10 Replies Latest reply on Jun 24, 2010 11:23 AM by Naveen Anne

    LDAP Implementation RBAC User Table

      I am trying to get LDAP authentication to work for BladeLogic 8.0.0.359 Server Automation Suite and I am running into issues.  I would like to go over the steps of implementing LDAP for BladeLogic to find out what I am missing.


      BladeLogic was setup with SRP Authentication only until we had either a self-signed cert, or a verisign cert that worked with LDAPv3.  Our LDAP server is Sparc Solaris and the BladeLogic Appserver is running RHEL x64.  I can login to the BL console via SRP just fine.


      However when trying to login with the LDAP profile I get User Authentication Failed.  I have the SRP and LDAP boxes checked.


      The appserver.log reads:


      [18 Jun 2010 09:27:18,322] [Authentication-Service-Thread-0] [INFO] [::10.25.52.177] [Appserver] UID=meller,OU=people,DC=mcdc,DC=com authenticated to ldap://dsmdc-admin-ldap1:389
      [18 Jun 2010 09:27:18,337] [Authentication-Service-Thread-0] [WARN] [::10.25.52.177] [Appserver] UID=meller,OU=people,DC=mcdc,DC=com does not exist in the RBAC user table
      [18 Jun 2010 09:27:18,339] [Authentication-Service-Thread-0] [INFO] [UID=meller,OU=people,DC=mcdc,DC=com::10.25.52.177] [Appserver] user authentication failed: UID=meller,OU=people,DC=mcdc,DC=com
      [18 Jun 2010 09:27:18,340] [Authentication-Service-Thread-0] [INFO] [UID=meller,OU=people,DC=mcdc,DC=com::10.25.52.177] [Appserver] Authentication Connection closed


      I believe I have the x.509 cert working correctly given the authentication to the LDAP server.


      Maybe this is a Cross-Registration problem between SRP and LDAP?  The documentation I have does not go into much detail regarding the subject.


      Have any ideas?


      Thanks

      Michael

        • 1. Re: LDAP Implementation
          Naveen Anne

          Mike

          From the stack trace, it clearly looks like an issue with cross registering the user in BL.

          That term "Cross Registering" is a little confusing. It means you have to create a user in BL with the same username as the one in the LDAP server.

          Then, when the user tries to log in using his LDAP username and the LDAP protocol, the authentication server checks for a similar username in the BL DB.

          • 2. Re: LDAP Implementation

            Well, my LDAP user and pw are the same as SRP, and I have no problem logging in directly to any of our Sparc servers.

            • 3. Re: LDAP Implementation

              Anyone else with ideas or things to try?

              • 4. Re: LDAP Implementation

                From the error message, the LDAP user isn't in RBAC. Have you created the user in RBAC and mapped them to a role? (Page 145 of the BMC Administration Guide.)

                • 5. Re: LDAP Implementation

                  My LDAP user is meller and works great outside of BL.  In BL my SRP user and password are the same as my LDAP passwd.

                  • 6. Re: LDAP Implementation

                    You will need to create a new LDAP user within BL. Here try this:


                    1) Open RBAC Manager as someone with RBAC access.

                    2) Create new user.

                    3) For the name field, try this: UID=meller,OU=people,DC=mcdc,DC=com

                    4) Uncheck SRP and check LDAP.

                    5) Add this user to some roles.

                    6) Try to logon to the client with your LDAP account.


                    I may not have the instructions 100% correct, but if you don't have the LDAP account created in RBAC, you won't be able to log on. The SRP account is only for the SRP method of authentication.

                    • 7. Re: LDAP Implementation

                      No dice.


                      [24 Jun 2010 10:53:26,877] [Authentication-Service-Thread-1] [WARN] [::10.25.52.177] [Appserver] Could not validate uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com
                      [24 Jun 2010 10:53:26,877] [Authentication-Service-Thread-1] [WARN] [::10.25.52.177] [Appserver] Could not authenticate as uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com.
                      [24 Jun 2010 10:53:26,879] [Authentication-Service-Thread-1] [INFO] [uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] user authentication failed: uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com
                      [24 Jun 2010 10:53:26,880] [Authentication-Service-Thread-1] [INFO] [uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] Authentication Connection closed

                      • 8. Re: LDAP Implementation

                        and tried the following as well:


                        [24 Jun 2010 10:56:57,856] [Authentication-Service-Thread-0] [INFO] [::10.25.52.177] [Appserver] uid=meller, ou=people, dc=mcdc, dc=com authenticated to ldap://dsmdc-admin-ldap1:389
                        [24 Jun 2010 10:56:57,876] [Authentication-Service-Thread-0] [WARN] [::10.25.52.177] [Appserver] uid=meller, ou=people, dc=mcdc, dc=com does not exist in the RBAC user table
                        [24 Jun 2010 10:56:57,878] [Authentication-Service-Thread-0] [INFO] [uid=meller, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] user authentication failed: uid=meller, ou=people, dc=mcdc, dc=com
                        [24 Jun 2010 10:56:57,878] [Authentication-Service-Thread-0] [INFO] [uid=meller, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] Authentication Connection closed

                        • 9. Re: LDAP Implementation
                          Naveen Anne

                          Following are the steps involved to setup LDAP:

                          1. Set LDAP server URLs using blasadmin

                          2. set LDAP connection timeout

                          3. Add or import the X509 certificate using blcred

                          4. set LDAP trust store

                          5. Enable host validation via blasadmin

                          6. Define LDAP Distinguished Name Template in blasadmin

                          7. Enable LDAP Authentication using blasadmin

                          8. Restart application server

                          9. Create the username in RBAC (as mentioned by Umesh in the previous post)


                          Check if you have completed all the above steps. If you have already done, then try and test it with a new username (not your username). If you are still unable to get through, then I suggest you log a support ticket for this issue.

                          • 10. Re: LDAP Implementation

                            I have not completed step 6.  I was under the impression it was sufficient to add the DN on the BL Gui Console.


                            I will try to add it manually through blasadmin and see what happens.  Thanks
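The three appserver.log excerpts in this thread show two distinct failure stages, and telling them apart is the whole triage: in the 09:27 and 10:56 attempts the bind to the LDAP server succeeds and the login is then rejected only because the DN is not in the RBAC user table (the cross-registration problem from replies 1, 4 and 6), whereas in the 10:53 attempt the bind itself fails. My reading of the 10:53 lines is that the value entered in the RBAC name field was the full DN, which was then substituted into the DN template, producing `uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com`, a DN whose first RDN value is itself a `uid=` RDN. The script below is an added example of my own, not BladeLogic's code or anything posted in the thread: it parses lines in the format shown above, groups them into login attempts per thread (an attempt ends at "Authentication Connection closed"), classifies each attempt by stage, flags DNs that look double-templated, and shows how substituting a bare uid versus a full DN into a template reproduces the two log shapes. The `{uid}` placeholder syntax in `apply_dn_template` is an assumption for illustration, not the real blasadmin template syntax, and the log lines are constructed copies of the thread's excerpts.

```python
"""Triage BladeLogic appserver.log authentication lines by failure stage.

Added example for this thread; not BladeLogic code. The line format and
SAMPLE_LOG are modelled on the excerpts posted above. The grouping into
attempts, the verdict names, and the {uid} template placeholder are
assumptions of this example, not BladeLogic's own syntax.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the three attempts posted in the thread.
SAMPLE_LOG = """\
[18 Jun 2010 09:27:18,322] [Authentication-Service-Thread-0] [INFO] [::10.25.52.177] [Appserver] UID=meller,OU=people,DC=mcdc,DC=com authenticated to ldap://dsmdc-admin-ldap1:389
[18 Jun 2010 09:27:18,337] [Authentication-Service-Thread-0] [WARN] [::10.25.52.177] [Appserver] UID=meller,OU=people,DC=mcdc,DC=com does not exist in the RBAC user table
[18 Jun 2010 09:27:18,339] [Authentication-Service-Thread-0] [INFO] [UID=meller,OU=people,DC=mcdc,DC=com::10.25.52.177] [Appserver] user authentication failed: UID=meller,OU=people,DC=mcdc,DC=com
[18 Jun 2010 09:27:18,340] [Authentication-Service-Thread-0] [INFO] [UID=meller,OU=people,DC=mcdc,DC=com::10.25.52.177] [Appserver] Authentication Connection closed
[24 Jun 2010 10:53:26,877] [Authentication-Service-Thread-1] [WARN] [::10.25.52.177] [Appserver] Could not validate uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com
[24 Jun 2010 10:53:26,877] [Authentication-Service-Thread-1] [WARN] [::10.25.52.177] [Appserver] Could not authenticate as uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com.
[24 Jun 2010 10:53:26,879] [Authentication-Service-Thread-1] [INFO] [uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] user authentication failed: uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com
[24 Jun 2010 10:53:26,880] [Authentication-Service-Thread-1] [INFO] [uid=UID=meller,OU=people,DC=mcdc,DC=com, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] Authentication Connection closed
[24 Jun 2010 10:56:57,856] [Authentication-Service-Thread-0] [INFO] [::10.25.52.177] [Appserver] uid=meller, ou=people, dc=mcdc, dc=com authenticated to ldap://dsmdc-admin-ldap1:389
[24 Jun 2010 10:56:57,876] [Authentication-Service-Thread-0] [WARN] [::10.25.52.177] [Appserver] uid=meller, ou=people, dc=mcdc, dc=com does not exist in the RBAC user table
[24 Jun 2010 10:56:57,878] [Authentication-Service-Thread-0] [INFO] [uid=meller, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] user authentication failed: uid=meller, ou=people, dc=mcdc, dc=com
[24 Jun 2010 10:56:57,878] [Authentication-Service-Thread-0] [INFO] [uid=meller, ou=people, dc=mcdc, dc=com::10.25.52.177] [Appserver] Authentication Connection closed
"""

# [timestamp] [thread] [LEVEL] [context] [source] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] \[(?P<level>[A-Z]+)\] "
    r"\[(?P<ctx>[^\]]*)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$"
)

# Verdicts name the stage at which the login stopped (names are mine).
BIND_OK_NOT_IN_RBAC = "ldap_bind_ok_user_missing_in_rbac"
BIND_FAILED = "ldap_bind_failed"
SUCCESS = "login_succeeded"
UNKNOWN = "unknown"
NEXT_STEP = {
    BIND_OK_NOT_IN_RBAC: "bind OK; create a user with this exact DN in RBAC Manager, "
                         "LDAP auth enabled, and add it to a role",
    BIND_FAILED: "bind failed; check the DN template and what was typed in the name field",
    SUCCESS: "no action",
    UNKNOWN: "inspect manually",
}


@dataclass
class Attempt:
    thread: str
    started: str
    messages: list = field(default_factory=list)
    dn: str = ""


def parse_line(line):
    """Return the named fields of one log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_attempts(lines):
    """Group lines per thread; 'Authentication Connection closed' ends an attempt."""
    open_attempts, done = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        att = open_attempts.setdefault(rec["thread"], Attempt(rec["thread"], rec["ts"]))
        att.messages.append(rec["msg"])
        if rec["msg"].startswith("Authentication Connection closed"):
            done.append(open_attempts.pop(rec["thread"]))
    done.extend(open_attempts.values())  # attempts still open at end of log
    return done


def classify(att):
    """Decide which stage failed and record the DN the appserver used."""
    for m in att.messages:
        if m.startswith("user authentication failed: "):
            att.dn = m[len("user authentication failed: "):]
        elif " authenticated to " in m:
            att.dn = m.split(" authenticated to ")[0]
    bound = any(" authenticated to " in m for m in att.messages)
    not_in_rbac = any("does not exist in the RBAC user table" in m for m in att.messages)
    bind_failed = any(m.startswith("Could not authenticate as ") for m in att.messages)
    failed = any(m.startswith("user authentication failed: ") for m in att.messages)
    if bound and not_in_rbac:
        return BIND_OK_NOT_IN_RBAC
    if bind_failed:
        return BIND_FAILED
    return SUCCESS if bound and not failed else UNKNOWN


# First RDN value is itself a uid= RDN: a full DN went through the uid template.
DOUBLE_PREFIX_RE = re.compile(r"^\s*uid\s*=\s*uid\s*=", re.IGNORECASE)


def looks_double_templated(dn):
    return bool(DOUBLE_PREFIX_RE.match(dn))


def apply_dn_template(template, entered):
    """Hypothetical {uid} placeholder substitution (assumption, not blasadmin syntax)."""
    return template.replace("{uid}", entered)


def triage(log_text):
    """One dict per login attempt: stage verdict, DN used, and the fix to try next."""
    out = []
    for att in split_attempts(log_text.splitlines()):
        verdict = classify(att)
        out.append({"started": att.started, "thread": att.thread, "dn": att.dn,
                    "verdict": verdict, "double_templated_dn": looks_double_templated(att.dn),
                    "next_step": NEXT_STEP[verdict]})
    return out
```

Run as `python3 triage.py` after appending a loop that prints `triage(SAMPLE_LOG)`; the first and third attempts come back as `ldap_bind_ok_user_missing_in_rbac` and the second as `ldap_bind_failed` with `double_templated_dn` set, which is the difference between "the user is not cross-registered in RBAC" and "the name field plus the template built an invalid DN".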