)
  • Save
  • Activate (requires a restart; you will be prompted for the restart as well)

At this point leave everything else at its default, as outlined in the example; the defaults are everything not in the red box:

Then try to log in as a user. If the login fails, make sure the login domain and the DC domain match, as the failure is most likely either in reaching the DC or in the DC refusing the bind for that user. The following logs are helpful in troubleshooting:

  1. If running Management Center 1.5.2.1 or later: take pcaps from the CLI using the pcap command and reproduce the issue (viewing the pcap requires generating a Diagnostics file to retrieve it).
  2. Administration > Auditing: here you can see the failed login attempts.
  3. Set Master Logging to Debug under Administration > Settings > Diagnostics and try to log in. Check Debug.log under Administration > Logs.
  4. Event logs on the Domain Controller. Event logs can be very helpful in certain situations, but they are not required, as pcaps from Management Center should provide most of the information.

You should see a Kerberos error that points to the problem; in each of these locations the failure should explain what went wrong, and from there you can change the settings to meet those needs. If that does not resolve it, you have a multi-layer domain that requires deeper configuration, which can only be done on the LDAP settings page, so you will have to use LDAP. Let's say the above settings work. Once an LDAP user logs in, Management Center creates that user under Users. By default the user has view-only rights; from there the Management Center Admin can assign the user any role or customize it. You then have the following options to further customize the Active Directory LDAP settings:

Let's say 'User must have permission' is selected. When the user tries to log in, they get an error saying they don't have permission to log in, and the Management Center Admin has to log in and assign this user the appropriate role. As an alternative, use the 'Sync the group membership' option. For this to work, the group name in Active Directory and in Management Center must match exactly. Once you create the group in Management Center, you can assign it a permission role, and every user who is a member of that group receives that permission. Role attribute works exactly the same way; the only difference is that the attribute has to be a string attribute, for example the Department field in the user properties in Active Directory.

LDAP

LDAP can be used for Microsoft Active Directory or another LDAP server.

LDAP settings and Active Directory LDAP settings are similar for the most part, so read the section above for the meaning of the shared options. The advantage of the LDAP settings over the Active Directory LDAP settings is that here we can specify exactly where to search in the Active Directory domain tree instead of starting at the root.

  • Make sure that AD LDAP is disabled
    • Make sure the field "Is the authenticator enabled" is NOT checked

  • Enable LDAP and the following settings
    • "Sync the group membership" should be enabled
    • "User must have permission" should be enabled
    • Key in "displayname" for the "Display name attribute"

  • Primary Server - In this example, the user "neo" is in the organizational unit "Support" and the domain is "nickmvlab.com"
    • "Is the authenticator enabled" under Primary Server must be enabled
    • LDAP URL (Example: ldap://mydc:389/; you can always use an IP address instead of a DNS name if required or for testing)
    • Login user (Example: CN=neo,OU=Support,DC=nickmvlab,DC=com)
      • Note: ensure that the Login user is the "distinguishedName" from Active Directory; otherwise the bind will fail to authenticate.
    • Login password is that user's password

  • Search Settings - For this setup, I am authenticating all the groups and users in the organizational unit "Support"
    • "Ignore partial results on search" must be set to true for Management Center to work with a Microsoft LDAP server.
    • "Base DN for user search" (Example: OU=Support,DC=nickmvlab,DC=com; use whichever OU the search should be limited to.)
    • User search filter should be set to (sAMAccountName={0}) in Microsoft Active Directory environments
    • "Search Filter to find group membership" should be set to (member={0})
    • "Base DN for group search" (Example: OU=Support,DC=nickmvlab,DC=com)
    • "Attribute to read group name" is the Active Directory attribute used to read group names. By default this is cn, which is the default attribute for the group name in Active Directory.
    • "Search sub-tree" controls whether the user or group is searched for throughout the whole subtree beneath the Base DN for user or group search.
      • If you have a Microsoft Active Directory setup, pay attention to "Ignore partial results on search" and (member={0}), as both must be changed from their defaults under Search Settings.

  • Save and Activate the new configuration. This requires a reboot, which MC will prompt you to confirm.
  • Add the AD group into Management Center
    • Go to Administration > Group > Add Group > key in the group name exactly as shown in AD
    • DO NOT manually add any user to the group. Management Center automatically adds successfully authenticated users to the group.
    • Set the desired roles for the group
    • Here you can see the group "Mountain-View" being added:


With all of the above configured with your LDAP-specific information, Management Center should now be able to use LDAP for admin login.
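The LDAP section above lists several values that are easy to get wrong (a "Login user" that is not a distinguishedName, base DNs from a different domain than the bind user, filters without the {0} placeholder, "Ignore partial results on search" left at its default). The following is an added example, not Management Center code, that checks those values before you type them into the LDAP settings page and shows how the login name is substituted into the user and group filters. It assumes the values are held in a plain Python dict (the key names are invented for this example) and that Management Center replaces {0} in the filters with the typed login name, as the article's examples imply; the RFC 4515 escaping in render_filter is this example's own addition, included because a login name should never be able to change the shape of the search filter.

```python
"""Added example (not Management Center code): sanity-check the LDAP settings
from this article and render the user/group search filters for a login name.

Assumptions (not from the article): settings live in a dict with the key
names below; Management Center substitutes the login name for `{0}`.
"""
import re

# Constructed sample of the settings described in the LDAP section.
CONFIG = {
    "ldap_url": "ldap://mydc:389/",
    "login_user": "CN=neo,OU=Support,DC=nickmvlab,DC=com",
    "base_dn_users": "OU=Support,DC=nickmvlab,DC=com",
    "base_dn_groups": "OU=Support,DC=nickmvlab,DC=com",
    "user_filter": "(sAMAccountName={0})",
    "group_filter": "(member={0})",
    "ignore_partial_results": True,
}

# One RDN such as "CN=neo" or "DC=com" (values with escaped commas not handled).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def is_distinguished_name(value):
    """True if value looks like a DN (CN=neo,OU=Support,DC=nickmvlab,DC=com).
    A bare name like 'neo' is rejected; that is the mistake the article warns
    about for the 'Login user' field."""
    parts = [p.strip() for p in value.split(",")]
    return all(_RDN.match(p) for p in parts)


def domain_components(dn):
    """Lower-cased DC= values of a DN, e.g. ['nickmvlab', 'com']."""
    return [p.strip().split("=", 1)[1].lower()
            for p in dn.split(",") if p.strip().upper().startswith("DC=")]


def escape_filter_value(text):
    """RFC 4515 escaping for a value placed inside a search filter, so that a
    login name containing ( ) * \\ or NUL cannot alter the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in text)


def render_filter(template, login_name):
    """Substitute the escaped login name for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(login_name))


def validate(config):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if not config["ldap_url"].startswith(("ldap://", "ldaps://")):
        problems.append("LDAP URL must start with ldap:// or ldaps://")
    if not is_distinguished_name(config["login_user"]):
        problems.append("Login user must be the distinguishedName, not a plain user name")
    for key in ("base_dn_users", "base_dn_groups"):
        if not is_distinguished_name(config[key]):
            problems.append(f"{key} is not a DN")
    # The bind user should belong to the same domain as the search base.
    if domain_components(config["login_user"]) != domain_components(config["base_dn_users"]):
        problems.append("Login user and Base DN for user search are in different domains")
    for key in ("user_filter", "group_filter"):
        f = config[key]
        if "{0}" not in f:
            problems.append(f"{key} lacks the {{0}} placeholder")
        if not (f.startswith("(") and f.endswith(")")):
            problems.append(f"{key} must be enclosed in parentheses")
    if not config["ignore_partial_results"]:
        problems.append("Ignore partial results on search must be true for Active Directory")
    return problems


if __name__ == "__main__":
    for p in validate(CONFIG) or ["no problems found"]:
        print(p)
    print(render_filter(CONFIG["user_filter"], "neo"))
    print(render_filter(CONFIG["group_filter"], CONFIG["login_user"]))
```

Run it against your own values before saving the configuration; the group filter is rendered with the user's DN, which is what the member attribute of an Active Directory group holds.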
