We recently had multiple Nutanix Blocks installed and I have started configuring them for Active Directory Authentication; however, logging on using AD Accounts is super slow and takes several minutes to log on.
I have configured the Authentication to IP Addresses, FQDNs and DOMAIN but all are still unacceptably slow.
ldap://192.168.1.1:389
ldap://server.domain.org:389
ldap://domain.org:389
For the Prism Role mapping, I have configured AD Groups and Single Users and the logon is still super slow.
There was a post about changing recursive authentication to be off; however, there was no command string associated with NCLI.
Anyone experiencing this issue? Would like to know the best practice for configuring AD Authentication.
Thanks for any assistance...
David
Solved
Active Directory Authentication is slow - Takes minutes to Logon
Best answer by hatchda
Resolution to AD Logon Slowness (If you are experiencing)
NOTE: Do not use Nested AD Groups and only explicitly add the users to the AD Group you want to grant User/Cluster/Read Roles to.
Configure Authentication Configuration:
Name: TEST
DOMAIN: TEST.org
URL: ldap://TEST.org:389
Configure Role Mapping:
Remember you can only have one ROLE Type (Viewer/User Admin/Cluster Admin) per LDAP Type.
Execute the following command on a CVM:
ncli authconfig edit-directory name=NAME group-search-type=NON_RECURSIVE directory-type=ACTIVE_DIRECTORY connection-type=LDAP directory-url=ldap://TEST.org:389 domain=TEST.org
Good Luck,
David
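Before switching a directory to NON_RECURSIVE, it helps to know which accounts currently reach a role-mapped group only through nesting. The following is an added example, not part of the original post and not Nutanix tooling: it audits a constructed membership snapshot, assuming NON_RECURSIVE honours direct members only, as the note above implies. All group and user names are hypothetical.

```python
# Constructed sample data: group name -> direct members. Names are hypothetical.
# A member that is itself a key of the dict is a nested group; anything else is a user.
SAMPLE_DIRECTORY = {
    "Prism-ClusterAdmins": ["alice", "Infra-Team", "Ops-Team"],
    "Infra-Team": ["bob", "Storage-Team"],
    "Storage-Team": ["carol", "Infra-Team"],   # cycle back to Infra-Team
    "Ops-Team": ["alice", "dave"],
}


def audit_role_group(directory, role_group):
    """Compare direct membership with the full recursive expansion of role_group."""
    members = directory.get(role_group, [])
    direct_users = {m for m in members if m not in directory}
    nested_groups = set()
    all_users = set(direct_users)
    lookups = 1                      # one query for the role group itself
    stack = [m for m in members if m in directory]
    while stack:
        group = stack.pop()
        if group in nested_groups or group == role_group:
            continue                 # already expanded; this also breaks cycles
        nested_groups.add(group)
        lookups += 1                 # every nested group costs another query
        for m in directory[group]:
            if m in directory:
                stack.append(m)
            else:
                all_users.add(m)
    return {
        "direct_users": sorted(direct_users),
        "nested_groups": sorted(nested_groups),
        # Assumption: NON_RECURSIVE only sees direct members, so these users
        # must be added explicitly to the role group to keep their access.
        "lost_if_non_recursive": sorted(all_users - direct_users),
        "recursive_lookups": lookups,
    }


if __name__ == "__main__":
    report = audit_role_group(SAMPLE_DIRECTORY, "Prism-ClusterAdmins")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Users listed under lost_if_non_recursive need to be added directly to the role-mapped group before the ncli change, and recursive_lookups shows how the query count grows with each nested group.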