Purpose

The purpose of this document is to help in configuring Windows Active Directory for authenticating Versa Director users. It also covers a basic level of troubleshooting on Versa Director.

As a result, this document provides a checklist of common procedures to try before you begin to troubleshoot a connection and call Versa Technical Support. It mainly illustrates and focuses on the checks to perform on Versa devices.

Prerequisite: Active Directory installation is already completed on the Windows server and the forest has been added. It should look similar to the screenshot below, where raj.lab is my domain.

1. Create OU on Active Directory

The first step is to add OUs under the forest. Here we add three OUs. The first is Tenant, which holds all the tenants we have configured on the Director. The second is Roles, which contains all the roles, including custom roles, and the third is Users. Note that all these names are case sensitive and must match the Director configuration exactly.

Go to Active Directory Users and Computers, right-click on the forest, add a new OU, and name each OU appropriately.

In the screen capture we can see that all three OUs, Tenants, Roles, and User, have been created.

2. Creating groups inside OU

Now we need to create groups inside the respective OUs. For example, under the Tenant OU we create groups named after the tenants we have on the Director, to provide authentication service to the tenant users. Note that all these names are case sensitive and must match the Director configuration exactly.

Similarly, we add the roles under the OU Roles. I am only configuring the predefined roles, but custom roles can be defined in the same fashion:

ProviderDataCenterAdmin

ProviderDataCenterSystemAdmin

ProviderDataCenterOperator

TenantSuperAdmin

TenantSecurityAdmin

TenantDashboardOperator

TenantOperator

3. Defining users

At this point we have to define our users. First we define a user just for bind data, which will not have a role defined. This user is used to establish the authentication channel between the Director and the AD server.

Right-click on the User OU and select New User.

Give it a name of your choice, set a password, click Next and then Finish.

Open PowerShell and execute Get-ADUser <name of user>. In my case it is john; the output shows the user's details.

4. Configuring the Auth connector in Director

From here, log in to Versa Director, go to Administrator >>> Connector >>> Authentication and click on the + sign.

In this window, fill in all the details and select it as the default connector. In my case:

Bind DN: CN=john,OU=User,OU=p1-org,DC=raj,DC=lab

   Note: the DistinguishedName value of the bind user is the Bind DN value

Base DN: DC=raj,DC=lab

Keys                Values                                      Example
Name                <user defined>                              C1
IP address / FQDN   Address of the Active Directory server      10.192.155.98
BIND DN             Distinguished name of the bind user         CN=raj,OU=Users,OU=p1-org,DC=raj,DC=lab
BIND Credentials    Password for the BIND DN user               password
Base DN             Extracted from the distinguished name       DC=versa,DC=com
Default Connector   See below

Default Connector:

- If the Default Connector box is checked, both system users and tenant users will be able to log in (assuming the connector is associated with the tenant org, as shown above).

- If the Default Connector box is unchecked, only tenant users will be able to log in (assuming the connector is associated with the tenant org, t1 in my case).

This finishes step 3, creating the user for bind data. From here onwards we can create the other users who will be used for login.


5. Creating users for login

In this section, I create two types of users. The first is a ProviderDataCenterSystemAdmin user, which is considered a system user and has system-wide access. The second is a tenant user with the role TenantSuperAdmin, which has access only to the objects of that specific tenant.

5.1 Adding ProviderDataCenterSystemAdmin user

I add a user called raj here. On the AD server, right-click on the User OU >> New >> User. Fill in the details as shown below and click Next. On the next step set the password, click Next and then Finish. User raj should now be able to log in to the Director.

5.2 Creating Tenant users

Add another user in the same way as shown above. Here I have added a user called t1-user1.

The additional step is to right-click on the user t1-user1, select Properties, and open the Member Of tab. Add the role and the tenant to the user. In my case, I add the role TenantSuperAdmin, and since my tenant on the Director is t1, I add that as well. Note that I created this t1 tenant group in step 2.

Now go to the Director and make sure that the connector we configured is referenced in the respective tenant organization.

User t1-user1 is now ready to log in to the Director. Note that we have to specify the tenant org name as well, so the login format is <username>@<tenant org name>.
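The AD side of steps 1, 2, 3 and 5 above, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original article or Versa's own tooling: the domain, OU, group and user names are taken from the article, OU=p1-org as the parent OU is assumed from the article's Bind DN, and the passwords are prompted for rather than embedded.

```powershell
# Added example (not from the original article): scripts the AD side of
# steps 1, 2, 3 and 5 with the ActiveDirectory PowerShell module. Domain,
# OU, group and user names come from the article; OU=p1-org as the parent
# OU is assumed from the article's Bind DN, and passwords are prompted for.
Import-Module ActiveDirectory

$DomainDN = 'DC=raj,DC=lab'
$ParentOU = "OU=p1-org,$DomainDN"   # assumed parent OU (see the Bind DN)

# Step 1: the three OUs. Names are matched case sensitively by the Director.
foreach ($ou in 'Tenants', 'Roles', 'User') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $ParentOU)) {
        New-ADOrganizationalUnit -Name $ou -Path $ParentOU
    }
}

# Step 2: one group per role under Roles, one group per tenant under Tenants.
$Roles = 'ProviderDataCenterAdmin', 'ProviderDataCenterSystemAdmin',
         'ProviderDataCenterOperator', 'TenantSuperAdmin',
         'TenantSecurityAdmin', 'TenantDashboardOperator', 'TenantOperator'
foreach ($r in $Roles) {
    New-ADGroup -Name $r -GroupScope Global -Path "OU=Roles,$ParentOU"
}
New-ADGroup -Name 't1' -GroupScope Global -Path "OU=Tenants,$ParentOU"

# Step 3: the bind user. It belongs to no role or tenant group; it only
# opens the LDAP channel, so the Director never grants it a role.
$BindPw = Read-Host -AsSecureString 'Password for bind user john'
New-ADUser -Name 'john' -SamAccountName 'john' -Path "OU=User,$ParentOU" `
    -AccountPassword $BindPw -Enabled $true
(Get-ADUser 'john').DistinguishedName   # this string is the Director Bind DN

# Step 5: login users. raj gets the system role; t1-user1 gets a tenant
# role plus the tenant group, so it logs in as t1-user1@t1.
$LoginPw = Read-Host -AsSecureString 'Password for login users'
foreach ($u in 'raj', 't1-user1') {
    New-ADUser -Name $u -SamAccountName $u -Path "OU=User,$ParentOU" `
        -AccountPassword $LoginPw -Enabled $true
}
Add-ADGroupMember -Identity 'ProviderDataCenterSystemAdmin' -Members 'raj'
Add-ADGroupMember -Identity 'TenantSuperAdmin' -Members 't1-user1'
Add-ADGroupMember -Identity 't1' -Members 't1-user1'

# Check: list each login user's groups; these names are what the Director
# compares, case sensitively, with its own role and tenant names.
foreach ($u in 'raj', 't1-user1') {
    "$u : " + ((Get-ADPrincipalGroupMembership $u).Name -join ', ')
}
```

Run it once as a domain administrator on the AD server; the final loop is the same check as Get-ADUser in step 3, extended to the group memberships the Director relies on.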


6. Troubleshooting

Review the logs in the file /var/log/vnms/ncs/vnms-external-auth.log.

The screenshot below captures the logs of a ProviderDataCenterSystemAdmin user logging in successfully, to show the correct sequence of events.

The screenshot below captures the logs of a tenant user logging in successfully, to show the correct sequence of events.

The logs below are seen when the Director is not able to reach the AD server.

Here are the failure scenarios.

A script is provided in Versa Director to test the users, located in /opt/versa/vnms/scripts/externalauth/:

sudo ./ad_client.py --address 10.192.155.98 --ad-username "CN=raj,OU=User,OU=p1-org,DC=raj,DC=lab" --ad-password versa123 --base-dn "dc=raj,dc=lab" --username raj --password versa123

sudo ./ad_client.py --address 10.192.155.98 --ad-username "CN=t1-user1,OU=User,OU=p1-org,DC=raj,DC=lab" --ad-password "versa123" --username "t1-user1" --password "versa123" --base-dn "dc=raj,dc=lab"

7. Please collect the logs below

/var/log/vnms/ncs/vnms-external-auth.log

vd1> show configuration nms provider auth-connectors | display set

From the AD server run the command "Get-ADUser <username>"


8. Contact Support

Capture all the above logs and outputs and contact Versa Support.
NOTE: Log the PuTTY/terminal session to capture all outputs when performing the requested steps; this will be helpful when engaging Support.