Service Virtualization


LDAP is not working

  • 1.  LDAP is not working

    Posted Mar 30, 2017 09:01 AM

    Team,

     

    I have DevTest 10.0 installed on my system and I am trying to set up LDAP for the same. I am following the below documentation for the same.

     

    https://docops.ca.com/devtest-solutions/10-1/en/administering/security/access-control-acl/configure-authentication-provi… 

     

    I have attached the authentication-providers.xml, but the configuration is not working.

     

    Any idea?

     

    Regards,

    Jithendar

    Attachment(s)

    zip
    ldap-mappings.xml.zip   792 B 1 version
    zip
    acl.log.zip   32 KB 1 version
    zip
    registry.log.zip   95 KB 1 version


  • 2.  Re: LDAP is not working

    Posted Mar 30, 2017 12:37 PM

     

    DEBUG com.ca.dts.security.authentication.internal.DevTestLdapAuthenticationProvider - Invoking LDAP authentication for user 'akkji01'
    2017-03-30 16:28:38,289Z (12:28) [qtp255274945-144] DEBUG org.springframework.ldap.core.support.AbstractContextSource - Got Ldap context on server 'ldap://usildc05.ca.com:389'

     

    Somehow I am unable to log in. Any idea?



  • 3.  Re: LDAP is not working

    Broadcom Employee
    Posted Mar 30, 2017 12:51 PM

    It looks like the call to LDAP was not made since I see your password was not encrypted.

    Make sure the password is correct.



  • 4.  Re: LDAP is not working

    Posted Mar 31, 2017 03:11 AM

    Hi Nunns,

     

    Now the password also got encrypted, but still no luck. Attaching the acl.log and authentication-providers.xml FYI.



  • 5.  Re: LDAP is not working

    Broadcom Employee
    Posted Mar 31, 2017 09:35 AM

    This is the error in the acl.log:

     

    Exception encountered while parsing the authentication-providers.xml file: file:/C:/PROGRA~1/CA/DevTest/authentication-providers.xml
    Message: Error on line 115 of document file:/C:/PROGRA~1/CA/DevTest/authentication-providers.xml: The entity name must immediately follow the '&' in the entity reference.


    <user-search-filter>(&amp;(objectClass=person)(sAMAccountName=*)(memberOf=CN=DevTest-Access-Group,OU=Groups,DC=ca,DC=com)</user-search-filter>

     

    You need an extra ) after DC=ca,DC=com)

     

    Should be

    <user-search-filter>(&amp;(objectClass=person)(sAMAccountName=*)(memberOf=CN=DevTest-Access-Group,OU=Groups,DC=ca,DC=com))</user-search-filter>

     

    Let me know if this resolves the problem.



  • 6.  Re: LDAP is not working

    Posted Mar 31, 2017 09:44 AM

    Hi Nunns,

     

    I have made the changes but I still see the same issue.

     

    Attached the latest acl.log FYI, and I see the below error in registry.log when I tried to log in using my credentials:


    Caused by: javax.naming.InvalidNameException: cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
    'cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com'
    ]; remaining name 'cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com'
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3075)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
    at com.sun.jndi.ldap.LdapCtx.c_getAttributes(LdapCtx.java:1329)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
    at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
    at org.springframework.security.ldap.SpringSecurityLdapTemplate$1.executeWithContext(SpringSecurityLdapTemplate.java:139)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:817)



  • 7.  Re: LDAP is not working

    Posted Mar 31, 2017 10:37 AM

    Hi Nunns,

     

    I am able to resolve this issue with the above corrections. But the LDAP configuration is restricting login with the admin account.

    Is there any way we can enable both the logins (local & LDAP)?



  • 8.  Re: LDAP is not working

    Broadcom Employee
    Posted Mar 31, 2017 02:29 PM

    Yes, you need to also keep this in the authentication-providers.xml file; we enable the built-in accounts by default:

     

    <authentication-provider
    name="ITKO Authentication Module"
    type="Legacy"
    enabled="true"
    defaultRole="Guest"/>



  • 9.  Re: LDAP is not working

    Posted Apr 03, 2017 05:24 AM

    Hi Nunns,

     

    It worked for some time. But somehow it's not working. I didn't see any error in the log files.

     

    Attaching the authentication-providers.xml, ldap-mappings.xml and the logs FYI.

     

    Please let me know what I am missing here.



  • 10.  Re: LDAP is not working
    Best Answer

    Broadcom Employee
    Posted Mar 31, 2017 10:01 AM

    Your error is this:

     

    [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
    'cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com'
    ]; nested exception is javax.naming.InvalidNameException: cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001F7, problem 2006 (BAD_NAME), data 8349, best match of:
    'cn=akkji01,ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com'


    Your user-dn is
    <user-dn>CN=artifactory,OU=Role-Based,OU=North America,DC=ca,DC=com</user-dn>

     

    Then why is your user-dn-pattern this?:

    <user-dn-pattern>cn={0},ou=users,OU=North America|OU=ITC Hyderabad|OU=Asia Pacific|OU=Europe Middle East Africa|OU=South America,dc=ca,dc=com</user-dn-pattern>

     

    and I am not familiar with using a |

     

    Try this:

    <user-dn-pattern>cn={0},ou=users,OU=North America,dc=ca,dc=com</user-dn-pattern>

     

    I suggest using something like JXplorer to test your LDAP first; then, if you can reach where your users are, it will be easier to configure.  JXplorer - an open source LDAP browser
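
Added example, not part of the original thread and not DevTest code: a pre-flight check for the two mistakes diagnosed in posts 5 and 10 (an unbalanced `user-search-filter` and a `|` inside `user-dn-pattern`) that also reports XML that is not well-formed, such as a filter with an unescaped `&`. The function names and the `<sample>` wrapper are assumptions; only the two element names and the sample values come from the thread.

```python
import xml.etree.ElementTree as ET

def unclosed_parens(ldap_filter):
    # RFC 4515 requires literal parentheses inside values to be escaped
    # (\28, \29), so every raw '(' or ')' in a filter is structural.
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:          # a ')' with nothing open
            return depth
    return depth               # > 0 means that many ')' are missing

def check_config(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:   # e.g. a raw '&' instead of '&amp;'
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter("user-search-filter"):
        n = unclosed_parens((el.text or "").strip())
        if n:
            findings.append(f"user-search-filter: unbalanced parentheses ({n:+d})")
    for el in root.iter("user-dn-pattern"):
        text = (el.text or "").strip()
        if "{0}" not in text:
            findings.append("user-dn-pattern: no {0} placeholder for the login name")
        if "|" in text:   # '|' is an OR only in search filters, not in a DN
            findings.append("user-dn-pattern: contains '|'")
    return findings

# Constructed samples: values are taken from the thread (the DN pattern is
# shortened); the <sample> wrapper is an assumption, not the real file layout.
BROKEN = """<sample>
<user-search-filter>(&amp;(objectClass=person)(sAMAccountName=*)(memberOf=CN=DevTest-Access-Group,OU=Groups,DC=ca,DC=com)</user-search-filter>
<user-dn-pattern>cn={0},ou=users,OU=North America|OU=ITC Hyderabad,dc=ca,dc=com</user-dn-pattern>
</sample>"""
FIXED = """<sample>
<user-search-filter>(&amp;(objectClass=person)(sAMAccountName=*)(memberOf=CN=DevTest-Access-Group,OU=Groups,DC=ca,DC=com))</user-search-filter>
<user-dn-pattern>cn={0},ou=users,OU=North America,dc=ca,dc=com</user-dn-pattern>
</sample>"""
RAW_AMP = "<sample><user-search-filter>(&(objectClass=person))</user-search-filter></sample>"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("raw &", RAW_AMP)):
        print(name, check_config(cfg))
```

Running a check like this against the file before restarting the registry surfaces these errors without a failed login and a search through acl.log or registry.log.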



  • 11.  Re: LDAP is not working

    Posted Mar 31, 2017 11:11 AM

    Jithendar,

     

    Make sure you have the following lines un-commented in the authentication-providers.xml file:

     

    <authentication-provider
      name="ITKO Authentication Module"
      type="Legacy"
      enabled="true"
      defaultRole="Guest"/>

     

    This will allow you to also use your local users.

     

    Regards,

    Reid



  • 12.  Re: LDAP is not working

    Posted Apr 03, 2017 09:27 AM

    I see the error

     

    org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ]; nested exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ]

     

    Any idea?



  • 13.  Re: LDAP is not working

    Broadcom Employee
    Posted Apr 03, 2017 09:30 AM

    Your credentials are invalid.

     

    LDAP Error Code 49 - Atlassian Documentation 



  • 14.  Re: LDAP is not working

    Posted Apr 03, 2017 09:39 AM

    There is no issue with the credentials either. I did a reboot of the machine; now I am able to log in.

    I am afraid: what if this issue repeats after some time? I have seen this behavior since yesterday.



  • 15.  Re: LDAP is not working

    Broadcom Employee
    Posted Apr 03, 2017 11:32 AM

    Remember, any time your LDAP credentials change, like a password, you will have to go and change it in the authentication-providers.xml file since the encrypted password will not match the new one.

     

    If you get another LDAP error after it has been working for some time, then I would look in the log files for any LDAP errors and contact your LDAP admin.



  • 16.  Re: LDAP is not working

    Posted Apr 04, 2017 08:07 AM

    Nunns,

    We have set up LDAP for the DevTest portal and we are successfully able to log in to the portal with the LDAP account. We found two issues after this:

    1. Login works for some time, and after that it does not allow any user to log in to the portal all of a sudden; if we do a reboot, it works fine again.
    2. When we log in as admin and assign roles to an LDAP user, those changes are not reflected.

    We request you to help us fix this issue.

    Regards,
    Jithendar



  • 17.  Re: LDAP is not working

    Posted Apr 07, 2017 09:04 AM

    Hi Nunns,

     

    Would you be able to help?

     

    Regards,

    Jithendar



  • 18.  Re: LDAP is not working

    Posted Apr 10, 2017 07:51 AM

    Hi Nunns,

     

    Could you please have a look at this issue and update?

     

    Regards,

    Jithendar