
How to configure LDAP Integration for uCMDB 10.00

Hi,

Please help me on this ..........

Thanks in advance......


  • Hi,

     

    I have it working nicely here so what's your issue? Did you look at the examples in the help?

     

    gr,

    Ronald

  • To check the examples, please go to Help -> UCMDB Help from the main menu. Choose search and look for "Configure LDAP for Active Directory" or "LDAP Mapping". Let us know what went wrong in your case.

  • Good day all.

    I have the same problem setting up the LDAP integration on uCMDB 10.

    I have gone through all the help files on uCMDB itself but didn't find anything of extra use in resolving my issue.

    The issue I have is that it seems that uCMDB can log in to the LDAP & get all the user info in the logs, but can't pull the info through to the uCMDB gui, in order for me to do the group mappings.

    The error I get in the logs is:

    "returned as a result of a groups search, is not of type ldapGroup or dynamic ldapGroup"

    The groups search filter and root groups filter are as follows:

    (|(objectclass=top)(objectclass=domain)(objectclass=organizationalUnit)(objectclass=person)(objectclass=user)(objectclass=organizationalPerson)(objectclass=groupOfURLs)(objectclass=memberURL))

    I can unfortunately not display the OU, CN & DN details of the company, but the Group Base DN is :

    DC=(country),DC=(domain),DC=(local),DC=com

    Root Groups Base DN is:

    OU=(group),OU=(company),DC=(country),DC=(domain),DC=(local),DC=com

    An interesting thing I noticed is that the group we use doesn't have a group objectclass attribute.

    Will this be the issue?

    Any help would be appreciated.

    Thank you,
    Wynand De Beer.
  • Hi,

    There are several types of groups in LDAP. Only ldapGroup or dynamic ldapGroup are supported. Please contact your LDAP administrator to clarify this.

     

  • Hi Dima.

     

    I have confirmed with the LDAP administrator that the environment does have ldapgroups & dynamic ldapgroups. He has given me one of those groups to test again.

     

    But I get the same problem: I can "see" the Group, but the users of that group don't display, only a blank page is returned.

     

    Here's an excerpt from the log:

     

    2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering findUsersInGroup with the following parameters: groupName = {Test group name}, userAttributeNames = [Ljava.lang.String;@d34408f, filternull
    2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering findUsersAndGroups with the following parameters: groupName = {Test group name}, userAttributeNames = [Ljava.lang.String;@d34408f, depth = 1, filternull
    2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering createConnectionAndConnect with the following parameters: com.hp.sw.bto.ast.security.uum.UserManagementLDAPConfiguration@617a730e
    2013-04-16 07:12:42,841 [qtp1200648207-3386] - >>> Exiting createConnectionAndConnect with the connection
    2013-04-16 07:12:42,841 [qtp1200648207-3386] - Calling LDAP search with the following parameters: base = DC=country,DC=area,DC=domain,DC=com, scope2, filter = (&(&(objectClass=*)(name=*))(&(objectClass = group)(name = {Correct Group name was returned}))), searchAttributes = [name, memberOf, name, description, objectclass], attrsOnly = false
    2013-04-16 07:12:42,842 [qtp1200648207-3386] - Received the LDAP result set of the size = 1
    2013-04-16 07:12:42,842 [qtp1200648207-3386] - LDAP entry from result set (will be ignored if not of group type): LDAPEntry: CN=group name,OU=Distribution Groups,OU=Groups,OU=company,DC=country,DC=area,DC=domain,DC=com; LDAPAttributeSet: LDAPAttribute {type='objectClass', values='top,group'} LDAPAttribute {type='name', values='Correct group name'}

     

    What could be the problem?

     

    Thank you.

     

    Kind regards,

     

    Wynand.

  • Hi.

     

    We have successfully integrated with LDAP.

     

    The problem was that our specified attributes didn't match the attributes of the LDAP system. And our search filter for users had incorrect syntax.

     

    Thank you.

  • Hi Dear,

    I am also trying to integrate UCMDB with LDAP. I have executed all the steps (Administration->Infrastructure Settings Maps) mentioned in the user manual, but when I click on security LDAP Mapping I get the following message: LDAP is not configured correctly....

    Can you please tell me what else I have to do?

     

     

  • If you have any spaces in your OUs, group names, etc., they need to be replaced with \20.

     

    For example here is what our setup looks like: (Some info filtered).

    If you notice though, the LDAP Search User does not need the spaces replaced. Neither does the User filter if you have spaces.

     

     

    Users object class      user   
    Is case-sensitivity enforced in LDAP authentication     false  
    Groups member attribute member 
    Distinguished Name (DN) Resolution      true   
    Root Group Filter       (&(objectClass=group)(CN=*))   
    LDAP connection string  ldaps://ldaps.dd.dd.ca:3269/??sub     
    LDAP Search User        cn=srv.opsware.ad,OU=Tools and Automation,OU=ddt Users,dc=dd,dc=dd,dc=dd,dc=dd,dc=ca      
    Group class object      group  
    Use bottom up algorithm for find parent groups  false  
    UUID attribute  sAMAccountName 
    Groups name attribute   name   
    Group Base Filter       (&(objectClass=group)(CN=*))   
    Users filter   (&(sAMAccountName=*)(objectClass=user)(sAMAccountType=805306368)(memberof=CN=ALL_UCMDB_USERS,OU=UCMDB,OU=Tools and Automation,OU=ddt Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca))
    Search Retries Count    5      
    Groups display name attribute   name   
    Root groups scope       sub    
    User display name attribute     sAMAccountName 
    Scope for groups search sub    
    Enable LDAP authentication      true   
    Enable LDAP synchronization     true   
    Root Group      OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca 
    Group Base      OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca 
    Default Group          
    Groups description attribute    description    
  • Why have you written such a long value for the Users filter attribute? Was only (&(sAMAccountName=*)(objectClass=user) not enough? What's the reason?

     

  • We have over 60000 users in our LDAP (AD)

     

    The reason I use the memberOf filter is to allow only users that we place into a certain group to log into ucmdb.

    This way, the users can be in any OU, but we restrict access based on that one group.

     

    I've gotten into the habit of doing this since some applications like to cache all users that match a filter.

    This becomes a problem when dealing with our size of environment.

     

    D
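
An added example, not part of any post in this thread and not uCMDB code: a small evaluator for a subset of LDAP filter syntax, run over constructed sample entries. It shows that the OR-of-objectclass group filter quoted earlier matches every entry, while `(&(objectClass=group)(CN=*))` and a memberOf users filter narrow the result, and that an unbalanced filter is rejected. The DNs and entries are constructed, and matching is simplified to case-insensitive string comparison.

```python
import re

def _node(s, i):
    """Parse one RFC 4515 node at s[i] (subset: & | ! equality presence, hex escapes)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids:
            raise ValueError(f"unbalanced or empty '{op}' at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:max(end, i)].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed item at offset {i}")
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-case attr -> values)."""
    if node[0] in ("&", "|"):
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    have = [v.lower() for v in entry.get(node[1], [])]
    return bool(have) if node[2] == "*" else node[2] in have

def select(filter_text, entries):
    tree, pos = _node(filter_text, 0)
    if pos != len(filter_text):
        raise ValueError("unexpected text after filter")
    return [e["name"][0] for e in entries if matches(tree, e)]

GRP = "CN=ALL_UCMDB_USERS,OU=UCMDB,DC=example,DC=com"  # constructed DN
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [  # constructed sample entries, not taken from the thread
    {"name": ["alice"], "objectclass": USER, "samaccountname": ["alice"], "memberof": [GRP]},
    {"name": ["bob"], "objectclass": USER, "samaccountname": ["bob"]},
    {"name": ["ALL_UCMDB_USERS"], "cn": ["ALL_UCMDB_USERS"], "objectclass": ["top", "group"]},
    {"name": ["UCMDB"], "objectclass": ["top", "organizationalUnit"]},
]
BROAD = "(|(objectclass=top)(objectclass=domain)(objectclass=organizationalUnit)(objectclass=person)(objectclass=user)(objectclass=organizationalPerson)(objectclass=groupOfURLs)(objectclass=memberURL))"
ROOT_GROUP = "(&(objectClass=group)(CN=*))"
USERS_FILTER = f"(&(sAMAccountName=*)(objectClass=user)(memberof={GRP}))"
```

Calling `select(BROAD, ENTRIES)` returns all four names, `select(ROOT_GROUP, ENTRIES)` only the group, and `select(USERS_FILTER, ENTRIES)` only the user who is a member of the group.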