Issues commonly encountered when setting up Directory Services Configuration
Note: the ServiceAccount password must be re-typed EVERY time the Directory Services Configuration Editor is opened.
Common LDAP Integration issues:
1. Improperly configured ServiceAccount.
The ServiceAccount must be entered in 'Distinguished Name' (DN) format, and the syntax must match EXACTLY how the LDAP directory sees the object. With Microsoft Active Directory, the 'dsquery' command can be used to obtain it; see the steps below:
To find the DN of the service account object, run the following at a command prompt on a Windows Domain Controller:
dsquery user -limit 1000 | dsget user -dn > dn.txt
This writes the DNs of up to 1000 user objects to a text file called dn.txt, which can be searched for what Active Directory (AD) sees as the proper DN of the service account object (fogsvc1 in the example below).
Example of what the DN may look like after running the query:
CN=fogsvc1,CN=Managed Service Accounts,DC=domain,DC=com
2. The 'LDAP context for user searching' is set too narrow / too focused.
Foglight uses the 'LDAP context for user searching' as the starting point when it looks up an LDAP user who is logging in. It searches that location and every container beneath it, so if the user's account sits above the configured context (or in a separate branch of the tree), the login fails.
This is easy to test: set the context to the top of the LDAP tree. In Microsoft Active Directory this is the domain itself. For example, if the AD domain is domain.com, the 'LDAP context for user searching' would be:
DC=domain,DC=com
Narrow the context again after confirming that the Foglight integration with LDAP is successful.
Note: the ServiceAccount does NOT have to exist at or under the 'LDAP context for user searching'. The ServiceAccount is targeted directly by the 'Distinguished name of the service account' entry in the Foglight Directory Services Configuration.
3. A setting on the account in the LDAP directory is preventing the simple bind that Foglight uses to check the credentials. Typical Active Directory causes are an account that is disabled, locked out or expired, an expired password, or the 'User must change password at next logon' flag. The directory refuses the bind in each of these cases, and Foglight reports the same failure it would for a wrong password, so check the account's status in the directory before changing the Foglight settings.
4. The formatting or syntax of the Foglight Directory Services Configuration entries is incorrect.
In Active Directory, if the user accounts are defined in the CN=Users container and the Active Directory domain is SITE.DOM, apply the following settings:
• LDAP query prefix: CN=
• LDAP query suffix: ,CN=Users,DC=SITE,DC=DOM
The prefix and suffix are placed around the login name to form the user's DN, so the suffix must begin with a comma. A suffix entered as OU=Employees,DC=example,DC=com (leading comma missing) produces an invalid DN; the correct value is ,OU=Employees,DC=example,DC=com.
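The following is an added example, not Quest or Foglight code, that checks the settings from items 1, 2 and 4 offline before touching the console: it validates the service account DN, assembles the user DN from the query prefix and suffix (assuming Foglight simply concatenates prefix + login name + suffix, as the examples above imply), and tests whether that DN falls under the search context. It also decodes the 'data NNN' sub-code that Active Directory appends to a failed simple bind, which is the quickest way to tell the item 3 account-state problems apart from a bad password. The settings and the bind-failure string are constructed samples.

```python
"""Offline pre-flight check for Foglight Directory Services settings (items 1, 2, 4)
plus a decoder for the AD simple-bind failure sub-code (item 3).

Added example; not Quest/Foglight code. Assumes Foglight forms the user DN as
prefix + login name + suffix, as the prefix/suffix examples in the article imply.
"""
import re

# Constructed sample settings mirroring the fields named in the article.
SERVICE_ACCOUNT_DN = "CN=fogsvc1,CN=Managed Service Accounts,DC=domain,DC=com"
SEARCH_CONTEXT = "DC=domain,DC=com"
QUERY_PREFIX = "CN="
QUERY_SUFFIX = ",CN=Users,DC=domain,DC=com"

# One RDN of the form attribute=value. Simplification: escaped commas
# (CN=Doe\, John) and multi-valued RDNs are not handled.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")

# Microsoft's data codes on LDAP error 49 (invalidCredentials) from a simple bind.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time (logon hours)",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}


def parse_dn(dn):
    """Split a DN into its RDNs; raise ValueError if any part is not attr=value."""
    rdns = [part.strip() for part in dn.split(",")]
    for rdn in rdns:
        if not _RDN.match(rdn):
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
    return rdns


def is_under(dn, context):
    """True when dn equals context or lies beneath it (case-insensitive, as AD compares DNs)."""
    d = [rdn.lower() for rdn in parse_dn(dn)]
    c = [rdn.lower() for rdn in parse_dn(context)]
    return len(d) >= len(c) and d[-len(c):] == c


def build_user_dn(username, prefix=QUERY_PREFIX, suffix=QUERY_SUFFIX):
    """Assemble prefix + username + suffix, rejecting the classic missing-comma suffix."""
    if not suffix.startswith(","):
        raise ValueError("LDAP query suffix must begin with a comma")
    dn = f"{prefix}{username}{suffix}"
    parse_dn(dn)  # raises if the prefix or suffix is otherwise malformed
    return dn


def check_settings(username, service_dn=SERVICE_ACCOUNT_DN, context=SEARCH_CONTEXT,
                   prefix=QUERY_PREFIX, suffix=QUERY_SUFFIX):
    """Return a list of findings for one login name; an empty list means the settings agree."""
    findings = []
    try:
        parse_dn(service_dn)                                   # item 1: DN format
    except ValueError as exc:
        findings.append(f"service account: {exc}")
    try:
        user_dn = build_user_dn(username, prefix, suffix)      # item 4: prefix/suffix syntax
    except ValueError as exc:
        findings.append(f"query prefix/suffix: {exc}")
        return findings
    if not is_under(user_dn, context):                         # item 2: context too narrow
        findings.append(f"user DN {user_dn} is outside the search context {context}")
    return findings


def explain_bind_error(message):
    """Map the 'data NNN' field of an AD bind-failure message to its meaning, or None."""
    match = re.search(r"\bdata ([0-9a-f]{3})\b", message)
    return AD_BIND_DATA_CODES.get(match.group(1)) if match else None


if __name__ == "__main__":
    print(check_settings("jdoe"))                                           # []
    print(check_settings("jdoe", context="OU=Employees,DC=domain,DC=com"))  # outside context
    print(check_settings("jdoe", suffix="OU=Employees,DC=example,DC=com"))  # missing comma
    # Constructed bind-failure text in the shape AD returns; DSID and version vary per server.
    sample = "80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 533, vece"
    print(explain_bind_error(sample))                                       # account disabled
```

Run it with the real values from the Directory Services Configuration Editor and a login name that fails; a finding points at the field to correct, while an empty list means the failure is more likely an account-state issue (item 3), for which the bind sub-code gives the reason.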
5. The last item is not a mistake, but what is actually seen on a successful versus an unsuccessful LDAP login attempt:
Log in to the Foglight Admin Console with an LDAP account. If the Foglight Directory Services Configuration is CORRECT, the following message appears:
Error The LDAP account fogsvc1 was imported into the Management Server successfully. However, you cannot log in until an administrator grants permissions to your account. Please contact your administrator. Would you like to log in as another user?
Once again, this message indicates that the Directory Services Configuration in Foglight is CORRECT. A Foglight Security Admin user must log in and add the newly imported LDAP user (shown as an 'External' user) to a Foglight group that has been granted abilities, called Foglight 'Roles', before the user can access the Foglight console.
If Foglight Directory Services is not configured correctly, the message below will appear:
Invalid username and/or password. Please try again.
Note: LDAP users' passwords DO NOT need to conform to Foglight password policies.
Any password policy set under Foglight | Administration | Users & Security | Password Policy Settings applies ONLY to Foglight internal accounts. 'External' (LDAP) accounts are not held to that standard when logging in, because their passwords are verified by the directory, not by Foglight.