Managing users with LDAP and Microsoft Active Directory within BPPM is easy and quick to integrate. It gives users additional authentication security and lets BPPM integrate easily with the existing user setup. After all is said and done, though, what we see most often in Support is Active Directory failing to authenticate the BPPM user.
So let’s take a quick look at the basics of configuration and then we’ll look at some of the more common errors and issues.
Basic LDAP and Active Directory configuration
The Basic LDAP and Active Directory configuration details are listed in our documentation starting on page 1607 of http://documents.bmc.com/supportu/documents/97/40/449740/449740.pdf.
Here are a few details worth noting about Active Directory use
Basic group configuration for LDAP and Active Directory
Every user must belong to a group which maps to a group in BMC ProactiveNet Server, because groups are what assign the user’s roles and responsibilities. That is, the external authentication system must be able to identify and authenticate the user, and must also be able to identify which group that user belongs to. The following methods ensure proper functionality and identification between the two systems:
• Add the BMC ProactiveNet Server groups to your LDAP system
This method takes the desired BMC ProactiveNet Server groups and creates them in your LDAP or Active Directory system. You must ensure that the users that you want to allow to log in are members of those groups.
• Add the LDAP groups to your BMC ProactiveNet Server
This method takes the desired LDAP or Active Directory groups and creates them in the BMC ProactiveNet Server.
Warning: All group names are case sensitive. You must spell the group names correctly, with matching case, whichever of the methods you implement.
• Port 389 is used by Active Directory. The LDAP server port must also be reachable from the BMC ProactiveNet Server. If you use an LDAP integration, port 389 must be reachable from the BMC ProactiveNet Server (that is, from the server to the Active Directory port).
• Kerberos authentication to Active Directory is not currently supported.
• Siteminder authentication is not currently supported.
What info does Support need to troubleshoot Active Directory problems?
The type of information will vary depending on platform and customer environment, but we will always ask for the following:
We will ask for FINEST level debug, so please change the default logging level in the pw\pronto\conf\ias_logging.properties file and then restart the jserver process:
pw process restart jserver
Log in using an LDAP username so that we can see the attempt in the logs.
Then send to Support the following logs:
1) From pw\pronto\logs\ias\
2) From pw\pronto\conf\
We may need more details, but the majority of issues we see will require only the details and files referenced above.
Common Active Directory Issues and topics:
If you are seeing the following error: "failed to create DirContext for LDAP server HOST.DOMAIN.COM due to javax.naming.CommunicationException: HOST.DOMAIN.COM:389 [Root exception is java.net.ConnectException: Connection timed out: connect]. Please check your LDAP configuration." then you will want to check out this link: Logging into BPPM via LDAP sometimes works, yet other times fails. There is no consistent reasoning for when it works or fails.
What can I do if I want to query several Active Directory groups? Can this be configured? For example: I want to include all Active Directory Groups which start with ‘BPPM_*’
If you have several LDAP user groups to query, the format used is a comma-separated list in the "com.bmc.sms.ixs.search.ldap.group" property of the ias.properties file. For example, if you have LdapGroup1, LdapGroup2 and LdapGroup3 configured on LDAP and you want the user "username" to be validated only against LdapGroup1 and LdapGroup2, then the ias.properties file should have an entry such as:
How do you configure Active Directory?
Here are the basics in terms of the procedure to configure Active Directory with BPPM. Please see the full documentation here: http://documents.bmc.com/supportu/documents/97/40/449740/449740.pdf
Please note that some of this configuration can be done via the Operations Console (Options > Administration tab > scroll to the bottom and select Integrations). The GUI updates ldap_configuration.xml and ias.properties, but the map file must be edited manually.
1. Access the /pw/pronto/conf folder.
2. Edit the ias.properties file, update the following entry to true and save the file: com.bmc.sms.ixs.enable.ldap.login=true. This lets you log in with your LDAP credentials if you are an LDAP user.
3. Open the ldap_configuration.xml file in a text editor and configure an LDAP server host by adding lines such as the following before the </ldapList> tag:
<!-- encrypted="false" means the bind password is stored in clear text in this file -->
<connectionPassword encrypted="false">password</connectionPassword>
<userIdAttribute>sAMAccountName</userIdAttribute>
<groupMemberAttribute>member</groupMemberAttribute>
<memberOfAttribute>memberOf</memberOfAttribute>
<userSearchFilter>(objectClass=organizationalPerson)</userSearchFilter>
Then save the ldap_configuration.xml file.
4. Open the ldap_ppm_group_mapping.xml file in a text editor and create a map between LDAP groups and BMC ProactiveNet Performance Management (PPM) groups.
For example, if you have an LDAP group called MyLdapGroup and you need to map it to a PPM group called "Full Access", then the ldap_ppm_group_mapping.xml file should have an entry such as:
<entry key="MyLdapGroup">Full Access</entry>
You can find out the group membership of an LDAP user with the following Windows command, for example:
net user ldapuser /DOMAIN
net user nmadmin /DOMAIN
5. Enter the comma-separated list of LDAP groups that you need to authenticate the user against in the ias.properties file. The property that stores this value is com.bmc.sms.ixs.search.ldap.group.
For example, if you have LdapGroup1, LdapGroup2, LdapGroup3 and LdapGroup4 configured on LDAP and you want the user "username" to be validated only against LdapGroup1 and LdapGroup2, then the ias.properties file should have an entry such as:
6. Check whether the property com.bmc.sms.ixs.default.group.present.check is set to false in the ias.properties file; by default it is false. If this property is set to true, you must create a separate group in the PPM environment for each corresponding LDAP group.
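As an added illustration (not part of the original post and not BPPM code), the following Python script checks constructed copies of the three files edited in the procedure above for the mistakes this post calls out: LDAP login not enabled, a search group from com.bmc.sms.ixs.search.ldap.group whose case does not match its key in the group mapping file, and a bind password kept with encrypted="false". The sample file contents, root elements and the ldapServer wrapper are assumptions for the example, not the real BPPM schema.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the three files the procedure edits (not real BPPM files).
IAS_PROPERTIES = """\
com.bmc.sms.ixs.enable.ldap.login=true
com.bmc.sms.ixs.search.ldap.group=LdapGroup1, ldapgroup2
com.bmc.sms.ixs.default.group.present.check=false
"""
GROUP_MAPPING_XML = """\
<map>
  <entry key="LdapGroup1">Full Access</entry>
  <entry key="LdapGroup2">Read Only</entry>
</map>"""
LDAP_CONFIG_XML = """\
<ldapList><ldapServer>
  <connectionPassword encrypted="false">password</connectionPassword>
  <userIdAttribute>sAMAccountName</userIdAttribute>
</ldapServer></ldapList>"""

def parse_properties(text):
    """Parse key=value lines of a Java .properties file (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_ldap_config(ias_text, mapping_xml, ldap_xml):
    """Return the misconfigurations an administrator would want to fix."""
    findings = []
    props = parse_properties(ias_text)
    if props.get("com.bmc.sms.ixs.enable.ldap.login", "").lower() != "true":
        findings.append("LDAP login is not enabled in ias.properties")
    groups = [g.strip() for g in props.get("com.bmc.sms.ixs.search.ldap.group", "").split(",") if g.strip()]
    mapped = {e.get("key") for e in ET.fromstring(mapping_xml).iter("entry")}
    for group in groups:
        if group in mapped:
            continue
        # Group names are case sensitive: a name that differs only in case is the classic mistake.
        near = [k for k in mapped if k.lower() == group.lower()]
        findings.append(f"search group '{group}' differs only in case from mapping key '{near[0]}'"
                        if near else f"search group '{group}' has no entry in ldap_ppm_group_mapping.xml")
    for pw in ET.fromstring(ldap_xml).iter("connectionPassword"):
        if pw.get("encrypted", "false").lower() != "true":
            findings.append('bind password stored in clear text (connectionPassword encrypted="false")')
    return findings
```

Run against the constructed samples it reports the case mismatch on ldapgroup2 and the clear-text bind password; fix both and it returns an empty list.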
BPPM 9.5 was impacted by the Heartbleed vulnerability. Please note that this security concern exists only in BPPM 9.5; all other versions of BPPM are not affected, as they use older versions of OpenSSL. BPPM 9.5 runs with OpenSSL 1.0.1c and so it IS vulnerable. We have generated patches for each of our supported platforms, and the patches can be downloaded from our FTP site under the following location:
Newly Published Knowledge Articles - New Content has been added over the last month!
KA412547 - With a 9.5 cell, a slot modification is not being back propagated.
KA412560 - Running 'pw dbconfig set' results in problems connecting to the database.
KA412861 - All events from PATROL Agent to BPPM cell show "Incoming event information could not be parsed".
KA413355 - A 'pw sys status' or 'pw p l' on Solaris/Linux show both mcell and acell to be not running even though they are.
KA413360 - BPPM 9.5 installation on Windows 2012 cluster is failing on Secondary Node with "Unable to validate custom cluster name".
Popular Knowledge Articles
KA328581 - How can I clear all events and alarms from BMC ProactiveNet Performance Manager Server?
KA314023 - Diagnosing problems with ProactiveNet Integration with PATROL.
KA330178 - What ports are required on the firewall for the BMC PATROL Adapter within ProactiveNet Server 8.5 or 8.6?
KA307241 - How to enable trace for IBRSD?
KA318711 - How to change the hostname/IP Address of BPPM ProactiveNet Server on Windows Platform.
“In the Know”…Do you know?
Have you joined our Customer Support Community yet? If not, head on over to the link and learn how you can help us by providing feedback to enhance your Customer Support experience.
Do you use Chat to get quick answers to product questions? If not, check it out as this is another channel of support available to customers. Join us for a quick chat and we’ll get you started on resolving your concerns. Learn more about Chat
Have you heard of the AMIGO program? Looking to upgrade in the near future? Get on board with AMIGO and we’ll help you plan your upgrade to ensure a smooth transition to the next version of the products you are using.
Don’t forget our Webinars! Check out the details here: BMC ProactiveNet Performance Management (BPPM) 9.5 Best Practices Webinar Series
Looking for a previous blog posting? Find them here: BMC TrueSight Support Blogs
Help us determine how we are doing. Use the rating system at the bottom of this blog to rate this post!