Friday 13 February 2015

CloudSystem Foundation 8.1 Active Directory integration

LDAP integration with CloudSystem Foundation 8.1


I've been struggling with LDAP integration with OneView and CloudSystem Foundation for a while, but I had some success with OneView recently and planned to crack CSF 8.1 as well!

I took some time in the lab today to validate the error message I kept getting. Customer environments often come with a number of restrictions you never encounter in the PDFs you read, which assume all of life is a lab! At least in my lab I have control over users, groups etc., so I can get it working and then gradually change things until it gets close to the Production environment I'm working with. The usual generic errors aren't helpful in diagnosing this, but there are some logs that can help if you're stuck:

If you create and download the Foundation Appliance support dump and rename it to .tar.gz, you can open it with WinZip or a similar tool and extract the following file:
/ci/logs/ciDebug.01.log
Then read through it and match the time of the LDAP configuration error against the timestamps in the file for a pointer.

In my lab I used the following settings to get the LDAP to work:

The user you bind with and any groups you want to configure have to be in the same OU. Great news for Production usage: you can't add AD users and grant them permissions, only groups!!!

The lab OU structure I tested was:

OU=Cloud,OU=Users,OU=Lab,DC=lab,DC=local

Basically it's 3 levels deep and I have the following users and groups here:
Users: admintest, clouduser1. admintest seems to need Domain Admin group membership if possible, or you will run into trouble.
Groups: Cloud Users, of which clouduser1 is a member.
The remaining settings are as follows:
Now you should be able to add in the group. If admintest doesn't have Domain Admin rights, this is where I get rejected until I assign that membership to the user.

You should be allowed to click Connect and search for that group. The groups have to be in the SAME OU, however, for this to work. Now when you log in you get the drop-down option of the domain, and a member of the group can access the Foundation site; in my case clouduser1.

Have Fun!

Edit 15/02/15:
I wondered if having a space in the OU name would make any difference or if quotes would be needed. I went back to my Lab today just to check this out:

OU=Bottom OU,OU=Middle OU,OU=Top OU,DC=lab,DC=local
I created a new cloudadmin2 account with Domain Admin privileges and a clouduser3 account which was a member of the Cloud Test Users group. All three of these objects were located in the "Bottom OU". I modified the existing settings and was able to configure the new LDAP search path and add the group. clouduser3 could log in fine; clouduser1 and clouduser2 were no longer able to log in as they were not in the configured LDAP search path.

So, the result: spaces in the OU path name do not matter!
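The two constraints found above (bind user and groups must sit directly in the configured search path OU, and spaces in OU names need no quoting) can be sanity-checked before touching the appliance. The script below is an added example, not part of the original post or of CloudSystem Foundation; the DN values are constructed to match the lab layout described in the edit.

```python
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas.
    Spaces inside values (e.g. 'OU=Bottom OU') are ordinary characters: no quoting needed."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def normalize_rdn(rdn: str) -> str:
    """Case-fold attribute type and value so 'ou=bottom ou' matches 'OU=Bottom OU'."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().upper()}={value.strip().lower()}"


def parent_of(dn: str) -> List[str]:
    """Normalised RDNs of the container that holds the object named by dn."""
    return [normalize_rdn(r) for r in split_dn(dn)[1:]]


def check_search_path(search_base: str, object_dns: List[str]) -> Dict[str, bool]:
    """Map each DN to True when the object sits directly in the search-path OU,
    which is what the post found was required for the bind user, the groups,
    and any member who needs to log in."""
    base = [normalize_rdn(r) for r in split_dn(search_base)]
    return {dn: parent_of(dn) == base for dn in object_dns}


if __name__ == "__main__":
    # Constructed DNs mirroring the "Bottom OU" lab layout from the 15/02/15 edit.
    BASE = "OU=Bottom OU,OU=Middle OU,OU=Top OU,DC=lab,DC=local"
    for dn, ok in check_search_path(BASE, [
        "CN=cloudadmin2," + BASE,
        "CN=Cloud Test Users," + BASE,
        "CN=clouduser1,OU=Cloud,OU=Users,OU=Lab,DC=lab,DC=local",
    ]).items():
        print(("OK      " if ok else "OUTSIDE ") + dn)
```

Objects reported as OUTSIDE are the ones that, per the edit, could no longer log in once the search path moved.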

Update 13/03/15: Note: you need to use your CN to log in, which may be longer than your NT logon, i.e. "Joe Soap" as opposed to jsoap etc. Check your Active Directory for the exact CN attribute.