Active Directory LDAP Authentication

I've tried to configure the UCMDB to enable LDAP authentication for Active Directory, but I'm unable to log on once I set "Remote users repository mode" to "true". I can still log on using the local sysadmin UCMDB account, but any other account gives me "Authentication failed".

I think I'm close as I have 3 different Active Directory groups showing up under Security, LDAP Mapping. They are UCMDB_Admins, UCMDB_SuperAdmins, UCMDB_Viewers. Each of these groups is associated with a corresponding group in the UCMDB (i.e. UCMDB_Admins has Admins in the select groups window).

I have one user in the UCMDB_SuperAdmins group in Active Directory and still can't log on with that user ID.

Here are the settings for the 4 LDAP categories. I've changed a couple for the purpose of posting them here.

*** deprecated *** Security Protocol:
Automatically assigned user group:
Enable User Permissions Synchronization: TRUE
Is case-sensitivity enforced when authenticating with LDAP: FALSE
LDAP Server URL: ldap://somedc.its.corp.gwl.com:389/??sub
LDAP vendor type: Microsoft Active Directory
Remote users repository mode: TRUE
Use bottom up algorithm for finding parent groups from the LDAP server.: FALSE
Users filter: (&(objectClass=person)(objectClass=user))

Distinguished Name (DN) Resolution: TRUE
Distinguished Name of Search-Entitled User: CN=Some\,\20User,OU=SOMEORG,OU=ORG\20Users,DC=its,DC=corp,DC=gwl,DC=com
Password of Search-Entitled User: *********
Search Retries Count: 5

Groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Groups search filter: (&(objectClass=group)(CN=UCMDB*))
Root groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Root groups filter: (&(objectClass=group)(CN=UCMDB*))
Root groups scope: sub
Scope for groups search: sub

Group class object: group
Groups description attribute: description
Groups display name attribute: cn
Groups member attribute: member
Groups name attribute: cn
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName

Any suggestions on what to try next?

Thanks.
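Added example, not code from this thread or from UCMDB itself: a small Python script that decodes the values posted above, splitting the LDAP Server URL into its RFC 4516 fields, decoding the RFC 4514 escapes in the search-entitled user's DN (`\,` and `\20`), and building the filter a lookup by the UUID attribute would send with the login escaped per RFC 4515. How UCMDB combines these settings internally is an assumption of the example; what the script shows for certain is what the posted values decode to, for instance that the URL carries an empty DN component and a `sub` scope.

```python
import re
from urllib.parse import unquote

# RFC 4516 shape: scheme://host[:port]/[dn[?attrs[?scope[?filter]]]]
_LDAP_URL = re.compile(r"^(ldaps?)://([^/]+)/?(.*)$")


def parse_ldap_url(url):
    """Split an LDAP URL into its fields; empty fields get the RFC 4516 defaults."""
    m = _LDAP_URL.match(url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, hostport, rest = m.groups()
    host, _, port = hostport.partition(":")
    dn, attrs, scope, flt = (unquote(f) for f in (rest.split("?") + [""] * 4)[:4])
    return {"scheme": scheme, "host": host,
            "port": int(port) if port else (636 if scheme == "ldaps" else 389),
            "base_dn": dn, "attributes": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": flt or "(objectClass=*)"}


def parse_dn(dn):
    """RFC 4514: split on unescaped commas, decoding \\X and \\HH (UTF-8 byte) escapes."""
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", nxt):
                buf.append(int(nxt, 16))    # \20 -> one raw byte (a space here)
                i += 3
            else:
                buf += dn[i + 1].encode()   # \, \= \+ etc. -> the literal character
                i += 2
        elif c == ",":
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
            i += 1
        else:
            buf += c.encode()
            i += 1
    rdns.append(buf.decode("utf-8"))
    return [tuple(r.split("=", 1)) for r in rdns]


def escape_filter_value(value):
    """RFC 4515: escape the characters that would change a filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_lookup_filter(users_filter, uuid_attribute, login):
    """AND the configured 'Users filter' with an equality match on the UUID attribute
    (assumption: this is the shape of lookup a user-exists check would issue)."""
    return "(&%s(%s=%s))" % (users_filter, uuid_attribute, escape_filter_value(login))
```

Running `parse_ldap_url` on the posted URL returns an empty `base_dn`, and `parse_dn` on the posted DN yields `("CN", "Some, User")` as its first RDN, which is a quick way to confirm the escaped values really are what you intended before testing a bind.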

  • Hello,

    Are you having issues only with this user from UCMDB_SuperAdmins? Are you able to log in using users from the other two groups?

    Please could you log in to the jmx-console of uCMDB and follow these steps:

    • Go to UCMDB:service=LDAP Services
    • Invoke getLDAPGroupUsers with the group you want to test (UCMDB_SuperAdmins)
    • Let us know if you see the user in the output
    • Invoke verifyLDAPCredentials with the user/password of the user
    • Let us know the result

    Please could you also verify that you don't have a user in uCMDB with the same name. If that is the case, let me know if the user has "Server administrator privileges" enabled.

    Regards,

    Rosario Balmaceda

  • Hi.

    getLDAPGroupUsers shows me the single user in the UCMDB_SuperAdmins group. This worked.

    verifyLDAPCredentials failed when I put in the user ID and password.

    I don't have any users in the other two groups (UCMDB_Viewers and UCMDB_Admins) yet.

    Not sure if these other JMX commands work as I expect. But when I try isLdapGroupExists with UCMDB_SuperAdmins, it comes back 'true', which seems good. When I try isLdapUserExists with my user ID, it comes back 'false'. I assume this indicates a problem?

    Any other suggestions?

    Thanks.

  • Also, when I'm in the UCMDB admin console (Security, LDAP Mapping), select the group UCMDB_SuperAdmins and click the "Show Users" button at the top, a list comes back with the correct single user from the Active Directory group. So it seems to see the user from Active Directory after all.
