Absent Member.

How to configure LDAP Integration for uCMDB 10.00

Hi,

 

Please help me on this ..........

Thanks in advance......

Absent Member..

Hi,

 

I have it working nicely here, so what's your issue? Did you look at the examples in the help?

 

gr,

Ronald

Fleet Admiral

To check the examples, please go to Help -> UCMDB Help from the main menu. Choose search and look for "Configure LDAP for Active Directory" or "LDAP Mapping". Let us know what went wrong in your case.

Regards
-Dmitry Gomel, PMP
Click the Like button at the bottom to say 'Thanks'.
Cadet 2nd Class

Good day all.

I have the same problem setting up the LDAP integration on uCMDB 10.

I have gone through all the help files on uCMDB itself but didn't find anything of extra use in resolving my issue.

The issue I have is that it seems that uCMDB can log in to the LDAP & get all the user info in the logs, but can't pull the info through to the uCMDB gui, in order for me to do the group mappings.

The error I get in the logs is:

"returned as a result of a groups search, is not of type ldapGroup or dynamic ldapGroup"

The groups search filter and root groups filter are as follows:

(|(objectclass=top)(objectclass=domain)(objectclass=organizationalUnit)(objectclass=person)(objectclass=user)(objectclass=organizationalPerson)(objectclass=groupOfURLs)(objectclass=memberURL))

I can unfortunately not display the OU, CN & DN details of the company, but the Group Base DN is :

DC=(country),DC=(domain),DC=(local),DC=com

Root Groups Base DN is:

OU=(group),OU=(company),DC=(country),DC=(domain),DC=(local),DC=com

An interesting thing I noticed is that the group we use doesn't have a group objectclass attribute.

Will this be the issue?

Any help would be appreciated.

Thank you,
Wynand De Beer.
Fleet Admiral

Hi,

There are several types of groups in LDAP. Only ldapGroup or dynamic ldapGroup are supported. Please contact your LDAP administrator to clarify this.

 

Regards
-Dmitry Gomel, PMP
Cadet 2nd Class

Hi Dima.

 

I have confirmed with the LDAP administrator that the environment does have ldapgroups & dynamic ldapgroups. He has given me one of those groups to test again.

 

But I get the same problem: I can "see" the group, but the users of that group don't display, only a blank page is returned.

 

Here's an excerpt from the log:

 

2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering findUsersInGroup with the following parameters: groupName = {Test group name}, userAttributeNames = [Ljava.lang.String;@d34408f, filternull
2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering findUsersAndGroups with the following parameters: groupName = {Test group name}, userAttributeNames = [Ljava.lang.String;@d34408f, depth = 1, filternull
2013-04-16 07:12:42,834 [qtp1200648207-3386] - <<< Entering createConnectionAndConnect with the following parameters: com.hp.sw.bto.ast.security.uum.UserManagementLDAPConfiguration@617a730e
2013-04-16 07:12:42,841 [qtp1200648207-3386] - >>> Exiting createConnectionAndConnect with the connection
2013-04-16 07:12:42,841 [qtp1200648207-3386] - Calling LDAP search with the following parameters: base = DC=country,DC=area,DC=domain,DC=com, scope2, filter = (&(&(objectClass=*)(name=*))(&(objectClass = group)(name = {Correct Group name was returned}))), searchAttributes = [name, memberOf, name, description, objectclass], attrsOnly = false
2013-04-16 07:12:42,842 [qtp1200648207-3386] - Received the LDAP result set of the size = 1
2013-04-16 07:12:42,842 [qtp1200648207-3386] - LDAP entry from result set (will be ignored if not of group type): LDAPEntry: CN=group name,OU=Distribution Groups,OU=Groups,OU=company,DC=country,DC=area,DC=domain,DC=com; LDAPAttributeSet: LDAPAttribute {type='objectClass', values='top,group'} LDAPAttribute {type='name', values='Correct group name'}

 

What could be the problem?

 

Thank you.

 

Kind regards,

 

Wynand.

Cadet 2nd Class

Hi.

 

We have successfully integrated with LDAP.

 

The problem was that our specified attributes didn't match the attributes of the LDAP system. And our search filter for users had incorrect syntax.

 

Thank you.

Absent Member.

Hi Dear,

I am also trying to integrate UCMDB with LDAP. I have executed all the steps (Administration->Infrastructure Settings Maps) mentioned in the user manual, but when I click on security LDAP Mapping I get the following message: LDAP is not configured correctly....

Can you please tell me what else I have to do?

 

 

Vice Admiral

If you have any spaces in your OUs, group names, etc., they need to be replaced with \20.

For example, here is what our setup looks like (some info filtered).

If you notice though, the LDAP Search User does not need the spaces replaced. Neither does the User filter if you have spaces.

 

 

Users object class                                   user
Is case-sensitivity enforced in LDAP authentication  false
Groups member attribute                              member
Distinguished Name (DN) Resolution                   true
Root Group Filter                                    (&(objectClass=group)(CN=*))
LDAP connection string                               ldaps://ldaps.dd.dd.ca:3269/??sub
LDAP Search User                                     cn=srv.opsware.ad,OU=Tools and Automation,OU=ddt Users,dc=dd,dc=dd,dc=dd,dc=dd,dc=ca
Group class object                                   group
Use bottom up algorithm for find parent groups       false
UUID attribute                                       sAMAccountName
Groups name attribute                                name
Group Base Filter                                    (&(objectClass=group)(CN=*))
Users filter                                         (&(sAMAccountName=*)(objectClass=user)(sAMAccountType=805306368)(memberof=CN=ALL_UCMDB_USERS,OU=UCMDB,OU=Tools and Automation,OU=ddt Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca))
Search Retries Count                                 5
Groups display name attribute                        name
Root groups scope                                    sub
User display name attribute                          sAMAccountName
Scope for groups search                              sub
Enable LDAP authentication                           true
Enable LDAP synchronization                          true
Root Group                                           OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca
Group Base                                           OU=UCMDB,OU=Tools\20and\20Automation,OU=ddt\20Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca
Default Group
Groups description attribute                         description
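
A pre-flight check for the escaping rule described in the post above, as an added example that is not part of the thread or of UCMDB: it parses a settings dump in the same "name, gap, value" layout and flags Root Group / Group Base values that still contain literal spaces. The function names, the sample hostnames and DNs are assumptions, and the ldaps:// check is an addition of this example rather than something the thread states.

```python
import re

# Settings that, per the post above, need spaces written as \20 (the hex
# escape for a space). The search user DN and users filter keep literal spaces.
ESCAPED_DN_SETTINGS = ("Root Group", "Group Base")

def parse_settings(dump):
    """Parse 'name<gap>value' lines, where the gap is a tab or 2+ spaces."""
    settings = {}
    for line in dump.splitlines():
        parts = re.split(r"\t+| {2,}", line.strip(), maxsplit=1)
        if parts[0]:
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def escape_spaces(dn):
    """Write each literal space as \\20; an already escaped DN is unchanged."""
    return dn.replace(" ", "\\20")

def lint(settings):
    """Return (setting, problem, suggested value or None) tuples."""
    findings = []
    for name in ESCAPED_DN_SETTINGS:
        value = settings.get(name, "")
        if " " in value:
            findings.append((name, "literal space in DN", escape_spaces(value)))
    url = settings.get("LDAP connection string", "")
    if not url.lower().startswith("ldaps://"):
        # Added check (assumption of this example): expect the TLS scheme.
        findings.append(("LDAP connection string", "not ldaps://", None))
    return findings

# Constructed sample, modelled on the layout of the dump in the post.
SAMPLE = r"""LDAP connection string  ldap://dc01.example.com:389/??sub
LDAP Search User        cn=svc.ucmdb,OU=Service Accounts,dc=example,dc=com
Root Group      OU=UCMDB,OU=Tools and Automation,dc=example,dc=com
Group Base      OU=UCMDB,OU=Tools\20and\20Automation,dc=example,dc=com
"""

if __name__ == "__main__":
    for finding in lint(parse_settings(SAMPLE)):
        print(finding)
```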
Absent Member.

Why have you written such a long value for the User filter attribute? Was only (&(sAMAccountName=*)(objectClass=user)) not enough? What's the reason?

 

Vice Admiral

We have over 60000 users in our LDAP (AD)

 

The reason I use the memberOf filter is so that only users that we place into a certain group are eligible to log into ucmdb.

This way, the users can be in any OU, but we restrict access based on that one group.

 

I've gotten into the habit of doing this since some applications like to cache all users that match a filter.

This becomes a problem when dealing with our size of environment.

 

D
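
What the longer Users filter changes compared with the short one asked about, as an added example that is not code from the thread or from UCMDB: a small evaluator for a subset of LDAP filter syntax, run over three constructed directory entries. The function names and entries are assumptions; the group DN and both filters are the ones quoted in the thread.

```python
# Subset of LDAP filter syntax: & | ! with equality and '*' presence; no substring patterns.
def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = s.find(")", i) if ")" in s[i:] else len(s)
        attr, sep, value = s[i:end].partition("=")
        if not sep or not attr.strip() or "(" in value:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = ("=", attr.strip().lower(), value.strip().lower()), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def parse_filter(text):
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError(f"unexpected text at offset {end}")
    return node

def matches(node, entry):
    if node[0] == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2] in values
    hits = [matches(kid, entry) for kid in node[1]]
    return {"&": all(hits), "|": any(hits), "!": not hits[0]}[node[0]]

def allowed_logins(filter_text, entries):
    tree = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(tree, entry))

GROUP = "CN=ALL_UCMDB_USERS,OU=UCMDB,OU=Tools and Automation,OU=ddt Users,DC=dd,DC=dd,DC=dd,DC=dd,DC=ca"
USER = ["top", "person", "organizationalPerson", "user"]  # AD computer objects also carry 'user'
ENTRIES = {  # constructed entries; keys are lower-cased attribute names
    "alice": {"objectclass": USER, "samaccountname": ["alice"], "samaccounttype": ["805306368"], "memberof": [GROUP]},
    "bob": {"objectclass": USER, "samaccountname": ["bob"], "samaccounttype": ["805306368"]},
    "WS01$": {"objectclass": USER + ["computer"], "samaccountname": ["WS01$"], "samaccounttype": ["805306369"]},
}
SHORT = "(&(sAMAccountName=*)(objectClass=user))"
RESTRICTED = f"(&(sAMAccountName=*)(objectClass=user)(sAMAccountType=805306368)(memberof={GROUP}))"
```

`allowed_logins(SHORT, ENTRIES)` returns all three entries, including the computer account, while `allowed_logins(RESTRICTED, ENTRIES)` returns only `alice`; `parse_filter` raises `ValueError` on a filter with a missing closing parenthesis. In Active Directory `memberOf` holds direct memberships only, so a user who is in the group solely through a nested group does not match the restricted filter.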

Fleet Admiral

Trying to retrieve all users existing on enterprise LDAP will have performance implications on every connection to UCMDB.

Regards
-Dmitry Gomel, PMP