HP uCMDB 10.0 integration issue with MS Active Directory

Hi Experts,

 

I was working on the integration between HP uCMDB 10.0 and MS Active Directory. However, I could not integrate the two products successfully.

 

I have put the LDAP server url in a form as stated in the example :-- ldap://<ldapHost>:<port>/<baseDN>??scope

 

My question is: what does "scope" mean?

 

Please share the info.

 

Regards,

Sanjeev

  • Hi,

    The question is not related to UCMDB.

    Following was taken from http://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html:

     

    Query Components in a URL

    With the exception of the DirContext.search()  methods, when an LDAP or LDAPS URL is passed as a name to the initial context, the URL should not contain any query ('?') components. If it does, then an InvalidNameException  is thrown by the LDAP service provider.

    For the search() methods, if a URL contains query components, then all other arguments (including the filter and SearchControls ) are ignored. The query components of the URL and its defaults are used instead. For example, if an LDAP URL containing a scope component is supplied, then that scope overrides any scope setting that is passed in an argument. If the URL contains other query components but not the scope, then the LDAP URL's default scope ("base object") is used.

    Here is an example that performs a subtree search by using a filter of "(sn=Geisel)".

    // Perform the search by using URL
    NamingEnumeration answer = ctx.search(
        "ldap://localhost:389/ou=People,o=JNDITutorial??sub?(sn=Geisel)",
        "" /* ignored */,
        null /* ignored */);

    If you won't be sharing the details on the forum, opening a support case will be the shortest way to go.
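
The URL layout discussed in this answer, as an added example that is not part of the original post: a small Python parser for the RFC 4516 form `ldap://host:port/baseDN?attributes?scope?filter`, which accepts only the scope keywords `base`, `one` and `sub` and falls back to `base` when the scope is empty. The function name `parse_ldap_url` and the address 192.0.2.10 are constructed for illustration.

```python
from urllib.parse import unquote

VALID_SCOPES = ("base", "one", "sub")        # the only scope keywords in RFC 4516
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_ldap_url(url):
    """Split an LDAP URL into its parts; raise ValueError on a bad scope."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError("expected an ldap:// or ldaps:// URL")
    hostport, _, tail = rest.partition("/")
    host, port = hostport, ""
    if ":" in hostport and not hostport.endswith("]"):  # "]" ends a bare IPv6 literal
        host, _, port = hostport.rpartition(":")
    # After the base DN come up to four '?'-separated query components:
    # attributes ? scope ? filter ? extensions
    fields = tail.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, flt, _ext = (unquote(f) for f in fields)
    scope = scope.lower() or "base"          # an empty scope means "base"
    if scope not in VALID_SCOPES:
        raise ValueError(f"invalid scope {scope!r}: use one of {VALID_SCOPES}")
    return {
        "tls": scheme == "ldaps",            # ldaps:// wraps the connection in TLS
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS[scheme],
        "base_dn": dn,
        "attributes": attrs.split(",") if attrs else [],
        "scope": scope,
        "filter": flt or "(objectClass=*)",  # RFC 4516 default filter
    }

if __name__ == "__main__":
    samples = [  # constructed inputs modelled on the URLs in this thread
        "ldap://localhost:389/ou=People,o=JNDITutorial??sub?(sn=Geisel)",
        "ldap://192.0.2.10:389/cn=Users,dc=domain,dc=com??scope",
    ]
    for s in samples:
        try:
            print(parse_ldap_url(s))
        except ValueError as err:
            print(s, "->", err)
```
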

  • Hi Dima, Thanks for the post.

     

    I got stuck on the HP uCMDB and MSAD integration part. Followed the OTB example and configured HP uCMDB as shown below:

     

     

    LDAP Server Url:--  ldap://<server_ip>:389/cn=Users,dc=domain,dc=com??scope

    Groups Base DN:--  cn=Users,dc=domain,dc=com

    Root groups base DN:-- cn=Users,dc=domain,dc=com

     

    and left the other fields as they are.

     

    Now when I go to Security and click LDAP Mapping I am greeted with an error : LDAP is not configured correctly.

     

    Please share your idea on this.

     

    Thanks,

    Sanjeev

     

     

  • My suggestion is to start by installing Softerra LDAP Browser http://www.ldapbrowser.com/download.htm (or any other LDAP browser) on the UCMDB server and try to connect with the external tool using the URL and credentials provided by your LDAP admin.

    Once you have a successful connection, this will work for you in UCMDB as well.

  • Hey thanks for the quick response.

     

    I will download the LDAP Browser from the link posted by you and carry out the integration with the LDAP parameters.

     

    Thanks,

    Sanjeev

  • Hello,

     

    Here you can find a similar topic:

     http://h30499.www3.hp.com/t5/CMS-and-Discovery-Support-and/How-to-configure-LDAP-Integration-for-uCMDB-10-00/td-p/6004261

     

    Also, if LDAP has to be configured using the SSL protocol (you mention security), below is an example.

    If the number of your AD accounts is quite big, a more specific filter is needed as a query when you want to map only specific AD security groups to uCMDB groups:

     

    Example from the link above:

     

    ===

    Users object class      user   
     
    Is case-sensitivity enforced in LDAP authentication     false  
     
    Groups member attribute member 
     
    Distinguished Name (DN) Resolution      true   
     
    Root Group Filter       (&(objectClass=group)(CN=*))   
     
    LDAP connection string  ldaps://ldaps.dd.dd.ca:3269/??sub     
     
    LDAP Search User        cn=srv.opsware.ad,OU=Tools and Automation,OU=ddt Users,dc=dd,dc=dd,dc=dd,dc=dd,dc=ca      
     
    Group class object      group  
     
    Use bottom up algorithm for find parent groups  false  
     
    UUID attribute  sAMAccountName 
     
    Groups name attribute   name   
     
    Group Base Filter       (&(objectClass=group)(CN=*))   
     
    Users filter   (&(sAMAccountName=*)(objectClass=user)(sAMAccountType=805306368)(memberof=CN=ALL_UCMDB_USERS,OU=UCMDB,OU=Tools and Automation,OU=ddt Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca))
     
    Search Retries Count    5      
     
    Groups display name attribute   name   
     
    Root groups scope       sub    
     
    User display name attribute     sAMAccountName 
     
    Scope for groups search sub   
     
    Enable LDAP authentication      true   
     
    Enable LDAP synchronization     true   
     
    Root Group      OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca
     
    Group Base      OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca

     ===

     

     

    Another useful free LDAP browser is Apache Directory Studio:

    http://directory.apache.org/studio/

     

     

    HTH,

     

    Konstantin

  • Thanks, guys, for the reply.

    But it seems like I am missing some steps or doing it wrong. I am still stuck with the issue. Maybe I have to raise a ticket with HP Support for this.

     

    Thanks,

    Sanjeev
