Common configuration problems when setting up LDAP integration with Foglight (4249457)

Issues commonly encountered when setting up Directory Services Configuration

Note: the ServiceAccount password must be re-typed EVERY time the Directory Services Configuration Editor is opened.

Common LDAP Integration issues:

1. Improperly configured ServiceAccount.

The ServiceAccount must be in the 'Distinguished Name' format. The syntax must match EXACTLY how the LDAP directory sees the object. With Microsoft's Active Directory, the 'dsquery' command can be used - for steps, see below:

To find the Distinguished Name (DN) of the Service Account object, run the command below via the command prompt on the Windows Domain Controller:

dsquery user –limit 1000 | dsget user –dn > dn.txt

This will produce a text file called dn.txt, that can be searched through for what Active Directory (AD) sees as the proper DN of the FoglightServiceAccount object.

Example of what the DN may look like after running the query:

CN=fogsvc1,CN=Managed Service Accounts,DC=domain,DC=com

2. The 'LDAP context for user searching' is set too narrow / too focused.

Foglight uses the 'LDAP context for user searching' to determine where to start looking for LDAP users in the LDAP directory when the LDAP user logs into Foglight. Foglight searches for the user in that location and every container level under that starting point. If the user's account is at a higher level than what is set for 'LDAP context for user searching', the login will fail.

Its easy to test this, simply set the context to the highest level of the LDAP tree. In Microsoft Active Directory, this is the Domain. Example - the  AD domain is called domain.com. The 'LDAP context for user searching' would be:

DC=domain,DC=com

Narrow this after confirming Foglight integration with LDAP is successful.

Note: the ServiceAccount does NOT have to exist at or under the ‘LDAP context for user searching’. The ServiceAccount is targeted directly when defining the ‘Distinguished name of the service account’ in Foglight Directory Services Configuration.

3. A setting on the LDAP account in the LDAP Directory is preventing Foglight from doing a simple check and return authentication.

• Foglight does not know how to handle anything but a “check and return” from LDAP.  For example: Foglight does not know how to process 'change password' requests presented by LDAP during login. Some other non-“check and return” responses would include: prevention of Logon Hours, prevention of Logon To (specific workstations), Password Expiration, Account is Disabled, company proprietary security messages/practices. Consult the LDAP Administrator to help inspect the ServiceAccount.
• To test this, Try to login to a Windows machine, to the Domain with the LDAP account specified. If anything is presented other than a successful login, Foglight will have a problem with this when it tries to submit an authentication. Consult the LDAP Administrator to work around LDAP account issues.
• Another trick that can be tried if LDAP authentication isn't working in Foglight is setting the “LDAP query prefix” to force use older NTLM authentication. Do this by changing the “CN=” to “sAMAccount=” in the “LDAP query prefix” box.

4. Formatting or Syntax of Foglight Directory Service Configuration entries is incorrect.

• Look at a FMS that the LDAP configuration hasn’t been touched/set – compare the formats of the entries to what is currently in place. Check the settings that are assumed to be default – someone could have mistakenly changed an uncommon setting. Examples of incorrect formatting / incorrect changes:

• In Active Directory, if the CN user accounts are defined in the CN=Users group, and the Active Directory domain is SITE.DOM, apply the following settings:
  • LDAP query prefix: CN=
  • LDAP query suffix: ,CN=Users,DC=SITE,DC=dom

• Missing the preceding comma in the 'LDAP query suffix' = ,OU=Employees,DC=example,DC=com

• someone changed the JAAS LoginModule Name = com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule

5. The last common mistake here is not a mistake, but what will actually be seen with a successful or non-sucessful LDAP login attempt:

Login to the Foglight Admin Console with an LDAP account. If the Foglight Directory Services configuration is CORRECT,  the following message will appear:

Error The LDAP account fogsvc1 was imported into the Management Server successfully. However, you cannot log in until an administrator grants permissions to your account. Please contact your administrator. Would you like to log in as another user?

Once again – the above message is indicating that Directory Services configuration in Foglight is CORRECT. A Foglight Security Admin user must login and add the newly added LDAP user (called a 'External' user) to a Foglight group which has been granted abilities, called Foglight 'Roles', in order for the user to access the Foglight console.

If Foglight Directory Services is not configured correctly, the message below will appear:

Invalid username and/or password. Please try again.

Note: LDAP user's passwords DO NOT need to conform to Foglight password policies.

For example, if any password policy set in Foglight | Administration | Users & Security | Password Policy Settings - these settings apply ONLY to Foglight internal accounts - the 'external' (LDAP) accounts are not held to this same standard when logging in.