Trusted Contributor.

ZCM Agent not Passing full DN Login Fails


The Zenworks agent & CASA, all of a sudden, stopped passing the full DN LDAP name for the user source for authentication on ALL workstations. As a test of this, I try logging in with my credentials as "fname lname" and password; login to the Zenworks Agent on the workstation fails. If I put the full DN of my user from AD/User source, i.e.:

[(ClientAddr=10.10.10.253)Not able to parse : Joe Blow. It is not a valid LdapName

"cn=fname lname, ou=office,ou=school,dn=place,dn=ca" and my password, the agent then logs into the user source, and I am authenticated. The ATS log on Zenworks shows that the username is being sent in plain format, instead of the properly translated DN LDAP format, i.e.:

ClientAddr=10.10.10.253)invoke()] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.36] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)getSetting()- Setting value = /etc/CASA/authtoken/svc/iaRealms.xml] [authtoksvc.SvcConfig] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.36] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)invoke()- It Seems Proxy Credentials are in iaRealms file] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.61] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)Starting Authentication for Joe Blow] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)Not able to parse : Joe Blow. It is not a valid LdapName ] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)Search Roots are configured- Below is the list] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)SearchRoot: DC=nlpsad,DC=ca] [authtoksvc.PwdAuthenticate] [] [] [CASA]

This seems to be where authentication falls down. Does anyone know why this started or how to fix it?

 

 

Micro Focus Expert

Re: ZCM Agent not Passing full DN Login Fails


How are your "User Containers" defined in the User Source?

Is it?

dn=place,dn=ca

or

OU=school1,dn=place,dn=ca

OU=school2,dn=place,dn=ca

OU=school3,dn=place,dn=ca

---

If the 1st, try using Port 3269 instead of 636 (assuming you are using SSL... If using 389, try 3268 instead).

 

--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
Trusted Contributor.

Re: ZCM Agent not Passing full DN Login Fails


I'll take option 1 for $5000, Alex. Okay, this is an interesting suggestion, so I try this different port in the user source connection, correct?

Micro Focus Expert

Re: ZCM Agent not Passing full DN Login Fails


The alternate port I suggested is the "Catalog Port". Any LDAP Requests to the Catalog Port do not generate any referral requests. LDAP Requests to the Standard LDAP Port can result in Referrals, where the requester is told to send queries to additional different LDAP servers.

And the "Server" to which the requester is redirected is not based on any high level of intelligence, but tends to just be another random AD Controller. These referrals can be generated even if every single AD controller contains the entire tree... These referrals can fail, especially with SSL, because one of the AD controllers where it is sent may not even have any SSL certs configured.

Even excluding referral issues, the Catalog Port should in theory be slightly faster.

(In eDir, the LDAP Server itself will handle the referrals rather than tell the requester to go check with different LDAP servers.)

 

 

 

Trusted Contributor.

Re: ZCM Agent not Passing full DN Login Fails

Craig, you bloody Genius!!!! Actually, I used a mix of your solution and my own. You triggered me to look at my defined User container when you did, that, I changed it to point at a Base OU INSTEAD of the base of the AD domain, and this Fixed it!!! Thank-you!!! You're the man!!!
Trusted Contributor.

Re: ZCM Agent not Passing full DN Login Fails

Just as a side note, technically the user container used to point to:
dc=mydomain,dc=ca

Now it points to base:
ou=myuserOUs,dc=mydomain,dc=ca
Which looks like this in Zenworks:
mydomain.ca/myuserOUs

I hope that helps others, and what a great explanation Craig!! Thank-you!
ou=user
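
Added example (not part of the original thread and not Micro Focus code): a small triage helper that reads ATS debug lines in the layout quoted in the first post, pulls out the logins CASA reported as not being a valid LdapName and the configured search roots, and flags a search root that is the bare domain base on a standard LDAP port, the combination discussed in the replies above. The names `triage` and `is_domain_root` are hypothetical, the message is assumed to be the ninth bracketed field as in the excerpt, and the user source port is supplied by the caller because the log lines do not carry it.

```python
import re

# Three lines taken from the ATS log excerpt in the first post.
SAMPLE_LOG = """\
[DEBUG] [02/13/2020 16:47:19.61] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)Starting Authentication for Joe Blow] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)Not able to parse : Joe Blow. It is not a valid LdapName ] [authtoksvc.PwdAuthenticate] [] [] [CASA]
[DEBUG] [02/13/2020 16:47:19.62] [3809] [ATS] [126] [zenworks] [CASAServer] [] [(ClientAddr=10.10.10.253)SearchRoot: DC=nlpsad,DC=ca] [authtoksvc.PwdAuthenticate] [] [] [CASA]
"""

FIELD = re.compile(r"\[([^\]]*)\]")  # one bracketed log field
MESSAGE = re.compile(r"\(ClientAddr=([^)]+)\)(.*)", re.S)
NOT_DN = re.compile(r"Not able to parse : (.+?)\. It is not a valid LdapName")
# Standard LDAP port -> catalog port, as given in the thread.
CATALOG_PORT = {389: 3268, 636: 3269}


def is_domain_root(dn):
    """True when every RDN is DC=..., i.e. the base is the whole domain."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]
    return bool(rdns) and all(r.lower().startswith("dc=") for r in rdns)


def triage(log_text, port):
    """Return (non-DN logins, search roots, findings) for one user source.

    `port` is the LDAP port configured on the user source (caller-supplied).
    A finding is a tuple (search_root, port, suggested_catalog_port).
    """
    logins, roots = [], []
    for line in log_text.splitlines():
        fields = FIELD.findall(line)
        msg = MESSAGE.match(fields[8]) if len(fields) > 8 else None
        if not msg:
            continue  # truncated line or a different log format
        client, text = msg.group(1), msg.group(2).strip()
        hit = NOT_DN.search(text)
        if hit:
            logins.append((client, hit.group(1)))
        elif text.startswith("SearchRoot:"):
            roots.append(text.split(":", 1)[1].strip())
    findings = [(r, port, CATALOG_PORT[port])
                for r in roots if is_domain_root(r) and port in CATALOG_PORT]
    return logins, roots, findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, 636))
```

A finding means the user source searches from the domain base on 389 or 636; the two remedies mentioned in the thread are the catalog port or an OU-scoped user container.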