Hi, I am running API Gateway 9.2. I have an AD as Identity Provider authenticating/authorizing users for assertions. For administration purposes, I have created internal users and assigned them certain roles such as 'Manage log sinks'. Instead of creating internal users, can I use an AD group to administer the gateway? Can someone help me with how this can be done? Thanks.
When I search for an internal user I have:
When I search for a group in AD I have: I don't have the Roles/Groups tabs. Membership describes which groups this object is a memberOf within AD.
Have you tried going to Manage Roles and assigning a group or AD user to a Role?
Normally, you are able to assign an AD group/user to a Role, but I have seen issues with an AD group assignment. You might be better off with an AD user assigned to the role directly.
Having a group assigned might cause performance issues, due to a group being a member of other groups or having too many users that are members of other groups...
Thanks for your response, Kemal. I tried following your suggestion, but I still don't see AD or my X509 Identity Providers in the drop-down. Only Internal Identity Provider shows up.
Hello SamWalker,
You can add a role to an LDAP user only when administrative access has been enabled for the LDAP Identity Provider.
It's on the first step of the LDAP Identity Provider wizard, or the first screen when you edit the properties of the LDAP Identity Provider: check the option "Allow assignment to administrative roles".
I've also noticed that AD users are still subject to deactivation due to inactivity, and the only way I have found to unlock them is by updating their login record in the database. Is that a known issue, or is there another way to reactivate them?
I may misunderstand your question, but AD users won't be stored in the gateway database; if AD users are inactive, or have any other problem, it needs to be fixed on the AD side.
As a matter of fact, they are tracked in the logon_info table when used to log in via Policy Manager.
Create an AD provider, mark it to 'allow assignment to administrative roles', allocate an AD account for access to a gateway role, log in with that AD account, then run the following query in MySQL:
SELECT p.name, u.login, u.fail_count, u.last_attempted, u.last_activity, u.state FROM logon_info u JOIN identity_provider p ON u.provider_goid = p.goid;
I see, thank you. I'm not sure, but I still think the account status should come from AD.
And for the users from AD, on their properties window, all properties are grayed out and there is no "Activate" button.
If the gateway can still deactivate the AD users, it could be a problem. It could be better to open a support ticket to investigate further.
It is a problem. I'm familiar enough with the database that it doesn't bother me (I just update the inactive user in the logon_info table). Please feel free to raise the issue with engineering.
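As an added example, not from the thread and not from the product's documentation, here is the logon_info query posted earlier extended into the kind of MySQL session a gateway administrator would run to find and reset a deactivated AD login (the "update the inactive user in the logon_info table" step mentioned above). Only the table and column names (logon_info, identity_provider, provider_goid, goid, name, login, fail_count, last_attempted, last_activity, state) come from the thread. The assumption that the timestamp columns hold Java-style epoch milliseconds, the provider display name 'Corporate AD', the login 'svc-gw-admin' and the state value 'ACTIVE' are illustrative and must be checked against your own rows before the UPDATE is committed.

```sql
-- Added example, not from the thread. Table/column names come from the
-- query posted above; everything else is an assumption to verify first.

-- 1. Inspect: logon records for the AD provider, most recent activity first.
--    ASSUMPTION: last_activity / last_attempted are epoch milliseconds.
SELECT p.name                                                   AS provider,
       u.login,
       u.fail_count,
       FROM_UNIXTIME(u.last_attempted / 1000)                   AS last_attempted_at,
       FROM_UNIXTIME(u.last_activity / 1000)                    AS last_activity_at,
       DATEDIFF(NOW(), FROM_UNIXTIME(u.last_activity / 1000))   AS idle_days,
       u.state
FROM   logon_info u
JOIN   identity_provider p ON p.goid = u.provider_goid
WHERE  p.name = 'Corporate AD'          -- ASSUMPTION: your provider's display name
ORDER  BY u.last_activity DESC;

-- 2. Before changing anything, list the distinct state values the gateway
--    actually writes, so the reset below uses a real value and not a guess.
SELECT u.state, COUNT(*) AS n
FROM   logon_info u
GROUP  BY u.state;

-- 3. Reset a single account inside a transaction so the change can be
--    checked and rolled back. Replace 'ACTIVE' with the value step 2
--    shows for working accounts (ASSUMPTION).
START TRANSACTION;
UPDATE logon_info u
JOIN   identity_provider p ON p.goid = u.provider_goid
SET    u.fail_count    = 0,
       u.last_activity = UNIX_TIMESTAMP(NOW(3)) * 1000,   -- ASSUMPTION: ms epoch
       u.state         = 'ACTIVE'
WHERE  p.name  = 'Corporate AD'
AND    u.login = 'svc-gw-admin';        -- ASSUMPTION: the locked AD login
-- Expect exactly one row changed; COMMIT if so, otherwise ROLLBACK.
SELECT ROW_COUNT() AS rows_changed;
COMMIT;
```

Two caveats worth keeping in mind: the UPDATE edits gateway state behind the product's back, so take a backup of logon_info first and prefer the supported route (the support ticket suggested above) for anything beyond a one-off unlock; and the WHERE clause is deliberately pinned to both provider name and login, because the same login string can exist under several identity providers and an unqualified update would reset all of them.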