1 Reply Latest reply on Oct 4, 2018 10:32 AM by richard.watt

    CentOS identity store configuration error with simple Active Directory bind.




      I'm trying to configure a simple single 2018.2 server on CentOS 7.5.1804. I've got everything installed and was proceeding with the trial activation before putting anything into production -- I have our production license keys if needed. This is a standalone CentOS server not joined to Active Directory; however, I want to allow it to authenticate with Active Directory for user access control. I cannot get past the step to set up an identity store (either via the web console or the command line).


      I'm configuring the identity store JSON file like so:




          "identityStore": {
            "_type": "identityStoreType",
            "type": "activedirectory",
            "domain": "ad.domain.edu",
            "nickname": "DOMAIN",
            "directoryServiceType": "activedirectory",
            "hostname": "ldap.ad.domain.edu",
            "sslPort": "636",
            "bind": "simple",
            "username": "dept-tableausa",
            "password": "password"
          }





      The password does not contain any special characters. It did initially, but I am trying to rule that out.


      Importing this file returns the following error: "Identity store Configuration Error: Invalid credentials. Failed to login to external identity store"


      I've verified the service account I'm using for the bind is correct, because running ldapsearch from the command line authenticates and returns the query results. I've also imported the LDAP SSL certificate into the tableauservicesmanagerca.jks keystore.


      If I change the username to be:


      "username": "DOMAIN\\dept-tableausa",


      I get a different error: "Identity store Configuration Error: External identity store was unreachable. The external store is either down or Tableau Server is unable to establish a connection."


      Do I have the JSON file misconfigured? I'm at a loss. Any ideas? We have numerous other CentOS boxes authenticating against AD LDAP in our environment, so I know this works. Obviously, they are not the same services/applications, but it's not something we're doing for the first time, so to speak.