This document describes how to configure the organizational units, groups, users and roles in Active Directory that Versa Director needs, and how to configure and troubleshoot the AD authentication connector on Versa Director.


Assumption: Active Directory is already installed. The steps below prepare the AD configuration that Versa Director requires.

  1. Versa Director communicates with AD using LDAP over clear text (no TLS). The bind password and every user's login password therefore cross the network unencrypted: restrict the network path between Versa Director and the domain controller, and use a dedicated, least-privilege account for the bind DN.
  2. The supported LDAP version is 3.

      To check which LDAP versions the domain controller supports, first import the Active Directory PowerShell module:

      Command: Import-Module activedirectory

      Version verification: see Screen A.



Active Directory Configuration: 

Step 1: Create an Organizational Unit (OU) under the Active Directory domain.

                   Ex: Active Directory domain name: versa.com (in our case the domain name is versa.com)

                   The OU name is user-defined; it can be anything.

                   OU name: <My_Organization> (user-defined name) 

                   For more detail refer to the screenshot (Screen 1).

       Create the OU: right-click "versa.com" -> select "New" -> select "Organizational Unit"

  •      Name: <any name>

                Example: "My_Organization" (e.g. Versa-Networks, Comcast, Lumen, etc.)

                Note: "My_Organization" can be created anywhere in the versa.com hierarchy, directly under the domain or under any other OU.

 

Screen:1



Example: To verify the properties of "My_Organization", see the attached screenshot (Screen 2).

Screen:2


 

Note:

OU: Organizational Unit

A tenant in Versa Director corresponds to an organization (org); in AD each tenant is represented by a group.


Step 2: Create a Tenants OU, a Users OU and a Roles OU under "My_Organization".

Note: The Tenants, Roles and Users OUs can be created anywhere under "versa.com"; it is not mandatory to keep tenants, roles and users under the same OU (My_Organization).

  1. Create the <Tenants> OU with a user-defined name.

           Ex: Test <user-defined name>

                  The "Tenants" OU can be named "Test"; the name is user-defined, any name works.


  2. Create the <Roles> OU with a user-defined name.

            Ex: Test1 <user-defined name>

            The "Roles" OU can be named "Test1"; the name is user-defined, any name works.


  3. Create the <Users> OU with a user-defined name.

            Ex: Test2 <user-defined name>

            The "Users" OU can be named "Test2"; the name is user-defined, any name works.

 

Example: The Tenants OU, Users OU and Roles OU can be three different OUs or one and the same OU.

Creation: right-click "My_Organization" -> select "New" -> select "Organizational Unit"


Note: It is not mandatory to create three separate OUs for tenants, roles and users; all users, tenants and roles can live under the same OU.

 

Screen:3



To add a tenant: right-click your tenant OU -> select "New" -> "Group"

Ex: right-click "Tenants" -> select "New" -> "Group" (here the OU is named Tenants)

Screen:4


 

Screen:5



Note: The tenant group name "VersaTestTeam" is case-sensitive; it must match the org name configured in Versa Director exactly.


Add a role: right-click your role OU -> select "New" -> select "Group"

Ex: right-click "Roles" -> select "New" -> select "Group"

Pre-defined roles supported (apart from these, custom roles can also be configured):

  1. ProviderDataCenterAdmin
  2. ProviderDataCenterSystemAdmin
  3. ProviderDataCenterOperator
  4. TenantSuperAdmin
  5. TenantSecurityAdmin
  6. TenantDashboardOperator
  7. TenantOperator


Note: Role group names are case-sensitive and must be spelled exactly as shown in screen 7.

 

Screen:6



Screen:7



Add a user: right-click your user OU -> select "New" -> select "User"

Ex: right-click "Users" -> select "New" -> select "User"


Screen:8


 

Screen:9



Screen:10



Note: User names are case-insensitive.


Screen:11


 

To configure a newly created user, use the options described below:

The new user must be added to a tenant (org) group and to a role group.

Ex: The user "JHON" we created must be added to the tenant group (org -> VersaTestTeam) and to the required Versa role group (any of the supported roles shown in screen 7).


Screen:12



To associate the created user with its org, add the user to the tenant group (not needed for a system user, which holds a provider role instead):


Screen:13



To assign a role to the user, add the user to the role group:


Screen:14



Screen:15


 

Screen:16
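The whole AD side of the procedure above (Step 1 and Step 2, the tenant and role groups, the user and its group memberships), as an added PowerShell example that is not part of the original page and is not Versa's own tooling. It assumes the names used in this document (domain versa.com, OU My_Organization with child OUs Tenants, Roles and Users, tenant VersaTestTeam, user JHON) and that it runs as a domain administrator on a host with the ActiveDirectory module installed. The LDAP version check at the top reads the supportedLDAPVersion attribute of RootDSE, which is the value screen A shows.

```powershell
# Added example, not from the original page: provisions the AD objects that
# the manual procedure above creates. Assumed names: versa.com, My_Organization,
# Tenants/Roles/Users OUs, tenant group VersaTestTeam, user JHON.
Import-Module ActiveDirectory

# 0. Confirm the domain controller advertises LDAP v3 (required by Versa Director).
$rootDse = Get-ADRootDSE
if ($rootDse.supportedLDAPVersion -notcontains 3) {
    throw "Domain controller does not advertise LDAP v3: $($rootDse.supportedLDAPVersion -join ',')"
}

$domainDn = (Get-ADDomain).DistinguishedName          # DC=versa,DC=com
$orgOu    = "OU=My_Organization,$domainDn"

# 1. OU hierarchy (Step 1 and Step 2). The OU names are user-defined.
New-ADOrganizationalUnit -Name 'My_Organization' -Path $domainDn
foreach ($child in 'Tenants', 'Roles', 'Users') {
    New-ADOrganizationalUnit -Name $child -Path $orgOu
}

# 2. Tenant group. The name must match the Versa org name exactly (case-sensitive).
New-ADGroup -Name 'VersaTestTeam' -GroupScope Global -GroupCategory Security `
            -Path "OU=Tenants,$orgOu"

# 3. Role groups, spelled exactly as Versa Director expects them (case-sensitive).
$versaRoles = 'ProviderDataCenterAdmin', 'ProviderDataCenterSystemAdmin',
              'ProviderDataCenterOperator', 'TenantSuperAdmin',
              'TenantSecurityAdmin', 'TenantDashboardOperator', 'TenantOperator'
foreach ($role in $versaRoles) {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path "OU=Roles,$orgOu"
}

# 4. Tenant user. Prompting keeps the password out of the script and shell history.
$pw = Read-Host -AsSecureString -Prompt 'Initial password for JHON'
New-ADUser -Name 'JHON' -SamAccountName 'JHON' -UserPrincipalName 'JHON@versa.com' `
           -Path "OU=Users,$orgOu" -AccountPassword $pw -Enabled $true `
           -ChangePasswordAtLogon $false

# 5. Associate the user with the tenant (org) and give it a tenant role.
#    A system (provider) user gets a ProviderDataCenter* role and no tenant group.
Add-ADGroupMember -Identity 'VersaTestTeam'    -Members 'JHON'
Add-ADGroupMember -Identity 'TenantSuperAdmin' -Members 'JHON'

# 6. Verify: the tenant and role groups JHON now belongs to.
(Get-ADUser -Identity 'JHON' -Properties MemberOf).MemberOf
```

The script deliberately creates each role group even if only one is used today, so that later users can be assigned a role by group membership alone; if an OU or group already exists, the corresponding New-AD* cmdlet fails with "already exists" and can be skipped.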


Configuring Versa Director with AD:

Log in to Versa Director, go to "Administration" -> click "Connectors" -> click "Authentication"

In the "Authentication Connectors" section, click the "+" button (as shown in the screen)


Screen: 17


   

Add the values listed in the table below (screen 19).


Versa Director binds to AD with the bind DN and its password, and uses that session to look up the user who is logging in.

For the bind DN: on the AD server, open PowerShell -> Import-Module activedirectory -> run "Get-ADUser <username>"

 

Note: The bind account can be a service account or any AD user, with or without a Versa role. A dedicated service account with read-only directory access is preferable, because its password is stored in the connector and sent to AD in clear text.

 Example: Get-ADUser JHON

(To run the above command, the Active Directory module must be imported.)

Command to import the module: Import-Module activedirectory

 

Screen:18

 


Bind DN: CN=JHON,OU=Users,OU=My_Organization,DC=versa,DC=com

Note: The DistinguishedName value returned by Get-ADUser is the bind DN value (highlighted in green on screen 18).


Base DN: DC=versa,DC=com

This is the DC= part of the distinguished name (highlighted in yellow on screen 18).

There are two types of AD connector login: default authentication login (on screen 19 the "Default Connector" box is checked) and non-default authentication login (on screen 19 the "Default Connector" box is unchecked).
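To derive the connector values from AD instead of reading them off a screenshot, and to catch the case-sensitivity pitfalls before they show up as failed logins, here is an added PowerShell example that is not from the original page and not Versa's own tooling. The function name Get-VersaConnectorInfo and the JHON/VersaTestTeam names are assumptions; AD group lookups themselves are case-insensitive, so the script compares the group names with PowerShell's case-sensitive operators to mimic what Versa Director expects.

```powershell
# Added example, not from the original page: derive Bind DN and Base DN for an
# AD account and verify its Versa tenant/role memberships with exact case.
Import-Module ActiveDirectory

function Get-VersaConnectorInfo {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. JHON (assumed)
        [Parameter(Mandatory)][string]$Tenant            # e.g. VersaTestTeam (assumed)
    )

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $roles = 'ProviderDataCenterAdmin', 'ProviderDataCenterSystemAdmin',
             'ProviderDataCenterOperator', 'TenantSuperAdmin',
             'TenantSecurityAdmin', 'TenantDashboardOperator', 'TenantOperator'

    # Group names as actually spelled in AD (CN of each group the user belongs to).
    $groupNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }

    # -cin / -ceq are case-sensitive: a group called 'tenantsuperadmin' resolves
    # fine in AD but is not a Versa role name, so it must not count as a match.
    $roleMatches   = @($groupNames | Where-Object { $_ -cin $roles })
    $tenantMatches = @($groupNames | Where-Object { $_ -ceq $Tenant })

    [pscustomobject]@{
        # DistinguishedName is the value for the connector's Bind DN field.
        BindDn       = $user.DistinguishedName
        # Base DN is the DC= components only, e.g. DC=versa,DC=com.
        BaseDn       = ($user.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -join ','
        Tenant       = $tenantMatches
        Roles        = $roleMatches
        IsSystemUser = [bool]($roleMatches | Where-Object { $_ -clike 'ProviderDataCenter*' })
    }
}

$info = Get-VersaConnectorInfo -SamAccountName 'JHON' -Tenant 'VersaTestTeam'
$info | Format-List

if ($info.Roles.Count -eq 0) {
    Write-Warning 'JHON is in no Versa role group (exact case); Versa Director will refuse the login.'
}
if ($info.Tenant.Count -eq 0 -and -not $info.IsSystemUser) {
    Write-Warning 'JHON is not in tenant group VersaTestTeam (exact case); jhon@VersaTestTeam will fail.'
}
```

The BindDn printed here is the DN of whatever account you pass in; for the connector itself prefer a dedicated service account, and use this function on the tenant and system users you want to verify.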

 

Key                         | Value                                                                                              | Example                                             | Screen
Name                        | User-defined connector name                                                                        | Name_123                                            | Screen 19
IP address / FQDN           | IP address or FQDN of the AD server                                                                | 10.192.90.9                                         | Screen 19
Bind DN                     | Distinguished name of the bind user                                                                | CN=JHON,OU=Users,OU=My_Organization,DC=versa,DC=com | Screen 18 (highlighted in green)
Bind credentials            | Password of the bind DN user                                                                       | password                                            | Screen 19
Base DN                     | Domain (DC=) components of the distinguished name                                                  | DC=versa,DC=com                                     | Screen 18 (highlighted in yellow)
Default connector checked   | System users and tenant users can log in (assuming the connector is associated with the tenant org) |                                                     | Screens 19 and 21
Default connector unchecked | Only tenant users can log in (assuming the connector is associated with the tenant org)            |                                                     | Screen 21

 

System user login: 

System users (users that hold a provider role in AD: ProviderDataCenterAdmin, ProviderDataCenterSystemAdmin or ProviderDataCenterOperator) log in through the connector that has "Default Connector" enabled. Without a default connector, system users cannot log in via AD; only tenant users can.

                  

Screen:19


 

The login username must be an AD user that holds one of the Versa provider roles (ProviderDataCenterAdmin, ProviderDataCenterSystemAdmin or ProviderDataCenterOperator). The username is case-insensitive.

Example: JHON / jHon / Jhon (all work, since the username is case-insensitive)


Screen:20



Tenant login: assume that user "JHON" holds a tenant role in AD (TenantDashboardOperator, TenantSecurityAdmin, TenantSuperAdmin or TenantOperator) and is a member of the tenant group "VersaTestTeam", as shown in screen 16.

Login format: <user>@<tenant name>

Username:  jhon@VersaTestTeam


Try to log in to Director as shown on screen 22.

If the default connector is disabled, the connector must be associated with the org under "Authentication connector", as shown in screen 21; after that, all of the tenant's users can log in to Versa Director.


Navigation:  Log in to VD -> "Administration" -> Organization -> click the org


Screen:21


 

Example (user-defined names): on screen 19 the connector is named "name_123"; the name is user-defined and can be anything. This connector (name_123) must be associated with the tenant "VersaTestTeam" as shown in screen 21. "VersaTestTeam" is also user-defined, but a group with exactly that name (same case) must exist in AD, as shown in screen 5.

 

As mentioned above, to allow tenant users to log in, an authentication connector must be associated under the tenant's org configuration.

 

Screen:22      


 

Troubleshooting steps:

  • Log file to debug authentication issues:

           /var/log/vnms/ncs/vnms-external-auth.log

  • Command to run directly from the Versa Director shell to check that the client can connect to the AD server, bind with the bind DN, and authenticate a test user under the given base DN:

 

Command: /opt/versa/vnms/scripts/externalauth/ad_client.py --address <AD IP> --ad-username "<BindDN>" --ad-password <password>  --username <username> --password <user password>  --base-dn "dc=<base-dn> "

Example:

/opt/versa/vnms/scripts/externalauth/ad_client.py --address 10.192.90.9 --ad-username "cn=srv-nms,ou=Service Accounts,ou=users,ou=OSS,dc=versa,dc=com" --ad-password Versa@123 --username test --password Versa@123 --base-dn "dc=versa,dc=com"

Note: Both passwords are passed as command-line arguments, so they land in the shell history and are visible in the process list while the command runs. Run the check with history disabled (or clear it afterwards) and use a test account rather than a real user's password. If the bind fails here, the Versa Director connector will fail in the same way: fix the bind DN, bind password or base DN first, then check the AD group memberships and their exact case.