Absent Member..

Active Directory LDAP Authentication

I've tried to configure the UCMDB to enable LDAP authentication for Active Directory, but I'm unable to logon once I set "Remote users repository mode" to "true".  I can still logon using the local sysadmin UCMDB account, but any other account gives me "Authentication failed".

I think I'm close as I have 3 different Active Directory groups showing up under Security, LDAP Mapping.  They are UCMDB_Admins, UCMDB_SuperAdmins, UCMDB_Viewers.  Each of these groups is associated with a corresponding group in the UCMDB (i.e. UCMDB_Admins has Admins in the select groups window).

I have one user in the UCMDB_SuperAdmins group in Active Directory and still can't logon with that user ID.

Here are the settings for the 4 LDAP categories.  I've changed a couple for the purpose of posting them here.

*** deprecated *** Security Protocol: 
Automatically assigned user group: 
Enable User Permissions Synchronization: TRUE
Is case-sensitivity enforced when authenticating with LDAP: FALSE
LDAP Server URL: ldap://somedc.its.corp.gwl.com:389/??sub
LDAP vendor type: Microsoft Active Directory
Remote users repository mode: TRUE
Use bottom up algorithm for finding parent groups from the LDAP server.: FALSE
Users filter: (&(objectClass=person)(objectClass=user))
 
Distinguished Name (DN) Resolution: TRUE
Distinguished Name of Search-Entitled User: CN=Some\,\20User,OU=SOMEORG,OU=ORG\20Users,DC=its,DC=corp,DC=gwl,DC=com
Password of Search-Entitled User: *********
Search Retries Count: 5
 
Groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Groups search filter: (&(objectClass=group)(CN=UCMDB*))
Root groups base DN: DC=its,DC=corp,DC=gwl,DC=com
Root groups filter: (&(objectClass=group)(CN=UCMDB*))
Root groups scope: sub
Scope for groups search: sub
 
Group class object: group
Groups description attribute: description
Groups display name attribute: cn
Groups member attribute: member
Groups name attribute: cn
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName

Any suggestions on what to try next?

Thanks.

11 Replies

Micro Focus Frequent Contributor

Re: Active Directory LDAP Authentication

Hello,

Are you having issues only with this user from UCMDB_SuperAdmins? Are you able to login using users from the other two groups?

Please could you login to the jmx-console of uCMDB and follow these steps:

  • Go to UCMDB:service=LDAP Services
  • Invoke getLDAPGroupUsers with the group you want to test (UCMDB_SuperAdmins)
  • Let us know if you see the user in the output
  • Invoke verifyLDAPCredentials with the user/password of the user
  • Let us know the result

Please could you also verify that you don’t have a user in uCMDB with the same name. If that is the case, let me know if the user has "Server administrator privileges" enabled.

Regards,

Rosario Balmaceda

Absent Member..

Re: Active Directory LDAP Authentication

Hi.

getLDAPGroupUsers shows me the single user in the UCMDB_SuperAdmins group.  This worked.

verifyLDAPCredentials failed when I put in the user ID and password.

I don't have any users in the other two groups (UCMDB_Viewers and UCMDB_Admins) yet.

Not sure if these other JMX commands work as I expect.  But when I try isLdapGroupExists with UCMDB_SuperAdmins, it comes back 'true' which seems good.  When I try isLdapUserExists with my user ID, it comes back 'false'.  I assume this indicates a problem?

Any other suggestions?

Thanks.

Absent Member..

Re: Active Directory LDAP Authentication

Also, when I'm in the UCMDB admin console, Security, LDAP Mapping, select the group UCMDB_SuperAdmins, click the "Show Users" button at the top, a list comes back with the correct single user in the Active Directory group.  So it seems to see the user after all from Active Directory.

Micro Focus Frequent Contributor

Re: Active Directory LDAP Authentication

Hello,

Do you have Softerra or any other tool to search the ldap server? Seems that the user doesn’t map the configuration you are using. You need to verify the attributes of that user and map the settings you are using. From the configuration that you sent these are the settings:

Users filter: (&(objectClass=person)(objectClass=user))
User display name attribute: name
Users object class: user
UUID attribute: sAMAccountName

Please verify that the user has both attributes objectClass=person and objectClass=user. Did you also check if a local user exists in uCMDB with the same name?

Regards,

Rosario Balmaceda

Absent Member..

Re: Active Directory LDAP Authentication

I have verified with ADSI Edit that the user has both 'user' and 'person' as attributes of objectClass.

Also, this user ID does not exist in the UCMDB.

When testing with isLdapUserExists or actually logging on to the console with my Active Directory account, should I simply be putting in the user ID without the domain or distinguished name?  I've tried several formats, but get the same results.

Micro Focus Frequent Contributor

Re: Active Directory LDAP Authentication

Hello,

You need to use the value of the attribute sAMAccountName to login. Please could you also add this condition to UserFilter: (sAMAccountName=*). You are using only the condition in the objectclass attribute. If you see the default value for UserFilter is:

(&(sAMAccountName=*)(objectclass=user))

If that doesn’t work please enable the debug changing this:

1) Login to the uCMDB server

2) Edit the file security.properties under \hp\UCMDB\UCMDBServer\conf\log and modify the following line:

      from:
              loglevel.cm=INFO
      to:
              loglevel.cm=DEBUG

3) Reproduce the issue

4) Send me these logs: security.log, security.cm.log, security.lwsso.log and error.log

Regards,

Rosario Balmaceda
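The filters discussed in this exchange can be checked offline before touching the UCMDB settings. The block below is an added example, not UCMDB's or Micro Focus's code: a small evaluator for the RFC 4515 filter subset used in this thread (AND, OR, NOT, equality, presence and substring assertions; escaped values are not handled), run over constructed entries modelled on AD objects. It assumes AD's case-insensitive matching for attribute names and for the objectClass, cn and sAMAccountName values. It shows that the poster's user filter and the default one both admit a normal user because objectClass is multi-valued, that (objectClass=person) on its own also admits a contact object that has no sAMAccountName for a login name to match against, and which entries the group filter (&(objectClass=group)(CN=UCMDB*)) picks up.

```python
"""Tiny LDAP search-filter evaluator (added example, not part of UCMDB).

Supports the subset of RFC 4515 used in this thread: AND (&), OR (|),
NOT (!), equality, presence (attr=*) and substring (attr=UCMDB*) assertions.
Attribute names and values are compared case-insensitively, which models
how Active Directory treats objectClass, cn and sAMAccountName.
"""


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', [children]) or
    ('=', attribute, value) nodes."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only '=' assertions are supported")
        pos = end + 1
        return ("=", attr.strip(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return node


def _values(entry, attr):
    """Case-insensitive attribute lookup; every attribute is a list of values."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []


def _substring(pattern, value):
    """RFC 4515 substring match: '*' separates initial/any/final pieces."""
    pieces = pattern.split("*")
    if len(pieces) == 1:
        return pattern == value
    if not value.startswith(pieces[0]) or not value.endswith(pieces[-1]):
        return False
    pos = len(pieces[0])
    for piece in pieces[1:-1]:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= len(value) - len(pieces[-1])


def matches(node, entry):
    """Return True when the parsed filter admits the entry."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    present = _values(entry, attr)
    if value == "*":  # presence assertion: any value at all
        return bool(present)
    return any(_substring(value.lower(), v) for v in present)


def select(filter_text, entries):
    """Names of the entries a filter admits, in dictionary order."""
    node = parse_filter(filter_text)
    return [name for name, entry in entries.items() if matches(node, entry)]


# Constructed entries modelled on AD objects. objectClass is multi-valued,
# which is why one user satisfies both objectClass=person and objectClass=user.
ENTRIES = {
    "user": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["nalu"],
        "userPrincipalName": ["nalu@its.corp.gwl.com"],
        "name": ["Test User"],
    },
    "contact": {  # a contact is a person but carries no sAMAccountName
        "objectClass": ["top", "person", "organizationalPerson", "contact"],
        "name": ["External Contact"],
    },
    "ucmdb_group": {"objectClass": ["top", "group"], "cn": ["UCMDB_SuperAdmins"]},
    "other_group": {"objectClass": ["top", "group"], "cn": ["Domain Users"]},
}

POSTER_USER_FILTER = "(&(objectClass=person)(objectClass=user))"
DEFAULT_USER_FILTER = "(&(sAMAccountName=*)(objectclass=user))"  # default quoted in the reply
GROUP_FILTER = "(&(objectClass=group)(CN=UCMDB*))"

if __name__ == "__main__":
    for f in (POSTER_USER_FILTER, DEFAULT_USER_FILTER, "(objectClass=person)", GROUP_FILTER):
        print("%-45s -> %s" % (f, select(f, ENTRIES)))
```

Running the file prints which constructed entries each filter admits. Against the real directory the equivalent check is a search with the same filter from an LDAP browser such as the Softerra tool mentioned above, which is also the quickest way to confirm that the attribute named in "UUID attribute" is populated on the account that fails to log in.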
Absent Member..

Re: Active Directory LDAP Authentication

Ok, I've tried to logon twice with the test account 'nalu'.  And I've attached the logs.  But I couldn't find the log file security.lwsso.log on my server.

Absent Member..

Re: Active Directory LDAP Authentication

Oh yeah, and I made the changes you suggested for the configuration, and it didn't help.

Micro Focus Expert

Re: Active Directory LDAP Authentication

I would suggest a ticket for such an issue as this.  The AD integration can be difficult and will probably require a webex or something.

Hope this helps,
Keith Paschal
UCMDB Worldwide Support Lead
Micro Focus Support
If you find this or any post resolves your issue, please be sure to mark it as an accepted solution.

Absent Member..

Re: Active Directory LDAP Authentication

Will do, thanks for the assistance.

Absent Member..

Re: Active Directory LDAP Authentication

I figured this out.  Turns out my value of "LDAP Server URL" was causing the issue.

I previously tried these values:

ldap://mydc.mydomain.com:389??sub

ldap://mydc.mydomain.com:389/??sub

I changed it to this, and now it works:

ldap://mydc.mydomain.com:389/DC=firstou,DC=secondou,DC=com??sub

Obviously, the values above were changed to mask out our real values.  But basically, I had to put in the DC=... stuff representing the root of my AD forest.

I am able to logon using the short name from AD and not the UPN.  For example, I can now logon with user IDs like abcd and not like abcd@mydomain.com.

Thanks.
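The root cause described above is visible from the URL syntax alone. RFC 4516 lays an LDAP URL out as ldap://host:port/<base DN>?<attributes>?<scope>?<filter>, so "ldap://host:389/??sub" carries an empty base DN and "sub" as the scope. The block below is an added example, not UCMDB's own URL parser: it splits the three URLs the poster tried into their components, flags an empty search base, and derives the default naming context (the "DC=... stuff") from an AD DNS domain name. Accepting the form with no "/" after the port, which RFC 4516 does not allow, is an assumption made so that all three URLs can be compared; the host, domain and DC values are the masked ones from the post.

```python
"""Parse UCMDB's "LDAP Server URL" setting the way RFC 4516 lays it out
(added example; this is not UCMDB's own parser).

    ldap://host:port/<base DN>?<attributes>?<scope>?<filter>

The fix in this thread was inserting the base DN between the port and the
"??sub". Parsing the three URLs the poster tried makes the difference
visible: both failing forms carry an empty base DN.
"""
from urllib.parse import unquote

VALID_SCOPES = ("base", "one", "sub", "subordinates")


def parse_ldap_url(url):
    """Split an LDAP URL into its RFC 4516 components."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    # host:port ends at the first "/" or "?". RFC 4516 requires the "/" when
    # anything follows the host, but the poster's "host:389??sub" form is
    # tolerated here (an assumption of this example) so it can be compared.
    cut = len(rest)
    for ch in "/?":
        idx = rest.find(ch)
        if idx != -1:
            cut = min(cut, idx)
    hostport, tail = rest[:cut], rest[cut:]
    if tail.startswith("/"):
        tail = tail[1:]
    host, _, port = hostport.partition(":")
    fields = tail.split("?", 3)          # dn ? attributes ? scope ? filter
    fields += [""] * (4 - len(fields))   # missing trailing fields are empty
    dn, attrs, scope, filt = (unquote(f) for f in fields)
    scope = scope.lower() or "base"      # RFC 4516 default scope
    if scope not in VALID_SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base_dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt or "(objectClass=*)",  # RFC 4516 default filter
    }


def domain_to_base_dn(dns_domain):
    """Default naming context for an AD DNS domain: its.corp.gwl.com becomes
    DC=its,DC=corp,DC=gwl,DC=com, the "DC=... stuff" the poster had to add."""
    return ",".join("DC=" + label for label in dns_domain.split(".") if label)


def check_server_url(url):
    """Verdict for a UCMDB LDAP Server URL: a subtree search needs a base DN."""
    info = parse_ldap_url(url)
    if info["base_dn"]:
        return "ok: scope %s under %s" % (info["scope"], info["base_dn"])
    return "empty base DN: scope '%s' has nothing to search under" % info["scope"]


if __name__ == "__main__":
    for url in (
        "ldap://mydc.mydomain.com:389??sub",                                # failed
        "ldap://mydc.mydomain.com:389/??sub",                               # failed
        "ldap://mydc.mydomain.com:389/DC=firstou,DC=secondou,DC=com??sub",  # worked
    ):
        print(url, "->", check_server_url(url))
    print("base DN for mydomain.com:", domain_to_base_dn("mydomain.com"))
```

The domain-to-DN helper gives the forest root only when the DNS name you pass is the root domain; for a child domain it yields that child's naming context, which is the right search base when all UCMDB users and groups live there and too narrow when they are spread across the forest.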