
Isilon InsightIQ and OpenDJ LDAP integration

LDAP integration has been configured on Isilon InsightIQ v. 4.1.1.3 and LDAP groups assigned to the appropriate InsightIQ roles (admin or read-only). N.B. Nested LDAP groups are NOT supported: nested LDAP groups do NOT inherit permissions.

When we tried to login, we received the following error message:

You are not a member of a privileged LDAP group in InsightIQ. Please contact your administrator to receive login access.

We were absolutely confident there was nothing wrong with the LDAP server or the group membership. We had run into other issues with the OpenDJ LDAP implementation in the past, so we knew we needed to dig deeper.

There are many LDAP implementations, and some Directory Service attributes differ from the standard. In this particular case we had to work with OpenDJ 2.6.3 where, for example, the ‘Member Of’ attribute is called ‘isMemberOf’ instead of the standard ‘memberOf’.

The Isilon InsightIQ interface does not allow you to change the Advanced LDAP Settings the way Isilon OneFS does, so it is not possible to amend the ‘Member Of’ attribute through the InsightIQ GUI; you need to edit the configuration files instead:

  1. Login to the console or SSH to the InsightIQ appliance as administrator;
  2. Navigate to /usr/share/isilon/lib/python2.7/site-packages/insightiq/controllers/;
  3. Edit security.py as the following:
    1. FROM:
      # Group roles list is sorted by role with admin groups first
      for group in self.ldap_service.fetch_group_roles():
          # Search for membership of specified user in privileged group
          # This should cover all RFC 2307 compliant AD servers
          search_str = self.ldap_service.filter_format(
                '(&(objectClass=%s)(memberOf=%s)(uid=%s))',
                [user_object_class, group['dn'], username])
          conn.search(search_dn, search_str)
    2. TO:
      # Group roles list is sorted by role with admin groups first
      for group in self.ldap_service.fetch_group_roles():
          # Search for membership of specified user in privileged group
          # This should cover all RFC 2307 compliant AD servers
          search_str = self.ldap_service.filter_format(
                '(&(objectClass=%s)(isMemberOf=%s)(uid=%s))',
                [user_object_class, group['dn'], username])
          conn.search(search_dn, search_str)
  4. Save the file;
  5. Restart InsightIQ.
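To make the attribute mismatch concrete, here is an added example (not InsightIQ's code): it builds the same membership filter as security.py with the membership attribute as a parameter, escapes the values the way filter_format is meant to, and evaluates the filter against two constructed directory entries, one in OpenDJ's shape (isMemberOf) and one in the AD shape (memberOf). The entries, group DN and usernames are assumptions, not real data.

```python
import re

def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515 section 3 so that
    special characters in a DN or username cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value (\\XX hex escapes back to characters)."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def build_membership_filter(user_object_class, group_dn, username, member_attr='memberOf'):
    """Same shape as the filter_format call in security.py, with the
    membership attribute as a parameter ('isMemberOf' for OpenDJ)."""
    return '(&(objectClass=%s)(%s=%s)(uid=%s))' % (
        escape_filter_value(user_object_class), member_attr,
        escape_filter_value(group_dn), escape_filter_value(username))

_TERM = re.compile(r'\(([A-Za-z][\w-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)')

def entry_matches(entry, filter_str):
    """Evaluate a flat AND-of-equalities filter (all this filter needs)
    against one entry given as {attribute: [values]}."""
    assert filter_str.startswith('(&') and filter_str.endswith(')')
    terms = _TERM.findall(filter_str[2:-1])
    for attr, raw in terms:
        wanted = unescape_filter_value(raw)
        # LDAP attribute names are case-insensitive; values are multi-valued
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        if wanted not in values:
            return False
    return bool(terms)

def find_privileged_user(entries, user_object_class, group_dn, username, member_attr):
    """Return the first entry the membership filter accepts, or None. None is
    the case behind the 'not a member of a privileged LDAP group' error."""
    f = build_membership_filter(user_object_class, group_dn, username, member_attr)
    return next((e for e in entries if entry_matches(e, f)), None)

# Constructed sample entries (assumptions): one as OpenDJ returns it
# (isMemberOf), one as an AD-style server returns it (memberOf).
ADMIN_GROUP = 'cn=iiq-admins,ou=groups,dc=example,dc=com'
SAMPLE_ENTRIES = [
    {'objectClass': ['inetOrgPerson'], 'uid': ['alice'], 'isMemberOf': [ADMIN_GROUP]},
    {'objectClass': ['user'], 'uid': ['bob'], 'memberOf': [ADMIN_GROUP]},
]

if __name__ == '__main__':
    for attr in ('memberOf', 'isMemberOf'):
        hit = find_privileged_user(SAMPLE_ENTRIES, 'inetOrgPerson', ADMIN_GROUP, 'alice', attr)
        print('%-10s -> %s' % (attr, 'login allowed' if hit else 'not a member of a privileged group'))
```

Run as-is, the OpenDJ user is rejected with the stock memberOf filter and accepted once the attribute is isMemberOf, which is exactly the behaviour the edit to security.py changes.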

Hope this will help.
