Skip to main content
Cloud Insights

Configuring an Active Directory (AD) User Directory Collector

Contributors netapp-alavoie dgracenetapp

Workload Security can be configured to collect user attributes from Active Directory servers.

Before you begin
  • You must be a Cloud Insights Administrator or Account Owner to perform this task.

  • You must have the IP address of the server hosting the Active Directory server.

  • An Agent must be configured before you configure a User Directory connector.

Steps to Configure a User Directory Collector
  1. In the Workload Security menu, click:
    Collectors > User Directory Collectors > + User Directory Collector and select Active Directory

    The system displays the Add User Directory screen.

Configure the User Directory Collector by entering the required data in the following tables:

Name

Description

Name

Unique name for the user directory. For example GlobalADCollector

Agent

Select a configured agent from the list

Server IP/Domain Name

IP address or Fully-Qualified Domain Name (FQDN) of server hosting the active directory

Forest Name

Forest level of the directory structure.
Forest name allows both of the following formats:

x.y.z ⇒ direct domain name as you have it on your SVM. [Example: hq.companyname.com]

DC=x,DC=y,DC=z ⇒ Relative distinguished names [Example: DC=hq,DC= companyname,DC=com]

Or you can specify as the following:

OU=engineering,DC=hq,DC= companyname,DC=com [to filter by specific OU engineering]

CN=username,OU=engineering,DC=companyname, DC=netapp, DC=com [to get only specific user with <username> from OU <engineering>]

CN=Acrobat Users,CN=Users,DC=hq,DC=companyname,DC=com,O= companyname,L=Boston,S=MA,C=US [to get all Acrobat Users within the Users in that organization]

Trusted Active Directory domains are also supported.

Bind DN

User permitted to search the directory. For example: username@companyname.com or username@domainname.com
In addition, Domain Read Only permission is required.
User must be a member of the Security group Read-only Domain Controllers.

BIND password

Directory server password (i.e. password for username used in Bind DN)

Protocol

ldap, ldaps, ldap-start-tls

Ports

Select port

Enter the following Directory Server required attributes if the default attribute names have been modified in Active Directory. Most often these attributes names are not modified in Active Directory, in which case you can simply proceed with the default attribute name.

Attributes

Attribute name in Directory Server

Display Name

name

SID

objectsid

User Name

sAMAccountName

Click Include Optional Attributes to add any of the following attributes:

Attributes

Attribute Name in Directory Server

Email Address

mail

Telephone Number

telephonenumber

Role

title

Country

co

State

state

Department

department

Photo

thumbnailphoto

ManagerDN

manager

Groups

memberOf

Testing Your User Directory Collector Configuration

You can validate LDAP User Permissions and Attribute Definitions using the following procedures:

  • Use the following command to validate Workload Security LDAP user permission:

    ldapsearch -o ldif-wrap=no -LLL -x -b "dc=netapp,dc=com" -h 10.235.40.29 -p 389 -D Administrator@netapp.com -W

  • Use AD Explorer to navigate an AD database, view object properties and attributes, view permissions, view an object's schema, execute sophisticated searches that you can save and re-execute.

    • Install AD Explorer on any windows machine which can connect to the AD Server.

    • Connect to the AD server using the username/password of the AD directory server.

AD Connection

Troubleshooting User Directory Collector Configuration Errors

The following table describes known problems and resolutions that can occur during collector configuration:

Problem: Resolution:

Adding a User Directory connector results in the ‘Error’ state. Error says, “Invalid credentials provided for LDAP server”.

Incorrect username or password provided. Edit and provide the correct user name and password.

Adding a User Directory connector results in the ‘Error’ state. Error says, “Failed to get the object corresponding to DN=DC=hq,DC=domainname,DC=com provided as forest name.”

Incorrect forest name provided. Edit and provide the correct forest name.

The optional attributes of domain user are not appearing in the Workload Security User Profile page.

This is likely due to a mismatch between the names of optional attributes added in CloudSecure and the actual attribute names in Active Directory. Edit and provide the correct optional attribute name(s).

Data collector in error state with "Failed to retrieve LDAP users. Reason for failure: Cannot connect on the server, the connection is null"

Restart the collector by clicking on the Restart button.

Adding a User Directory connector results in the ‘Error’ state.

Ensure you have provided valid values for the required fields (Server, forest-name, bind-DN, bind-Password).
Ensure bind-DN input is always provided as ‘Administrator@<domain_forest_name>’ or as a user account with domain admin privileges.

Adding a User Directory connector results in the ‘RETRYING’ state. Shows error “Unable to define state of the collector,reason Tcp command [Connect(localhost:35012,None,List(),Some(,seconds),true)] failed because of java.net.ConnectionException:Connection refused.”

Incorrect IP or FQDN provided for the AD Server. Edit and provide the correct IP address or FQDN.

Adding a User Directory connector results in the ‘Error’ state. Error says, “Failed to establish LDAP connection”.

Incorrect IP or FQDN provided for the AD Server. Edit and provide the correct IP address or FQDN.

Adding a User Directory connector results in the ‘Error’ state. Error says, “Failed to load the settings. Reason: Datasource configuration has an error. Specific reason: /connector/conf/application.conf: 70: ldap.ldap-port has type STRING rather than NUMBER”

Incorrect value for Port provided. Try using the default port values or the correct port number for the AD server.

I started with the mandatory attributes, and it worked. After adding the optional ones, the optional attributes data is not getting fetched from AD.

This is likely due to a mismatch between the optional attributes added in CloudSecure and the actual attribute names in Active Directory. Edit and provide the correct mandatory or optional attribute name.

After restarting the collector, when will the AD sync happen?

AD sync will happen immediately after the collector restarts. It will take approximately 15 minutes to fetch user data of approximately 300K users, and is refreshed every 12 hours automatically.

User Data is synced from AD to CloudSecure. When will the data be deleted?

User data is retained for 13months in case of no refresh. If the tenant is deleted then the data will be deleted.

User Directory connector results in the ‘Error’ state. "Connector is in error state. Service name: usersLdap. Reason for failure: Failed to retrieve LDAP users. Reason for failure: 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839"

Incorrect forest name provided. See above on how to provide the correct forest name.

Telephone number is not getting populated in the user profile page.

This is most likely due to an attribute mapping problem with the Active Directory.

1. Edit the particular Active Directory collector which is fetching the user’s information from Active Directory.
2. Notice under optional attributes, there is a field name “Telephone Number” mapped to Active Directory attribute ‘telephonenumber’.
4. Now, please use the Active Directory Explorer tool as described above to browse the Active Directory and see the correct attribute name.
3. Make sure that in Active Directory there is an attribute named ‘telephonenumber’ which has indeed the telephone number of the user.
5. Let us say in Active Directory it has been modified to ‘phonenumber’.
6. Then Edit the CloudSecure User Directory collector. In optional attribute section, replace ‘telephonenumber’ with ‘phonenumber’.
7. Save the Active Directory collector, the collector will restart and get the telephone number of the user and display the same in the user profile page.

If encryption certificate (SSL) is enabled on the Active Directory (AD) Server, the Workload Security User Directory Collector can not connect to the AD Server.

Disable AD Server encryption before Configuring a User Directory Collector.
Once the user detail is fetched it will be there for 13 months.
If the AD server gets disconnected after fetching the user details, the newly added users in AD won’t get fetched. To fetch again, the user directory collector needs to be connected to AD.

Data from Active Directory is present in CloudInsights Security.
Want to delete all the user information from CloudInsights.

It is not possible to ONLY delete Active Directory user information from CloudInsights Security. In order to delete the user, the complete tenant needs to be deleted.