NNMi LDAP Issue

Hi Experts,

We have configured LDAP as per the doc, but unfortunately we are getting the below error although the port is open from the NNMi server. We have imported the LDAP cert as well.

2024-09-18 12:13:56.940 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) No ldap.properties file found
2024-09-18 12:13:56.946 INFO [com.hp.ov.nms.as.server.auth.NmsAuthConfigParser] (tomcat-exec-9) Loading configuration from /var/opt/OV/nmsas/NNM/conf/nms-auth-config.xml
2024-09-18 12:13:56.947 INFO [com.hp.ov.nms.as.ejb.auth.AuthTokenServiceBean] (tomcat-exec-9) Internal token provider is enabled
2024-09-18 12:13:56.949 INFO [com.hp.ov.nms.as.ejb.auth.InternalTokenProvider] (tomcat-exec-9) Loading issuer key from /var/opt/OV/nmsas/NNM/data/nms-idp/internal_ec.pub
2024-09-18 12:13:56.949 INFO [com.hp.ov.nms.as.ejb.auth.InternalTokenProvider] (tomcat-exec-9) Configured JWT validator using SHA256withECDSA with a 256 bit key
2024-09-18 12:13:56.949 INFO [com.hp.ov.nms.as.ejb.auth.AuthTokenServiceBean] (tomcat-exec-9) Initialized token validator f4ef3535a8ce8284f606aa7497cd0a8c14d77169 with algorithm SHA256withECDSA
2024-09-18 12:13:56.949 INFO [com.hpe.sw.nms.idp.services.oauth2.ClientsBean] (tomcat-exec-9) Loaded 1 clients
2024-09-18 12:13:56.950 INFO [com.hp.ov.nms.as.ejb.NmsCertificateValidatorServiceImpl] (tomcat-exec-9) Reloaded X.509 authentication handlers
2024-09-18 12:13:56.950 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) Legacy LDAP is not enabled
2024-09-18 12:13:56.950 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) Re-loading principal cache using multiconfig LDAP
2024-09-18 12:13:56.950 FINE [com.hp.ov.nms.topo.ejb.security.internal.ldap.LdapQueryServiceImpl] (tomcat-exec-9) Querying LDAP getGroupMembers
2024-09-18 12:13:56.954 TRACE [com.hp.ov.nms.as.server.security.NmsAsDbSecurity] (tomcat-exec-9) initialize
2024-09-18 12:13:56.954 TRACE [com.hp.ov.nms.as.server.security.NmsAsDbSecurity] (tomcat-exec-9) Security domain: EncryptDBPassword
2024-09-18 12:13:56.954 TRACE [com.hp.ov.nms.as.server.security.NmsAsDbSecurity] (tomcat-exec-9) login
2024-09-18 12:13:56.972 FINE [com.hp.ov.nms.topo.ejb.security.internal.ldap.LdapQueryServiceImpl] (tomcat-exec-9) Queried groups: []
2024-09-18 12:13:56.973 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) Loaded 0 users into the principal cache
2024-09-18 12:14:14.173 FINER [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Attempting to connect to LDAP server: ldaps://servername:636
2024-09-18 12:14:14.184 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636
2024-09-18 12:14:14.184 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) May not have found an available server or the action may have failed on this config. Action could not run in any server
2024-09-18 12:14:14.184 FINER [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Attempting to connect to LDAP server: ldaps://servername:636
2024-09-18 12:14:14.196 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636
2024-09-18 12:14:14.196 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) May not have found an available server or the action may have failed on this config. Action could not run in any server
2024-09-18 12:14:14.196 FINER [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Attempting to connect to LDAP server: ldaps://servername:636
2024-09-18 12:14:14.207 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636
2024-09-18 12:14:14.207 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) May not have found an available server or the action may have failed on this config: Action could not run in any server
2024-09-18 12:14:14.210 FINE [com.hp.ov.nms.topo.ejb.security.internal.ldap.LdapQueryServiceImpl] (tomcat-exec-11) Querying LDAP getGroupMembers
2024-09-18 12:14:14.211 FINE [com.hp.ov.nms.topo.ejb.security.internal.ldap.LdapQueryServiceImpl] (tomcat-exec-11) Queried groups: []

For security reasons I have removed the hostname and put a placeholder server name in its place.

NNMi Version: 24.2

OS: RHEL 9.x

Environment: Classic NNMi

Regards,

Pranav R N
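As an added example (not part of the post, and not an NNMi tool), a small Python parser for nnm-trace.log lines in the format quoted above: it counts LDAP connection attempts and failures per server URL, records the failure reason, and flags an empty principal cache. The log sample is constructed from the lines above and reuses the poster's "servername" placeholder.

```python
import re
from collections import Counter

# Constructed sample in the nnm-trace.log format quoted in the post above
# (hostname is the same "servername" placeholder the poster used).
SAMPLE_LOG = """\
2024-09-18 12:13:56.950 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) Re-loading principal cache using multiconfig LDAP
2024-09-18 12:13:56.973 INFO [com.hp.ov.nms.ui.ejb.ldap.LdapServiceImpl] (tomcat-exec-9) Loaded 0 users into the principal cache
2024-09-18 12:14:14.173 FINER [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Attempting to connect to LDAP server: ldaps://servername:636
2024-09-18 12:14:14.184 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636
2024-09-18 12:14:14.196 FINER [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Attempting to connect to LDAP server: ldaps://servername:636
2024-09-18 12:14:14.207 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636
"""

# One trace line: timestamp, level, [logger], (thread), free-text message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+) "
                     r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
ATTEMPT_RE = re.compile(r"Attempting to connect to LDAP server: (?P<url>\S+)")
FAIL_RE = re.compile(r"Unable to connect to server: (?P<url>\S+?), due to: (?P<reason>.*)")
LOADED_RE = re.compile(r"Loaded (?P<n>\d+) users into the principal cache")


def summarize_ldap(text):
    """Count connection attempts/failures per LDAP URL and flag an empty principal cache."""
    attempts, failures, reasons, users_loaded = Counter(), Counter(), set(), None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or "ldap" not in m["logger"].lower():
            continue  # skip unparseable lines and unrelated subsystems
        msg = m["msg"]
        if hit := ATTEMPT_RE.search(msg):
            attempts[hit["url"]] += 1
        elif hit := FAIL_RE.search(msg):
            failures[hit["url"]] += 1
            reasons.add(hit["reason"].strip())
        elif hit := LOADED_RE.search(msg):
            users_loaded = int(hit["n"])
    findings = [f"all {n} connection attempts to {url} failed"
                for url, n in attempts.items() if failures[url] == n]
    # A reason that is only host:port carries no TLS or certificate detail, so the
    # configured hostname deserves a check before the keystore does.
    findings += [f"failure reason is only '{r}'" for r in sorted(reasons)
                 if re.fullmatch(r"[\w.-]+:\d+", r)]
    if users_loaded == 0:
        findings.append("principal cache holds 0 users: no LDAP user can log in")
    return {"attempts": dict(attempts), "failures": dict(failures),
            "users_loaded": users_loaded, "findings": findings}
```

Point it at a real /var/opt/OV/log/nnm/nnm-trace.log (read into a string) to get the same summary for a live system.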


    Hello Pranav,

    Please check the reachability and certificate response with keytool:

    /opt/OV/nonOV/jdk/zulu/zulu8.72.0.17-ca-jdk8.0.382-linux_x64/bin/keytool -printcert -sslserver server:636

    Do you see the certificate?

    What is the output of "nnmldap.ovpl -diagnose <LDAP-User>"?

    Please share the active entries in /var/opt/OV/nmsas/NNM/conf/nms-auth-config.xml (anonymized).

    There are some very good KB articles, like support.microfocus.com/.../kmdoc.php, that might help.


    Best regards



    Allessandro Soloperto
    ITC GmbH - Senior Consultant
    If this answered your question, please mark it as "Suggest as Answer" or "Verify as Answer".
    If you found this response useful, please give it a "Like".


    Hi Allessandro,

    Thanks for the reply.

    Yes, I was able to connect successfully about an hour ago; it was a problem with the certificate and I managed to resolve that one.

    Now, after one hour, I just checked and am unable to log in. If I run the diagnose, it gives me the below error.

    Error: Exception trying to diagnose LDAP configuration

    Regards,

    Pranav R N


    Hi,

    Are you sure that your LDAP configuration file is correct? It seems it is not, because the diagnostic tool says: "Error: Exception trying to diagnose LDAP configuration".

    And one more point. Did you edit the log file before attaching it to the discussion? Did you replace the LDAP server name in it? If you didn't, then this points to an incorrect configuration:

    2024-09-18 12:14:14.207 FINE [com.hp.ov.nms.ldap.LdapServiceImpl] (tomcat-exec-11) Unable to connect to server: ldaps://servername:636, due to: servername:636

    my 2 cents,
    Gedas



    Hello Pranav,

    Please do a "tail -F /var/opt/OV/log/nnm/nnm-trace.log" and try to log in with an LDAP user on the NNM UI.

    Any error message?

    As I assume from the above, you are already able to enable tracing (nnmsetlogginglevel.ovpl), correct?

    Best regards



    Allessandro Soloperto
    ITC GmbH - Senior Consultant