5 Replies. Latest reply: Feb 18, 2011 10:57 AM by Hemashekar Reddy

LDAP login at IX/IAS not working

ssteger

Hi,

 

I am trying to configure the LDAP login for Impact Explorer / IAS.

Within the config files ldap_configuration.xml and ldap_configuration_query.xml everything seems to be OK: when I try these settings in an LDAP browser I can browse through the entries.

 

<?xml version="1.0" encoding="UTF-8"?>
<ldapList xmlns="urn:bmc:schemas:impact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:bmc:schemas:impact ldap_definitions.xsd">

    <ldap alias="test">
        <host>ad.oenb.co.at</host>
        <port>389</port>
        <version>3</version>
        <baseDN>dc=ad,dc=oenb,dc=co,dc=at</baseDN>
        <connectionUserName>Ldapuser@ad.oenb.co.at</connectionUserName>
        <connectionPassword encrypted="false">xxxxx</connectionPassword>
        <userIdAttribute>sAMAccountName</userIdAttribute>
        <useSSL>false</useSSL>
        <groupMemberAttribute>member</groupMemberAttribute>
        <memberOfAttribute>memberOf</memberOfAttribute>
        <userSearchFilter>(objectClass=person)</userSearchFilter>
        <groupSearchFilter>(objectClass=group)</groupSearchFilter/>
    </ldap>
</ldapList>

 

Within the ias.properties file the config looks like that:

 

#---------------------------------------------------------------
# Enable/disable file login module.
#---------------------------------------------------------------
com.bmc.sms.ixs.enable.file.login=true

#-----------------------------------------------------------------
# Enable/disable LDAP login module.
# When it is enabled, "ldap_configuration.xml" file has to be filled.
#-----------------------------------------------------------------
com.bmc.sms.ixs.enable.ldap.login=true

#-----------------------------------------------------------------
# Allow local, file-based, user groups to apply to LDAP authenticated users.
# When it is enabled, groups defined for users in the user_definitions.xml file
# will apply to the user when authenticating through LDAP.
#-----------------------------------------------------------------
com.bmc.sms.ixs.allow.local.groups.for.ldap=true

 

Is it better to set the file login module to false?

And must the LDAP username, which I try, already exist in the IAS?

 

When I try the following command for testing:

iadmin -tlq username=BRANDSTA:password=xxxxx

I get the error:

Time required to get details :
0s
Authentication is failed for user :BRANDSTA

The same happens if I directly try it within IX.

 

Any ideas?

Thanks & Regards,

Stefan
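A quick lint of the posted ldap_configuration.xml, added here as an example; it is not part of the thread and not BMC tooling. It runs the file through Python's standard XML parser, which rejects the `</groupSearchFilter/>` closing tag in the original post, and then flags the two settings a practitioner would want to look at before `iadmin -tlq` is even worth running: the service-account password stored with `encrypted="false"`, and `useSSL=false` on port 389, which makes the LDAP simple bind send that password over the network in cleartext. The element names are the ones in the quoted configuration; the required-element list and the port/useSSL consistency rule are this example's own assumptions, not IAS's validation rules, and the hostnames and password in the sample are placeholders.

```python
"""Lint a BMC IAS ldap_configuration.xml before testing with iadmin.

Added example for this thread, not BMC code. Element names are the ones used
in the configuration quoted above; the required-element list and the
port/useSSL rule are assumptions of this example, not IAS rules.
"""
import xml.etree.ElementTree as ET

NS = {"i": "urn:bmc:schemas:impact"}

# Elements every <ldap> entry in the thread carries; treated as required here (assumption).
REQUIRED = (
    "host", "port", "version", "baseDN", "connectionUserName",
    "connectionPassword", "userIdAttribute", "useSSL",
    "groupMemberAttribute", "memberOfAttribute", "userSearchFilter",
)


def lint_ldap_config(xml_text):
    """Return a list of findings; an empty list means nothing to report.

    A well-formedness error is returned as the only finding, because nothing
    else can be checked once the document does not parse (the failure mode of
    the configuration in the original post).
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    findings = []
    entries = root.findall("i:ldap", NS)
    if not entries:
        findings.append("no <ldap> entries under <ldapList>")

    for ldap in entries:
        alias = ldap.get("alias", "?")

        def text(name):
            el = ldap.find("i:" + name, NS)
            return None if el is None else (el.text or "").strip()

        for name in REQUIRED:
            if text(name) is None:
                findings.append("[%s] missing <%s>" % (alias, name))

        # The bind password lives in this file AND goes over the wire in a
        # simple bind, so both the storage form and the transport matter.
        pw = ldap.find("i:connectionPassword", NS)
        if pw is not None and pw.get("encrypted", "false").lower() != "true":
            findings.append('[%s] connectionPassword stored with encrypted="false"' % alias)
        use_ssl = (text("useSSL") or "false").lower() == "true"
        if not use_ssl:
            findings.append("[%s] useSSL=false: simple bind sends the password in cleartext" % alias)
        port = text("port")
        if use_ssl and port == "389":
            findings.append("[%s] useSSL=true but port 389 (LDAPS is normally 636)" % alias)
        if not use_ssl and port == "636":
            findings.append("[%s] useSSL=false but port 636" % alias)
    return findings


def sample_config(port, encrypted, use_ssl, group_filter_line):
    """Build a constructed ldap_configuration.xml; hostnames and the password
    value are placeholders, not real data."""
    return """<?xml version="1.0" encoding="UTF-8"?>
<ldapList xmlns="urn:bmc:schemas:impact"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:bmc:schemas:impact ldap_definitions.xsd">
  <ldap alias="test">
    <host>ad.example.test</host>
    <port>%s</port>
    <version>3</version>
    <baseDN>dc=ad,dc=example,dc=test</baseDN>
    <connectionUserName>ldapuser@ad.example.test</connectionUserName>
    <connectionPassword encrypted="%s">xxxxx</connectionPassword>
    <userIdAttribute>sAMAccountName</userIdAttribute>
    <useSSL>%s</useSSL>
    <groupMemberAttribute>member</groupMemberAttribute>
    <memberOfAttribute>memberOf</memberOfAttribute>
    <userSearchFilter>(objectClass=person)</userSearchFilter>
    %s
  </ldap>
</ldapList>
""" % (port, encrypted, use_ssl, group_filter_line)


# The original post's entry, with its malformed closing tag.
BROKEN = sample_config("389", "false", "false",
                       "<groupSearchFilter>(objectClass=group)</groupSearchFilter/>")
# Same entry with the tag fixed: parses, but still cleartext password and bind.
CLEARTEXT = sample_config("389", "false", "false",
                          "<groupSearchFilter>(objectClass=group)</groupSearchFilter>")
# Hardened: LDAPS on 636 and an encrypted password ("xxxxx" stands in for the ciphertext).
HARDENED = sample_config("636", "true", "true", "<groupSearchFilter/>")

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("cleartext", CLEARTEXT), ("hardened", HARDENED)):
        print(label, lint_ldap_config(cfg) or "no findings")
```

Point it at the real file with `lint_ldap_config(open("ldap_configuration.xml").read())`; a parse error here is also why an LDAP browser can succeed while IAS fails, since the browser never reads this file.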

  • 1. Re: LDAP login at IX/IAS not working
    manohar179

    Hello Stefan,

     

    Could you please follow the steps provided in the attached document for configuring the LDAP and check if this works for you?

     

    Thanks

    Manohar

  • 2. Re: LDAP login at IX/IAS not working
    asdf

    Hi Stefan,

     

    Is this an authentication problem only for IAS?

     

    If you can't login to anywhere with the LDAP credentials you could try to delete the line :

     

      <groupSearchFilter>(objectClass=group)</groupSearchFilter/>

     

    in the ldap_configuration.xml

  • 3. Re: LDAP login at IX/IAS not working
    ssteger

    Hi Manohar,

     

    can you please attach the file you mentioned.

     

    Thanks & Regards,

    Stefan

  • 4. Re: LDAP login at IX/IAS not working
    manohar179

    I did attach that when I sent it via Outlook; not sure why it did not turn up over here. I have put it here now.

     

     

     

    To configure IAS to use LDAP authentication, go to Impact/server/conf and in ias.properties, set:

     

    #-----------------------------------------------------------------

    # Enable/disable LDAP login module.

    # When it is enabled, "ldap_configuration.xml" file has to be filled.

    #-----------------------------------------------------------------

    com.bmc.sms.ixs.enable.ldap.login=true

     

    #-----------------------------------------------------------------

    # Allow local, file-based, user groups to apply to LDAP authenticated users.

    # When it is enabled, groups defined for users in the user_definitions.xml file

    # will apply to the user when authenticating through LDAP.

    #-----------------------------------------------------------------

    com.bmc.sms.ixs.allow.local.groups.for.ldap=true

     

    If you don’t set com.bmc.sms.ixs.allow.local.groups.for.ldap to True, the following error message will pop up:

     

    (screenshot: clip_image002.jpg)

     

    Now, open ldap_configuration.xml and fill it out with the information you have been provided by the AD administrator. It should look like this:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <ldapList xmlns="urn:bmc:schemas:impact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:bmc:schemas:impact ldap_definitions.xsd">

        <!-- Example Active Directory LDAP configuration -->

        <ldap alias="SAM">
            <host>kratos.sam.com</host>
            <port>389</port>
            <version>3</version>
            <baseDN>DC=SAM,DC=COM</baseDN>
            <connectionUserName>struong@sam.com</connectionUserName>
            <connectionPassword encrypted="true">jgDY86jLiVcnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tQ==</connectionPassword>
            <userIdAttribute>sAMAccountName</userIdAttribute>
            <useSSL>false</useSSL>
            <groupMemberAttribute>member</groupMemberAttribute>
            <memberOfAttribute>memberOf</memberOfAttribute>
            <userSearchFilter>(objectClass=organizationalPerson)</userSearchFilter>
        </ldap>
    </ldapList>

     

     

    If you have multiple domains in your AD forest, then the ldap_configuration.xml file would look like this:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <ldapList xmlns="urn:bmc:schemas:impact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:bmc:schemas:impact ldap_definitions.xsd">

        <!-- Example Active Directory LDAP configuration -->

        <ldap alias="SAM">
            <host>kratos.sam.com</host>
            <port>389</port>
            <version>3</version>
            <baseDN>DC=SAM,DC=COM</baseDN>
            <connectionUserName>struong@sam.com</connectionUserName>
            <connectionPassword encrypted="true">jgDY86jLiVcnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tQ==</connectionPassword>
            <userIdAttribute>sAMAccountName</userIdAttribute>
            <useSSL>false</useSSL>
            <groupMemberAttribute>member</groupMemberAttribute>
            <memberOfAttribute>memberOf</memberOfAttribute>
            <userSearchFilter>(objectClass=organizationalPerson)</userSearchFilter>
        </ldap>

        <ldap alias="NKHL">
            <host>dc1.nkhl.com</host>
            <port>389</port>
            <version>3</version>
            <baseDN>OU=IX Users 2,DC=NKHL,DC=COM</baseDN>
            <connectionUserName>struong@nkhl.com</connectionUserName>
            <connectionPassword encrypted="true">jgDY86jLiVcnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tScjDnYziba1JyMOdjOJtrUnIw52M4m2tQ==</connectionPassword>
            <userIdAttribute>sAMAccountName</userIdAttribute>
            <useSSL>false</useSSL>
            <groupMemberAttribute>member</groupMemberAttribute>
            <memberOfAttribute>memberOf</memberOfAttribute>
            <userSearchFilter>(objectClass=organizationalPerson)</userSearchFilter>
            <groupSearchFilter/>
        </ldap>
    </ldapList>

     


    For IAS 7.1, you also need to apply PABXS.7.1.00.05 which has fixes for
    the multiple-domain authentication issue.

    To double-check, you can download Softerra LDAP administrator (or any other free ldap browser) and use the information above to make sure you can connect to your Active Directory with the provided username and baseDN.

     

    It’s now important to know which AD group the users belong to. That will allow those users to assign events to other group-members.

    Regarding the way IAS currently works, it’ll ONLY look at the Active Directory groups for the list of users whom an IX user can assign events to, NOT at the IAS local groups (or local users that you might have in that local group). The presence of local groups is only related to the fact that IAS roles/permissions have to be granted to the corresponding LDAP group.

     

    Unless you know which AD your users belong to, the ldap browser can provide that piece of information:

     

    (screenshot: clip_image002.jpg)

     

    Here, I can see that the user “mrao” belongs to the IX Users group and its LDAP representation is :

     

    CN=IX Users,OU=IX Users,DC=SAM,DC=COM

     

    This means that my “IX Users” group itself belongs to the “IX Users” OU, which is located at the root of my SAM.COM domain; please refer to the screenshot below:

    NB: Please DO NOT map an OU to an internal IAS group, that won’t work!

     

    (screenshot: clip_image002.jpg)

     

     

    For example, if you have an Active Directory group (please note this is a GROUP here, not an OU (organizational unit)) named “IX Users”, then you have to create the same group within IAS. The user does not need to belong to that AD group to log into Impact Explorer, but DOES in order to assign events; otherwise you’ll get the following error message:

     

    (screenshot: clip_image002.jpg)

     

     

    Now, create a group named IX Users within IAS:

    This can be done with the following command:

     

    iadmin -ag group="IX Users":roles="Full Access"

    Make sure the group has been created with: iadmin –lg

     

    C:\Documents and Settings\Administrator>iadmin -lg
    BMC Impact Administration Server 7.2.01 [Build 1546294 - 6-Oct-2008]
    Copyright 1998-2008 BMC Software, Inc. as an unpublished work.  All rights reserved.
    List groups:
    Admins
    Full Access
    IX
    IX Users
    Operators
    Read Only
    Service Administrators
    Service Managers
    Service Managers - Senior
    Service Operators
    Service Operators - Senior
    Supervisors

     

    No need to create local users here, IAS will map the AD “IX Users” group to its local one and all AD users will have the Full Access role.

     

    Now, you should be able to log into IX.

    The users you see in the list below are AD users, not IAS local users. Any change in that AD group (IX Users) will be reflected here.

     

    (screenshot: clip_image002.jpg)
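The group-to-role mapping that the reply above describes, worked through as an added example; this is not BMC's implementation and not code from the thread. It models the stated behaviour: an LDAP user gets the roles of the local IAS group whose name equals the CN of an AD group listed in the user's memberOf, while sitting inside an OU that happens to carry the same name maps to nothing, which is the "do not map an OU" point. The directory data (users, the "Helpdesk" group, the DNs) is constructed, and case-insensitive group-name matching is this example's assumption rather than documented IAS behaviour.

```python
"""Resolve which IAS group and roles an LDAP-authenticated user gets.

Added example, not BMC's code. It models the behaviour described in the
reply above: IAS maps an AD group to the local IAS group of the same name
and the user inherits that group's roles; being located in an OU named like
the group does not count. Case-insensitive matching is an assumption here.
"""


def parse_dn(dn):
    """Split an LDAP DN into (ATTR, value) pairs, honouring backslash escapes
    such as the escaped comma in 'CN=Lastname\\, First,OU=...'."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def group_names(member_of):
    """Group names from memberOf: the CN (leading RDN) of each group DN.
    The OU and DC components are only the container path, which is why
    mapping an OU to an IAS group does nothing."""
    names = set()
    for dn in member_of:
        rdns = parse_dn(dn)
        if rdns and rdns[0][0] == "CN":
            names.add(rdns[0][1])
    return names


def container_ous(user_dn):
    """OU names in a user's own DN, for contrast with group_names()."""
    return [value for attr, value in parse_dn(user_dn) if attr == "OU"]


def resolve_roles(member_of, ias_groups):
    """Return (matched IAS groups, union of their roles) for a user's memberOf.

    ias_groups maps an IAS group name to its roles, i.e. what
    iadmin -ag group="IX Users":roles="Full Access" creates.
    """
    index = {name.lower(): (name, roles) for name, roles in ias_groups.items()}
    matched, roles = [], set()
    for name in sorted(group_names(member_of)):
        hit = index.get(name.lower())
        if hit is not None:
            matched.append(hit[0])
            roles.update(hit[1])
    return matched, sorted(roles)


# Constructed directory data (no real AD behind it), mirroring the thread:
# mrao is a member of the "IX Users" group; brandsta merely sits in the
# "IX Users" OU, so can log in but is mapped to no IAS group and no roles.
IAS_GROUPS = {"IX Users": ["Full Access"]}
USERS = {
    "mrao": {
        "dn": "CN=M Rao,OU=IX Users,DC=SAM,DC=COM",
        "memberOf": ["CN=IX Users,OU=IX Users,DC=SAM,DC=COM",
                     "CN=Helpdesk,OU=Groups,DC=SAM,DC=COM"],
    },
    "brandsta": {
        "dn": "CN=Brandstaetter\\, S,OU=IX Users,DC=SAM,DC=COM",
        "memberOf": ["CN=Helpdesk,OU=Groups,DC=SAM,DC=COM"],
    },
}

if __name__ == "__main__":
    for uid, user in USERS.items():
        groups, roles = resolve_roles(user["memberOf"], IAS_GROUPS)
        print("%-9s OUs=%s groups=%s roles=%s"
              % (uid, container_ous(user["dn"]), groups, roles))
```

Two caveats when comparing this against a real directory: AD does not list a user's primary group (Domain Users by default) in memberOf, so that group cannot be the one you map; and a user who authenticates fine but gets the assign-events error is the brandsta case above, with no memberOf CN matching any name from `iadmin -lg`.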

     

     

  • 5. LDAP login at IX/IAS not working
    Hemashekar Reddy

    Hi Manohar,

     

    The solution posted for this issue was really helpful, thanks.

     

    I have the same issue and did everything as posted, step by step, but authentication was still not successful.

     

    I have made all the changes.

     

    -updated the ias.properties

    - filled the ldap server information

    -added the ldap groups into the IAS groups

     

    I need your suggestion in solving this issue.

     

     

    I got this error message:

     

    (screenshot: ldap.png)