Domain Setup
LDAP Connection
Within DNS Administrator, consider creating a series of A Name records all called LDAP, but pointing to the different domain controllers you would like Stratusphere to communicate with. Typically, these domain controllers are going to be local to the site where Stratusphere is installed. This LDAP DNS entry will round-robin between all the entries allowing for a domain controller to be offline and not break Stratusphere’s ability to connect to the domain for authentication.
LDAP Connection Account
Consider creating a dedicated Active Directory Service Account for Stratusphere to connect to Active Directory to Authenticate users upon login as well as import the users in the Stratusphere groups into the Stratusphere environment on a scheduled basis.
Stratusphere Groups
Within Active Directory Users and Computers, consider adding 2 groups for Stratusphere users. The first Group, Stratusphere_Admins, should be created for any Active Directory account that will be allowed to log into Stratusphere with administrative access. The second group, Stratusphere_Users, should be created and have members that will be allowed to login to Stratusphere and view the data.
While creating the groups it is advised to get the distinguished names of both groups to utilize later. In the case of the demo environment, the Groups have the following DNs:
DN of Group: CN=Stratusphere_Admins,OU=DomainGroups,DC=liquidware,DC=lab
DN of Group: CN=Stratusphere_Users,OU=DomainGroups,DC=liquidware,DC=lab
It’s also advisable to get the DN of the users that will have access to Stratusphere. In the case of the demo environment all users are in the same OU.
DN of User: CN=Kenny McCormick,OU=DomainUsers,DC=liquidware,DC=lab
Using the DN’s of the User and the Groups the following information is determined:
| Base DN | DC=liquidware,DC=lab |
| User Search Base | OU=DomainUsers |
| Group Search Base | OU=DomainGroups |
Create Stratusphere Directory
Directory Properties
While in the Administration module of Stratusphere, click on the Hub Administration tab and the Directories sub-tab to create a new authentication directory.
- Click the New Directory button
- Enter an easily recognized directory name for the Name field.
- Ensure the “User for Logins” box is checked
- Select “AD” for Directory Type
- For the Fully Qualified Domain Name, enter the Fully qualified domain name for the domain, a domain controller, or the subset of domain controllers described above in the LDAP Connection area.
- For the Port selection, make the appropriate selection for your environment. Most will select Use Default Port.
- For Security, if desired you can configure Stratusphere to connect via the secured port (636) or by default the unsecured port (389). Environments will need to be properly configured for the secured connection.
- The Administrator Name and associated password is an account that has access to AD to perform authentication to the LDAP environment.
- The Base DN is the base DN for the domain.
If you click “Create New Directory” now, the directory should be created, but without any filters on groups or users to pull in. Continue to the Advanced User and User Group Properties to configure the appropriate filters on user imports.
Advanced User and User Group Properties
The best way to import Stratusphere users is to import only the users and groups needed, not all users and groups in the Active Directory.
- Select the Yes radio button for Import User & Groups
- In the User Search Filter replace the default values with the following:
(&(objectClass=person)(!(objectClass=computer))(!(objectClass=contact))(|(memberof=CN=Stratusphere_Admins)(memberof=CN=Stratusphere_Users))) - Using Active Directory Users and Computers, find the Distinguished Name of the Stratusphere_Admins and Stratusphere_Users groups created earlier. Replace the information for each group with the full DN of each group. For example, in this demo environment the filter will be
(&(objectClass=person)(!(objectClass=computer))(!(objectClass=contact))(|(memberof=CN=Stratusphere_Admins,OU=DomainGroups,DC=liquidware,DC=lab)(memberof=CN=Stratusphere_Users,OU=DomainGroups,DC=liquidware,DC=lab)))
- Optionally, the LDAP query can be sped up by limiting the user search to a certain OU which will include all subsequent OU’s. The User Search Base is prepended to the Base DN previously configured. In the demo environment, the User Search Base is OU=DomainUsers.
- Assign the users that are a member of the Stratusphere_Admins group to the Stratusphere Administrator role by adding the group name to the Assign Administrator role Groups. Each group is simply the group name separated by commas.
- The Group Search filter can be limited to only import Stratusphere Groups simply by listing the CN of the group in the filter. For example, (&(objectClass=group)(|(cn=Stratusphere_Admins)(cn=Stratusphere_Users)))
- Optionally, the LDAP query can be sped up by limiting where groups are found by adding a Group Search Base of where Active Directory Groups for Stratusphere are located . For example in the demo environment, the setting is set to OU=DomainGroups and this is prepended to the Base DN previously configured.
- Click Create New Directory or if you are making a change to an existing directory, click Save Changes to update the directory information.
Import Users and Groups
Import from Directory
Once created, import users and groups from the directory. There currently isn’t a way to test the import other than performing the import. If too many users or groups are imported, adjustments to the LDAP information will remove imported users. Click the Import from Directory Tab. Click the Import button.
If the import is successful, there will be a summary message of the number of user and groups imported. If the import fails an error message will be displayed. The event log of Stratusphere may also have some additional data regarding the failure.
Schedule the Import
For Stratusphere users and administrators to be kept up to date it is important to schedule the import. The users, groups and roles if selected will be updated with the import process.
- Click the Schedule Import tab
- Click Yes next to Scheduled
- Select a frequency for the import. Daily imports are suggested at an off time. Imports will only update the users and groups defined in the import filters.
4. Click the Set Schedule button to configure the import schedule.
Help with errors: (SSH to HUB appliance as friend/sspassword, su - (same sspassword when prompted) then execute: grep LDAP /var/log/tnt/tnt-backend.log*)
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 - user not found
DEC: 1317 - ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e - invalid credentials
DEC: 1326 - ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 - not permitted to logon at this time
DEC: 1328 - ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 - not permitted to logon from this workstation
DEC: 1329 - ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 - password expired
DEC: 1330 - ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] - PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 - account disabled
DEC: 1331 - ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] - ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 - account expired
DEC: 1793 - ERROR_ACCOUNT_EXPIRED (The user's account has expired.)
LDAP[accountExpires: <value of -1, 0, or extemely large value indicates account will not expire>] - ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 - user must reset password
DEC: 1907 - ERROR_PASSWORD_MUST_CHANGE (The user's password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] - MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.
80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 - account locked out
DEC: 1909 - ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] - LOCKOUT
NOTE: Returns even if invalid password is presented
LDAP: error code 12 - 00000057: LdapErr: DSID-0C090796, comment: Error processing control, data 0, v23f0 ]; remaining name '/'.
NOTE: Error code 12 usually means you're pointing to a load-balancer, we currently do not support this and require pointing to the domain FQDN or a specific DC.
Product: Stratusphere FIT/UX
Product Version: 6.7.X