Integrate LDAP with Commander

Commander can leverage an existing LDAP directory to provide multi-tenant RBAC for different departments or organizations.

Integrating Commander with directory services is optional. If you don't use Active Directory or LDAP, you can set up local user accounts directly in Commander. For information, see Add user or group accounts and assigning Commander roles.

Add LDAP servers

Access:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

  1. Click the Authentication tab.
  2. In the Directory Services section, click Add and select LDAP (Lightweight Directory Access Protocol).
  3. On the Server Configuration page, enter a valid user account stored on the LDAP server you're configuring.
  4. Complete the server fields (the secondary server is optional).
  5. Choose either Anonymous Bind or Specify user/password.

    If you choose Specify user/password, you must supply the Bind DN and Password information.

  6. Enter the information for the Base DN.
  6. To protect the data exchanged with the directory server in transit, enable LDAPS.
  8. To enable the use of the LDAP server, select the Enabled checkbox.

    You can return to this wizard later and enable this integration.

  9. To validate the settings on this page, click Test.

    A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.

  10. On the Identity page, specify attribute names and filters to match your LDAP server configuration.

    These fields are used to retrieve and authenticate users from your LDAP server. Fields marked with * are mandatory. If you choose to specify the Group Identity fields, the first two fields must be specified together as a pair, and the last two fields must also be specified together as a pair.

    You can configure a filter to exclude disabled or inactive users from being retrieved in a search. In the User Filter field, add or replace the text string that allows Commander to filter out disabled or inactive user accounts.

    The following example displays the default text string that you can replace. You can also add another string as required.
    user-filter-last-phrase

    Once this filter has been set, the identified user accounts won't be found in Commander searches, and these user accounts won't be able to sign in to Commander or the Service Portal.

    By default, the Anonymous Search option is enabled. If anonymous searches aren't allowed for your LDAP server, disable this option.

  11. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  12. On the Optional Attributes page, add or edit attributes as required.
  13. To validate the settings on this page, click Test. A Success message appears when validation succeeds; otherwise, errors are flagged for you to fix.
  14. Click Finish.
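As an added illustration of how the Identity page fields fit together (example code, not Commander's implementation and not its default filter string): a directory client ANDs the User Filter with a match on the user attribute and the login name, escaping the name so that it cannot change the structure of the filter. The disabled-account filter shown assumes an Active Directory-style schema.

```python
# RFC 4515 escaping for a value embedded in an LDAP filter assertion.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a login name so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Illustrative user filter for an Active Directory-style schema: the bitwise
# AND matching rule excludes accounts whose userAccountControl has the
# ACCOUNTDISABLE bit (2) set. Assumption for this example, not Commander's default.
AD_ENABLED_USERS = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

def filter_is_balanced(ldap_filter: str) -> bool:
    """Cheap local sanity check before the wizard's Test step: parentheses
    must balance and the whole filter must be enclosed in parentheses."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and ldap_filter.startswith("(") and ldap_filter.endswith(")")

def build_user_search(user_attr: str, user_filter: str, login: str) -> str:
    """AND the Identity page's User Filter with the login-name match."""
    if not filter_is_balanced(user_filter):
        raise ValueError(f"malformed user filter: {user_filter!r}")
    return f"(&{user_filter}({user_attr}={escape_filter_value(login)}))"
```

Without the escaping step a login name such as `*` would match every enabled account, which is why the name is never spliced into the filter raw.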

Set up email notification for directory services issues

You can configure Commander to notify administrators when directory services connection issues occur.

Access:

Configuration > System

Available to:

Commander Roles of Superuser and Enterprise Admin

  1. Click the Notifications tab.
  2. In the For Directory Services Connection Issues section, click Add.
  3. In the Manage Directory Service Notifications dialog, enter the full user ID and click the ellipsis button.

    The user account information is displayed.

  4. Click OK.

Troubleshooting

Handling clock skew issues

If you are unable to sign in with a directory services account, and you see messages like the following in the Commander log:

2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Unable to map site omegapdc.omega.pv/OMEGA.PV: Security.AD.Erro.Krb.clockSkew
2017-09-12 14:10:33,765 [http-bio-443-exec-6] INFO - omegapdc.omega.pv - Final AD map: AD Topology discovered by null
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - No AD sites could be found while mapping omegapdc.omega.pv
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed 

To resolve this, make sure that the LDAP server and Commander are synchronized to the same Network Time Protocol (NTP) source. As a best practice, all entities on your network should use the same time source to avoid clock skew issues.

Unable to sign in to Commander as LDAP user

After integrating an LDAP server, if you're able to add an LDAP user to Commander, but trying to sign in to Commander as that user generates an error similar to the following:

2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith
2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed
javax.security.auth.login.FailedLoginException: can't find user's LDAP entry 

Your LDAP server may not allow anonymous searches.

To disable anonymous searches:

  1. Under Configuration > Identity and Access, on the Authentication tab, select your LDAP server and click Edit.
  2. Click Next.
  3. On the Identity page, disable the Anonymous Search option.
  4. Click Next and Finish.
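To recognise the two log signatures from this Troubleshooting section in bulk, here is an added triage script (not part of the Commander product) that parses Commander log lines, attaches untimestamped Java exception lines to the entry before them, and maps each known signature to the remedy documented above, together with the users seen on the same request thread. The sample log is constructed from the two excerpts shown above.

```python
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
USER_RE = re.compile(r"authentication error: (?P<u>\S+);|Authenticating user (?P<v>\S+)")

# Signatures from the troubleshooting section, mapped to the documented remedy.
SIGNATURES = {
    "clock_skew": ("Clock skew too great", "same NTP source for Commander and the directory server"),
    "anonymous_search": ("can't find user's LDAP entry", "disable Anonymous Search on the Identity page"),
}

# Constructed sample: the two excerpts from this page, joined into one log.
SAMPLE_LOG = """\
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - Kerberos error: Clock skew too great (37)
2017-09-12 14:10:33,765 [http-bio-443-exec-6] ERROR - authentication error: trodney@omega.pv; reason:Security.AD.LoginFailed
2014-06-02 15:49:24,593 [http-bio-443-exec-5] DEBUG - Authenticating user jsmith
2014-06-02 15:49:24,608 [http-bio-443-exec-5] DEBUG - Ldap login as jsmith failed
javax.security.auth.login.FailedLoginException: can't find user's LDAP entry
"""

def parse_entries(log_text):
    """Split the log into entries; a line without a timestamp (such as the Java
    exception printed after 'Ldap login as X failed') belongs to the entry before it."""
    entries = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(dict(m.groupdict(), text=m["msg"]))
        elif entries and line.strip():
            entries[-1]["text"] += "\n" + line.strip()
    return entries

def triage(log_text):
    """Map each known signature to its remedy, first timestamp and the users
    seen on the same request thread (threads are per request in these logs)."""
    users_by_thread, hits = {}, []
    for e in parse_entries(log_text):
        um = USER_RE.search(e["text"])
        if um:
            users_by_thread.setdefault(e["thread"], set()).add(um["u"] or um["v"])
        for cause, (needle, remedy) in SIGNATURES.items():
            if needle in e["text"]:
                hits.append((cause, e["thread"], e["ts"], remedy))
    findings = {}
    for cause, thread, ts, remedy in hits:
        f = findings.setdefault(cause, {"remedy": remedy, "first_seen": ts, "users": set()})
        f["users"] |= users_by_thread.get(thread, set())
    return {c: dict(f, users=sorted(f["users"])) for c, f in findings.items()}
```

Run `triage(open("commander.log").read())` against a real log to get one finding per known cause rather than one per line.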

Remove LDAP servers

Access:

Configuration > Identity and Access

Available to:

Commander Role of Superuser

  1. Click the Authentication tab.
  2. Select the directory service and click Delete.

    The Confirm Directory Service Deletion dialog appears.

    If you remove access to a user directory, all user accounts in that directory are unable to access Commander.

  3. Click Yes.