Integrating LDAP with Commander

Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander.

Adding LDAP servers

Access through:

Configuration menu > Identity and Access > Authentication

Available to:

Commander Role of Superuser

  1. In the Directory Services pane, click Add and select LDAP (Lightweight Directory Access Protocol).
  2. On the Server Configuration page, enter a valid user account stored on the LDAP server you're configuring.
  3. Complete the server fields (the secondary server is optional).
  4. Choose either Anonymous Bind or Specify user/password.

    If you choose Specify user/password, you must supply the Bind DN and Password information.

  5. Enter the information for the Base DN.
  6. To protect credentials and directory data in transit, enable LDAPS (LDAP over TLS).
  7. To enable the use of the LDAP server, select the Enabled checkbox.

    You can return to this wizard later and enable this integration.

  8. To validate the settings on this page, click Test.

    A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.

  9. On the Identity page, specify attribute names and filters to match your LDAP server configuration.

    These fields are used to retrieve and authenticate users from your LDAP server. Fields marked with * are mandatory. If you choose to specify the Group Identity fields, they must be filled in as pairs: the first two fields together, and the second two fields together.

    You can configure a filter to exclude disabled or inactive users from being retrieved in a search. In the User Filter field, add or replace the text string that allows Commander to filter out disabled or inactive user accounts.

    The following example displays the default text string that you can replace. You can also add another string as required.
    user-filter-last-phrase

    Once this filter has been set, the identified user accounts won't be found in Commander searches, and these user accounts won't be able to log in to Commander or the Service Portal.

    By default, the Anonymous Search option is enabled. If anonymous searches aren't allowed for your LDAP server, disable this option.

  10. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  11. On the Optional Attributes page, add or edit attributes as required.
  12. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  13. Click Finish.
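The User Filter described in step 9 is an ordinary LDAP search filter, so two things matter when you write one: the clause that excludes disabled accounts must use the attribute your directory actually stores that state in, and any login name substituted into the filter must be escaped so it is matched literally. The following added example (not Commander's own code, and not the default string the wizard shows) builds such a filter in Python. It assumes the directory is Active Directory, where a disabled account has bit 0x2 set in userAccountControl and the bitwise-AND matching rule OID 1.2.840.113556.1.4.803 is available; other LDAP servers expose account status through different attributes, so adjust the exclusion clause accordingly. The attribute name sAMAccountName and the helper names are assumptions for illustration.

```python
"""Build an LDAP user-lookup filter that excludes disabled accounts.

Added example, not Commander's own code. Assumes Active Directory:
disabled accounts carry the ACCOUNTDISABLE bit (0x2) in userAccountControl,
and the server supports the LDAP_MATCHING_RULE_BIT_AND matching rule.
"""

# Standard AD bitwise-AND matching rule OID (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x2

# Exclusion clause: "userAccountControl does NOT have the disabled bit set".
EXCLUDE_DISABLED = f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE}))"

# RFC 4515 section 3: characters that are special inside a filter value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name containing '*', '(' or ')' would alter the
    structure of the filter instead of being matched literally.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, login_attr: str = "sAMAccountName",
                exclude_disabled: bool = True) -> str:
    """Return a filter that finds one user object by login name.

    login_attr is the attribute Commander is configured to match on
    (assumed sAMAccountName for AD; uid is common on other servers).
    When exclude_disabled is True the disabled-bit clause is ANDed in, so
    disabled accounts are never returned and therefore cannot log in.
    """
    clauses = [
        "(objectClass=user)",
        f"({login_attr}={escape_filter_value(login)})",
    ]
    if exclude_disabled:
        clauses.append(EXCLUDE_DISABLED)
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Normal lookup with disabled accounts excluded.
    print(user_filter("jsmith"))
    # A name with filter metacharacters is escaped, not interpreted.
    print(user_filter("a*(b)", exclude_disabled=False))
```

Paste the resulting exclusion clause into the User Filter field and click Test (step 10) to confirm the server accepts the matching-rule syntax; a server that does not support the extensible-match rule will reject the filter rather than silently ignore it.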

Setting up email notification for directory services issues

Access through:

Configuration menu > System > Notifications

Available to:

Commander Roles of Superuser and Enterprise Admin

To configure Commander to notify administrators when directory services connection issues occur:

  1. On the Notifications page, under For Directory Services Connection Issues, click Add.
  2. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis (...) button.

    The user account information is displayed.

  3. Click OK.

Troubleshooting

Handling clock skew issues

If you're unable to log in with a directory services account, and you see messages like the following in the Commander log:

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site omegapdc.omega.pv/OMEGA.PV: Security.AD.Erro.Krb.clockSkew

2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - omegapdc.omega.pv - Final AD map: AD Topology discovered by null

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping omegapdc.omega.pv

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed

See the Knowledge Base article Resolving Clock Skew Issues.

Unable to log in to Commander as LDAP user

After integrating an LDAP server, if you're able to add an LDAP user to Commander, but logging in to Commander as that user generates an error similar to the following:

2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith

2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed

javax.security.auth.login.FailedLoginException: can't find user's LDAP entry

Your LDAP server may not allow anonymous searches.

To disable anonymous searches:

  1. Under Configuration > Identity and Access, on the Authentication tab, select your LDAP server and click Edit.
  2. Click Next.
  3. On the Identity page, disable the Anonymous Search option.
  4. Click Next and Finish.
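Both troubleshooting cases above (clock skew, and the LDAP user that can be added but cannot log in) are recognisable from a few fixed strings in the Commander log. The following added Python example (not part of Commander, and not a supported tool) scans log lines for those signatures, counts them by category, lists the accounts named in the failures, and attaches the remediation this section gives for each. The sample log is constructed from the lines quoted above; the timestamp and thread layout of those lines is assumed to hold for the rest of the log, and the regular expressions and function names are assumptions for illustration.

```python
"""Triage directory-service errors in a Commander log.

Added example, not Commander's own tooling. Signatures and remediation
hints come from the two troubleshooting cases in this section; the log
format is inferred from the quoted lines.
"""
import re

# Constructed sample: the lines quoted in this section, in log order.
SAMPLE_LOG = [
    "2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)",
    "2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site omegapdc.omega.pv/OMEGA.PV: Security.AD.Erro.Krb.clockSkew",
    "2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - omegapdc.omega.pv - Final AD map: AD Topology discovered by null",
    "2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping omegapdc.omega.pv",
    "2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed",
    "2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith",
    "2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed",
    "javax.security.auth.login.FailedLoginException: can't find user's LDAP entry",
]

# Ordered list of (pattern, category, remediation from this section).
SIGNATURES = [
    (re.compile(r"Clock skew too great|Krb\.clockSkew"),
     "clock_skew",
     "Correct the time difference between Commander and the domain controller "
     "(see the Knowledge Base article Resolving Clock Skew Issues)."),
    (re.compile(r"can't find user's LDAP entry|Ldap login as \S+ failed"),
     "ldap_entry_not_found",
     "The LDAP server may not allow anonymous searches: edit the server, "
     "go to the Identity page and disable the Anonymous Search option."),
    (re.compile(r"authentication error: \S+; reason:\S+"),
     "auth_failed",
     "Directory authentication failed; the preceding ERROR lines give the cause."),
]

# Accounts named in a failure, either form seen in the quoted log lines.
USER_RE = re.compile(r"Ldap login as (\S+) failed|authentication error: (\S+);")


def classify(line):
    """Return (category, hint) for a known directory-service issue, else None."""
    for pattern, category, hint in SIGNATURES:
        if pattern.search(line):
            return category, hint
    return None


def affected_user(line):
    """Return the account named in a failed-login line, or None."""
    m = USER_RE.search(line)
    if not m:
        return None
    return next(g for g in m.groups() if g)


def triage(lines):
    """Summarise a log: (counts per category, hint per category, sorted users)."""
    counts, hints, users = {}, {}, set()
    for line in lines:
        hit = classify(line)
        if hit:
            category, hint = hit
            counts[category] = counts.get(category, 0) + 1
            hints[category] = hint
        user = affected_user(line)
        if user:
            users.add(user)
    return counts, hints, sorted(users)


if __name__ == "__main__":
    counts, hints, users = triage(SAMPLE_LOG)
    for category, n in counts.items():
        print(f"{category}: {n} line(s) -> {hints[category]}")
    print("accounts affected:", ", ".join(users))
```

Run it against an exported log to see which of the two problems a batch of failed logins belongs to before changing any setting; a run that reports only clock_skew points at time synchronisation, while ldap_entry_not_found with no Kerberos lines points at the Anonymous Search option.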

Removing LDAP servers

Access through:

Configuration menu > Identity and Access > Authentication

Available to:

Commander Role of Superuser

  1. Select the directory service and click Delete.

    The Confirm Directory Service Deletion dialog appears.

    Caution: If you remove access to a user directory, all user accounts in that directory are unable to access Commander.

  2. Click Yes.