Introduction Microsoft’s Active Directory often implemented at customer sites. Customers wish to re-use existing Active Directory users and groups within web applications, such as StreamStudio Collector, Reporter, Composer, and Correspondence Manager. Active Directory is Microsoft’s directory server, with interfaces for Microsoft-proprietary APIs, as well as LDAP v3. Acting as an LDAP server, Active Directory has a few peculiarities. The schemas used to define Users and Groups differ slightly. Objects within Active Directory are identified with multiple naming conventions to maintain backwards compatibility with older Windows networks, modern Windows networks, and LDAP. The commonly-used conventions for Windows login may not always work with pure LDAP queries. StreamStudio (via Service Gateway) makes standard LDAP calls to authenticate users, and map users/groups to internal StreamStudio roles. Note that StreamStudio (and Service Gateway) are intentionally designed to NOT write anything to a customer’s LDAP servers. Because StreamStudio uses standard LDAP calls, in order to integrate with Active Directory, objects must be specified using LDAP naming conventions--as opposed to Windows naming conventions. This phenomenon is not unique to StreamStudio, as most web applications require this as well. This document outlines procedures to determine the necessary LDAP settings in Active Directory. These instructions should work with most Active Directory configurations. This document does not cover integration of the core StreamServer with directory servers; for more information about that, refer to the documentation on scripting functions. Objective You want to fill in the Directory fields in Control Center’s Application Domain Editor. (Screenshot taken from SP3; the dialog box is nearly identical in SP4, so it was not updated.) The Application Domain Editor modifies the master territory.xml file, which defines connectivity parameters for Service Gateway and StreamStudio. In the Directory tab, un-check “Disable directory server settings,” and select the settings for an “Internal” user directory, and under “Vendor” select “Active Directory.” The following fields must be completed in order for StreamStudio to query AD users and groups 1. Hostname – This specifies an Active Directory domain controller 2. BaseDN – This specifies the branch of the LDAP tree from which StreamStudio will search for users and groups. 3. Service user/password – Active Directory requires authentication prior to running any queries or browsing the LDAP tree. The service user does not require any elevated permissions in the Active Directory. 4. StreamStudio Administrator – This user will be mapped to the “System Manager” role in StreamStudio. The StreamStudio Administrator can be the same as the service account, or could be any Windows Domain User. The StreamStudio Administrator user does not require any elevated permissions in the Active Directory. The following fields should be verified for better performance Hostname – This field was specified above. If there are multiple Active Directory controllers, ensure that the server specified here has a copy of the Global Catalog. BaseDN – This field was specified above. More specific RDNs will yield faster searches. Especially with Active Directory, specifying the RootDN of the Active Directory forest will result in extremely slow searches. Verify user attributes – Depending on the naming conventions used in the customer’s Active Directory, most of the time, only one attribute is really needed here. Translate name attributes – Depending on the naming conventions used in the customer’s Active Directory, most of the time, only one attribute is really needed here. Ideally, you should be using a Windows system which is a member of the target Active Directory domain, and logged in as a Domain User on that AD domain as well. You do not need to be a Domain Administrator, nor should you require direct access to a Domain Controller. If you do not have access to a Windows system on the Active Directory domain, and/or cannot log in as a Domain User, this will be more difficult. Ask somebody in the customer’s Windows/Network/Security group for assistance. The following diagram illustrates that StreamStudio connects to LDAP repositories through an instance of Service Gateway. If there are firewalls between Service Gateway and the target Active Directory server, make sure the appropriate TCP port (usually 389) is open. Tools The following tools are freely available, and do not require installation. Download them, and extract them to your workstation. Or run directly from a USB memory stick. ldapsearch.exe This is a command-line tool that comes with most LDAP servers, but not Active Directory It can be copied from most LDAP servers (e.g. Netscape/iPlanet/Sun/AOL/Fedora/Red Hat, Apache, CA, IBM, OctetString, OpenDS, OpenLDAP, Oracle, Siemens…) It can be downloaded from http://www.mozilla.org/directory/ For your convenience, it can also be found on Download Center LDAP Admin This is a Windows GUI tool, which can bind to most LDAP servers It can be downloaded from http://ldapadmin.sourceforge.net/ For your convenience, it can also be found on Download Center Basic Procedure Initially, we just want to establish a working connection to the customer’s Active Directory. We can—and should—look into optimizing these parameters later. 1. Identify an Active Directory Controller If you are running on a Windows system that is a member of the Active Directory Domain, and logged in as a Domain User, a. Open a Command Prompt b. Run the command ‘echo %LOGONSERVER%’ echo %LOGONSERVER% \\BOS3K01 c. The result of this command (minus the backslashes) is the unqualified hostname of an Active Directory controller There may be other AD controllers on the network, but this is the one you are logged into d. To get the server’s fully qualified DNS hostname and IP address, run ‘nslookup’ or ‘ping -a’ nslookup BOS3K01 Name: bos3k01.streamserve.com Address: 192.168.127.25 e. Enter the fully-qualified domain name (or IP address) into the “Host name” field If you are not running on a Windows system that is a member of the Active Directory Domain, or are not logged in as a Domain User, ask the customer’s Windows administrators for assistance. Or, try to guess it… Refer to the later section “Guessing the AD Controller” for hints. 2. Find the Active Directory Root DN Quite often, the Windows Domain Administrators will not remember the LDAP namespaces for their Active Directories. Fortunately, once an AD Controller has been identified, the LDAP namespaces are easy enough to obtain. All you need are some LDAP tools and a single query. You could also try and guess the Root DN. See the corresponding section for hints. Especially with Active Directory, the RootDN is not the optimal BaseDN for LDAP queries. It is the base of the entire directory structure. Choosing a more specific branch of the directory would yield faster queries. After the initial directory server configuration, back and re-examine this field: refer to the sections on BaseDN tuning and Browsing the Active Directory tree with LDAPadmin. a. Run ‘ldapsearch -h [hostname] -s base -b "" (objectclass=*)’ Substitute the hostname or IP address of the AD controller (from Step 1) Append “namingcontexts rootdomainnamingcontext “ to the command line to only return those attributes The multi-valued namingContexts attribute lists the tops of directory trees hosted on the AD Controller The single-valued rootDomainNamingContext attribute identifies the root naming context for the domain ldapsearch -h bos3k01 -p 389 -T -1 -s base -b "" (objectclass=*) namingcontexts rootdomainnamingcontext dn: namingContexts: DC=streamserve,DC=com namingContexts: CN=Configuration,DC=streamserve,DC=com namingContexts: CN=Schema,CN=Configuration,DC=streamserve,DC=com namingContexts: DC=DomainDnsZones,DC=streamserve,DC=com namingContexts: DC=ForestDnsZones,DC=streamserve,DC=com rootDomainNamingContext: DC=streamserve,DC=com b. Copy and paste the value of the rootDomainNaming Context into the “DN Base” field e.g. “DC=streamserve,DC=com” If there is no rootDomainNamingContext, or no defaultNamingContext, select the most appropriate value from namingContexts 3. Specify a StreamStudio service login and password Some LDAP servers, including Active Directory, require authentication prior to running any queries. The StreamStudio service user does not require any special privileges in the Active Directory; it just needs to be a Domain User, able to authenticate, enumerate, and query the directory. You will need to know the password for this account. If a StreamServe service account has already been created, use it. Service accounts should have passwords that do not expire. If a service account has not already been created, any user with a Windows Domain User login can be specified here. With Active Directory, the StreamStudio service account user can be specified in various formats: LDAP Distinguished Name o e.g. CN=StreamServe, CN=Service Accounts, CN=Users, DC=localdomain,DC=com NTLM Domain/Username o e.g. LOCALDOMAIN\STREAMSERVE Active Director User Principal Name (“UPN”) o e.g. [email protected] Refer to the section about Active Directory Naming Formats for more details. With other directory servers, the StreamStudio service user’s login must be specified as an LDAP Distinguished Name. a. First, pick a Windows Domain User for the StreamStudio service account b. Determine the Domain User’s Windows UPN and/or NTLM login If the Windows Administrator is around, ask for the user’s userPrincipalName NTLM login: NT Domain Name\sAMAccountName password You can figure this out yourself A userPrincipalName looks like an e-mail address (e.g. “[email protected]”), with an at symbol separating the username from the domain name An NTLM name consists of a Windows Domain name and a User Name, usually separated by a backslash (e.g. “IDSDOMAIN\dsh01”) If you are logged into Windows as the desired Domain User, your username and the domain name are stored as environment variables Open a command prompt Run ‘echo %USERNAME% This is your username Run ‘echo %USERDOMAIN%’ If the result is one word in ALL_CAPS e.g. “IDSDOMAIN” your NTLM login is %USERDOMAIN%\%USERNAME% If the result looks like a DNS domain name e.g. “streamserve.com” your userPrincipalName is %USERNAME%@%USERDOMAIN% NTLM format UPN format echo %USERNAME% STREAMSERVE echo %USERNAME% strs_service echo %USERDOMAIN% LOCALDOMAIN echo %USERDOMAIN% localdomain.com Use %USERDOMAIN%\%USERNAME% e.g. LOCALDOMAIN\STREAMSERVE Use %USERNAME%@%USERDOMAIN e.g. [email protected] c. Enter the service user’s NTLM login or User Principal Name into “User Name” e.g. “LOCALDOMAIN\STREAMSERVE” or “[email protected]” d. Enter the service user’s network password into its “Password” field. e. Click on the “Check User Name” button… 4. Specify a StreamStudio Administrator user account The StreamStudio Administrator logs into StreamStudio, and performs initial configuration tasks, such as assigning other LDAP users and groups to StreamStudio Roles. This user is automatically mapped to the StreamStudio “System Manager” Role, but does not require any special privileges in Active Directory. Up through Persuasion SP3 (5.0.0-5.3.0), the StreamStudio Administrator user had to be an LDAP user on the Internal directory. It does not require any special privileges; it can just be a regular Domain User in Active Directory. StreamStudio does not need to know this user’s password: just its identity. The LDAP user is mapped to the StreamStudio System Manager Role in the Runtime Repository database. As of Persuasion SP4 (5.4.0+), the initial StreamStudio Administrator is stored in the territory.xml file (i.e. outside of LDAP). The initial StreamStudio configuration is much easier, since the LDAP integration is not entirely necessary. (i.e. StreamStudio can be run with just this one user. Or the integration with LDAP can be postponed until a more convenient time.) In SP4, the StreamStudio system manager user is specified on the Administrator tab in the Application Domain Editor. Since it is not an LDAP user, it will not be discussed further in this document. The following instructions pertain to Persuasion prior to SP4. The StreamStudio Administrator user can be the same user as the service user. It can be any Windows Domain User. If you don’t know, or can’t decide, just use the service user account; it can be changed at a later date. The StreamStudio Administrator user must be specified as an LDAP DN. The StreamStudio Administrator’s LDAP DN must be within the search BaseDN specified in Step 2. e.g. if the BaseDN is “dc=localdomain,dc=com”, and the StreamStudio Administrator is “cn=StreamServe,cn=Users,dc=localdomain,dc=com”, that’s fine e.g. if the BaseDN is “cn=UK,dc=mydomain,dc=com”, and the desired StreamStudio Administrator is “cn=StreamServe,cn=US,dc=localdomain,dc=com”, then it will not work a. First, pick a Windows Domain User that will become the StreamStudio Administrator b. Obtain the username of the desired StreamStudio Administrator sAMAccountName or userPrincipalName, or %USERNAME% e.g. “hol01” c. Determine the LDAP Distinguished Name for the user Run ‘ldapsearch -h [hostname]-b "[BaseDN]" -D "[ UPN]" -w "(|(samaccountname=[username]) (userprincipalname=[username]*))" dn’ Substitute [hostname] with the AD controller’s hostname or IP address, from Step 1 Substitute [BaseDN] with the naming context from Step 2 Substitute [UPN] with the User Principal Name (or NTLM login) from Step 3 You could log in as any user on the Windows Domain, but we might as well test the service user’s login. Why not? Substitute [USERNAME] with just the user name of the desired StreamStudio Administrator user that we are querying In this example, the desired StreamStudio Administrator is “hol01” Enter the service user’s password when prompted Not the password of the StreamStudio Administrator user ldapsearch -h bos3k01 -p 389 -T -1 -b "dc=streamserve,dc=com" -D "[email protected]" -w "(|(samaccountname=hol01)(userprincipalname=hol01*))" dn Enter bind password: ******** dn: CN=Olsson\, Hans,OU=Users,OU=IT,OU=Sth,OU=Sweden,DC=streamserve,DC=com d. Copy and paste the StreamStudio Administator’s DN value to the “StreamStudio Administrator” field e. Click on the “Check StreamStudio Administrator” button The desired net result might look something like this: In this particular example, The LDAP server is bos3k01.streamserve.com o It’s running Active Directory on TCP port 389 o This AD controller is a Global Catalog master The Base DN for StreamStudio queries is “dc=streamserve,dc=com” o Unfortunately, this is the root directory object, so searches could be very slow The service user is a service account called strs_service o Note that this field can take an NTLM, UPN, or DN o We chose the UPN syntax because it’s easier than DN o userPrincipalName: [email protected] The StreamStudio Administrator is Hans Olsson o Note that this field must be in DN syntax o The user specified here must be within the Base DN specified above o DN: CN=Olsson\, Hans,OU=Users,OU=IT,OU=Sth,OU=Sweden,DC=streamserve,DC=com The relevant user attribute for authentication is sAMAccountName o i.e. Hans Olsson would log in as “hol01”, instead of “Olsson\, Hans” or “[email protected]” Basic Procedure - Tuning 1. Hostname – This field was specified earlier, but should be re-examined a. If there are multiple Active Directory controllers on the network, verify that the server specified has a copy of the Global Catalog The Global Catalog is a master copy of the Active Directory tree An AD server without a complete copy of the GC will usually take longer to respond to queries, because it does not have all the data Do an ldapsearch on the RootDSE object of the AD controller, and check the “isGlobalCatalogReady” value ldapsearch -h bos3k01 -p 389 -x -T -1 -s base -b "" (objectclass=*) namingcontexts defaultnamingcontext rootdomainnamingcontext dnshostname issynchronized isglobalcatalogready domainfunctionality forestfunctionality domaincontrollerfunctionality dn: namingContexts: DC=streamserve,DC=com namingContexts: CN=Configuration,DC=streamserve,DC=com namingContexts: CN=Schema,CN=Configuration,DC=streamserve,DC=com namingContexts: DC=DomainDnsZones,DC=streamserve,DC=com namingContexts: DC=ForestDnsZones,DC=streamserve,DC=com defaultNamingContext: DC=streamserve,DC=com rootDomainNamingContext: DC=streamserve,DC=com dnsHostName: bos3k01.streamserve.com isSynchronized: TRUE isGlobalCatalogReady: TRUE domainFunctionality: 2 forestFunctionality: 0 domainControllerFunctionality: 2 If “isGlobalCatalogReady” is not “TRUE” then try to find another AD controller If “forestFuncionality” is anything but “0”, then this Active Directory Domain is actually part of a Forest b. The Windows Domain Administrators can log into an existing AD Controller, and add the Global Catalog FSMO role 2. BaseDN – This field was specified earlier, but should be re-examined a. We specified the top of the Active Directory tree as the root for all queries b. More specific RDNs will yield faster searches c. Especially with Active Directory, specifying the RootDN of the Active Directory forest can result in extremely slow searches Within the root naming context, Active Directory stores many other trees See the sample above… searches on all of “dc=streamserve,dc=com” would also reference “CN=Configuration,dc=streamserve,dc=com”, “CN=Schema,CN=Configuration,dc=streamserve,dc=com”, “DC=DomainDnsZones,dc=streamserve,dc=com”, “DC=ForestDnsZones,dc=streamserve,dc=com” With Active Directory, there are thousands of additional entries in those other d. The BaseDN specified here must include All User objects that will be mapped to StreamStudio Roles All Group objects that will be mapped to StreamStudio Roles (Up through SP3) The special StreamStudio Administrator user that will be mapped to the StreamStudio System Manager Role e. See the section (below) on browsing the directory tree with LDAP Admin 3. Verify user attributes a. This field defines which LDAP attribute(s) can be used for the StreamStudio login username b. Most of the time, only one attribute is really needed here c. Depending on the naming conventions used in the customer’s Active Directory, the key attribute could be “sAMAccountName”, “cn”, or “userPrincipalName” d. Most of the time, just use sAMAccountName="%1" e. See the section (below) on Active Directory Naming Conventions 4. Translate name attributes a. Most of the time, only one attribute is really needed here b. Most of the time, just use the same value as in the “Verify user attributes” field Assigning StreamStudio Administrator (Up through SP3), the StreamStudio Administrator user’s role is mapped in the Runtime Repository database After specifying (or modifying) the StreamStudio Administrator user, it is necessary to update the Runtime Repository database o In Control Center, select your Application Domain o Right-click on it, and go to Create Database… o Choose “Assign Administrator role to the StreamStudio Administrator account” o Click on Start o Enter the database credentials for a user that has write access to the Runtime Repository database for this Application Domain In SQL Server, this could be the “sa” user or the “StrsSecurity” user In Oracle, this could be the “SYSTEM” user, or the database schema owner like “StrsRuntimeAccess” (As of SP4), the StreamStudio Administrator is specified on the “Administrator” tab of Control Center’s Application Domain Editor. The StreamStudio Administrator account is stored in the territory.xml file, with its password encrypted using a reversible hash. The user does not reside within the LDAP repository, and its role is not mapped in any of the databases. Updating StreamServe Application Domain file After specifying or updating information in the Application Domain Editor, it is necessary to update the Application Domain configuration file (territory.xml). If prompted “Do you want to update the domain information for all applications in the Application Domain?” just click on “Yes” o Up through SP3, make sure to restart the StreamStudio J2EE engine (i.e. Tomcat) after updating the territory.xml file o As of SP4, it is not necessary to restart Tomcat, though it probably wouldn’t hurt Alternately, the file can be updated manually through Control Center o In Control Center, select your Application Domain o Right-click on it, and go to Update Application Domain file o Restart the StreamStudio J2EE engine, if necessary If the StreamStudio J2EE engine is not running on a node with Management Gateway, the Application Domain file must be copied manually o Find a copy of the territory.xml file e.g. from Service Gateway (C:\ManagementGateway\1.0\root\applications\ServiceGateway\wd\) o Copy it to the $STRS_DOC_PORTAL_ROOT directory e.g. with Tomcat running on Windows, that might be C:\Program Files\Apache Tomcat 5.5\webapps\applications\WEBINF\spring\properties\ o Restart the StreamStudio J2EE engine, if necessary Active Directory Naming Formats Some of the naming conventions supported by Active Directory and Window systems include Old Windows standalone sAMAccountName o This is a single-part username o The sAMAccountName identifies a user on an NTLM host o e.g. “DSH01” Old Windows domain NTLM login o This Windows-specific format consists of the NTLM domain name, plus the sAMAcountName o Prepending the NTLM domain name allows identification of a user within an NTLM workgroup or domain o This syntax is extremely common, but is not actually stored as an attribute in AD o USERDOMAIN\SAMACCOUNTNAME o e.g. “IDSDOMAIN\DSH01” Newer Active Directory userPrincipalName o This Windows-specific format looks like an e-mail address, but should not be confused with an e-mail address o The userPrincipalName uniquely identifies a user within an Active Directory forest o [email protected] o e.g. “[email protected]” LDAP Distinguished Name (“DN”) o This LDAP format uniquely identifies objects within an LDAP directory tree o An object’s full distinguished name consists of multiple relative distinguished name components, in a comma-separated list o e.g. “cn=Shih\, David, OU=Users,OU=Bos, OU=USA, DC=streamserve, DC=com” LDAP Common Name (“CN”) o This LDAP format refers to a single attribute o e.g. “Shih\, David” In general, CN, sAMAccountName, and userPrincipalName are all completely independent of one another, and do not have to resemble each other at all CN, sAMAccountName, and the username portion of the userPrincipalName often are identical, though In Active Directory, the Distinguished Name (DN) is always based on the CN Here are the results of an ldapsearch, showing examples of the different ways one user can be identified by Active Directory. ldapsearch -h bos3k01 -p 389 -T -1 -b "dc=streamserve,dc=com" -D "%USERDOMAIN%\%USERNAME%" -w - "(samaccountname=%USERNAME%)" dn cn samaccountname userprincipalname Enter bind password: ******** dn: CN=Shih\, David,OU=Users,OU=Bos,OU=USA,DC=streamserve,DC=com cn: Shih, David sAMAccountName: dsh01 userPrincipalName: [email protected] In this example CN bears no resemblance to the sAMAccountName or userPrincipalName sAMAccountName and the username portion of the userPrincipalName are identical CN contains a comma-space, so when used in an RDN syntax, the comma must be escaped CN is probably not a good choice of attribute for StreamStudio login sAMAccountName should be used for the StreamStudio login instead Browsing the Active Directory tree with LDAP Admin LDAP Admin is a free, open source graphical LDAP browser tool for Windows. More information can be found at http://ldapadmin.sourceforge.net/. LDAP Admin allows you to easily view the hierarchy of an Active Directory tree. Among other things, it can help you decide the most appropriate Base DN for your queries. Download and run LDAPAdmin Define a new conection Start | Connect | New Connection Provide a name for the connection, e.g. “My Active Directory” Enter the hostname of a domain controller, e.g. “bos3k01.streamserve.com” Enter the Root DN, e.g. “dc=streamserve,dc=com” Un-check Anonymous Connection Enter the Username of the service account user, e.g. “[email protected]” Enter the service account user’s password (or leave it blank to be prompted every time) Click on “Test connection” Click on “OK” to save Open the connection, and start browsing! Example 1: All the users and groups were within “CN=Users,DC=streamserve,DC=com” The BaseDN for StreamStudio should be “CN=Users,DC=streamserve,DC=com” Example 2: UK-based users are within “OU=Users,OU=UK,DC=streamserve,DC=com” UK-based groups are within “OU=Groups,OU=UK,DC=streamserve,DC=com” Swedish-based users are within “OU=Users ,OU=SE,DC=streamserve,DC=com” Swedish-based groups are within “OU=Groups,OU=SE,DC=streamserve,DC=com” If StreamStudio is only going to be used in the UK, then the BaseDN for StreamStudio should be “OU=UK,DC=streamserve,DC=com” Example 3: UK-based users are within “OU=Users,OU=UK,DC=streamserve,DC=com” UK-based groups are within “OU=Groups,OU=UK,DC=streamserve,DC=com” Swedish-based users are within “OU=Users ,OU=SE,DC=streamserve,DC=com” Swedish-based groups are within “OU=Groups,OU=SE,DC=streamserve,DC=com” If StreamStudio is going to be used in the UK and Sweden, then the BaseDN for StreamStudio should be “DC=streamserve,DC=com” Example 4: UK-based users are within “OU=Users,OU=UK,DC=streamserve,DC=com” UK-based groups are within “OU=Groups,OU=UK,DC=streamserve,DC=com” All groups are within “OU=Groups ,DC=streamserve,DC=com” The BaseDN for StreamStudio should be “DC=streamserve,DC=com” Example 5: Regular users are within “CN=Users,C=streamserve,DC=com” Regular groups are within “OU=Groups,CN=Users,DC=streamserve,DC=com” The StreamStudio Administrator is in “OU=Service Accounts,DC=streamserve,DC=com” The BaseDN for StreamStudio should be “DC=streamserve,DC=com” Guessing the AD Controller If you are not logged into the AD Domain as a Domain User, or aren’t running on Windows, try asking a knowledgeable Windows Admin. If they’re not available, you can try finding the AD controller on your own. a. AD Controllers are often used as DNS, WINS, and DHCP servers Run ‘ipconfig /all’ Check the DNS, WINS, and DHCP servers listed there b. AD Controllers tend to have the Master Computer Browser role on a network segment Run ‘nbtstat -A [IP Address]’ and look for “MSBROWSE” nbtstat -A 192.168.127.25 NetBIOS Remote Machine Name Table Name Type Status --------------------------------------------BOS3K01 <00> UNIQUE Registered IDSDOMAIN <00> GROUP Registered IDSDOMAIN <1C> GROUP Registered BOS3K01 <20> UNIQUE Registered IDSDOMAIN <1E> GROUP Registered IDSDOMAIN <1D> UNIQUE Registered ..__MSBROWSE__.<01> GROUP Registered c. AD Controllers tend to be extremely chatty Note that customers’ security administrators object violently to us running packet sniffers on their networks If you happen to have a packet sniffer or traffic analyzer, like ‘netcat’, note the busiest broadcast hosts on SMB (TCP ports 135, 139) and ARP d. AD Controllers often have IP addresses that are relatively easy to remember Quite often, the last numbers of the IP address will be 254, 253, or 250 e. AD controllers often have hostnames that are easy to guess It all depends on the customer site and naming convention f. Functional-based naming conventions often have AD controllers with the strings “DC” “PDC” or “AD” somewhere in their hostnames Sequential naming conventions often reserve lower numbers like 0, 1, 00, or 01 for AD controllers AD Controllers almost always listen on TCP port 389 Note that many customers’ security administrators get upset if we run port scanners like ‘nmap’ on their networks You can check whether a single host has TCP:389 open by using a telnet command: ‘telnet [hostname] 389’ Guessing Active Directory’s LDAP namespaces If you are lazy, cannot remember the appropriate LDAP queries, or your LDAP tools do not seem to be working properly, you can try guessing the LDAP namespaces of Active Directory. Over ninety percent of the time with Active Directory, the LDAP Root namespace is based on the DNS domain name. This is the default setting in ‘dcpromo’ and most Windows admins do not change it. Example 1. Running ‘ipconfig’ reports that the local DNS domain name is “streamserve.com”. For the LDAP root DN, try “dc=streamserve,dc=com”. Example 2. If the local DNS domain name is “uk.mycompany.com”, try “dc=uk,dc=mycompany,dc=com” or “dc=mycompany,dc=com” Example 3. If the external DNS domain name is “megacompany.com” and the internal DNS domain name is “london.uk.megacompany.net”, then try “dc=megacompany,dc=net”, “dc=uk,dc=megacompany,dc=net”, “dc=london,dc=uk,dc=megacompany,dc=net”, “dc=megacompany,dc=com”… The Active Directory’s LDAP Root DN does not have to be of the format “dc=x,dc=y” but could be something like “o=MyAD” or “ou=uk,o=internaldomain”. But most of the time, with Active Directory, the root namespace does look like “dc=whatever,dc=com”. Active Directory Attributes, versus what Windows Admins usually see AD stores a lot of information about objects. In LDAP, each object has multiple attributes; some attributes are mandatory, others are optional; some attributes are multi-valued, others can only be single-valued. Some AD attributes and values are easily visible in common Microsoft Windows administrative tools, but others are hidden and only used internally. Here are some screen shots, illustrating the appearance of common LDAP attributes, in the Windows world. The attribute mappings can be helpful for defining StreamStudio Administrator/Customers queries. In the main Active Directory Users and Computers (dsa.msc) display The Name column corresponds to the LDAP “cn” (or commonName) attribute The Description column corresponds to the LDAP “description” attribute In Active Directory Users and Computers (dsa.msc), General Properties of an individual User object (objectClass: top, person, organizationalPerson, user) First Name = LDAP “givenname” Initials = LDAP “initials” Last Name = LDAP “sn” Display Name = LDAP “displayName”, “name” Description = LDAP “description” Office = LDAP “physicalDeliveryOfficeName” Telephone number = LDAP “telephoneNumber”, “otherTelephone” E-mail = LDAP “mail” Web page = LDAP “wWWHomePage”, “url” In Active Directory Users and Computers (dsa.msc), Account Properties of an individual User object User logon name: LDAP “userPrincipalName” The first part of the UPN can be mapped to %USERNAME% The second part of the UPN can be mapped to %USERDOMAIN% User logon name (pre-Windows 2000): LDAP “sAMAccountName” The first part of the NTLM login is not stored in Active Directory, but can be mapped to %USERDOMAIN% The second part of the NTLM login is the sAMAccountName, and can be mapped to %USERNAME% Address tab: Street = LDAP “streetAddress” or “street” P.O. Box = LDAP ”postOfficeBox” City = LDAP ”l” State/province = LDAP ”st” Zip/Postal Code = LDAP ”postalCode” Country/region: United States = LDAP c: US, co: USA, countryCode:840 Telephones tab: Home = LDAP ”homePhone”, “otherHomePhone” Pager = LDAP ”pagerPhone”, “otherPager” Mobile = LDAP ”mobile”, “otherMobile” Fax = LDAP ”facsimileTelephoneNumber”, “otherFacsimileTelephoneNumber” IP phone = LDAP ”ipPhone”, “otherIpPhone” Notes = LDAP ”info” Organization tab: Title = LDAP ”title” Department = LDAP ”department” Company = LDAP ”company” Manager = LDAP ”manager” Member Of tab: Member Of = LDAP ”memberOf” Groups (main display): LDAP “cn”, “displayName”, “name” Groups: (objectClass: top, group) Group name (pre-Windows 2000) = LDAP ”sAMAccountName” Description = LDAP ”description” E-mail = LDAP ”mail” Group scope (Domain local, Global, Universal) = LDAP ”groupType” Group type (Security, Distribution) = LDAP ”groupType” Notes = LDAP ”info” Members = LDAP ”member” Member Of = LDAP ”memberOf” Managed By Name = LDAP ”managedBy” Troubleshooting StreamStudio login fails o Is the Service Gateway instance running? By default, it’s only set to start Manually o Is there a Service Gateway instance? o Is the Service Gateway configured in the Application Domain Editor e.g. Primary URL “http://sgw-host” on TCP Port 2718 o Has the Application Domain file been updated? o Have you restarted Tomcat and Service Gateway? o Did the “Check User Name” button work in the Application Domain Editor? o Did the “Check StreamStudio Administrator” button work in the Application Domain Editor? o Did you remember to Assign the StreamStudio Administrator user in the Runtime Repository database? o Check the StreamStudio framework.log file C:\Program Files\Apache Tomcat 5.5\webapps\applications\WEB-INF\ o Check the Service Gateway servicegateway.log file C:\ManagementGateway\1.0\root\applications\ServiceGateway\wd\ o Check the Tomcat stdout.log and stderr.log files C:\Program Files\Apache Tomcat 5.5\logs\ “Check User Name” button fails in the Application Domain Editor o ldapsearch -h [hostname] -p [port] -D "[username]" -w "[password]" -b "[basedn]" -s sub (objectclass=*) Copy and paste the AD Controller’s hostname into the [hostname] Copy and paste the AD Controller’s port number (389) into the [port] Copy and paste the service account’s username into the [username] Copy and paste the service account’s password into the [password] Copy and paste the BaseDN into the [basedn] o If running SP4 GA, the Get Domain Controller, Get Naming Context, and Check User buttons do not always seem to work; if those buttons fail, take it with a grain of salt “Check StreamStudio Administrator” button fails in the Application Domain Editor o ldapsearch -h [hostname] -p [port] -D "[username]" -w "[password]" -b "[administrator_rdn]" -s one (objectclass=*) Copy and paste the AD Controller’s hostname into the [hostname] Copy and paste the AD Controller’s port number (389) into the [port] Copy and paste the service account’s username into the [username] Copy and paste the service account’s password into the [password] Copy and paste the StreamStudio Administrator’s Distinguished Name into the [administrator_rdn] Verify connectivity to the Active Directory controller from Service Gateway o ping [hostname] o telnet [hostname] 389 o nslookup [hostname] o make sure there are no firewalls blocking TCP:389 LDAP errors o Double-check your typing o Pay attention to the double quotes o If an RDN is specified in a command line, look at the comma-space delimiters o Look up the LDAP error codes online: http://leto.net/docs/ldap_error_code.php Anything else? o Please don’t call me. o Well, if it’s necessary or interesting, let me know.