Applies to Models: WAVE
Summary:
LDAP integration allows VMS administrators to link an existing user database to the WAVE system while users keep their LDAP passwords, and provides an option to assign specific access rights.
Explanation of Behavior:
Instructions on integrating and configuring an LDAP Server can be found here.
Q: Why can't I use an IP address while configuring LDAP in the Desktop Client?
A: An FQDN* must be used instead. You can find more information at the bottom of the page.
Q: Can the system be set to pull LDAP for changes/updates periodically?
A: The Media Server tries to synchronize with the LDAP/AD server every 5 or 10 minutes by default.
Q: Why are LDAP users unable to log in to the Web Client until they have successfully logged into the Desktop Client once?
A: This functionality is planned for a later release.
Q: When configuring LDAP integration, I cannot specify the domain's base DN as a search base, but I can specify OUs underneath the base DN. Why?
A: You cannot filter on OU membership, but you can filter on group membership. To retrieve all users that are members of a specified group, filter on the memberOf attribute.
Example:
memberOf=CN=Security Users,CN=Users,DC=DOMAIN,DC=LOCAL
Q: Does VMS keep LDAP passwords?
A: No, for security reasons.
Q: Does an LDAP Server have to be a part of a Local Network together with the Media Server?
A: No. The LDAP Server only has to be reachable from the Media Server, either on the LAN or over a WAN.
Q: Why can I not see the LDAP "button" in the Desktop Client?
A: LDAP users, whatever role they are assigned, cannot modify LDAP Server settings. The reasoning is that they would lose the ability to connect if they accidentally broke these settings.
Q: Why does LDAPS (LDAP over SSL) not work?
A: You will most likely need to change or install certificates on both machines: the LDAP Server and the Media Server.
Resolution:
Step I
First, let's determine whether the issue is related to the VMS. To do that, we recommend connecting to your LDAP Server with an alternative LDAP browser/client from the list below:
Win --> Softerra LDAP Browser
Ubuntu --> OpenLDAP
To install (Ubuntu):
sudo apt-get update && sudo apt-get install ldap-utils
A test query can look like the one below:
ldapsearch -LLL -x -H ldap://ad.my.domain.com:389 -s sub -D Administrator@my.domain.com -b CN=Users,DC=my,DC=domain,DC=com -w PaSsWoRd123 -o ldif-wrap=150
where:
port: 389 (plain LDAP)
bind DN of an admin (-D): Administrator@my.domain.com (UPN form, accepted by Active Directory) or CN=Administrator,CN=Users,DC=my,DC=domain,DC=com
search base (-b): CN=Users,DC=my,DC=domain,DC=com
password (-w): PaSsWoRd123 (use -W instead to be prompted for the password, which keeps it out of the shell history)
Valid output:
dn: CN=Users,DC=my,DC=domain,DC=com
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=my,DC=domain,DC=com
instanceType: 4
whenCreated: 20151113032937.0Z
whenChanged: 20151113032937.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: puf/DK2dGkCF/7bTR7V+iw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
isCriticalSystemObject: TRUE
dSCorePropagationData: 20170619233637.0Z
dSCorePropagationData: 16010101000001.0Z
.....
If you manage to fetch / browse the information, please proceed to Step II. Otherwise, we strongly encourage you to talk to your LDAP system administrator for assistance.
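As an added example (not part of the original article or the WAVE product), a small Python helper that works offline on the kind of ldapsearch run shown above: it parses the -LLL LDIF output (re-joining lines folded by ldif-wrap and decoding base64 "::" values such as objectGUID), renders objectGUID as the GUID string AD tools display, and builds the memberOf filter from the earlier FAQ answer with RFC 4515 escaping so a group name containing "(", ")" or "*" cannot change the filter's meaning. The sample LDIF is a constructed abridgement of the "Valid output" above.

```python
import base64
import re
import uuid

# Characters that must be escaped inside an LDAP filter value (RFC 4515); a group
# name containing "(" or "*" would otherwise change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample: an abridged copy of the "Valid output" above, with one line
# folded the way ldif-wrap folds long values, and the "....." elision kept.
SAMPLE_LDIF = """dn: CN=Users,DC=my,DC=domain,DC=com
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded
  user accounts
objectGUID:: puf/DK2dGkCF/7bTR7V+iw==
dSCorePropagationData: 20170619233637.0Z
dSCorePropagationData: 16010101000001.0Z
.....
"""


def member_of_filter(group_dn: str) -> str:
    """Build the memberOf filter from the FAQ, with the group DN escaped and wrapped in parentheses."""
    return "(memberOf=" + "".join(_FILTER_ESCAPES.get(c, c) for c in group_dn) + ")"


def parse_ldif(text: str) -> list[dict[str, list]]:
    """Parse `ldapsearch -LLL` output into one dict per entry; every attribute is a list of values."""
    entries, current = [], {}
    # A continuation line starts with a single space; dropping "\n " re-joins the folded value.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():  # a blank line ends the entry
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:  # e.g. the "....." elision, which is not LDIF
            continue
        attr, sep, raw = m.groups()
        # "attr:: value" carries a base64-encoded value (objectGUID, objectSid, ...)
        current.setdefault(attr, []).append(base64.b64decode(raw) if sep == "::" else raw)
    return entries


def object_guid(entry: dict[str, list]) -> str:
    """Render AD's binary objectGUID as the mixed-endian GUID string AD tools display."""
    return str(uuid.UUID(bytes_le=entry["objectGUID"][0]))
```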
Step II
*** If Step I was successful ***
Elevate the main logging level of the Media Server to DEBUG2 (VERBOSE).
Try to reproduce the LDAP-related operation that failed.
Gather the Server Logs and create a ticket via our Support Portal with the files attached.
*FQDN - the correct Fully Qualified Domain Name (FQDN) must be used in the URL. To determine it:
1) Log in to the LDAP server
2) Open a command prompt and type:
hostname
The output (ASDDC6 in this example) is the server's hostname.
3) Enter:
setspn -L ASDDC6 (replace ASDDC6 with your hostname). You will see something like:
Registered ServicePrincipalNames for CN=ASDDC6,OU=Domain Controllers,DC=asd,DC=local:
DNS/ASDDC6.asd.local
RPC/1b3acc4a-88ec-4b0f-a72d-6a67831626c2._msdcs.asd.local
HOST/ASDDC6/ASD
HOST/ASDDC6.asd.local/ASD
GC/ASDDC6.asd.local/asd.local
exchangeAB/ASDDC6.asd.local
HOST/ASDDC6.asd.local/asd.local
exchangeAB/ASDDC6
ldap/ASDDC6/ASD
ldap/1b3acc4a-88ec-4b0f-a72d-6a67831626c2._msdcs.asd.local
ldap/ASDDC6.asd.local/ASD
ldap/ASDDC6
ldap/ASDDC6.asd.local
ldap/ASDDC6.asd.local/DomainDnsZones.asd.local
ldap/ASDDC6.asd.local/ForestDnsZones.asd.local
ldap/ASDDC6.asd.local/asd.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/1b3acc4a-88ec-4b0f-a72d-6a67831626c2/asd.local
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ASDDC6.asd.local
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ASDDC6.asd.local
WSMAN/ASDDC6.asd.local
WSMAN/ASDDC6
TERMSRV/ASDDC6.asd.local
TERMSRV/ASDDC6
RestrictedKrbHost/ASDDC6
HOST/ASDDC6
RestrictedKrbHost/ASDDC6.asd.local
HOST/ASDDC6.asd.local
The SPN ldap/ASDDC6.asd.local gives the correct FQDN, so the URL to use is ldap://ASDDC6.asd.local.