Basic Stratusphere LDAP/AD Import Procedure:
Stratusphere can import users, machines and groups from LDAP and Active Directory, and imported users can then use their domain credentials to access, or even manage, the Stratusphere UI. The following instructions import all users and groups, and optionally machines and machine groups, from your LDAP/AD.
- Go to Stratusphere Administration -> Hub Administration -> Directories, and click on the New Directory button. You will see a menu like the following:
- Enter your LDAP/AD directory info:
Name: Enter the name of your domain. You can choose any name here. This will also show up in the domain drop-down menu on the login screen.
Directory Type: Choose the proper directory type for your domain. For most people, it is AD.
Fully Qualified Name: This is the address Stratusphere uses to import from your directory. You may use your domain name (not the best choice), the IP address of the closest LDAP/AD server, or the FQDN of the closest LDAP/AD server (recommended, but it requires the Hub to be able to resolve that FQDN). It is best to import from the closest server to avoid long import times and to reduce network load.
Port: The default port for LDAP/AD import is TCP/389. If security is required, the default port is TCP/636. If your LDAP/AD uses a non-standard port, you may set a custom port here.
Security: Check this box if LDAP SSL is required.
Administrator Name: Enter a service account or domain admin account here. We highly recommend using the distinguished name of your service/admin account, as it works for both LDAP and AD.
Admin Password: The password of the account used above.
Base DN: The Base Distinguished Name is the starting point of the LDAP/AD query. A directory is a tree structure, and this setting lets the Stratusphere Hub narrow down where the search starts. Since this tutorial imports all users and groups (and optionally machines), we set the Base DN to the root of the directory.
Here's an example of the config for AD:
Name: Example.com
Directory Type: AD
Fully Qualified Name: ad01.example.com
Port: Use Default Port
Security: Checked
Administrator Name: cn=administrator, cn=users, dc=example, dc=com (you may also use "administrator@example.com" here)
Admin Password: password
Base DN: dc=example, dc=com
Click on Create New Directory to save the changes. Go to Import from Directory tab and click on Import to import from your directory.
Optional Config (only change if you need custom import for users, machines, and groups):
- Toggle Advanced User and User Group Properties, and you will find the following:
Import User & Groups: Select Yes to enable importing users and user groups
User Search Filter: Filter for users to import. The default is: (&(objectClass=person)(!(objectClass=computer))(!(objectClass=contact)))
User Search Base: By default, User Search Base is blank, and Stratusphere looks up all users starting from the Base DN. If users are located in a specific location under the Base DN, you may specify it here, excluding the portion already in the Base DN. For example, if you only want to import users in ou=Users, ou=NYC, ou=Branches, dc=example, dc=com, and your Base DN is dc=example, dc=com, you put ou=Users, ou=NYC, ou=Branches here.
User's Group Attribute: Used to link users to the groups they belong to. Leave it as memberOf
Group Search Filter: Filter for groups to import. The default is (objectClass=group)
Group Search Base: Similar to User Search Base, this is left blank by default. If the groups are located in a specific location under Base DN, you may specify it here, excluding the portion already in the Base DN. For example, if the groups are in ou=Groups, dc=example,dc=com, and the Base DN is dc=example, dc=com, then you put only ou=Groups in here
Group's User Attribute: Used to link groups to their members. Leave it as member
Group Name Attribute: Used to import the groups' names (common names). Leave it as cn
Mail Attribute: Used to import user's email address. Leave it as mail
Login Attribute: Used to support legacy Windows logon. Leave it as sAMAccountName
Disabled Attribute: Used to import account enabled/disabled status
- Toggle Advanced Machine and Machine Group Properties, and you will find the following (please note that normally you do not import machines here, but from vCenter via VM Directories):
Import Machine and Groups: Select Yes to enable importing machines and machine groups
Machine Search Filter: Filter for machines to import. The default is (objectClass=computer)
Machine Search Base: By default, Machine Search Base is blank, and Stratusphere looks up all machines starting from the Base DN. If machines are located in a specific location under the Base DN, you may specify it here, excluding the portion already in the Base DN. For example, if you only want to import machines in ou=Computers, ou=NYC, ou=Branches, dc=example, dc=com, and your Base DN is dc=example, dc=com, you put ou=Computers, ou=NYC, ou=Branches here.
Machines' Group Attribute: Used to link machines to the groups they belong to. Leave it as memberOf
Name Attribute: Used to import machine names. Leave it as name
Hostname (FQDN) Attribute: Used to import machines' fully qualified domain name. Leave it as dnsHostName
IP Address Attribute: Used to import IP address. Leave it as networkAddress
Group Search Filter: Filter for groups to import. The default is (objectClass=group)
Group Search Base: Similar to Machine Search Base, this is left blank by default. If the groups are located in a specific location under Base DN, you may specify it here, excluding the portion already in the Base DN. For example, if the groups are in ou=Groups, dc=example,dc=com, and the Base DN is dc=example, dc=com, then you put only ou=Groups in here
Group's Machine Attribute: Used to link groups to their members. Leave it as member
Group's Name Attribute: Used to import the groups' names (common names). Leave it as cn
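The User, Group and Machine Search Base fields above all follow the same rule: the value is relative to the Base DN, and the Hub prepends it to the Base DN to form the DN it actually searches. The most common mistake is pasting the full DN (including the dc=... part) into the Search Base field. The helper below is an added example, not Stratusphere code: it composes the effective search base the way the text describes, flags a Search Base that already repeats the Base DN, and does a cheap parenthesis check on a hand-edited search filter. It reuses only the DN and filter values from this article; the function names are ours.

```python
"""Compose the effective LDAP search base from a Base DN and a relative
User/Machine/Group Search Base, and sanity-check a hand-entered search filter.

Added example, not Stratusphere code. It reuses only the DN and filter values
from the tutorial above; the helper names are ours.
"""
import re

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Return a DN as a list of 'attr=value' RDNs with attribute types
    lower-cased and whitespace around commas and '=' removed.
    'OU=Users, DC=Example, DC=com' -> ['ou=Users', 'dc=Example', 'dc=com']."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn or ""):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an attribute=value RDN: {rdn!r}")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return rdns


def search_base_repeats_base_dn(base_dn, search_base):
    """True when the relative Search Base already ends with the Base DN,
    i.e. someone entered a full DN instead of only the part below the Base DN."""
    base = [r.lower() for r in normalize_dn(base_dn)]
    rel = [r.lower() for r in normalize_dn(search_base)]
    return bool(base) and len(rel) >= len(base) and rel[-len(base):] == base


def effective_search_base(base_dn, search_base=""):
    """DN the import will actually search: Search Base prepended to Base DN.
    An empty Search Base means 'start at the Base DN', as the page describes."""
    base = normalize_dn(base_dn)
    if not base:
        raise ValueError("Base DN must not be empty")
    if search_base_repeats_base_dn(base_dn, search_base):
        raise ValueError(
            "Search Base repeats the Base DN; enter only the part below "
            + ",".join(base))
    return ",".join(normalize_dn(search_base) + base)


def filter_is_balanced(ldap_filter):
    """Cheap syntax check for an LDAP search filter: must start with '(',
    every '(' must close, and nothing may follow the final ')'. Parentheses
    inside values are escaped as \\28 / \\29 in LDAP, so raw ones are structural."""
    if not ldap_filter.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False  # text after the top-level filter closes
    return depth == 0


if __name__ == "__main__":
    print(effective_search_base("dc=example, dc=com", "ou=Users, ou=NYC, ou=Branches"))
    print(effective_search_base("dc=example, dc=com"))
    print(filter_is_balanced(
        "(&(objectClass=person)(!(objectClass=computer))(!(objectClass=contact)))"))
```

Running it prints ou=Users,ou=NYC,ou=Branches,dc=example,dc=com for the NYC example, the bare Base DN when the Search Base is left blank, and True for the default user filter; passing ou=Groups, dc=example,dc=com as a Search Base raises, which is exactly the "excluding the portion already in the Base DN" case the text warns about.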
Related KB:
Stratusphere LDAP/AD Import - Import Only Specific Groups and Members: https://liquidwarelabs.zendesk.com/entries/109282336-Stratusphere-LDAP-AD-Import-Import-Only-Specific-Groups-and-Members
Help with errors (SSH to the HUB appliance as friend/sspassword, run su - (same sspassword when prompted), then execute: grep LDAP /var/log/tnt/tnt-backend.log*):
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT
NOTE: Returns even if invalid password is presented
LDAP: error code 12 - 00000057: LdapErr: DSID-0C090796, comment: Error processing control, data 0, v23f0 ]; remaining name '/'.
NOTE: Error code 12 usually means you are pointing to a load balancer. This is not currently supported; point to the domain FQDN or to a specific DC instead.
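The grep above returns raw lines, and the "data NNN" sub-code is what tells you whether the import failed because of the service account itself (bad password, lockout, expired password) or because of where the Hub is pointed (error code 12). The script below is an added example, not Stratusphere code: it maps each documented sub-code and the error-code-12 case to the names in the list above, decodes the userAccountControl bits the list names, and counts errors per kind so that, for instance, repeated lockouts of the import account stand out. The SAMPLE_LOG lines are constructed for the demo; only the codes, bitmask values and the log path are taken from this article.

```python
"""Triage helper for the LDAP/AD bind errors listed above, run over lines such
as `grep LDAP /var/log/tnt/tnt-backend.log*` returns. Added example, not
Stratusphere code; the SAMPLE_LOG lines are constructed for the demo and only
the error codes, bitmask values and the log path are taken from the page.
"""
import re
from collections import Counter

# 'data NNN' sub-codes from the AcceptSecurityContext errors above.
SUBCODE = {
    0x525: ("ERROR_NO_SUCH_USER", "username is invalid"),
    0x52E: ("ERROR_LOGON_FAILURE", "username valid, password/credential invalid"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "logon time restriction"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "password must be reset"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# userAccountControl bits named in the list above.
UAC_FLAGS = [
    (0x00000002, "ACCOUNTDISABLE"),
    (0x00000010, "LOCKOUT"),
    (0x00800000, "PASSWORDEXPIRED"),
]

_BIND_ERR = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_LDAP_CODE = re.compile(r"LDAP: error code (\d+)")


def classify(line):
    """Map one log line to (name, explanation), or None if it is not one of
    the errors documented above."""
    m = _BIND_ERR.search(line)
    if m:
        code = int(m.group(1), 16)
        name, why = SUBCODE.get(
            code, ("UNKNOWN_SUBCODE", f"data {code:x} is not in the list above"))
        return name, why
    m = _LDAP_CODE.search(line)
    if m and int(m.group(1)) == 12:
        # RFC 4511 result 12 is unavailableCriticalExtension; per the note
        # above it usually means the Hub is pointed at a load balancer.
        return ("LDAP_ERROR_CODE_12",
                "likely a load balancer; use the domain FQDN or a specific DC")
    return None


def decode_uac(value):
    """Names of the documented userAccountControl bits set in `value`."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def summarize(lines):
    """Count documented errors per name across a log extract."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


# Constructed sample of what the grep above might return (not real Hub output).
SAMPLE_LOG = [
    "2016-03-27 09:00:01 ERROR LDAP bind: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893",
    "2016-03-27 09:00:05 ERROR LDAP bind: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893",
    "2016-03-27 09:00:09 ERROR LDAP bind: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893",
    "2016-03-27 09:01:00 ERROR LDAP search: LDAP: error code 12 - 00000057: LdapErr: DSID-0C090796, comment: Error processing control, data 0, v23f0",
    "2016-03-27 09:01:02 INFO LDAP import finished with errors",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(summarize(SAMPLE_LOG))
    print(decode_uac(0x00800012))
```

To use it against a real Hub, replace SAMPLE_LOG with the lines from the grep command; summarize() then gives one count per documented error name, and decode_uac() turns a userAccountControl value read from the directory into the flag names used in the list above.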
Product: Stratusphere FIT/UX
Product Version: All
Expires on: 365 days from publish date
Updated: March 27, 2016