Integrating Windows Active Directory with cnMaestro

Overview:

This document provides information about configuring Active Directory settings on the Windows platform for cnMaestro user authentication.

Pre-requisites:

Windows Server 2012R2 with Active Directory installed.

Configuration: The steps below configure cnMaestro for administration account authentication using Active Directory as the primary authenticator (the local user database will become secondary).

Step 1: Adding a new Organisational unit

  1. Navigate to Administrative Tools > Active Directory Users and Computers.
  2. Right click on the domain and create a new Organisational unit.

Step 2: Adding groups under Organisational unit

  1. Select the Organisational unit.
  2. Right click and select Group.
  3. Add a group name and keep the default settings.

Note: Create four groups, one for each role (super-admin, admin, operator, and monitor). Group names should be unique and use only allowable characters.

Step 3: Adding Users under Organisational unit.

  1. Select the Organisational Unit.
  2. Right click and create new user.
  3. Fill in the user details, click Next and create a password.
  4. Finally, submit to create the user.


Note: Create multiple users with unique names.

Step 4: Mapping the users with groups

  1. Right click on the user and select Properties.
  2. Select Member Of and click the Add option.
  3. The Select Groups option will pop up.
  4. Type the name of the group to which the user should be mapped and click OK.
  5. Map all the users to the required groups.

Note: Users should be uniquely mapped to groups; one user cannot exist in multiple groups.

Step 5: cnMaestro Configuration

  1. Navigate to Administration > Users and click on Authentication > External > Add New in the cnMaestro On-Premises UI to create the Active Directory entry.

  2. Configure the Authentication Server Name, select Active Directory as the Authentication Server Type, and enter the Active Directory Server IP address and Base DN values.

    Note: If SSL/TLS Security is enabled, upload a root certificate of the Active Directory server and provide the Hostname under the IP Address/Hostname column instead of the IP Address.

  3. Under Role Mappings, enter the group names that were created previously in the Active Directory server, as required.

    For example: if a group named “super_user_auto” is created in the Active Directory server, enter the same group name in the Super Administrator field. Fill in the other group names under the remaining fields.

  4. The users under these groups will be differentiated based upon the Role Mappings.
  5. Click on the Add button to add the Active Directory Server.

Navigate to Administration > Users and click on Authentication > External and set the Authentication Priority to Primary for the Active Directory server created.

The Secondary Authentication will be automatically set to Local Users, which means that if the Active Directory server is not reachable, the UI can be accessed using the Local Users database (so it is important to change the default password). If you are unable to log into the UI, you can create a One-Time password in the CLI in order to resolve the issue (see the User Guide for details on Application Account Recovery).

Note: Use the complete user name, including the domain name, to log in to cnMaestro, as cnMaestro will not do Bind DN to user name.

14 Likes
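Steps 1 to 4 of the article can also be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the original article or of cnMaestro's documentation: it creates the OU, the four role groups and one user, then audits the Step 4 rule that no user may be in more than one role group. The OU, group and account names are hypothetical.

```powershell
# Added example: Steps 1-4 scripted, plus an audit of the one-group-per-user rule.
# The OU, group and account names are hypothetical.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$ouName = 'cnMaestroAdmins'
$ouDn   = "OU=$ouName,$($domain.DistinguishedName)"
$roleGroups = [ordered]@{            # role -> AD group name entered under Role Mappings
    'super-admin' = 'cnm_super_admin'
    'admin'       = 'cnm_admin'
    'operator'    = 'cnm_operator'
    'monitor'     = 'cnm_monitor'
}

# Step 1: organisational unit directly under the domain
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domain.DistinguishedName -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# Step 2: one group per role, with the GUI defaults (Global scope, Security type)
foreach ($group in $roleGroups.Values) {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

# Steps 3-4: create a user (password prompted, not stored) and map it to one role group
$sam = 'cnm_operator1'
if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
    $password = Read-Host "Password for $sam" -AsSecureString
    New-ADUser -Name $sam -SamAccountName $sam -UserPrincipalName "${sam}@$($domain.DNSRoot)" `
        -Path $ouDn -AccountPassword $password -Enabled $true
    Add-ADGroupMember -Identity $roleGroups['operator'] -Members $sam
}

# Audit: list direct user members of each role group and flag anyone in more than one
$memberships = foreach ($role in $roleGroups.Keys) {
    Get-ADGroupMember -Identity $roleGroups[$role] |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object SamAccountName, @{ Name = 'Role'; Expression = { $role } }
}
$conflicts = $memberships | Group-Object SamAccountName |
    Where-Object { @($_.Group.Role | Select-Object -Unique).Count -gt 1 }
foreach ($c in $conflicts) {
    Write-Warning ("{0} is in several role groups: {1}" -f $c.Name, ($c.Group.Role -join ', '))
}
if (-not $conflicts) { 'Every user maps to exactly one role group.' }
```

The audit checks direct group members only, since the article does not say how cnMaestro treats nested groups. Re-run it whenever group membership changes.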

Excellent step-by-step!

1 Like

Would someone be able to explain what goes into the Account to Verify field when testing? The user documentation is lacking in this regard.

Hi rnelson,

Greetings for the Day.

The Account to verify field is used to know the role of the account or user id which is configured under the user accounts in Active Directory. If you provide the user id including the domain name, cnMaestro responds with the Role being configured for the User Id.

Thanks,
Raghavendra

Hi Raghavendra,

Followed the directions in this guide and are having trouble verifying the user. We created a group in Active Directory, assigned users to the Active Directory group, and then mapped the group to the role in cnMaestro, and now want to verify the connection. Is the Test Account tool able to verify this scenario? If so, what do we enter? For example, if the group in Active Directory is named cnmaestro_group, and we have a user assigned to that group named cnmaestro_user, what would we enter into the Test Account tool to verify?

Thanks,
Rachael

Hey Rachael,

The Test Account tool is an additional tool provided to test the Role mapped to the user account which is used to log in to cnMaestro. This tool has three fields: 1. user id along with domain, e.g. adc@xyz.com; 2. password; 3. account to verify, which is another user Id for which we need to know the role. In your case cnmaestro_user needs to be entered in Account to verify so that it will return the Role of that user.
As you have mentioned, the group in Active Directory is named cnmaestro_group; you should configure the same group name under one of the Roles in the cnMaestro AD configuration, so that all user accounts/ids under that group will have a common Role.

Regards,
Raghavendra

These are the old version guidelines; could you please provide the version 5 guidelines?

Hi @Md_Anwar_Hossain ,

This KB article is updated now. Please check it.