ManageIQ Active Directory Integration

bwarisch · January 26, 2017, 12:26pm

Hi there,

I have installed ManageIQ and integrated it to our Active Directory Environment.
When recreate the AD user in ManageIQ and add all needed Groups to ManageIQ a Login with AD credentials is possible. When I try to logon with an AD User who resides in the correct Active Directory Group a Login ist not possible. The error message ist “login not allowed, User’s User is missing. Please contact the administrator”

Is there a way to configure the System so that a user is created automatically if he resides in the correct Active Directory Group ?
In the past there was a good PDF documentation on the web. Can someone Point me to link as I am only able to find a web documentation.

Thanks for your help !

Bernd

marshcroft · January 28, 2017, 1:45am

For me all the if the user exists in the AD group then they will be created during there first login. What version of AD are you currently running? This was the setup that worked for me on 2012

Use LDAPS
The under LDAP Settings
your ldap host names or if you use a generic Load Balancer then point to the LB hostname
Port 636
User Type SAM Account Name
Domain Prefix
domain name only i.e is example.com put in example
User Suffix
domain name full i.e example.com

Role Settings
Get User Groups from LDAP tick
Get Roles from Home Forest tick
Follow Referrals is dependent on your AD setup

Base DN
example.com would be dc=example,dc=com
Bind DN
A user that has access to check the domain for users, I would recommend creating a service account for this so the password doesnt expire if you create an account called manageiq then the username would just be manageiq

Bind Password the password to the manageiq account

Trusted Forest only applicable is using a forest.

validate to make sure its green.

Then under access control -> Groups Add new Group
tick the lookup LDAP groups
then add user to lookup

for instance
auser
then in username put in the manageiq account or your own account and the relevant password when it finds then pick the group they belong to that makes the most sense to you for them and there department.

This is also a good time to start to think about Tags.

bwarisch · January 28, 2017, 10:07pm

Hi, I think this answer was helpfull. I will test that next week

THANKS !!

Bernd

mds6901 · December 21, 2018, 6:42pm

I do not know if this helped you or not, but I found the AD documentation and it worked for me.

http://manageiq.org/docs/reference/fine/auth/active_directory

One thing to note that is not in the document (linked above) is that you will not lose your local accounts (i.e. Administrator/admin, custom created local accounts, etc). I know it should not be that way anyway, but it was a concern of some people I saw in my search as well as the team I work with.

It would have been good if this came up when I began my initial search, but it was not buried in an obscure location of the online documentation. I just figured I would post it here for the bump and help others who are looking to implement AD authentication.