IGA 4.2 Login issues with LDAP user

I have done a fresh install on a SLES 15 SP6 server with IGA 4.2, and after the installation I am able to login with the bootstrap admin. After logging in with the bootstrap admin I ran the full collection and publishing, but other than the bootstrap admin I am not able to login with any other users. I have added that user to Global Administrator as well, but still I am not able to login. Whenever I try to login with another user I get an error page. Can someone help me with this?

  • 0  

    Hello,

    1) During the OSP install, which Authorization Server did you point to: Active Directory or eDirectory?

    2) In Identity Governance,
    2.a) How many Identity Sources do you have defined?
    2.b) Is at least one of your Identity Sources the same LDAP server that OSP is pointing to?
    2.c) Are you utilizing Publish without Merging or Publish and Merge?
    2.c.1) If you are merging, which attributes did you select for the Matching (outline both the IG and the incoming)?
    2.c.2) If you have more than one (1) Identity Source and are Merging, which one is listed as #1 and what are the merging rules?

    3) There should be more information in the logs (catalina.%date%.log, catalina.out, localhost.%date%.log, and osp).


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • Verified Answer

    +1 in reply to   

    I have used eDirectory for authorization, but in ism-configuration.properties I am not getting the LDAP host and container DN, or any LDAP-related information, in that file. Do I need to add it manually?

    I have defined one Identity Source 

    localhost.log:

    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /api/whoami HTTP/1.1" 401 171
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /api/download/count HTTP/1.1" 401 171
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /custom/custom.css HTTP/1.1" 200 -
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /assets/i18n/ig-serverLocalization.json HTTP/1.1" 302 -
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /api/download/count HTTP/1.1" 401 171
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /osp/a/idm/auth/app/activity HTTP/1.1" 200 17
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /osp/a/idm/auth/oauth2/.well-known/openid-configuration HTTP/1.1" 200 4174
    10.40.139.134 - - [26/Aug/2024:13:35:13 +0200] "GET /osp/a/idm/auth/oauth2/auth?response_type=code&redirect_uriHTTP/1.1" 200 10318
    10.40.139.134 - - [26/Aug/2024:13:35:16 +0200] "GET / HTTP/1.1" 200 7238
    10.40.139.134 - - [26/Aug/2024:13:35:20 +0200] "GET / HTTP/1.1" 200 7238
    10.40.139.134 - - [26/Aug/2024:13:35:26 +0200] "POST /osp/a/idm/auth/app/login?acAuthCardId=np-contract-%24default-card%24&sid=1 HTTP/1.1" 303 -
    10.40.139.134 - - [26/Aug/2024:13:35:26 +0200] "GET / HTTP/1.1" 200 7238
    10.40.139.134 - - [26/Aug/2024:13:35:26 +0200] "GET /osp/a/idm/auth/oauth2/authcodecontinue?sid=1&privateId=8ba50c9139c977de1f33&client_id=ig&irdpkg=1724672113921-Qow3EGOfEe-VsQBQVrAz8A HTTP/1.1" 303 -
    10.40.139.134 - - [26/Aug/2024:13:35:26 +0200] "GET /oauth.html?code=eH8AIBsto9inBzgVXl1Z4tcDwH7T2RU14KZ75myeF1bavX77-76X0mJ_Gq1a0cf1XEGshc_20TuOh64-UC1Azb2GiekWowrHZ-g5XxQXoTlFWHFsIDz7ktVlT1vjEg02-5ehqdOM33bCxLQe2LInBURPYtAvZ0mVV-PnBJJcIjKvs6meRZ8W2k4V48vEtaE-0HQxPO4oLmvOKEGQbnTOVpGyrtjLTohPPdstHp6lL4MKcSs7cebBBOzQmtMU7aCVaqo7fSVtPLT5Ujd9pkI996y_wduu12at5MusTV6wMb6HQBhRHa8-dGN3rncAFXYpdWPCe33ihyhsRvSi-3bVuM4FAkEhrnA43HUiFrZPAipaQ7GPMsydR2zP96RRgepOWeEPN_WmRKD3A1He1W9N-7Xj7CfuAf0DOAdKCfw58MPk8Mblm5hGNIevOcxoIYIixsFJqFMrOe36j2Jtmt1zZtfW-VFiUIiHlBWbBCB99h5DxdNoMzrXxz-Bm3n3JnmlxIjBRUHsACFsKN7axpZOgImYiuYvhFtBXl1LoUZgozaITjUDyfFexeHZyXzDBssYK8_Nwfi3s1SRMtsqpxqSkmlwSoIVV_UHDqPjI6XQSJvav2959kN-yKBDgDDQcIN3Gr2HeDPcpRNJNRbGWeR0n0pe03iL-ea5jhfB23KRGUXile8UYMCyz2Jd0x4VCMhW9fzaQHW4Asne0lTLgEbGRNmR4sIlucqRrmlf3ojlSlzp7M20oRWEWCh8hdnJ4tPhLuHZOPNRSG2-ZbYqtc1t3pZ-ExzfI8YcrkkBzMUgyUtyt-NYY9R9n6mNIsC28pfwSeS8ln60Kas6KdxDBMJd1m80tiR7jHzRC9efQQdtJKvK5RfXq_Df7ekWVdaN7pdX0r0-qAI7UqtQji60IpykcjArGt7-xC_MxgZVUtj3c5cYTkb0eWjDNHGe_kGzGucMot9W-tOM33bCxLQe2LInBURPYtAvZ0mVV-PnBJJcIjKvs6meRZ8W2k4V48vEtaE-0HQxPA53mhYM7yzSPgUEbdtRiFVhwGuvEmsCd7HfuEE4O-l9qjqofN-20zL1l4leFzVSxUaP71SRymXeHjtuz6iO-kE&state=gp01060277134%2Cgp1140059054%2Cgp21803035906%2Cgp31148226143%2Cgp42587946081%2Cgp54068625664%2Cgp6814928427%2Cgp71850056502%2Cgp81984594385&iss=https%3A%2F%2Figadev%2Evolvocars%2Ebiz%2Fosp%2Fa%2Fidm%2Fauth%2Foauth2 HTTP/1.1" 200 11645
    10.40.139.134 - - [26/Aug/2024:13:35:26 +0200] "POST /osp/a/idm/auth/oauth2/token HTTP/1.1" 500 99
    10.40.139.134 - - [26/Aug/2024:13:35:30 +0200] "GET / HTTP/1.1" 200 7238

    osp-idm.log:

    Preamble: [OIDP idm]
    Txn: ogPy8WOGEe-VsQBQVrAz8A
    Priority Level: WARNING
    Java: internal.osp.oidp.service.source.ldap.LDAPSource.setAttributes() [1027] thread=https-jsse-nio-443-exec-2
    Elapsed time: 1.136 milliseconds
    Time: 2024-08-26T13:35:26.248+0200
    Log Data: Modify attributes:
    Attributes: oidpInstanceData
    Get next available admin connection:
    Get admin connection from pool:
    Pool: PL48ff8faf-e15b-455d-95e8-8c07b9a85efc:fcf461f6-3514-437f-99ca-77f494e9613c
    Reserve connection:
    Type: admin
    Wait filled from existing admin connection: 8
    Obtained existing connection: 8
    Modify object:
    Error while modifying an LDAP object: javax.naming.NoPermissionException: [LDAP: error code 50 - NDS error: no access (-672)]
    Put connection:
    Connection: 8
    No pending reservation, check in connection: 8

    Preamble: [OIDP idm]
    Txn: ogPy8WOGEe-VsQBQVrAz8A
    Priority Level: FINER
    Java: internal.osp.oidp.service.principal.store.SingleAttrStore.writeData() [287] thread=https-jsse-nio-443-exec-2
    Elapsed time: 5.151 milliseconds
    Time: 2024-08-26T13:35:26.244+0200
    Log Data: Writing user instance data:

    Merge: false

    Preamble: [OIDP idm]
    Txn: ogPy8WOGEe-VsQBQVrAz8A
    Priority Level: WARNING
    Java: internal.osp.oidp.service.oauth2.handler.OAuth2Handler.writeTokenRevocationEntries() [813] thread=https-jsse-nio-443-exec-2
    Time: 2024-08-26T13:35:26.249+0200
    Log Data: Error writing user's OAuth token revocation entries to trust store.
    Class: CoreExceptionWithOutcome
    Logged: false
    Class: LoggableMessage
    Level: SEVERE
    Code: internal.osp.oidp.service.principal.store.SingleAttrStore.putInstanceData() [224]
    Thread: https-jsse-nio-443-exec-2
    Correlation Id: 96a6e113-3da1-4e70-b881-18b79498261f
    Text: Error writing instance data for '
    Reason: XDAS_OUT_SERVICE_FAILURE

    internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: putInstanceData: 224
    internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: writeData: 310
    internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: writeTokenRevocationEntries: 807
    internal.osp.oidp.service.oauth2.handler.AuthCodeResolve: AuthCodeResolve.java: handle: 340
    internal.osp.oidp.service.oauth2.handler.Token: Token.java: handle: 54
    internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 472
    internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 285
    internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 156
    internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 162
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 273
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doPost: 183
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 126
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 162
    internal.osp.servlet.javax.ServletJavax: ServletJavax.java: service: 81
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 199
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 51
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 168
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 51
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 168
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 168
    org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 90
    org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 596
    org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 130
    org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 93
    org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 660
    org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74
    org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 346
    org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 388
    org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 63
    org.apache.coyote.AbstractProtocol$ConnectionHandler: AbstractProtocol.java: process: 936
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor: NioEndpoint.java: doRun: 1,791
    org.apache.tomcat.util.net.SocketProcessorBase: SocketProcessorBase.java: run: 52
    org.apache.tomcat.util.threads.ThreadPoolExecutor: ThreadPoolExecutor.java: runWorker: 1,190
    org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker: ThreadPoolExecutor.java: run: 659
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable: TaskThread.java: run: 63
    java.lang.Thread: Thread.java: run: 829

    Preamble: [OIDP idm]
    Txn: ogPy8WOGEe-VsQBQVrAz8A
    Priority Level: FINE
    Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.setJsonError() [1091] thread=https-jsse-nio-443-exec-2
    Time: 2024-08-26T13:35:26.251+0200
    Log Data: Error processing OAuth 2.0 request.: internal.osp.oidp.service.oauth2.handler.HandlerException: Unexpected error.
    =>internal.atlaslite.jcce.exception.CoreExceptionWithOutcome: Error writing instance data for '
    internal.osp.oidp.service.oauth2.handler.AuthCodeResolve: AuthCodeResolve.java: handle: 350
    internal.osp.oidp.service.oauth2.handler.Token: Token.java: handle: 54
    internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 472
    internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 285
    internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 156
    internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 162
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 273
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doPost: 183
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 126
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 162
    internal.osp.servlet.javax.ServletJavax: ServletJavax.java: service: 81
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 199
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 51
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 168
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 168
    org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 90
    org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 596
    org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 130
    org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 93
    org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 660
    org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74
    org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 346
    org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 388
    org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 63

    internal.atlaslite.jcce.exception.CoreExceptionWithOutcome: Error writing instance data for 'cn=PRXIGADEV,ou=Employees,ou=Active,ou=Identities,ou=Meta,o=VCC'
    internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: putInstanceData: 224
    internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: writeData: 310
    internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: writeTokenRevocationEntries: 807
    internal.osp.oidp.service.oauth2.handler.AuthCodeResolve: AuthCodeResolve.java: handle: 340
    internal.osp.oidp.service.oauth2.handler.Token: Token.java: handle: 54
    internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 472
    internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 285
    internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 156
    internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 162
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 273
    internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doPost: 183
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 126
    internal.osp.servlet.http.HttpServlet: HttpServlet.java: service: 162
    internal.osp.servlet.javax.ServletJavax: ServletJavax.java: service: 81
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 199
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 51
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 168
    org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 144
    org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 168
    org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 90
    org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 596
    org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 130

  • Suggested Answer

    0   in reply to 

    Hello,

    Here is the root error from the log you provided:
    "
    Log Data: Error writing user's OAuth token revocation entries to trust store.
    "

    This generally happens because of one of the following:

    (a) the schema was not extended in the Authorization Server as outlined in the documentation:
    www.microfocus.com/.../b1iq4nvf.html

    (b) Not enough rights to read/write/update the attribute


    Note: If this is an IDM Vault (eDirectory + IDM), the necessary schema is extended during the IDM install. However, if this is just an eDirectory server, then you will need to extend the schema.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity
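    As an added example (not from the thread and not OpenText code), a small Python triage script that reads an osp-idm.log excerpt the way Steven's diagnosis does: it pulls out the attribute OSP tried to modify, the LDAP result code and the user DN, and maps the code to cause (a) schema not extended or (b) insufficient rights. The embedded log excerpt is constructed from the lines quoted in the thread; the code-to-cause mapping uses the standard LDAP result codes from RFC 4511, not anything OSP-specific.

```python
import re

# Constructed excerpt assembled from the osp-idm.log lines quoted in the thread
# (attribute name, LDAP error text and user DN are the ones the poster reported).
SAMPLE_LOG = """\
Priority Level: WARNING
Java: internal.osp.oidp.service.source.ldap.LDAPSource.setAttributes() [1027] thread=https-jsse-nio-443-exec-2
Log Data: Modify attributes:
Attributes: oidpInstanceData
Modify object:
Error while modifying an LDAP object: javax.naming.NoPermissionException: [LDAP: error code 50 - NDS error: no access (-672)]
Log Data: Error writing user's OAuth token revocation entries to trust store.
internal.atlaslite.jcce.exception.CoreExceptionWithOutcome: Error writing instance data for 'cn=PRXIGADEV,ou=Employees,ou=Active,ou=Identities,ou=Meta,o=VCC'
"""

# Standard LDAP result codes (RFC 4511, Appendix A) that separate the two causes
# in Steven's answer: schema extension missing versus rights missing.
SCHEMA_CODES = {16: "noSuchAttribute", 17: "undefinedAttributeType", 65: "objectClassViolation"}
RIGHTS_CODES = {50: "insufficientAccessRights"}

ERR_RE = re.compile(r"Error while modifying an LDAP object: .*?\[LDAP: error code (\d+) - ([^\]]*)\]")
ATTR_RE = re.compile(r"^\s*Attributes: (\S+)", re.M)
DN_RE = re.compile(r"Error writing instance data for '([^']+)'")

def triage_osp_log(text):
    """Classify the first failed LDAP modify in an osp-idm.log excerpt."""
    m = ERR_RE.search(text)
    if not m:
        return {"cause": "none", "detail": "no LDAP modify failure found"}
    code = int(m.group(1))
    attr = ATTR_RE.search(text)
    dn = DN_RE.search(text)
    result = {"ldap_code": code, "ldap_message": m.group(2).strip(),
              "attribute": attr.group(1) if attr else None,
              "user_dn": dn.group(1) if dn else None}
    if code in RIGHTS_CODES:
        # Cause (b): OSP's admin connection may not write the attribute on the user
        result["cause"] = "rights"
        result["detail"] = (f"OSP admin account lacks write rights to {result['attribute']} "
                            f"on {result['user_dn']}")
    elif code in SCHEMA_CODES:
        # Cause (a): the OSP attribute/class is unknown to the tree's schema
        result["cause"] = "schema"
        result["detail"] = f"{result['attribute']} is not in the tree's schema ({SCHEMA_CODES[code]})"
    else:
        result["cause"] = "other"
        result["detail"] = f"LDAP result {code}: {result['ldap_message']} (see RFC 4511 Appendix A)"
    return result
```

    Run it over the full osp-idm.log rather than the excerpt to confirm the same code appears on every failed login, which distinguishes a missing right from a one-off replica error.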

  • 0 in reply to   

    We have a fresh install of eDirectory 9.2.8 and IDM 4.8.7, and it is not working there. But if we move to IGA 3.7.3 it is working with eDirectory 9.2.5 and IDM 4.8.4, and both are on the same tree currently.

    Does extending the schema mean we need to run the ndssch functionality on eDirectory?

    I hope it should already be there.

    Can you guide me through the proper steps?