Integrating LDAP with Commander

Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander.

Adding LDAP servers

Access through:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

To add an LDAP server:

  1. Click the Authentication tab.
  2. In the Directory Services section, click Add and select LDAP (Lightweight Directory Access Protocol).
  3. On the Server Configuration page, enter a valid user account stored on the LDAP server you're configuring.
  4. Complete the server fields (the secondary server is optional).
  5. Choose either Anonymous Bind or Specify user/password.

    If you choose Specify user/password, you must supply the Bind DN and Password. Use a dedicated, read-only directory account for the bind: Commander stores this credential, and it needs only enough rights to search the Base DN for user and group entries.

  6. Enter the information for the Base DN.
  7. To encrypt traffic between Commander and the directory server, enable LDAPS. Without it, the bind password and the results of user searches cross the network in clear text.
  8. To enable the use of the LDAP server, select the Enabled checkbox.

    If you leave the checkbox cleared, you can return to this wizard later and enable the integration.

  9. To validate the settings on this page, click Test.

    A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.

  10. On the Identity page, specify attribute names and filters to match your LDAP server configuration.

    These fields are used to retrieve and authenticate users from your LDAP server. Fields marked with * are mandatory. If you choose to specify the Group Identity fields, the first two fields must be specified as a pair, and the second two fields must be specified as a pair.

    Note: You can configure a filter to exclude disabled or inactive users from being retrieved in a search. In the User Filter field, add or replace the text string that allows Commander to filter out disabled or inactive user accounts.

    The following example displays the default text string that you can replace. You can also add another string as required.
    user-filter-last-phrase

    Once this filter has been set, the identified user accounts won't be found in Commander searches, and these user accounts won't be able to sign in to Commander or the Service Portal.

    By default, the Anonymous Search option is enabled. If anonymous searches aren't allowed for your LDAP server, disable this option.

  11. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  12. On the Optional Attributes page, add or edit attributes as required.
  13. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  14. Click Finish.
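
As an added example, not part of this topic or of Commander's own code, the following Python script shows how a User Filter entered in step 10 behaves by evaluating LDAP filter strings against a few constructed Active Directory style entries. It uses the standard AD clause for excluding disabled accounts, (!(userAccountControl:1.2.840.113556.1.4.803:=2)); the page does not show Commander's default string, so that filter, the attribute names and the sample entries are all assumptions made for the example.

```python
"""Evaluate an LDAP user filter against directory entries, offline.

Assumes Active Directory attribute names (userAccountControl,
sAMAccountName) and the AD bitwise matching rule. Entries are constructed.
"""

# OID of Active Directory's bitwise-AND extensible matching rule.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Standard AD clause for excluding disabled accounts, combined with object
# class and presence tests. Assumed; the page does not show Commander's default.
EXCLUDE_DISABLED = ("(&(objectClass=user)(sAMAccountName=*)"
                    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# A common mistake: testing one flag combination instead of the disable bit.
NAIVE_EXCLUDE = "(&(objectClass=user)(!(userAccountControl=514)))"


def parse_filter(text):
    """Parse the RFC 4515 subset user filters typically use: (&...), (|...),
    (!...), (attr=value), presence (attr=*) and the AD extensible match
    (attr:OID:=value). Escapes and substrings are not handled."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        lhs, value = text[pos:end].split("=", 1)
        pos = end + 1
        if lhs.endswith(":"):                      # attr:rule:=value
            attr, rule = lhs[:-1].split(":", 1)
            return ("ext", attr, rule, value)
        return ("eq", lhs, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos} in {text!r}")
    return tree


def get_attr(entry, attr):
    """LDAP attribute names are case-insensitive."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value
    return None


def matches(tree, entry):
    """True if the entry (attribute -> value dict) satisfies the filter tree."""
    kind = tree[0]
    if kind == "&":
        return all(matches(child, entry) for child in tree[1])
    if kind == "|":
        return any(matches(child, entry) for child in tree[1])
    if kind == "!":
        return not matches(tree[1], entry)
    if kind == "eq":
        _, attr, value = tree
        actual = get_attr(entry, attr)
        if actual is None:
            return False
        return value == "*" or str(actual).lower() == value.lower()
    if kind == "ext":
        _, attr, rule, value = tree
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError(f"unsupported matching rule {rule}")
        actual = get_attr(entry, attr)
        # Bitwise-AND rule: true only when every bit of value is set.
        return actual is not None and (int(actual) & int(value)) == int(value)
    raise ValueError(f"unknown filter node {kind!r}")


# Constructed entries. userAccountControl: 512 normal; 514 normal + disabled
# (0x2); 66048 normal + password never expires; 66050 that plus disabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": "user", "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectClass": "user", "userAccountControl": 514},
    {"sAMAccountName": "svc-backup", "objectClass": "user", "userAccountControl": 66048},
    {"sAMAccountName": "carol", "objectClass": "user", "userAccountControl": 66050},
    {"sAMAccountName": "Domain Admins", "objectClass": "group"},
]


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Names of the entries an LDAP search with this filter would return."""
    tree = parse_filter(filter_text)
    return [get_attr(e, "sAMAccountName") for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for filter_text in (EXCLUDE_DISABLED, NAIVE_EXCLUDE):
        print(filter_text, "->", search(filter_text))
```

Running it shows why the bit test matters: the extensible-match filter drops both disabled entries (bob and carol), while the equality filter (!(userAccountControl=514)) misses carol, whose account is disabled but also has "password never expires" set. The bit-test clause is the one to add to the User Filter field; any other clauses already in the field stay as they are.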

Setting up email notification for directory services issues

Access through:

Configuration > System

Available to:

Commander Roles of Superuser and Enterprise Admin

To configure Commander to notify administrators when directory service connection issues occur:

  1. Click the Notifications tab.
  2. In the For Directory Services Connection Issues section, click Add.
  3. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis button.

    The user account information is displayed.

  4. Click OK.

Troubleshooting

Handling clock skew issues

If you're unable to sign in with a directory services account, and you see messages like the following in the Commander log:

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site omegapdc.omega.pv/OMEGA.PV: Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - omegapdc.omega.pv - Final AD map: AD Topology discovered by null
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping omegapdc.omega.pv
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed

the clock on the Commander host differs from the domain controller's clock by more than Kerberos tolerates. Kerberos error 37 (KRB_AP_ERR_SKEW) is returned when the difference exceeds the KDC's allowed skew, which is 5 minutes by default in Active Directory. Synchronize the Commander host's clock with the domain controllers (for example, by using the same NTP source), then retry the sign-in.

Unable to sign in to Commander as LDAP user

After integrating an LDAP server, you can add an LDAP user to Commander, but signing in to Commander as that user fails with an error similar to the following:

2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith
2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed
javax.security.auth.login.FailedLoginException: can't find user's LDAP entry 

Your LDAP server may not allow anonymous searches. With Anonymous Search enabled, Commander looks up the user's entry without authenticating to the server first; a server that refuses unauthenticated searches returns no entry, so the login fails before the user's password is ever checked. With the option disabled, the lookup is performed with the Bind DN and Password from the Server Configuration page, so make sure that page uses Specify user/password with an account that can read the user entries.

To disable anonymous searches:

  1. Under Configuration > Identity and Access, on the Authentication tab, select your LDAP server and click Edit.
  2. Click Next.
  3. On the Identity page, disable the Anonymous Search option.
  4. Click Next and Finish.
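
As an added example, not part of this topic or of Commander, the following Python script applies the two troubleshooting checks above to a log excerpt. It parses the log line layout shown in this topic (timestamp, thread, level, message), attaches Java exception lines that carry no header to the preceding record, matches the signatures of both failures, and names the account the same thread was authenticating. The excerpt is constructed from the lines quoted above; the rule names and remedy text are the example's own, following this topic's guidance and standard Kerberos practice.

```python
"""Triage Commander directory-service login failures from a log excerpt."""
import re

# Log line layout seen in this topic: timestamp [thread] LEVEL - message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) - (?P<msg>.*)$"
)

# Which account a thread was working on, from the message forms quoted above.
USER_RE = re.compile(
    r"(?:authentication error: |Authenticating user |Ldap login as )(\S+?)(?:[;\s]|$)"
)

# (signature, cause, remedy). Remedies follow this topic and standard Kerberos practice.
RULES = [
    (re.compile(r"Kerberos error: Clock skew too great \((\d+)\)"),
     "clock_skew",
     "Synchronize the Commander host clock with the domain controllers (NTP)."),
    (re.compile(r"can't find user's LDAP entry"),
     "anonymous_search_refused",
     "Disable the Anonymous Search option on the LDAP server's Identity page."),
]


def parse_log(text):
    """Split an excerpt into records; lines without a header (Java exception
    lines) are appended to the preceding record's message."""
    records = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw)
        if m:
            records.append(m.groupdict())
        elif records and raw.strip():
            records[-1]["msg"] += "\n" + raw
    return records


def triage(text):
    """Return one finding per (thread, cause), naming the account involved."""
    records = parse_log(text)
    user_by_thread = {}
    for r in records:
        m = USER_RE.search(r["msg"])
        if m:
            user_by_thread.setdefault(r["thread"], m.group(1))
    findings, seen = [], set()
    for r in records:
        for pattern, cause, remedy in RULES:
            m = pattern.search(r["msg"])
            if not m or (r["thread"], cause) in seen:
                continue
            seen.add((r["thread"], cause))
            findings.append({
                "time": r["ts"], "thread": r["thread"], "cause": cause,
                "user": user_by_thread.get(r["thread"]),
                "detail": m.group(1) if m.groups() else None,   # Kerberos error code
                "remedy": remedy,
            })
    return findings


# Constructed excerpt assembled from the lines quoted in this topic.
SAMPLE_LOG = """\
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site omegapdc.omega.pv/OMEGA.PV: Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed
2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith
2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed
javax.security.auth.login.FailedLoginException: can't find user's LDAP entry
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['thread']} {f['cause']} user={f['user']}: {f['remedy']}")
```

Correlating by thread is what makes the output actionable: the Kerberos error line itself never names a user, but the authentication error on the same request thread does, so each finding reports who could not sign in and which of the two fixes above applies.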

Removing LDAP servers

Access through:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

To remove an LDAP server:

  1. Click the Authentication tab.
  2. Select the directory service and click Delete.

    The Confirm Directory Service Deletion dialog appears.

    Caution: If you remove access to a user directory, all user accounts from that directory lose access to Commander.

  3. Click Yes.