Facts when working with Active Directory Groups and Foglight Directory Services Configuration (4352964)

Facts, when working with Active Directory Groups and Foglight Directory Services Configuration.

Troubleshooting import of LDAP groups when logging into Foglight with LDAP users.

Facts, when working with Active Directory Groups and Foglight Directory Services Configuration. Troubleshooting import of LDAP groups when logging into Foglight with LDAP users.

• AD groups that Foglight sees the user is a member of (based on the mode of group searching) get added as "External" Groups. If a group is missing, try logging into Foglight as a member of that group, then search again for the group.
• "External" Groups membership (add/remove from group) cannot be changed through Foglight (done through AD Users and Computers).
• Once Foglight finds an External Groups, it is not shown by default in Foglight Admin Console, to show, go to:
  • Foglight Admin Console | Administration | Users & Security | Manage Users, Groups, Roles
  • Select "Groups" and click on "LDAP groups".
  • Now select which LDAP groups will be visible.
• All AD Group Groups that Foglight finds the user is a member of (based on the mode of group searching) will be added as External Groups. This includes: Global-Security, Domain Local-Security, Universal-Security, Global-Distribution, Domain Local-Distribution, Universal-Distribution.
• When "Direct" mode of group searching, Foglight searches for group membership directly in the user object based on the value of "Parent group attribute ID" (E.g.: memberOf).
• When "Indirect" mode of group searching, Foglight searches all containers below the setting for Group Namespace Searches.

  For example, if the “The scope(s) to search for groups:” is set to "OU=Groups,DC=example,DC=com", Foglight searches the OU "Groups" for AD group membership and it searches all OU’s nested under "Groups".

  If you wanted Foglight to search the entire AD Directory Tree, simply set the "scope to search for groups" to the highest level, the AD Domain itself.; for example, "DC=example,DC=com" – note however, this could cause a great deal of External Groups to be created in Foglight, depending on the size of your AD organization and AD group counts – its better to use the 1st, 2nd and 3rd group namespace settings in Foglight Directory Services Configuration to target exactly where your AD groups reside that you want to get created for AD users logging into Foglight.

• Make sure there are no invalid search strings are specified in any of the namespaces for Groups searching because this will result in an error when trying to search for a group.
• Check/update the value for "Maximum level of group nesting" setting depending upon what nested group the user account (used to logon to Foglight console) is member of.

Using AD Groups to grant Foglight login/use access:

As you will find out, when logging into Foglight as any LDAP User, you do not “get in” at the first login – you must log back in as a Foglight administrator to grant that newly imported "External" account abilities in Foglight.

A trick for getting around this is by using AD Groups already created in Foglight to grant access. HowTo:

1. Decide who in your AD organization will need access to Foglight
2. Create a AD group which will be “found” when Foglight searches the “1^st, 2^nd or 3^rd group namespaces”.
3. Login to Foglight as an LDAP user who is a member of the AD group you just created or import the group manually using the "Import Groups" option. The user and the group will get imported into Foglight as ‘External’.
4. Login to Foglight as a Foglight Security Admin and grant Foglight Roles to the newly created External Group.
5. In AD, add users who will need access to Foglight, to the AD group.

Now, any AD User, who logs into Foglight and who is a member of that AD Group, that’s just been granted Foglight Roles, will get in the first time they login to Foglight – they should NOT be presented with the message:

"The user "username" does not have access to the application. Please contact your administrator to grant necessary permissions.". The administrator could then grant access if necessary or group matching configured for roles to be inherited automatically.

Note: The "Foglight Users" group may also be used to grant console access to as newly created LDAP as all users are members of it; see: What is the purpose of the Foglight group "Foglight Users"? (4260373).