BMC Atrium Discovery Community Forum

ADDM LDAP Integration With Oracle Internet Directory (OID)
Posted: 01 September 2010 11:33 PM
Contributor
Total Posts:  51
Joined:  2010-06-10

I am having problems integrating ADDM with OID LDAP. In the LDAP configuration, I have the following:

Server URI: ldap://otoid.infra:389
Bind Username: cn=orcladmin
Set Bind Password: xxx
Search Base: cn=users,dc=infra
Search Template: (orcluserPrincipalName=%(username)s)
Group Mode: Other
Group Attribute on User node: memberOf
Group Query: (objectclass=groupOfUniqueNames)
Membership Attribute on Group node: UniqueMember

and group mapping is enabled with:

LDAP Group: cn=discovery_users,cn=groups,dc=infra
ADDM assigned groups: public, discovery

The test1.user is a member of cn=discovery_users,cn=groups,dc=infra.

At the login prompt, I enter the username = test1.user (basically the orcluserPrincipalName in LDAP) and its corresponding password. It gives me “Permission Denied”. In the tw_svc_security.log, I see the following:

-1298605168: 2010-09-01 16:59:28,910: security.servants: DEBUG: Checking permission on operation ‘appserver/login’ for user ‘test1.user’.
-1298605168: 2010-09-01 16:59:28,911: security.servants: DEBUG: Try validation via standard
-1298605168: 2010-09-01 16:59:28,911: security.access: DEBUG: Checking permission: operation: appserver/login, user: test1.user
-1298605168: 2010-09-01 16:59:28,911: security.access: DEBUG: permitted: NoSuchUser => test1.user
-1298605168: 2010-09-01 16:59:28,911: security.servants: DEBUG: Try validation via ldap
-1298605168: 2010-09-01 16:59:28,911: security.authenticator.ldap: DEBUG: getUser(): Looking for test1.user (cache lookup)
-1298605168: 2010-09-01 16:59:28,912: security.ldapauth.user: DEBUG: Return groups set([]) for user test1.user
-1298605168: 2010-09-01 16:59:28,912: security.validator.ldap: DEBUG: LDAP.permitted(): Performing group mapping for user test1.user
-1298605168: 2010-09-01 16:59:28,912: security.validator.ldap: DEBUG: LDAP.permitted(): Final mapped group list for user test1.user is [ ]
-1298605168: 2010-09-01 16:59:28,912: security.validator.ldap: DEBUG: LDAP.permitted(): user test1.user, operation appserver/login: DENIED
-1298605168: 2010-09-01 16:59:28,912: security.servants: DEBUG: Operation ‘appserver/login’ for user ‘test1.user’ DENIED

What may the problem be in giving access denied?

Thanks, Prakash

Posted: 02 September 2010 09:48 AM [ # 1 ]
BMC ADDM Staff
Administrator
Total Posts:  2737
Joined:  2008-01-25

You would need to work with your LDAP admin to double check your config and access.

You should also raise a case with support. I know they have recently put together a how-to for some of the common LDAP servers. I’m not sure OID is covered, but it might be useful to you.

Posted: 02 September 2010 02:44 PM [ # 2 ]
Contributor
Total Posts:  51
Joined:  2010-06-10

Charles,

I raised a support ticket – ISS03661664 with BMC.

Thanks

Posted: 03 September 2010 07:59 PM [ # 3 ]
Guru
Total Posts:  127
Joined:  2008-02-29

After you configure LDAP and/or the group mappings, you need to make sure you flush the LDAP cache. The default configuration will cache the user groups for several hours, so if you tried to log in before you got all the settings correct, those previous invalid logins are still cached, and ADDM won’t re-query the directory for new group information until after it has expired.

From the looks of your logs, you did a cache lookup and not an external lookup:
-1298605168: 2010-09-01 16:59:28,911: security.authenticator.ldap: DEBUG: getUser(): Looking for test1.user (cache lookup)
-1298605168: 2010-09-01 16:59:28,912: security.ldapauth.user: DEBUG: Return groups set([]) for user test1.user

There is a button on the bottom of the ldap config page to flush the cache.
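An added diagnostic for the situation described in this answer, not code from the thread or from BMC: it reconstructs one login attempt from tw_svc_security.log lines like those quoted above and separates a stale-cache denial (the groups came from ADDM's cache) from a directory that returned no groups and from a group mapping that matched nothing. The sample lines are constructed from the post's excerpt, the mapping table is the one from the original post, and treating any getUser() line without "(cache lookup)" as a directory lookup is an assumption.

```python
import re

# Constructed sample, modelled on the tw_svc_security.log excerpt in the thread (not a real capture).
SAMPLE_LOG = """\
-1298605168: 2010-09-01 16:59:28,911: security.authenticator.ldap: DEBUG: getUser(): Looking for test1.user (cache lookup)
-1298605168: 2010-09-01 16:59:28,912: security.ldapauth.user: DEBUG: Return groups set([]) for user test1.user
-1298605168: 2010-09-01 16:59:28,912: security.validator.ldap: DEBUG: LDAP.permitted(): user test1.user, operation appserver/login: DENIED
"""

# Group mapping from the original post: LDAP group DN -> ADDM groups.
GROUP_MAPPING = {"cn=discovery_users,cn=groups,dc=infra": ["public", "discovery"]}

# Assumption: a getUser() line without "(cache lookup)" means ADDM went to the directory.
LOOKUP_RE = re.compile(r"getUser\(\): Looking for (\S+) \((cache) lookup\)")
GROUPS_RE = re.compile(r"Return groups set\((.*)\) for user (\S+)")
DENIED_RE = re.compile(r"user (\S+), operation (\S+): DENIED")

def normalise_dn(dn):
    """Canonicalise a DN for comparison: lower-case, no whitespace around the commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def map_groups(ldap_groups, mapping=GROUP_MAPPING):
    """Return the ADDM groups a user receives from their LDAP groups via the mapping table."""
    table = {normalise_dn(dn): addm for dn, addm in mapping.items()}
    mapped = []
    for dn in ldap_groups:
        for group in table.get(normalise_dn(dn), []):
            if group not in mapped:
                mapped.append(group)
    return mapped

def diagnose(log_text):
    """Reconstruct one login attempt from tw_svc_security.log lines and classify a denial."""
    result = {"user": None, "lookup": "directory", "ldap_groups": [], "denied": [], "finding": "ok"}
    for line in log_text.splitlines():
        if m := LOOKUP_RE.search(line):
            result["user"], result["lookup"] = m.group(1), m.group(2)
        elif m := GROUPS_RE.search(line):
            result["ldap_groups"] = re.findall(r"'([^']*)'", m.group(1))  # parse the set([...]) repr
        elif m := DENIED_RE.search(line):
            result["denied"].append(m.group(2))
    if result["denied"]:
        result["finding"] = "mapped groups do not grant the operation"  # fallthrough when groups did map
        if result["lookup"] == "cache":
            result["finding"] = "stale cache"  # answer came from ADDM's cache: flush it and retry
        elif not result["ldap_groups"]:
            result["finding"] = "no groups from directory"  # check search base, group query, membership attribute
        elif not map_groups(result["ldap_groups"]):
            result["finding"] = "no mapping matched"  # groups found, but none maps to an ADDM group
    return result
```

Run diagnose() over a fresh login attempt after flushing the cache; if the finding is still not "ok", the reason points at the next setting to check.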
