Active Directory Troubleshooting
What Does This Article Cover?
This How-To article provides tips for troubleshooting the setup of the Active Directory (AD) security provider. It covers errors that you might get while setting up Active Directory and how to go about resolving each one. This article assumes that the reader has read the Active Directory section of the user guide, which describes the settings needed to configure the Active Directory provider.
Setting up intelligencehub-identityproviders.json
When setting up intelligencehub-identityproviders.json, there are a few things that should be considered:
- Which users should have access to Intelligence Hub?
- What roles should users have access to?
- Who should administrate the connectivity between Active Directory and Intelligence Hub?
- Will an SSL Certificate be needed for encryption?
These questions should be answered before trying to configure the Active Directory provider. Once they are answered, the next step is to map the provider settings to meet the requirements. Some of these settings might take some testing to determine the appropriate values, in particular userFilter, searchBase, userRoleAttribute and roleNameAttribute. We suggest working with an Active Directory administrator to determine these values; they will use tools such as ldp.exe to do so.
Example Configuration
To better understand the provider settings, here is an example of an Active Directory setup. The name of the Active Directory domain is "adsandbox.local". There are 3 users defined in the Active Directory (Administrator, UserOne and UserTwo).
There is one group defined, named "HighByteAdmin". 2 of the users (UserOne and UserTwo) are assigned to the group.
The host name of the server running Active Directory is "adsandbox". Given this configuration, the following intelligencehub-identityproviders.json has been configured.
This intelligencehub-identityproviders.json has not yet been read by Intelligence Hub, so encryptGatewayPassword is still a plain name and value; it has not been encrypted. Make sure you enter your password as the value of encryptGatewayPassword before starting Intelligence Hub.
{
  "authentication" : {
    "providers" : [ "ad" ],
    "ad" : {
      "host" : "adsandbox",
      "port" : "389",
      "gatewayUsername" : "UserOne@adsandbox.local",
      "encryptGatewayPassword" : "****",
      "domain" : "adsandbox.local",
      "ssl" : false,
      "caAlias" : "",
      "userFilter" : "(&(objectClass=user)(!(objectClass=computer)))",
      "searchBase" : "DC=adsandbox,DC=local",
      "suffixGatewayUsername" : false,
      "usernameAttribute" : "sAMAccountName",
      "userRoleAttribute" : "memberOf",
      "roleNameAttribute" : "CN",
      "fullNameAttribute" : "name",
      "phoneAttribute" : "telephoneNumber",
      "emailAttribute" : "mail",
      "smsAttribute" : "mobile"
    }
  }
}
This intelligencehub-identityproviders.json has already been read by Intelligence Hub, so encryptGatewayPassword has already been encrypted.
{
  "authentication" : {
    "providers" : [ "ad" ],
    "ad" : {
      "host" : "adsandbox",
      "port" : "389",
      "gatewayUsername" : "UserOne@adsandbox.local",
      "encryptGatewayPassword" : {
        "type" : "Encrypted",
        "value" : {
          "keyId" : "0JmImYFpOgrhsDpJgWD3QQ==",
          "iv" : "CDDOoNSB5Zvv+sAi5/mueQ==",
          "ciphertext" : "oV8GYCZCbsSYxlUUhYx72A=="
        }
      },
      "domain" : "adsandbox.local",
      "ssl" : false,
      "caAlias" : "",
      "userFilter" : "(&(objectClass=user)(!(objectClass=computer)))",
      "searchBase" : "DC=adsandbox,DC=local",
      "suffixGatewayUsername" : false,
      "usernameAttribute" : "sAMAccountName",
      "userRoleAttribute" : "memberOf",
      "roleNameAttribute" : "CN",
      "fullNameAttribute" : "name",
      "phoneAttribute" : "telephoneNumber",
      "emailAttribute" : "mail",
      "smsAttribute" : "mobile"
    }
  }
}
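The two listings above differ only in the password field, and the mistakes this article goes on to describe (a placeholder password left in place, ssl and port disagreeing, an unbalanced userFilter, attribute names in the wrong case) are all visible in the file before Intelligence Hub is ever started. The following Python check is an added example written for this article, not Intelligence Hub's own code: it reads a copy of the sample file and reports those problems. The rule that caAlias must be set when ssl is true, and the expected fields of the Encrypted object, are assumptions taken from the listings rather than documented product behaviour.

```python
import json

# Constructed copy of the article's not-yet-encrypted intelligencehub-identityproviders.json,
# with the password placeholder still in place.
SAMPLE_CONFIG = """{
  "authentication": {
    "providers": ["ad"],
    "ad": {
      "host": "adsandbox", "port": "389",
      "gatewayUsername": "UserOne@adsandbox.local",
      "encryptGatewayPassword": "****",
      "domain": "adsandbox.local", "ssl": false, "caAlias": "",
      "userFilter": "(&(objectClass=user)(!(objectClass=computer)))",
      "searchBase": "DC=adsandbox,DC=local",
      "suffixGatewayUsername": false,
      "usernameAttribute": "sAMAccountName", "userRoleAttribute": "memberOf",
      "roleNameAttribute": "CN", "fullNameAttribute": "name",
      "phoneAttribute": "telephoneNumber", "emailAttribute": "mail", "smsAttribute": "mobile"
    }
  }
}"""

REQUIRED = ("host", "port", "gatewayUsername", "encryptGatewayPassword", "domain", "ssl",
            "caAlias", "userFilter", "searchBase", "suffixGatewayUsername",
            "usernameAttribute", "userRoleAttribute", "roleNameAttribute")

# Active Directory spellings of the attribute names used in the article. The settings are
# case sensitive, so a value that differs only in case is almost certainly a typo.
AD_SPELLING = {a.lower(): a for a in
               ("sAMAccountName", "memberOf", "name", "telephoneNumber", "mail", "mobile")}

PLACEHOLDER_FINDING = ("encryptGatewayPassword is still the placeholder; "
                       "enter the real password before starting Intelligence Hub")


def sample_config(**overrides):
    """Parse the sample and apply overrides to the 'ad' section (used to build failing cases)."""
    cfg = json.loads(SAMPLE_CONFIG)
    cfg["authentication"]["ad"].update(overrides)
    return cfg


def check_ad_config(cfg):
    """Return a list of findings for the 'ad' provider section; an empty list means no issues."""
    findings = []
    auth = cfg.get("authentication", {})
    if "ad" not in auth.get("providers", []):
        findings.append("'ad' is not listed in authentication.providers")
    ad = auth.get("ad")
    if not isinstance(ad, dict):
        return findings + ["authentication.ad section is missing"]
    findings += [f"missing setting: {k}" for k in REQUIRED if k not in ad]

    pw = ad.get("encryptGatewayPassword")
    if isinstance(pw, dict):  # already read by Intelligence Hub: expect the Encrypted object
        value = pw.get("value", {})
        if pw.get("type") != "Encrypted" or not {"keyId", "iv", "ciphertext"} <= set(value):
            findings.append("encryptGatewayPassword object is not a complete Encrypted value")
    elif not isinstance(pw, str) or pw.strip("*") == "":
        findings.append(PLACEHOLDER_FINDING)

    ssl, port, ca = ad.get("ssl"), str(ad.get("port", "")), ad.get("caAlias", "")
    if ssl is True and not ca:  # assumption: caAlias names the CA certificate for the server
        findings.append("ssl is true but caAlias is empty")
    if ssl is True and port == "389":
        findings.append("ssl is true but port is 389, the plain LDAP port")
    if ssl is False and port == "636":
        findings.append("port is 636, the LDAPS port, but ssl is false")

    depth = 0  # a filter that never closes (or closes early) is rejected by the directory
    for ch in ad.get("userFilter", ""):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            break
    if depth != 0:
        findings.append("userFilter parentheses are unbalanced")

    # roleNameAttribute is skipped on purpose: the article notes it may be "cn" or "CN".
    for key in ("usernameAttribute", "userRoleAttribute", "fullNameAttribute",
                "phoneAttribute", "emailAttribute", "smsAttribute"):
        val = str(ad.get(key, ""))
        canon = AD_SPELLING.get(val.lower())
        if canon and val != canon:
            findings.append(f"{key} is '{val}' but Active Directory spells it '{canon}' "
                            "(these settings are case sensitive)")
    return findings


if __name__ == "__main__":
    for finding in check_ad_config(sample_config()) or ["no issues found"]:
        print(finding)
```

Run against the sample as written, the only finding is the placeholder password; pass a real file through json.load and check_ad_config to see the same report for your own settings.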
Verify Settings
As mentioned previously, tools like ldp.exe can be used to help verify the settings. Here we will use ldp.exe to verify them. First, test that the connection to the Active Directory server can be established by selecting Connection...Connect. Once prompted, specify the hostname and port of the Active Directory server.
Once connected, connection information is displayed.
Now, the user that will administrate the connection between Active Directory and Intelligence Hub can be tested. Select Connection...Bind and specify the User and Password. Only "Simple bind" is supported by Intelligence Hub.
If successful, the user is displayed as authenticated.
Now, the searchBase and userFilter can be tested. This is done by selecting Browse...Search. The Base DN is the same as the searchBase setting and the Filter is the same as the userFilter setting. Intelligence Hub uses Subtree as its scope. For Attributes, specify "sAMAccountName;memberOf". Once done, press Run.
The following results are displayed. sAMAccountName is the user; the CN= part of each memberOf value is a role. The sAMAccountName determines the users that can be authorized to use Intelligence Hub, and memberOf CN= determines the roles the user is authorized for in Intelligence Hub. NOTE: Guest and krbtgt are built-in accounts.
The attributes are case sensitive. Please check whether the memberOf role attribute should be "cn" or "CN", depending on your Active Directory configuration.
Errors
400 Error occurs when the Active Directory settings are not configured correctly and Intelligence Hub cannot connect to Active Directory. Verify the host, port, user, domain, ssl and caAlias settings to ensure they are configured correctly.
Login Request Failed occurs for two reasons. First, the password entered for the username is incorrect. Second, the username is not found within the searchBase. For the latter, ensure that the user shows up under the searchBase and verify that usernameAttribute is set up correctly; it is case sensitive.
401 Error occurs when the user can be authenticated by Active Directory but cannot be authorized to use Intelligence Hub: the user matched the userFilter, but the role attribute could not be found. Verify that userRoleAttribute and roleNameAttribute are set up correctly. These are case sensitive.
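To make the ldp.exe results in Verify Settings concrete, and to show why the case of userRoleAttribute and roleNameAttribute turns into a 401 while a wrong usernameAttribute turns into Login Request Failed, here is an added Python example (written for this article, not Intelligence Hub's code). It evaluates the article's userFilter over a constructed set of directory entries modelled on the adsandbox.local search results, then derives each user's roles from the CN= part of memberOf exactly as described above. The "Domain Admins" and "Ops, Plant Floor" group memberships, the computer object, and the exact-case matching of the configured attribute names are assumptions made for the example.

```python
import re


def _entry(cn, sam, member_of, computer=False):
    """Build a constructed directory entry in the shape ldp.exe shows for DC=adsandbox,DC=local."""
    classes = ["top", "person", "organizationalPerson", "user"] + (["computer"] if computer else [])
    return {"dn": f"CN={cn},CN=Users,DC=adsandbox,DC=local", "objectClass": classes,
            "sAMAccountName": [sam], "memberOf": member_of}


HIGHBYTE = "CN=HighByteAdmin,CN=Users,DC=adsandbox,DC=local"
SAMPLE_ENTRIES = [  # constructed; group names other than HighByteAdmin are invented
    _entry("UserOne", "UserOne", [HIGHBYTE]),
    _entry("UserTwo", "UserTwo", [HIGHBYTE]),
    # the second group has a backslash-escaped comma inside its CN
    _entry("Administrator", "Administrator",
           ["CN=Domain Admins,CN=Users,DC=adsandbox,DC=local",
            "CN=Ops\\, Plant Floor,OU=Groups,DC=adsandbox,DC=local"]),
    _entry("Guest", "Guest", []),      # built-in accounts match the filter but hold no roles
    _entry("krbtgt", "krbtgt", []),
    _entry("ADSANDBOX", "ADSANDBOX$", [], computer=True),  # removed by (!(objectClass=computer))
]

AD_CONFIG = {  # the four settings from the article's intelligencehub-identityproviders.json
    "userFilter": "(&(objectClass=user)(!(objectClass=computer)))",
    "usernameAttribute": "sAMAccountName",
    "userRoleAttribute": "memberOf",
    "roleNameAttribute": "CN",
}


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...), (!...) and (attr=value)."""
    def close(i):
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|":
            i, kids = i + 2, []
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            return (op, kids), close(i)
        if op == "!":
            node, i = parse(i + 2)
            return ("!", [node]), close(i)
        j = text.index(")", i)
        attr, eq, value = text[i + 1:j].partition("=")
        if not eq:
            raise ValueError(f"unsupported filter item {text[i:j + 1]!r}")
        return ("=", attr, value), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; LDAP names and values compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    for name, values in entry.items():
        if name.lower() == attr.lower():
            values = values if isinstance(values, list) else [values]
            return any(v.lower() == value.lower() for v in values)
    return False


def rdn_pairs(dn):
    """Split a DN into (type, value) pairs, honouring backslash-escaped commas."""
    return [(t.strip(), v.replace("\\,", ","))
            for t, _, v in (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))]


def role_names(member_of, role_name_attribute):
    """A role is the value of the first RDN whose type equals roleNameAttribute. The comparison
    is exact-case (assumed, following the article's case-sensitivity warning), so configuring
    'cn' against a directory that returns 'CN=' yields no roles at all."""
    return [pairs[0][1] for pairs in map(rdn_pairs, member_of)
            if pairs and pairs[0][0] == role_name_attribute]


def authorized_users(entries, config):
    """Apply userFilter, then map each usernameAttribute value to its roles, like the ldp.exe
    result table. Entries lacking the (exact-case) username attribute are not listed."""
    node = parse_filter(config["userFilter"])
    users = {}
    for entry in entries:
        if not matches(node, entry):
            continue
        name = entry.get(config["usernameAttribute"])
        if name:
            users[name[0]] = role_names(entry.get(config["userRoleAttribute"], []),
                                        config["roleNameAttribute"])
    return users


if __name__ == "__main__":
    for user, roles in authorized_users(SAMPLE_ENTRIES, AD_CONFIG).items():
        print(f"{user:14} roles={roles}")
    print("roleNameAttribute='cn':", authorized_users(SAMPLE_ENTRIES, dict(AD_CONFIG, roleNameAttribute="cn")))
```

With the article's settings, UserOne and UserTwo resolve to the HighByteAdmin role and the computer object drops out of the list. Changing roleNameAttribute to "cn" still lists every user but with an empty role list, which is the 401 situation; changing usernameAttribute to "samaccountname" lists nobody, which is the Login Request Failed situation.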