Symantec Access Management

I'm trying to create an external Administrator. I'm able to connect to the CA directory successfully which I want to use as the External Store, however as soon as I reach the "Select Super User" tab under "Configure Administrative Authentication" in Admin UI, no user is showing up.

Just to be sure, you have user accounts located under the 'dc=idmacc,dc=com' root?  On your slide 3, you specified the search root.  That is where the search will begin for the superuser account.

Yes, the user accounts are under the mentioned root only. I even tried the AD Directory. The same is happening with AD directory also. The authentication is getting through but as soon as I reach the "Select Super User", no users are showing up. What can be the reason for this?

also verify that the accounts you want to see listed as superuser have the 4 objectclasses listed on slide 3?  inetOrgPerson, organizationalPerson, person, top need to be on those accounts.

What are you seeing in the query log for the directory you are connecting to?  Are you seeing the bind used on slide 2 and then any searches?

We use external authentication on all of our installations and it has worked great for us.

Bind is successful, however Search is coming up with errors.

[228] 20151113.201022.802 3.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[228] 20151113.201022.802 3.1 RESULT success

[244] 20151113.201022.859 4.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[244] 20151113.201022.859 4.1 RESULT success

[48] 20151113.201119.360 5.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[48] 20151113.201119.360 5.1 RESULT success

[112] 20151113.201119.783 6.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[112] 20151113.201119.783 6.1 RESULT success

[4] 20151113.201119.987 7.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[4] 20151113.201119.987 7.1 RESULT success

[228] 20151113.201120.191 8.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[228] 20151113.201120.191 8.1 RESULT success

[32] 20151113.201120.194 8.2 SEARCH dn="dc=idmacc,dc=com" scope=subtree filter=(uid=*) eis=1

[32] 20151113.201120.194 8.2 RESULT success 24 entries 0 msecs

[244] 20151113.201120.195 9.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[244] 20151113.201120.195 9.1 RESULT success

[4] 20151113.201120.197 10.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[4] 20151113.201120.197 10.1 RESULT success

[48] 20151113.201120.198 9.2 SEARCH dn="dc=idmacc,dc=com" scope=subtree filter=(&(cn=)(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person))) eis=6

[48] 20151113.201120.198 9.2 RESULT error service 3

[24] 20151113.201953.744 11.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[24] 20151113.201953.744 11.1 RESULT success

[112] 20151113.201953.746 11.3 ABANDON id=2

[112] 20151113.201953.746 11.3 RESULT success

[4] 20151113.201953.799 12.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[4] 20151113.201953.799 12.1 RESULT success

[228] 20151113.201953.851 13.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[228] 20151113.201953.852 13.1 RESULT success

[244] 20151113.202028.415 14.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[244] 20151113.202028.415 14.1 RESULT success

[24] 20151113.202028.818 15.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[24] 20151113.202028.818 15.1 RESULT success

[112] 20151113.202029.019 16.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[112] 20151113.202029.019 16.1 RESULT success

[4] 20151113.202029.221 17.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[4] 20151113.202029.221 17.1 RESULT success

[48] 20151113.202029.224 17.2 SEARCH dn="dc=idmacc,dc=com" scope=subtree filter=(uid=*) eis=1

[48] 20151113.202029.224 17.2 RESULT success 24 entries 0 msecs

[24] 20151113.202029.225 17.3 ABANDON id=2

[24] 20151113.202029.226 17.3 RESULT success

[32] 20151113.202029.227 18.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[32] 20151113.202029.227 18.1 RESULT success

[244] 20151113.202029.229 19.1 BIND 10.0.2.16 dn="uid=idmadmin,ou=admin,ou=employee,dc=idmacc,dc=com"

[244] 20151113.202029.229 19.1 RESULT success

[60] 20151113.202029.230 18.2 SEARCH dn="dc=idmacc,dc=com" scope=subtree filter=(&(cn=*idmadmin*)(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person))) eis=6

[60] 20151113.202029.230 18.2 RESULT success 0 entries 0 msecs

Sreekanth

I would recommend checking CA Directory side first.

1. Have we added any custom ObjectClasses OR are we using the default ObjectClasses that are shipped OOB.
2. The audio attribute that is being used for Disabled Flag, Please ensure that is BLANK attribute. If it is prepopulated, then it could cause issues.
3. In image-5 we are selecting "*"; instead could we specify an exact Username and try it first.
4. The network connectivity looks good, otherwise we would not go beyond Image-2.
5. Have we enabled using Access Control in CA Dir ($DXHOME/config/access/default.dxc)?
6. Would it be possible to run a dxsearch (run dxsearch on CA Dir machine) and print the output here for a single User. See Example below.

Example :

dxsearch -h <hostname> -p <portnumber> -D <adminUser> -w <password> -b <Search Base>

dxsearch -h 10.0.2.15 -p 10389 -D cn=cadiradmin,ou=employee,dc=idmacc,dc=com -p ********** -b cn=smadmin,ou=employee,dc=dcidmacc,dc=com

NOTE :

-D Use the same user you are trying to connect to CA Dir in Image-2.

-b Use the Search Base as the User you are trying to search in Image-5.

Regards

Hubert

1. No, there are no custom ObjectClasses.
2. audio attribute is blank and not being used for any other purpose.
3. I tried with “idmadmin”, but got the same result “no result”.
4. No Access Control is not enabled.
5. Here is the screenshot of dxsearch command.

You're close.  If you look at the search you provided:

[60] 20151113.202029.230 18.2 SEARCH dn="dc=idmacc,dc=com" scope=subtree filter=(&(cn=*idmadmin*)(&(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=person))) eis=6

[60] 20151113.202029.230 18.2 RESULT success 0 entries 0 msecs

The issue is that you are entering *idmadmin* in the search box but if you look at your screen shot of the idmadmin account, the cn for that account is 'Idmacc Admin' so try entering 'idmacc' (no asterisks needed) and see if you then see the admin account show up.

Such a silly mistake I was making. Thank you