Troubleshooting the Morpheus ActiveDirectory Identity source
In this post I want to cover troubleshooting Active Directory Identity sources.
Part 1 deals with checking Windows Security event logs to verify logon to Windows Domain controllers has been successful.
Using Windows Event Viewer connect to the Domain Controller specified in the Identity Source as AD SERVER. If the name resolves to multiple Domain Controllers you will need to check each server that could pick up the login request.
On The Domain Controller, open Event Viewer and select the Windows Security Event Log.
- From the Actions menu select Filter Current Log.
- Select the XML Tab
- Select the checkbox Edit Query Manually and click Yes to acknowledge the warning message
- Delete the current XML Filter.
- Paste in the following XML and edit the contents for your environment before clicking OK
```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      Event[System[TimeCreated[timediff(@SystemTime)&lt;=180000]
        and (EventID=4624 or EventID=4625 or EventID=4776 or EventID=4768 or EventID=4769)]]
      [EventData[Data[@Name='TargetUserName']='adbinding']]
    </Select>
  </Query>
</QueryList>
```
The number 180000 (3 * 60 * 1000 milliseconds) is 3 minutes, so the filter will only show events from the last 3 minutes. The window is evaluated every time you refresh the view, so the log will only ever show the last 3 minutes. Use the same formula to choose a value that suits your needs.
This filter shows events for the user adbinding. Change the text to match the username you want to track. The name should be the SamAccountName.
In this filter we are looking at the Security event IDs 4624, 4625, 4776, 4768 and 4769. The critical events are
4624 - Login Successful
4625 - Login Failure.
If you see a 4624 then the user credentials have been authenticated successfully by Windows.
Part 2 of this post shows examples using the Linux tool ldapsearch, which can be run from the Morpheus Appliance. This tests the Appliance's connection to AD and also helps troubleshoot the related searches for user and group objects.
Use ldapsearch with these parameters
```bash
# -b   Base DN for the search, e.g. "DC=mydomain,DC=com"
# -H   ldap: or ldaps: depending on the Use SSL setting of your Identity Source
# -D   binding user
# -W   prompt for the binding user password
# The final arguments are the LDAP query string, followed by an optional
# list of attributes to return, e.g. cn dn mail
ldapsearch -LLL -x -o ldif-wrap=no \
  -b "Base DN for the search" \
  -H "ldap://<your AD Server>" \
  -D "email@example.com" \
  -W \
  "ldap Query String" \
  attribute1 attribute2
```
so in this example
Base DN is “DC=test,DC=mydomain,DC=com”
The AD Server is mydc.test.mydomain.com and we are using standard ldap (Use SSL is No)
binding user is firstname.lastname@example.org
and we are going to search the AD for a user with id (samaccountname) morpheus
```bash
ldapsearch -LLL -o ldif-wrap=no -x \
  -b "dc=test,dc=mydomain,dc=com" \
  -H "ldap://mydc.test.mydomain.com" \
  -D "email@example.com" \
  -W \
  "(&(objectClass=user)(samaccountname=morpheus))"
```
you should be prompted for the binding user password
if the user exists all associated attributes will be returned.
Another useful query would be to return all the groups a user is a member of. This will help troubleshoot RequiredGroup checks and Role Permission mapping. In the following query I have used LDAP_MATCHING_RULE_IN_CHAIN to return all the nested groups for the user. (see the following article for reference)
To return the group membership for user morpheus we need the dn which will have been returned by the last query
for example to return all groups (just the dn and cn attributes) for morpheus with dn “cn=morpheus,ou=usernames,dc=test,dc=mydomain,dc=com” use
```bash
# 1.2.840.113556.1.4.1941 is the OID of LDAP_MATCHING_RULE_IN_CHAIN
ldapsearch -LLL -o ldif-wrap=no -x \
  -b "dc=test,dc=mydomain,dc=com" \
  -H "ldap://mydc.test.mydomain.com" \
  -D "firstname.lastname@example.org" \
  -W \
  "(member:1.2.840.113556.1.4.1941:=cn=morpheus,ou=usernames,dc=test,dc=mydomain,dc=com)" \
  dn cn
```
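Chaining the two searches above into one RequiredGroup check, as an added example that is not part of the original post: the script looks the user up by sAMAccountName, extracts the dn from the LDIF output, builds the LDAP_MATCHING_RULE_IN_CHAIN filter and reports whether a given group appears in the nested membership. The server, base DN and bind user are placeholder assumptions, and the password is read once and passed with -y so it does not appear on the command line.

```bash
#!/usr/bin/env bash
# Connection details are assumptions, not values from the original post.
AD_URI="${AD_URI:-ldap://mydc.test.mydomain.com}"
BASE_DN="${BASE_DN:-dc=test,dc=mydomain,dc=com}"
BIND_DN="${BIND_DN:-email@example.com}"

# Extract the first dn: line from LDIF produced with -LLL -o ldif-wrap=no
# (no line wrapping, so the whole DN sits on one line).
dn_from_ldif() {
    sed -n 's/^dn: //p' | head -n 1
}

# Build the LDAP_MATCHING_RULE_IN_CHAIN filter (OID 1.2.840.113556.1.4.1941)
# that returns every group the DN belongs to, including nested membership.
nested_group_filter() {
    printf '(member:1.2.840.113556.1.4.1941:=%s)' "$1"
}

# Exit 0 if the required group cn appears in the group-search LDIF on stdin.
# Fixed-string, whole-line, case-insensitive match so group names containing
# regex metacharacters (e.g. "Ops (EU)") compare literally.
has_group() {
    grep -qixF "cn: $1"
}

# Live check against AD: resolve the user's DN, then walk nested groups.
# Exit codes: 0 member, 1 not a member, 2 user not found.
check_required_group() {
    local user="$1" group="$2" pwfile dn rc pw
    pwfile=$(mktemp) && chmod 600 "$pwfile"
    # Prompt once and hand the password to ldapsearch via -y (password file).
    IFS= read -rs -p "Password for ${BIND_DN}: " pw; echo
    printf '%s' "$pw" > "$pwfile"
    dn=$(ldapsearch -LLL -o ldif-wrap=no -x -b "$BASE_DN" -H "$AD_URI" \
            -D "$BIND_DN" -y "$pwfile" \
            "(&(objectClass=user)(sAMAccountName=${user}))" dn | dn_from_ldif)
    if [ -z "$dn" ]; then
        rc=2
    else
        ldapsearch -LLL -o ldif-wrap=no -x -b "$BASE_DN" -H "$AD_URI" \
            -D "$BIND_DN" -y "$pwfile" "$(nested_group_filter "$dn")" cn | has_group "$group"
        rc=$?
    fi
    rm -f "$pwfile"
    return "$rc"
}
# Usage: check_required_group morpheus "Morpheus Admins" && echo "is a member"
```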