When attempting an initial Active Directory (AD) login in the Foglight console, the console only reports that the username or password is incorrect.
How can the actual error be diagnosed?
In one customer case, the customer had created Organizational Units (OU) named 'Users' and 'MCR', so the CN (Common Name) references to those containers in the service account DN were incorrect.
Steps taken to verify this was the cause:
1) Set the FMS to debug mode: fms --set-global-debug-level 1
2) In the $FGLHOME/logs/ManagementServer*.log debug logs, note the following exception, which indicates that the password could not be validated:
2008-05-16 11:17:29.727 DEBUG [http-0.0.0.0-8443-1] com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule - Failed to validate password.javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
This error clearly shows that the configuration is incorrect. LDAP error code 49 indicates that the credentials were rejected, and the AD sub-code "data 525" indicates that the DN (distinguished name) used is wrong.
Note that the log shows CN instead of OU in the Distinguished Name of Service Account field:
2008-05-16 11:15:47.363 DEBUG [main] com.quest.nitro.service.security.core.NitroSecurityService - jaas ldap config: SecJaasLdapConfig[ldapCfgId: 3544adcb-9b5a-4f81-a347-8536d05c71ad, bindPwdPrefix: bindpwd., bindUserDN: CN=Administrator,CN=Users,CN=MCR,DC=HR,DC=DEV,DC=org, gidAttrId: member, ldapAuthType: .]
3) Turn off debug:
fms --set-global-debug-level 0
4) Correct the 'Users' and 'MCR' components of the Distinguished Name of Service Account field from CN to OU.
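The diagnosis above (read the LDAP error 49 sub-code from the debug log, pull the bindUserDN out of the "jaas ldap config" line, and rewrite the container components that are really OUs) can be scripted. The following is an added example written for this article, not Foglight code: it runs over a constructed log sample (the first two lines reproduce the excerpts quoted above, the third "data 52e" line is constructed to show a second sub-code), and the set of OU names is an assumption that the administrator supplies from the real AD layout.

```python
import re

# Constructed sample of $FGLHOME/logs/ManagementServer*.log debug output. The first
# two lines reproduce the article's excerpts; the third (data 52e) is constructed
# to show a different AD sub-code on the same error code 49.
SAMPLE_LOG = """\
2008-05-16 11:15:47.363 DEBUG [main] com.quest.nitro.service.security.core.NitroSecurityService - jaas ldap config: SecJaasLdapConfig[ldapCfgId: 3544adcb-9b5a-4f81-a347-8536d05c71ad, bindPwdPrefix: bindpwd., bindUserDN: CN=Administrator,CN=Users,CN=MCR,DC=HR,DC=DEV,DC=org, gidAttrId: member, ldapAuthType: .]
2008-05-16 11:17:29.727 DEBUG [http-0.0.0.0-8443-1] com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule - Failed to validate password.javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
2008-05-16 11:20:02.001 DEBUG [http-0.0.0.0-8443-2] com.quest.nitro.service.security.auth.spi.NitroExtendedLdapLoginModule - Failed to validate password.javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
"""

# Active Directory sub-codes carried in the "data NNN" field of an LDAP
# error 49 (invalid credentials) bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN does not exist as written)",
    "52e": "invalid credentials (DN exists, password wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Timestamp, then the AD sub-code inside an "LDAP: error code 49" message.
ERR49_RE = re.compile(r"^(\S+ \S+) .*LDAP: error code 49\b.*?\bdata ([0-9a-fA-F]+)")
# The bindUserDN value runs up to the next "key: " pair or the closing bracket.
BIND_DN_RE = re.compile(r"bindUserDN: (.*?)(?:, [A-Za-z]+: |\])")


def classify_bind_failures(log_text):
    """Return one record per LDAP error 49 line: timestamp, AD sub-code, meaning."""
    results = []
    for line in log_text.splitlines():
        m = ERR49_RE.search(line)
        if m:
            code = m.group(2).lower()
            results.append({"time": m.group(1), "data": code,
                            "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code")})
    return results


def extract_bind_dn(log_text):
    """Pull the bindUserDN out of the 'jaas ldap config' line, or None if absent."""
    m = BIND_DN_RE.search(log_text)
    return m.group(1) if m else None


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first. Escaped commas are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.upper(), value))
    return parts


def container_components(dn):
    """RDNs between the leaf object and the DC= components: the path whose
    CN/OU types must match the real AD hierarchy."""
    return [p for p in parse_dn(dn)[1:] if p[0] != "DC"]


def corrected_dn(dn, ou_names):
    """Rewrite container components whose names the administrator knows to be
    OUs from CN= to OU=. ou_names is an assumption supplied from the AD layout."""
    parts = parse_dn(dn)
    fixed = [parts[0]]
    for attr, value in parts[1:]:
        if attr == "CN" and value in ou_names:
            attr = "OU"
        fixed.append((attr, value))
    return ",".join(f"{a}={v}" for a, v in fixed)


def diagnose(log_text, ou_names=()):
    """Summarise what the debug log says about the service-account bind."""
    dn = extract_bind_dn(log_text)
    report = {"bind_dn": dn, "failures": classify_bind_failures(log_text)}
    if dn:
        report["cn_containers"] = [v for a, v in container_components(dn) if a == "CN"]
        report["suggested_dn"] = corrected_dn(dn, set(ou_names))
    return report


if __name__ == "__main__":
    # 'Users' and 'MCR' are the OUs from the article's customer case.
    for key, value in diagnose(SAMPLE_LOG, ou_names=("Users", "MCR")).items():
        print(f"{key}: {value}")
```

CN=Users is the default built-in container in AD, so a CN= component is not wrong by itself; the script only rewrites components that the administrator has confirmed are OUs, which is the comparison the debug log prompts you to make against the directory.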
How AD information is entered into Foglight after successful configuration:
1) Attempt to log in as the AD user. The login will fail, because no Foglight groups have been assigned to this 'external' user yet, but the attempt automatically adds the user to Foglight.
2) Log in as the user 'foglight' and administer the new 'external' AD user entry to assign it a Foglight group/role.
Foglight will automatically import the AD groups from the server.
Note: In most cases, the FMS does not need to be restarted after entering the Configure Directory Services information. After modifying the DSC page, try logging in as an AD user. If things do not work out as planned, try restarting the FMS so the Security Service reads the configuration during startup, and then try logging in again. If you still cannot log in, investigate the $FGLHOME/logs/ManagementServer*.log further and also see the other Solutions regarding the 'Directory Services Configuration' in SupportLink.