Active Directory integration issues
1. Overview
If you cannot log into Console with an Active Directory user, the following methods can help debug your setup.
2. Verify connectivity to Active Directory
Verify that you can query Active Directory from the host where Console is installed.
-
Install ldap-utils.
On Debian and derivative distros, including Ubuntu:
$ sudo apt-get install ldap-utils
On Red Hat and derivative distros, including Fedora:
$ sudo yum install openldap-clients
-
Query Active Directory for users.
Example query: The following command connects to an AD server at ldapserver.example.com as twistlock_server@example.com, prompts for the password on the command line, and shows the name for users in the cn=users,dc=example,dc=com subtree.
$ ldapsearch \ -x -h ldapserver.example.com \ -D "twistlock_service@example.com" \ -W \ -b "cn=users,dc=example,dc=com" \ -s sub "(cn=*)" cn mail sn
3. Print Console logs
Check the Console container logs for clues:
-
Get the container ID for Console:
$ sudo docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}" CONTAINER ID STATUS NAMES 530b404fb647 Up 3 hours twistlock_console 521c6469d644 Up 3 hours twistlock_db a47f6a388837 Up 5 hours twistlock_defender
-
Get the Console container logs:
$ sudo docker logs 530b404fb647 2015-12-07T02:18:13.244Z - error: Failed binding for user admin InvalidCredentialsError: 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580 . . .