Edit on GitHub

Active Directory integration issues

1. Overview

If you cannot log into Console with an Active Directory user, the following methods can help debug your setup.

2. Verify connectivity to Active Directory

Verify that you can query Active Directory from the host where Console is installed.

  1. Install ldap-utils.

    On Debian and derivative distros, including Ubuntu:

    $ sudo apt-get install ldap-utils

    On Red Hat and derivative distros, including Fedora:

    $ sudo yum install openldap-clients

  2. Query Active Directory for users.

    Example query: The following command connects to an AD server at ldapserver.example.com as twistlock_server@example.com, prompts for the password on the command line, and shows the name for users in the cn=users,dc=example,dc=com subtree.

    $ ldapsearch \
  -x -h ldapserver.example.com \
  -D "twistlock_service@example.com" \
  -W \
  -b "cn=users,dc=example,dc=com" \
  -s sub "(cn=*)" cn mail sn

Check the Console container logs for clues:

  1. Get the container ID for Console:

    $ sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
CONTAINER ID        STATUS              NAMES
530b404fb647        Up 3 hours          twistlock_console
521c6469d644        Up 3 hours          twistlock_db
a47f6a388837        Up 5 hours          twistlock_defender

  2. Get the Console container logs:

    $ sudo docker logs 530b404fb647
2015-12-07T02:18:13.244Z - error: Failed binding for user admin
InvalidCredentialsError: 80090308: LdapErr: DSID-0C0903CF, comment:
AcceptSecurityContext error, data 52e, v2580
.
.
.