CAE Policy issue

Hi everyone,

 

I have encountered a strange issue with HPCA 7.9 policy manager and wanted to see if anyone may have an idea of how to resolve this issue.

 

I am supporting a CAE environment that supports multiple Windows Active Directory domains.  Recently, we started migrating to a single domain infrastructure.  After a migration of a security group that did not have any CAE policy assigned to it, all systems that are members of the group started getting 650 errors. The systems in the group are still in the other domain and the group is a universal group.  I have checked and verified that the group is not inheriting any policy.

 

When looking in the Radish.log, I see the following

 

"Error:  policy resolution error: partial catalog received"

 

In addition, when looking in one of the ldap.logs in Policy Server I see :

 

LDAP: getPolicy -> DN: ldap:///CN%3dComputerX%2cOU%3dLaptop%Systems%2cOU%3dUS-Resources%2cDC%, DS: US (secure) will be used for Search. 

LDAP: cn=laptops, ou=groups, dc=customer, dc=org: search returned nothing

LDAP: Warning: dn "cn=laptops, ou=groups, dc=customer, dc=org"  not found.

 

The group "laptops" is definitely in that location, but it appears to be using the wrong directory service to perform its search, or there is a conflict with the systems being in one domain and the group being in another.

Can anyone give me any insight on what's happening here and how I might go about solving it?  Thanks!


Re: CAE Policy issue

This error is most probably due to a referral being generated during policy resolution. The referral is generated by the AD domain controller contacted by HPCA policy Server in response to an LDAP search. HPCA policy Server is unable to contact the referred domain controller which results in an incomplete LDAP search and hence returns a partial catalog.

 

Can you please confirm the following:

1. Do you have any referral-related setting in pm.cfg? You may look up the LDAP_REFERRALS attribute.

2. Do the AD domain controllers contacted by HPCA policy server serve LDAP queries over SSL (LDAPS) on port 636?


Re: CAE Policy issue

Thanks for the reply Gowhar! In response to your questions:

 

1. Do you have any referral-related setting in pm.cfg? You may look up the LDAP_REFERRALS attribute.

 

Ans: No, there is not an entry for LDAP_REFERRALS in our PM.CFG files.

 

2. Do the AD domain controllers contacted by HPCA policy server serve LDAP queries over SSL (LDAPS) on port 636?

 

Ans: Yes, the AD domain controllers HPCA is talking to do serve LDAP queries over SSL on port 636.

 

Is there anything else you need for me to confirm?  Thanks!


Re: CAE Policy issue

I suggest you submit a ticket with HP Support. It will require some investigation to arrive at the root cause and more importantly there is more than one solution to the issue you're observing so the solution you choose will depend on multiple factors.

 

And the issue is most probably not because of HPCA policy server's interaction with AD. You should be able to reproduce this issue outside of HPCA as long as you run an appropriate LDAP search against the same AD domain controller that policy server is configured to use.

 

Briefly put, here is what I guess the issue may be all about, based on a similar situation I worked on some time back:

HPCA Policy Server runs LDAP queries against an AD domain controller. One of the queries involves an LDAP object (maybe a security group or distribution list membership) in a different domain hosted on another domain controller, resulting in a referral being returned to policy server. The referral may use LDAPS, and the SSL certificate presented by the referred domain controller may be rejected by policy server because of a hostname mismatch. The solution is either to update the certificate(s) or to configure policy server to retrieve policy entitlements only from a single domain.


Re: CAE Policy issue

Gowhar,

 

Thanks for the help.  Unfortunately, this customer has let their support contract lapse, so I am limited in what I can ask HP Support for.  I will check the certificates and make sure that we have the right ones and that they have been created and imported correctly.  As far as a single domain for policy resolution, it will be a reality one day, just not any time soon.  Is there anything else you can suggest?  Once again, thanks for your help.


Re: CAE Policy issue

In that case, let's confirm the root cause of the issue first. The following steps should get us there:

1. Stop policy server

2. Rename policy server log files or move to a different directory

3. Open pm.cfg and add the following parameters to enable ldap and debug logging:

    LDAP_DEBUG          1
    DEBUG 4

4. Start policy server

5. Run HPCA Agent connect from the target machine that causes policy resolution to generate the "Error:  policy resolution error: partial catalog received" message

6. Share the following logs:

HPCA-PM-3468.log
All logs that look like ldap-n.log files

 

Can you also confirm whether the customer has created certificates specific to each AD domain controller, i.e., the certificate subject contains the DNS hostname of the AD domain controller, and whether each certificate contains any SAN (subject alternate name) attributes?

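The two questions above (is a cross-domain referral being followed, and does the referred DC's certificate carry the DNS hostname in its subject or SAN) can be checked outside HPCA. The following is an added diagnostic example, not the Tcl script attached in the thread nor HPCA code: it parses an LDAP referral URL, then evaluates the referred hostname against a certificate's SAN/CN entries the way a TLS client's hostname verification does. The referral URL, the domain names and the two certificates are constructed sample values; only `probe_ldaps_cert` needs network access to a real DC.

```python
import socket
import ssl
from urllib.parse import unquote, urlsplit

def parse_referral(url):
    """Split an LDAP referral URL (RFC 4516, e.g. ldaps://host/cn=x,dc=y) into
    (scheme, host, port, base_dn); port defaults to 636 for ldaps, 389 for ldap."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError(f"not an LDAP referral URL: {url}")
    port = u.port or (636 if scheme == "ldaps" else 389)
    return scheme, u.hostname, port, unquote(u.path.lstrip("/"))

def _name_matches(pattern, host):
    """RFC 6125 style match: exact, or a single '*' as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    pl, hl = p.split("."), h.split(".")
    return p.startswith("*.") and len(pl) == len(hl) and pl[1:] == hl[1:]

def cert_names(cert):
    """Names a TLS client checks: SAN dNSName entries, falling back to the subject
    CN only when the certificate carries no SAN at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_referral(url, cert):
    """Report whether hostname verification of `cert` would pass for the referred host."""
    scheme, host, port, base_dn = parse_referral(url)
    names = cert_names(cert)
    return {"scheme": scheme, "host": host, "port": port, "base_dn": base_dn,
            "cert_names": names, "hostname_ok": any(_name_matches(n, host) for n in names)}

def probe_ldaps_cert(host, port=636, cafile=None, timeout=5):
    """Fetch the certificate a live DC presents on its LDAPS port. The chain is verified
    against `cafile` (or the system store) but hostname checking is left to
    check_referral, so a mismatch is reported instead of failing the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample values (not taken from the thread's logs): a referral such as a
# cross-domain group lookup could return, and two certificates in getpeercert() form.
SAMPLE_REFERRAL = "ldaps://dc2.eu.customer.org/cn=laptops,ou=groups,dc=eu,dc=customer,dc=org"
CERT_WITH_SAN = {"subject": ((("commonName", "dc2.eu.customer.org"),),),
                 "subjectAltName": (("DNS", "dc2.eu.customer.org"),)}
CERT_SHORT_CN = {"subject": ((("commonName", "DC2"),),)}  # NetBIOS-style CN, no SAN

if __name__ == "__main__":
    for cert in (CERT_WITH_SAN, CERT_SHORT_CN):
        r = check_referral(SAMPLE_REFERRAL, cert)
        print(f"{r['host']}:{r['port']} names={r['cert_names']} hostname_ok={r['hostname_ok']}")
```

A certificate whose only name is a short NetBIOS-style CN fails the check, which is the mismatch the earlier reply describes; pass the dict returned by `probe_ldaps_cert` into `check_referral` to test a real referral target.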

Re: CAE Policy issue

Gowhar,

 

Attached is a copy of the PM logs along with the Radish log that shows the partial catalog resolution error.  The systems used were SNS-L-X-3201 and SNS-L-X- 2913.

 

There are certificates specific to each AD Domain Controller that CAE is talking to.  Only one certificate has a SAN attribute, and that is the one for the DC that the systems mentioned previously belong to.  The attribute contains the FQDN of the server.


Re: CAE Policy issue

I have attached a tcl script to gather information that will enable us to confirm the issue. You may run the script as follows and share the log file generated:

nvdkit ldapSSLRefTest.tcl -binddn "administrator@us.ent.sbu.dea.doj.gov" -pass "xxx" > ldapSSLRefTest.log 2>&1

 

-binddn is an AD administrator service account and -pass is the password for the account

 

I have assumed default values for hostname, port etc based on the log file you sent earlier.
