Configuring Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) as domain within an authentication broker under Veritas Operations Manager (VOM)
|Article:TECH155909|||||Created: 2011-03-17|||||Updated: 2014-04-10|||||Article URL http://www.symantec.com/docs/TECH155909|
VOM administrators that want to offload responsibilities to users within their Enterprise often have to rely on alternative pre-existing authentication methods to authenticate users prior to providing authorization to use the VOM console for specific tasks allocated as a role. There are many methods available within an enterprise and most may be handled within the Operating System of the VOM authentication brokers an Administrator has configured. Two unique methods for using external authentication prior to authorizing a user within the console are LDAP and AD.
The methods are detailed in the 3.1 VOM documentation available online.
There are certain steps which if not followed correctly can result in errors that may not be immediately identifiable as VOM related.
Some errors would should up when attempting to log in to the VOM Console with a user which the Administrator believes should have been authorized to use a role defined on the server.
In the Resulting Console window:
Without the proper access to the authentication host - "authentication" error
Failed to authenticate client.Username/Password/Domain is incorrect.
With an appropriate Security Group defined or role assigned - "authorization" error
Failed to Log in. User is not Authorized.
In the system error log: logon attempt using account <AccountName> failed.
The configuration of the connection to the authentication host is required successfully only once for a security group's users to be authorized and subsequent attempts when the intention is to add additional group users will also error if an admin attempts to add the same group name over and over.
Failed to add Security Group SQL Anywhere Error -193: Primary key for table 'P_SF_AUTHORIZATION_GROUP' is not unique : Primary key value (''sfm/Rod_test_616/ldap'')
Windows AD server
Unix or Linux LDAP server
Central Management Server (CMS) operating system authentication such as NT, NIS, PAM, Unixpwd
Veritas Security Services (VSS) installs a local Authentication (Veritas Authentication ) VxAT and Authorization (Veritas Authorization) VxAZ Root (R) and Authentication Broker (AB) for use with the CMS or allows configuration of a previously installed RAB / AB as an authentication source for the VOM Application. To configure other authentication sources they must be added as Domains into VSS.
Under the VOM console to allow users from other than the default root group on a Unix box to log into the graphical User interface (GUI) the VOM administrator must take actions to configure LDAP / AD to perform authentication and then must add a security group and assigned the desired role for users to be authorized to use the application. Performing only one step will result in an error as described above.
Many criteria must be accomplished prior to creating the configuration so as to not leave a step incomplete or point to a group membership which is not discovered for inclusion in the desired client authorization.
1) To complete the steps which are simple and straight forward the Administrator must log into the VOM GUI Console with administrative role privileges and navigate to the Settings drop down on the far right of the title bar.
2) using the mouse Click the drop down arrow and go to the Authentication Broker page
Note: Popups must be allowed in the browser for the resulting window to be displayed
4) in the new window that is displayed the information needs to be accurately entered.
Note: If this information is not known or for testing the information to be entered see below.
5) click next to move to the next screen and provide a name that will be used in the drop down box for logging in under the context of the users available to be authenticated from the newly created Domain.
6) The newly created Domain should be enabled by default and ready to use to create an Authorization via adding a security group.
7) Create a Security Group for the new users desired in the VOM console by selecting the Security Groups from the security section of the Settings drop down menu.
8) Click on the New security Group Button
9) Group creation requires a group name. While any name can be selected the authorization of users will compare an authenticated user to the group membership for the authentication type and it must match a valid User and group combination or the authorization error above will appear. Select the Role the group will have on the VOM console and scope it to the entire domain or predetermined and already created business entities defined within the VOM application and select OK.
10) Select the group from the drop down for login to the console and enter a valid User / Password combination which can be authenticated using the domain against the authentication host.
11) Enter valid credentials
12) confirm the user now accessing the VOM console is the user using the domain the administrator created to authenticate
13) user administrator can be completed externally using the authentication host and groups and administrator has deigned for VOM GUI COnsole access and roles. A suggested methodology would be to create a Group for the desired role and add the users that require that role to the group. Users in multiple groups will inherit the least permissions.
Most errors and issues faced with adding an LDAP or Ad authentication Domain pointing to a valid Authentication Host are due to incorrect values used in configuration there are many testing commands available to confirm the correct setting prior to adding a domain or creating a security group.
proper group discovery
Article URL http://www.symantec.com/docs/TECH155909