Active Directory LDAP Authentication

I've tried to configure the UCMDB to enable LDAP authentication for Active Directory, but I'm unable to log on once I set "Remote users repository mode" to "true". I can still log on using the local sysadmin UCMDB account, but any other account gives me "Authentication failed".

I think I'm close as I have 3 different Active Directory groups showing up under Security, LDAP Mapping. They are UCMDB_Admins, UCMDB_SuperAdmins, UCMDB_Viewers. Each of these groups is associated with a corresponding group in the UCMDB (i.e. UCMDB_Admins has Admins in the select groups window).

I have one user in the UCMDB_SuperAdmins group in Active Directory and still can't log on with that user ID.

Here are the settings for the 4 LDAP categories. I've changed a couple for the purpose of posting them here.

*** deprecated *** Security Protocol: 
Automatically assigned user group: 
Enable User Permissions Synchronization: TRUE
Is case-sensitivity enforced when authenticating with LDAP: FALSE
LDAP Server URL: ldap://somedc.its.corp.gwl.com:389/??sub
LDAP vendor type: Microsoft Active Directory
Remote users repository mode: TRUE
Use bottom up algorithm for finding parent groups from the LDAP server.: FALSE
Users filter: (&(objectClass=person)(objectClass=user))

Distinguished Name (DN) Resolution: TRUE
Distinguished Name of Search-Entitled User: CN=Some\,\20User,OU=SOMEORG,OU=ORG\20Users,DC=its,DC=corp,DC=gwl,DC=com
Password of Search-Entitled User: *********
Search Retries Count: 5

Groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Groups search filter: (&(objectClass=group)(CN=UCMDB*))
Root groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Root groups filter: (&(objectClass=group)(CN=UCMDB*))
Root groups scope: sub
Scope for groups search: sub

Group class object: group
Groups description attribute: description
Groups display name attribute: cn
Groups member attribute: member
Groups name attribute: cn
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName

Any suggestions on what to try next?

Thanks.

  • Hello,

    Are you having issues only with this user from UCMDB_SuperAdmins? Are you able to log in using users from the other two groups?

    Please could you log in to the jmx-console of uCMDB and follow these steps:

    • Go to UCMDB:service=LDAP Services
    • Invoke getLDAPGroupUsers with the group you want to test (UCMDB_SuperAdmins)
    • Let us know if you see the user in the output
    • Invoke verifyLDAPCredentials with the user/password of the user
    • Let us know the result

    Please could you also verify that you don't have a user in uCMDB with the same name. If that is the case, let me know if the user has "Server administrator privileges" enabled.

    Regards,

    Rosario Balmaceda

  • Hi.

    getLDAPGroupUsers shows me the single user in the UCMDB_SuperAdmins group. This worked.

    verifyLDAPCredentials failed when I put in the user ID and password.

    I don't have any users in the other two groups (UCMDB_Viewers and UCMDB_Admins) yet.

    Not sure if these other JMX commands work as I expect. But when I try isLdapGroupExists with UCMDB_SuperAdmins, it comes back 'true', which seems good. When I try isLdapUserExists with my user ID, it comes back 'false'. I assume this indicates a problem?

    Any other suggestions?

    Thanks.

  • Also, when I'm in the UCMDB admin console, Security, LDAP Mapping, select the group UCMDB_SuperAdmins, click the "Show Users" button at the top, a list comes back with the correct single user in the Active Directory group.  So it seems to see the user after all from Active Directory.

  • Hello,

    Do you have Softerra or any other tool to search the LDAP server? It seems that the user doesn't match the configuration you are using. You need to verify the attributes of that user and map them to the settings you are using. From the configuration that you sent, these are the settings:

    Users filter: (&(objectClass=person)(objectClass=user))
    User display name attribute: name
    Users object class: user
    UUID attribute: sAMAccountName

    Please verify that the user has both attributes objectClass=person and objectClass=user. Did you also check if a local user exists in uCMDB with the same name?

    Regards,

    Rosario Balmaceda

  • I have verified with ADSI Edit that the user has both 'user' and 'person' as attributes of objectClass.

    Also, this user ID does not exist in the UCMDB.

    When testing with isLdapUserExists or actually logging on to the console with my Active Directory account, should I simply be putting in the user ID without the domain or distinguished name? I've tried several formats, but get the same results.

  • Hello,

    You need to use the value of the attribute sAMAccountName to log in. Please could you also add this condition to UserFilter: (sAMAccountName=*). You are using only the condition on the objectClass attribute. As you can see, the default value for UserFilter is:

    (&(sAMAccountName=*)(objectclass=user))

    If that doesn't work, please enable debug logging by changing this:

    1) Log in to the uCMDB server
    2) Edit the file security.properties under \hp\UCMDB\UCMDBServer\conf\log and modify the following line:

       from:
           loglevel.cm=INFO
       to:
           loglevel.cm=DEBUG

    3) Reproduce the issue
    4) Send me these logs: security.log, security.cm.log, security.lwsso.log and error.log

    Regards,

    Rosario Balmaceda
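The users filters and the groups filter quoted in this thread, evaluated offline against constructed AD-style entries. This is an added example, not UCMDB code or the poster's directory data: the entries (including the attributes of the test account 'nalu') are assumed, and the evaluator implements only the RFC 4515 subset these filters use (AND, NOT, equality, presence and the '*' substring wildcard).

```python
import fnmatch

# Constructed AD-style entries (hypothetical values, not taken from the thread's directory).
NALU = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["nalu"],
}
SUPERADMINS = {"objectClass": ["top", "group"], "cn": ["UCMDB_SuperAdmins"]}
DOMAIN_USERS = {"objectClass": ["top", "group"], "cn": ["Domain Users"]}

def _split_top_level(s):
    """Split '(a)(b)' into ['(a)', '(b)'], honouring nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def matches(entry, flt):
    """True if entry satisfies the filter (AND, NOT, equality, presence, '*' substring)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % flt)
    body = flt[1:-1]
    if body[:1] == "&":
        return all(matches(entry, sub) for sub in _split_top_level(body[1:]))
    if body[:1] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    # LDAP attribute names are case-insensitive, so 'objectclass' finds 'objectClass'.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                       # presence filter, e.g. (sAMAccountName=*)
        return bool(values)
    # AD compares these values case-insensitively; '*' inside a value is a substring wildcard.
    return any(fnmatch.fnmatchcase(v.lower(), value.lower()) for v in values)

def thread_filter_results():
    """Evaluate the users and groups filters quoted in the thread against the entries above."""
    return {
        "nalu_posted_users_filter": matches(NALU, "(&(objectClass=person)(objectClass=user))"),
        "nalu_default_users_filter": matches(NALU, "(&(sAMAccountName=*)(objectclass=user))"),
        "superadmins_groups_filter": matches(SUPERADMINS, "(&(objectClass=group)(CN=UCMDB*))"),
        "domain_users_groups_filter": matches(DOMAIN_USERS, "(&(objectClass=group)(CN=UCMDB*))"),
    }
```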

  • Ok, I've tried to log on twice with the test account 'nalu'. And I've attached the logs. But I couldn't find the log file security.lwsso.log on my server.

    logs.zip