Setting up Active Directory Service on Windows 2016 Server and Configuring with PowerVC

By SUJEET PAI posted Fri February 21, 2020 03:57 PM

  

This blog describes how to set up Active Directory Domain Services on Windows 2016 Server and configure PowerVC to use it. PowerVC supports two identity providers:
  1. Local OS registry
  2. LDAP registry

By default, PowerVC uses the OS registry for authentication. To use LDAP server authentication with PowerVC, use the powervc-config command. In this blog, we show how to use Microsoft Active Directory Server (ADS) as the LDAP server. The links in the references section point to more resources on PowerVC and LDAP configuration.

Towards the end of this blog, we have also provided some troubleshooting tips in case you come across issues during the configuration process.

Steps to Install ADS on Windows 2016 server




  1. From the Windows Start menu, search for and start 'Server Manager'.

  2. From the Dashboard, select Add Roles and Features.

  3. Click Next on the subsequent screen.

  4. Select Role-based or feature-based installation.

  5. Select a destination server and click Next.

  6. Select the Active Directory Domain Services and DNS Server checkboxes, and click Next.

  7. Select the AD DS and AD LDS Tools and DNS Server Tools checkboxes, and then click Next.

  8. In the confirmation window, verify all details, and then click Install.

  9. After installation is complete, click the Promote this server to a domain controller link.

  10. Select the Add a new forest option and enter the domain name (for example, adspower). Click Next.

  11. Enter the password details.

  12. On the 'DNS Options' window, click Next.
    a. Click Next on the 'Additional Options' page.
    b. Click Next on the 'Paths' page.
    c. Click Next on the 'Review Options' screen, and then click Install on the 'Prerequisites Check' page. After successful installation, the server restarts.
    d. Verify that Active Directory is set up.

  13. Open Server Manager and select Tools -> Active Directory Users and Computers.

  14. You should see the new server displayed.

  15. Run Active Directory Administrative Center (the dsac command from the Windows search) to create an organizational unit and users.

  16. Verify the LDAP connection using a tool such as ldp (on Windows) or ldapsearch:
    ldapsearch -H ldap://
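The steps above can also be run from an elevated PowerShell session on the server. The following script is an added example (not code from the original post or from IBM): it installs the roles from steps 6-8, promotes the server into a new forest (steps 9-12), and after the reboot creates the organizational unit, a group and a user from step 15, then checks step 16 with the same LDAP filter that PowerVC uses when it looks a user up. The domain name adspowervc.internal, the OU ads_pvc_ou1 and the user ads_admin1 are taken from the error messages later in this post; the group name pvc_admins is an assumption of this example.

```powershell
# Added example: scripted equivalent of steps 1-16. Run elevated on the Windows 2016 server.
# Assumed names: domain adspowervc.internal, OU ads_pvc_ou1, user ads_admin1 (from this post),
# group pvc_admins (made up for this example).

# --- Steps 6-8: install AD DS and DNS roles together with their management tools ---
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# --- Steps 9-12: promote the server into a new forest (the server reboots when done) ---
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString
Install-ADDSForest -DomainName 'adspowervc.internal' -DomainNetbiosName 'ADSPOWERVC' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force

# ===== after the reboot, continue from here (steps 13-16) =====
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName      # DC=adspowervc,DC=internal
$ouDn     = "OU=ads_pvc_ou1,$domainDn"

# Step 15: organizational unit, a group that PowerVC will be told about, and a user in it
New-ADOrganizationalUnit -Name 'ads_pvc_ou1' -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name 'pvc_admins' -GroupScope Global -GroupCategory Security -Path $ouDn
$pw = Read-Host -Prompt 'Password for ads_admin1' -AsSecureString
New-ADUser -Name 'ads_admin1' -SamAccountName 'ads_admin1' `
    -UserPrincipalName 'ads_admin1@adspowervc.internal' `
    -Path $ouDn -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity 'pvc_admins' -Members 'ads_admin1'

# Step 16: look the user up with the filter PowerVC itself sends, scoped to the user tree
$found = Get-ADUser -LDAPFilter '(&(objectClass=User)(cn=ads_admin1))' -SearchBase $ouDn
if ($null -eq $found) { throw "ads_admin1 is not visible under $ouDn" }
"User DN : $($found.DistinguishedName)"
"Groups  : $((Get-ADPrincipalGroupMembership 'ads_admin1').Name -join ', ')"

# Confirm the LDAP listener answers on 389, which is what ldp and ldapsearch exercise
Test-NetConnection -ComputerName localhost -Port 389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Group membership is checked on purpose: as the next section explains, PowerVC grants access by group, so a user that is not in a group PowerVC recognizes will authenticate against AD but still not get in.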


Configure LDAP Server with PowerVC



Once the connection is successful, you are ready to configure ADS with PowerVC using the powervc-config command.

PowerVC does not install an LDAP server. The server must be available and loaded with groups and users before PowerVC can be configured to use it.

Groups and users in the LDAP server are not copied to PowerVC. PowerVC passes the credentials it is given to the LDAP server for authentication.

PowerVC does not support creating or deleting users or groups in the LDAP server. It uses LDAP only to validate credentials. The LDAP configuration of PowerVC does not need to be repeated every time a new user is added to the LDAP server: authentication works as soon as a user is added to one of the groups that PowerVC already recognizes.

A valid LDAP user cannot log in to PowerVC until a PowerVC role is assigned to it. For more details on the roles available in PowerVC, see Managing roles.
On successful configuration, the powervc-config command produces output similar to the following. (This example uses anonymous and insecure communication from PowerVC to the LDAP server; in production environments, authenticated and secure communication is strongly recommended.)
___________________________________________________________________________

# powervc-config identity repository -t ldap --anon --insecure -u admin2
LDAP user/group information will be stored in PowerVC database.
Do you want to proceed? [y/n] y

Configuring PowerVC for LDAP.

URL [ldap://

_________________________________________________________________________________

Troubleshooting



1. Bind error


Unexpected Error querying user (&(objectClass=User)(cn=ads_admin1)): {'info': u'000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839', 'desc': u'Operations error'}



To resolve this, update the dsHeuristics parameter value by performing the steps below:
  1. Start the ADSI Edit program Adsiedit.msc.


  2. On the 'Action' menu, click Connect To.


  3. In the 'Connection name' field, specify the label under which this connection appears in the console tree of ADSI Edit. For this connection, type: Configuration.

  4. Under 'Connection Point', select Select a well known Naming Context and choose Configuration from the list.

  5. Under Computer, enter the server name and port for the AD LDS instance in the 'Select or type a domain or server' section. If the AD LDS instance is on the local system, you can use localhost as the server name.

  6. Click OK. The label Configuration now appears in the console tree.


  7. Expand the 'Configuration' sub-tree by double-clicking Configuration.


  8. Double-click CN=Configuration, CN=GUID, where GUID was generated when the configuration of the AD LDS instance was performed.


  9. Double-click the CN=Services folder to expand it, and then double-click CN=Windows NT.


  10. Highlight and right-click CN=Directory Service and click Properties.


  11. Click dsHeuristics.


  12. Click Edit.


  13. Edit the value: change the seventh character (counting from the left) to 2. The value should then look similar to 0000002001001 in the 'String Attribute Editor'.


  14. Click OK.
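The same change made from PowerShell, as an added example that is not part of the original post: it derives the Directory Service object's path from the forest's configuration naming context (so the GUID from step 8 does not have to be read off the console), sets the seventh character of dsHeuristics to 2, and reads the attribute back. This is the setting that lets the directory answer unauthenticated LDAP operations forest-wide, which is why the post recommends authenticated and secure communication in production; run it as an Enterprise Admin on a domain controller.

```powershell
# Added example: command-line equivalent of the ADSI Edit steps above.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

function Set-SeventhHeuristic {
    # dsHeuristics is a positional string; pad with zeros up to position 7 if it is shorter,
    # then put '2' at the seventh position (index 6). Longer values are left untouched elsewhere.
    param([string]$Current)
    $chars = $Current.PadRight(7, '0').ToCharArray()
    $chars[6] = '2'
    return -join $chars
}

$before = [string](Get-ADObject -Identity $dsObject -Properties dsHeuristics).dsHeuristics
"dsHeuristics before: '$before'"

$after = Set-SeventhHeuristic -Current $before
if ($after -ne $before) {
    Set-ADObject -Identity $dsObject -Replace @{ dsHeuristics = $after }
}

# Read back and verify, instead of trusting the write
$check = [string](Get-ADObject -Identity $dsObject -Properties dsHeuristics).dsHeuristics
"dsHeuristics after : '$check'"
if ($check.Length -lt 7 -or $check[6] -ne '2') {
    throw 'Seventh character of dsHeuristics is not 2; anonymous LDAP operations are still blocked'
}
```

If the attribute was never set, the result is 0000002; an existing value such as 0000000001001 becomes 0000002001001, matching the value shown in step 13. Because the change is forest-wide, it is worth recording the previous value so it can be restored once a bind account is in place.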


2. User tree not found error


Error: User Tree DN "ou=ads_pvc_ou1,dc=adspowervc,dc=internal" was not found.

  • Navigate to the 'Extensions' window and select ANONYMOUS LOGON.

__________________________________________________________________________________

# powervc-config identity repository -t ldap --anon --insecure -u ads_admin1
LDAP user/group information will be stored in PowerVC database.
Do you want to proceed? [y/n] y

Configuring PowerVC for LDAP.

URL [ldap://

__________________________________________________________________________________
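The following is an added example, not part of the original post, of performing the step above from the command line. It assumes that the 'Extensions' step corresponds to opening the OU's properties in Active Directory Administrative Center, going to Extensions > Security, and adding ANONYMOUS LOGON with read access; it grants that permission with dsacls, verifies the ACE through the AD: drive, and then runs the user lookup as an unauthenticated client, which is what PowerVC does when configured with --anon. The user tree DN is the one from the error message; this grant exposes only that OU, not the whole directory, to anonymous reads, and the post's advice to use an authenticated bind in production still applies.

```powershell
# Added example: grant ANONYMOUS LOGON read access on the PowerVC user tree and verify it.
Import-Module ActiveDirectory
$userTree = 'OU=ads_pvc_ou1,DC=adspowervc,DC=internal'   # from the error message in this post

# Generic read (GR) for ANONYMOUS LOGON on the OU and everything beneath it (/I:T)
dsacls $userTree /I:T /G 'NT AUTHORITY\ANONYMOUS LOGON:GR'
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Verify the ACE is really present on the OU
$acl  = Get-Acl -Path "AD:\$userTree"
$anon = $acl.Access | Where-Object {
    $_.IdentityReference -like '*ANONYMOUS LOGON*' -and $_.AccessControlType -eq 'Allow'
}
if (-not $anon) { throw 'No Allow ACE for ANONYMOUS LOGON on the user tree' }
$anon | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# Repeat PowerVC's own lookup as an anonymous LDAP client (requires the dsHeuristics fix above)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection('localhost:389')
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
$conn.Bind()

$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $userTree
$req.Filter = '(&(objectClass=User)(cn=ads_admin1))'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$resp = $conn.SendRequest($req)

"Anonymous search under $userTree returned $($resp.Entries.Count) entry(ies)"
if ($resp.Entries.Count -ne 1) { throw 'Anonymous client cannot see ads_admin1; PowerVC --anon will fail the same way' }
```

If the dsacls grant succeeds but the anonymous search still returns nothing, the bind error from item 1 is the usual cause: the directory is refusing anonymous operations before the OU permissions are even consulted.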


References

[1] https://www.ibm.com/support/knowledgecenter/en/SSXK2N_1.4.4/com.ibm.powervc.standard.help.doc/powervc_ldap_hmc.html
[2] https://developer.ibm.com/powervc/2018/10/24/examples-running-powervc-ldap-configuration/
[3] https://developer.ibm.com/powervc/2018/07/11/ibm-powervc-ldap-configuration-faqs/
[4] https://www.youtube.com/watch?v=pXQyhbIZZ4M



Blog Author:
Sujeet Pai (mailto:psujeet@in.ibm.com)