
Help with LDAP (AD) login to IG 3.6

Hi,

I have previously installed IG 3.5 with LDAP login without issues; I even have a demo lab with 3.6 + eDirectory and everything works.

This is the first time that I have installed IG 3.6 on Windows with login via Active Directory (no IDM), and I have encountered an issue that I've never seen before:

[screenshot: error1.png]

What I find strange is that in the osp log, I can see that the sAMAccountName is translated to the right DN:

Preamble: [OIDP]
Priority Level: WARNING
Java: internal.osp.oidp.service.oauth2.handler.OAuth2Handler.writeTokenRevocationEntries() [772] thread=https-openssl-nio-8443-exec-7
Time: 2020-01-30T16:36:59.335-0300
Log Data: Error writing user's OAuth token revocation entries to trust store.
Class: CoreExceptionWithOutcome
   Logged: false
   Class: LoggableMessage
      Level: SEVERE
      Code: internal.osp.oidp.service.principal.store.SingleAttrStore.putInstanceData() [224]
      Thread: https-openssl-nio-8443-exec-7
      Correlation Id: c31cd415-a63b-451c-8de0-8c9477271586
      Text: Error writing instance data for 'CN=user,DC=acme,DC=local'
      Root cause:
null
   Reason: XDAS_OUT_SERVICE_FAILURE

internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: putInstanceData: 224
internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: writeData: 310
internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: writeTokenRevocationEntries: 766
internal.osp.oidp.service.oauth2.handler.AuthCodeResolve: AuthCodeResolve.java: handle: 249
internal.osp.oidp.service.oauth2.handler.Token: Token.java: handle: 52
internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 454
internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 371
internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 156
internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 172
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 245
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doPost: 144
javax.servlet.http.HttpServlet: HttpServlet.java: service: 660
javax.servlet.http.HttpServlet: HttpServlet.java: service: 741
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 231
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 53
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 193
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 202
org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 96
org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 607
org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 139
org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 92
org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 678
org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74
org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 343
org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 408
org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 66
org.apache.coyote.AbstractProtocol$ConnectionHandler: AbstractProtocol.java: process: 853
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor: NioEndpoint.java: doRun: 1,587
org.apache.tomcat.util.net.SocketProcessorBase: SocketProcessorBase.java: run: 49
java.util.concurrent.ThreadPoolExecutor: ThreadPoolExecutor.java: runWorker: 1,149
java.util.concurrent.ThreadPoolExecutor$Worker: ThreadPoolExecutor.java: run: 624
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable: TaskThread.java: run: 61
java.lang.Thread: Thread.java: run: 748

Preamble: [OIDP]
Priority Level: SEVERE
Java: internal.osp.oidp.service.oauth2.handler.RequestHandler.setJsonError() [564] thread=https-openssl-nio-8443-exec-7
Time: 2020-01-30T16:36:59.342-0300
Log Data: Error processing OAuth 2.0 request.: internal.atlaslite.jcce.exception.CoreExceptionWithOutcome: Error writing instance data for 'CN=user,dc=acme,DC=local'
      internal.osp.oidp.service.principal.store.SingleAttrStore: SingleAttrStore.java: putInstanceData: 224

I found another thread (https://community.microfocus.com/t5/Identity-Governance-User/Need-help-with-Authorization-on-API/td-p/2277236/page/2) with the same error code, but it never got a solution.

I have also attached the ism-configuration.properties (redacted), but I don't see anything strange.

Any ideas would be welcomed.

Accepted Solutions

Re: Help with LDAP (AD) login to IG 3.6

Greetings,
Did you extend the AD schema with the oidpinstancedata attribute as outlined in the documentation? There are a number of changes in 3.6 as compared to 3.5.x, and one of those is that we now write to an attribute at login. In 3.5 and earlier, this was only necessary when you were using the REST endpoints directly.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

8 Replies

Re: Help with LDAP (AD) login to IG 3.6

Hello Steven

@stevewdj wrote:

Greetings,
Did you extend the AD schema with the oidpinstancedata attribute as outlined in the documentation?

I did not. Shame on me for not reading the documentation! I will ask the AD admin to extend the schema and report back.

Thank you


Re: Help with LDAP (AD) login to IG 3.6

Greetings,

https://www.netiq.com/documentation/identity-governance-36/install-guide/data/b1iq4nvf.html#t4b64uo9k3m6

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus


Re: Help with LDAP (AD) login to IG 3.6

Hello,
it is very critical for a company to do a schema extension, and for a governance product (IG). Are you sure there is no other way?

PS: why did Micro Focus decide to modify the method if in IG 3.5 it works?

Re: Help with LDAP (AD) login to IG 3.6

Hi Steve,

Does the AD service account need to have read/write permissions after extending the AD schema?

Re: Help with LDAP (AD) login to IG 3.6

Hi Nihii,
effectively the AD account needs to be able to write the attribute in use; however, it is very difficult to enforce at AD level that the user can only write the attribute that IG writes... Simply put, if you have Domain Admin rights it would be super easy...

Re: Help with LDAP (AD) login to IG 3.6

Greetings,
Yes, the service account that OSP utilizes to connect to Active Directory or eDirectory needs to have read, write, delete, and update rights.
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
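As an added example (not from the thread, Micro Focus or the IG product), the PowerShell below first confirms that the oidpinstancedata attribute is actually in the AD schema (the missing step behind the SingleAttrStore error above) and then delegates read/write of only that attribute on user objects to the OSP service account, the narrower alternative to Domain Admin rights discussed in the replies. ACME\svc-osp and OU=Users,DC=acme,DC=local are placeholders, and the full set of rights OSP needs should still be checked against the IG documentation.

```powershell
# Added example, not from the thread. Placeholder values: adapt to your forest.
Import-Module ActiveDirectory

$serviceAccount = 'ACME\svc-osp'               # placeholder: OSP bind account
$usersOu        = 'OU=Users,DC=acme,DC=local'   # placeholder: where IG users live
$attributeName  = 'oidpinstancedata'            # attribute named in the thread

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Confirm the schema extension is present. OSP's "Error writing instance
#    data" in the log is the symptom of this attribute being absent.
$attr = Get-ADObject -SearchBase $schemaNc `
          -LDAPFilter "(lDAPDisplayName=$attributeName)" -Properties schemaIDGUID
if (-not $attr) {
    throw "'$attributeName' is not in the schema; extend it per the IG 3.6 install guide first."
}
$attrGuid = [guid]$attr.schemaIDGUID

# Look up the 'user' class GUID instead of hard-coding it, so the ACE is
# scoped to user objects only and not to every object type under the OU.
$userClass = Get-ADObject -SearchBase $schemaNc `
               -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

# 2. Build one ACE: ReadProperty + WriteProperty on this single attribute,
#    inherited by user objects below the OU. No other rights are granted.
$identity = [System.Security.Principal.NTAccount]::new($serviceAccount)
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$usersOu"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersOu" -AclObject $acl

# 3. Review what the service account can now do under the OU; anything beyond
#    this one property-level ACE (e.g. GenericAll) would be over-delegation.
(Get-Acl -Path "AD:\$usersOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Run it once as a schema/OU administrator from a domain-joined host with RSAT; the ObjectType column in the final table should show the GUID of oidpinstancedata and nothing broader.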

Re: Help with LDAP (AD) login to IG 3.6

Thanks All.