By: John Norton user 08 Jul 2016 at 2:46 p.m. CDT

6 Responses
There does not appear to be a place where the configuration of Gluu with an Active Directory integration is clearly laid out. The videos refer to it, but you don't see the configuration all in one place. This is a configuration that does the following: A Gluu server is installed on the same network as the Domain Controller. Gluu Cache Refresh is configured to import users from AD. Then Gluu is configured to authenticate against AD. This is the same thing that occurs in the videos for configuring Cache Refresh.

First, start in the Customer Backend Key/Attributes tab for CR. For the key attribute put sAMAccountName. Add the source attributes cn and sn. (These appear to be the minimum necessary to make this work - with only cn, the log was showing an LDAP mapping error.)

![Backend Key Entries](http://i.imgur.com/QX353zQ.png "Customer Backend Key-Attributes")

Next, configure the Source Backend LDAP Servers. For AD, the port is 389, and you will have to navigate and translate your AD tree to get the values for your bind DN user (this user is in the top level Users container in AD) and your base DN - but likely it is CN=domainame,CN=com. Make sure there are no spaces between the comma and the entry - that seems to be a problem.

![Source Backend LDAP Servers](http://i.imgur.com/YzpNyh0.png "Source Backend LDAP Servers")

Then go to the Cache Refresh tab and add the source attribute mappings and your server IP (this is your Gluu server IP).

![Cache Refresh](http://i.imgur.com/N5pBVze.png "Cache Refresh")

It will take a bit to import from AD, but you want to see something in the Last Run and other entries - more than 0 on the Updates on the first run. Once you have the users imported, you can change your authentication for Gluu to use the AD server rather than the Gluu LDAP. In the video this is done and the admin user can no longer log in - and an external LDAP user (and in this case, an AD user) can log in.

**NOTE:** The presenter stays logged in with admin and tests with a new browser - this is important!!! If you somehow have AD not quite right, you won't be able to get back in. As long as you stay logged in with admin you can continue to admin. Another good idea would be to make the user that you log in with a member of the Gluu Manager Group - that way you can still admin it when you log in!

So, that being said, go to Manage Authentication and change the LDAP configuration. It should look very much like the configuration for the Backend Server.

![Manage Authentication](http://i.imgur.com/yZY1bDO.png "Manage Authentication")

This configuration works - it imports from AD, and then you can authenticate when logging into Gluu with your AD user. I tested changing passwords and adding new users in AD. I did note some "fiddliness" - not sure if it was user error or if some things just took a little while to work. Sometimes I would set up a configuration and update, it would error in the log, then I would change it back, then re-set it up, and then it would work.
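
The pitfalls named in the post above (missing `sn`, a space next to a comma in a DN, and a Manage Authentication entry that does not match the backend) can be checked before authentication is switched to AD. This is an added example, not part of the original post and not Gluu's own code; the dictionary field names are hypothetical and the sample values are constructed.

```python
import re

# All field names below are hypothetical; they mirror the settings named in
# the post, not the keys of any real Gluu configuration file.
REQUIRED_SOURCE_ATTRS = {"cn", "sn"}           # minimum set reported in the post
SPACE_BY_COMMA = re.compile(r"\s+,|,\s+")      # "CN=Users, DC=..." style slip
SHARED_FIELDS = ("server", "port", "bind_dn", "base_dn")


def lint_backend(cfg):
    """Return (level, message) findings for the Cache Refresh source backend."""
    findings = []
    if not cfg.get("key_attribute"):
        findings.append(("error", "key attribute is empty"))
    have = {a.lower() for a in cfg.get("source_attributes", [])}
    missing = sorted(REQUIRED_SOURCE_ATTRS - have)
    if missing:
        findings.append(("error", "source attributes missing: " + ", ".join(missing)))
    for field in ("bind_dn", "base_dn"):
        dn = cfg.get(field, "")
        if not dn:
            findings.append(("error", field + " is empty"))
        elif SPACE_BY_COMMA.search(dn):
            findings.append(("error", field + " has a space next to a comma"))
    if cfg.get("port") == 389:
        findings.append(("warning", "port 389 is plain LDAP; confirm the bind "
                         "is protected (LDAPS normally listens on 636)"))
    return findings


def auth_mismatches(backend, auth):
    """List the fields where Manage Authentication differs from the backend."""
    return [f for f in SHARED_FIELDS if backend.get(f) != auth.get(f)]


# Constructed sample values, not taken from the post or its screenshots.
BACKEND = {
    "key_attribute": "sAMAccountName",
    "source_attributes": ["cn"],
    "server": "dc01.example.test",
    "port": 389,
    "bind_dn": "CN=svc-gluu,CN=Users, DC=example,DC=test",
    "base_dn": "DC=example,DC=test",
}
AUTH = dict(BACKEND, bind_dn="CN=svc-gluu,CN=Users,DC=example,DC=test")

if __name__ == "__main__":
    for level, message in lint_backend(BACKEND):
        print(level + ": " + message)
    print("auth differs from backend in:", auth_mismatches(BACKEND, AUTH))
```
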

By Aliaksandr Samuseu staff 08 Jul 2016 at 4:20 p.m. CDT

Hi, John. Is it supposed to be a guide, or an issue? :) Zico's videos don't bother with AD specifically since, as far as CR/oxAuth cares, AD is in no way more special than other directories. You provide ports to connect, binding credentials, DNs to search for users beneath, and the key attribute you will use (which is supposed to be unique amongst all entries you'll be pulling in). But actually there is a guide specifically for AD, written by me long ago. I've seen somebody provide a link to a PDF of it before, though I'm not sure whether there is a link to it in the docs. Why do you think we need a guide just for AD? Have you encountered any difficulties while configuring it which you haven't with other LDAP directories?

By John Norton user 09 Jul 2016 at 3:17 p.m. CDT

A guide, not an issue. I was going to enter an issue but then I got it working :) I am working on integrating some different pieces of my environment and using Gluu as the hub for SSO, and looking to use my AD as the source of truth. Since I had some trial and error to get mine working, and it wasn't totally clear to _me_ how to configure it, I thought I would put all the parts together in one place.

By Thomas Maerz user 18 Jul 2016 at 1:55 p.m. CDT

This should be in the wiki.

By Loreto Puyod user 08 May 2019 at 2:45 a.m. CDT

Following what John Norton did for his AD and Gluu cache refresh config corrupted my Gluu server authentication. Admin cannot log in now. So be very careful. Now I'm reinstalling again from scratch, since backup and restore of the Gluu dir won't work at all.

`tar -xvf gluu301-backup.tar -C /opt/gluu-server-3.1.6/`

Do you have a copy of the PDF - AD and Gluu cache refresh config? Or does any Gluu wiki publish the AD and Gluu cache refresh config? Have you tested the Gluu backup command and tested the restore tar command?

Thanks,
Loreto

By Mohib Zico staff 08 May 2019 at 5:06 a.m. CDT

> Since backup and restore of the Gluu dir won't work at all. tar -xvf gluu301-backup.tar -C /opt/gluu-server-3.1.6/

It seems like you are trying to run a Gluu Server 3.0.1 as 'Gluu-Server-3.1.6', which will never work for sure. The same version of Gluu Server will work as a backup-restore tarball.

By Loreto Puyod user 08 May 2019 at 10:26 p.m. CDT

gluu301-backup.tar is just a filename of a TAR .. it's in your Docs https://gluu.org/docs/ce/operation/backup/ anyway .. Our topic is MS AD Cache Refresh Gluu config using SSO. Any link, guide or wiki?