Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

thread690-1803251 kyle555 (Techn

Status
Not open for further replies.
Imrma1

Imrma1

Technical User
Jun 16, 2022
5
KW
thread690-1803251

kyle555 (TechnicalUser)15 Jun 20 15:44
Didn't have time to answer yesterday.

When you're logged in and type a name to search, AADS uses the Bind DN as the account it logs into LDAP with to make the search.

That has nothing to do with getting users authenticated.

AADS supports many different roles - only the Users are the ones that use IX Workplace. Service Admin, Auditor, etc are roles that are for specific tasks. So, if you want someone to be able to restart AADS but not make config changes, you'd make them a Service Admin.

So, those role fields are groups or folders in LDAP. So, if mohamed@lab.com with DN=mohamed,CN=users,dc=lab,dc=com logs in to IX Workplace and the user role = CN=users,dc=lab,dc=com, then you'll be allowed to login and AADS will try to match your userPrincipalName to a SMGRLogin name in the attribute mappings and associate your LDAP account with your Avaya account.

Now, lets say you have a group CN=AADSAdmins,CN=users,dc=lab,dc=com and mohamed is a member of that group and if I did a ldap search for members of CN=AADSAdmins,CN=users,dc=lab,dc=com and you showed up, then if you went to in your browser and logged in as mohamed, you'd be allowed to login as an admin.


Does that means to get the users authenticated through AADS (finally AD), the users should be added to the AADSUser group ?
 
Sort by date Sort by votes
Thanks Kyle555

Now I have the authentication working from the URL. However when I enter the URL address>:443/acs/resources/configurations in the Equinox error it gives error Check Your Web Address and try again.

SIP controller List is defined with only 2 entries in the Dynamic Configuration but it is listing out many more.
 
Upvote 0 Downvote
Sounds like a DNS problem, either just use IP addresses in the dynamic config or enable split horizon and ensure that DNS A records exist for everything in use.
 
Upvote 0 Downvote
If you're internal and using IP only then make generate a new cert via SMGR as if it was 3rd party and have the IP as a subjectAltName - I've never tried it.

But, regardless, the AADS cert on 443 is for it's FQDN, you're probably getting a cert error.

If it's on a Windows PC, add the FQDN to the hosts file and try with the FQDN

Can you try just the IP in the browser, login and see your settings?
 
Upvote 0 Downvote
I am trying to access the AADS autologin URL from the internet but it is giving error "504 Gateway Time-out nginx"

Frontend FQDN, AADS FQDN is same and it is resolving in Public and local DNS

Internally the URL is working fine.

Reverse_Proxy_dv2hky.png
Reverse_Proxy_fynlxn.png
SBC_trce_vpdlzx.png
 
Upvote 0 Downvote
I see you have a FQDN in the bottom of your reverse proxy.

What interface is the SBC doing DNS out of?

Have you tried just popping in the AADS IP/cluster IP in there instead?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

wtmckown
  • Locked
  • Question
Ref thread690-1816512 I have a s
Replies
0
Views
237
wtmckown
wtmckown
mikespeak20
  • Locked
  • Question
thread690-1615875 Does anyone have
Replies
1
Views
254
Arlo555
Arlo555
LisaJP
  • Locked
  • Question
thread690-1807872 There is a newer
Replies
0
Views
203
LisaJP
LisaJP
Prashant Dhonde
  • Locked
  • Question
thread690-1751211 Hey How do i g
Replies
0
Views
145
Prashant Dhonde
Prashant Dhonde
HarshalMangale
  • Locked
  • Question
thread690-1810981 Getting same s
Replies
0
Views
141
HarshalMangale
HarshalMangale

Part and Inventory Search

Sponsor

Back
Top