Unable to log in to Aria Operations for Logs using Active Directory (AD) credentials

Article ID: 435391


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Users are unable to log in to Aria Operations for Logs using their Active Directory (AD) credentials. The affected AD account's authentication failures appear in /storage/core/loginsight/var/audit.log, but the failure entries do not include any AD-related login information.

Environment

Aria Operations for Logs 8.18.x

Cause

This issue occurs when there are multiple orphaned entries for the affected user in the database's user_auth table. Because of the duplicate database entries, there is no guarantee that the system will use the proper login entry to authenticate against the Active Directory domain.

Resolution

To resolve this issue, the orphaned user entries must be manually cleared from the database.

  1. Take a snapshot of all the nodes in the environment prior to making any changes in the database.
  2. Log in to the Aria Operations for Logs UI as an administrator.
  3. Navigate to Management > Access Control and remove the affected user's AD account by selecting the user check box and pressing the X DELETE.
  4. Log into the Aria Operations for Logs primary node as root via SSH.
  5. Open the database shell and select the logdb keyspace:

    cqlsh-no-pass
    use logdb;

  6. Run the following queries to check whether the user account is still present in the database:

    select user_name, type, domain from user;
    select user_name, type, domain, upn from user_auth;

    Note: If the user was deleted from the UI, then the user should not appear in the user table.

  7. Run the following to remove the errant user entries from the user_auth table:

    delete from user_auth where user_name = '<username>' and domain = '<domainname>' and type = 1 and upn = '';

    Note: Replace <username> and <domainname> with the affected user's name and domain.

  8. Repeat for any other users having this issue. Once complete, type quit to exit the cqlsh shell.
  9. Restart the loginsight service on all nodes in the cluster following KB 432128:

    • Log in to the Primary Node

      • Connect to the Primary node via SSH using the root account.

    • Restart the Service on the Primary Node

      • Run the following command to restart the Log Insight service:

        service loginsight restart

      • Wait for the command to complete and verify the service status:

        service loginsight status

    • Perform a Rolling Restart on Worker Nodes

      • Log in to each Worker node one at a time.

      • Run the restart command on the Worker node:

        service loginsight restart

      • Wait for the service to become fully active on the current Worker node before moving to the next one. This prevents simultaneous downtime across the cluster.

    • Verify Cluster Health

      • Log in to the Aria Operations for Logs web interface.

      • Navigate to Management > Cluster.

      • Verify that all nodes show a status of Connected and that the integrated load balancer (ILB) is functioning correctly.

  10. Log in to the Aria Operations for Logs UI using the admin account.
  11. Recreate the AD user account and select the appropriate role and options.
  12. Log out of the UI.
  13. Log in using the newly-created AD account.
  14. Delete snapshots from step 1 if login is now successful.
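
A way to review the step 6 output before running the step 7 delete, as an added example that is not part of the original article or the product: it parses saved cqlsh output and lists only user_auth rows that match the delete predicate (type 1, empty upn) and whose user no longer appears in the user table. It assumes cqlsh's default pipe-separated table layout; the function names and sample rows are constructed for illustration.

```python
# Added example: works on saved cqlsh output; sample tables are constructed.
USER_OUT = """
 user_name | type | domain
-----------+------+-------------
     admin |    0 |
    asmith |    1 | example.com

(2 rows)
"""
USER_AUTH_OUT = """
 user_name | type | domain      | upn
-----------+------+-------------+--------------------
     admin |    0 |             |
    asmith |    1 | example.com |
    asmith |    1 | example.com | asmith@example.com
      jdoe |    1 | example.com |

(4 rows)
"""

def parse_cqlsh_table(text):
    """Parse cqlsh tabular SELECT output into a list of dicts keyed by column."""
    lines = [ln for ln in text.splitlines() if "|" in ln]  # skips rule and "(N rows)"
    if not lines:
        return []
    header = [c.strip() for c in lines[0].split("|")]
    rows = []
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def leftover_auth_rows(user_out, user_auth_out):
    """user_auth rows with type 1 and empty upn whose user is absent from `user`."""
    live = {(r["user_name"], r["domain"]) for r in parse_cqlsh_table(user_out)}
    return [r for r in parse_cqlsh_table(user_auth_out)
            if r["type"] == "1" and r["upn"] == ""
            and (r["user_name"], r["domain"]) not in live]  # exact-match comparison

def delete_statement(row):
    """Render the step 7 statement for one row, doubling single quotes for CQL."""
    name = row["user_name"].replace("'", "''")
    domain = row["domain"].replace("'", "''")
    return ("delete from user_auth where user_name = '%s' and domain = '%s' "
            "and type = 1 and upn = '';" % (name, domain))

if __name__ == "__main__":
    for row in leftover_auth_rows(USER_OUT, USER_AUTH_OUT):
        print(delete_statement(row))
```

In the constructed sample, asmith also has an empty-upn row but is not listed because the account still exists in the user table, that is, step 3 has not been done for that user yet.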