CA APM - LDAP authentication working using "cn" as "usernameAttribute" but not when using "sAMAccountName"

Article ID: 116700

Products

CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE

Issue/Introduction

With the CA APM Enterprise Manager realms.xml file property "usernameAttribute" set to "cn", login testing with Active Directory "cn" names succeeds.
However, after changing realms.xml so that "usernameAttribute" is set to "sAMAccountName", the same testing with Active Directory "sAMAccountName" names returns an error and the user cannot log in.

For the successful "cn" case the DEBUG em.log shows:
[DEBUG] [main] [Manager.UserManagementService] groupMemberQuery=(&(objectClass=group)(member={0})) 
[DEBUG] [main] [Manager.UserManagementService] bindAuthentication=simple 
[DEBUG] [main] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupObjectQuery=(&(objectClass=group)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupNameAttribute=cn 
[DEBUG] [main] [Manager.UserManagementService] disallowEmptyPassword=true 
[DEBUG] [main] [Manager.UserManagementService] usernameAttribute=cn ... 
[DEBUG] [main] [Manager.RegistryService] Added registry entry at: /service/com.wily.introscope.spec.server.beans.usermgmt.IUserManagementService 
... 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] Found user firstname lastname 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] javaNamingReferral=follow 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[VERBOSE] [PO:main Mailman 7] [Manager.UserManagementService] Attempting to authenticate user by binding to the LDAP server using "CN=firstname lastname,OU=...,OU=...,DC=...,DC=...,DC=..." 
... 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] User 'firstname lastname' is reported by ACA to be a member of groups [groupname] 


For the unsuccessful "sAMAccountName" case the DEBUG em.log shows:
[DEBUG] [main] [Manager.UserManagementService] groupMemberQuery=(&(objectClass=group)(member={0})) 
[DEBUG] [main] [Manager.UserManagementService] bindAuthentication=simple 
[DEBUG] [main] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupObjectQuery=(&(objectClass=group)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupNameAttribute=cn 
[DEBUG] [main] [Manager.UserManagementService] disallowEmptyPassword=true 
[DEBUG] [main] [Manager.UserManagementService] usernameAttribute=sAMAccountName ... 
[DEBUG] [main] [Manager.RegistryService] Added registry entry at: /service/com.wily.introscope.spec.server.beans.usermgmt.IUserManagementService 
... 
[DEBUG] [PO:main Mailman 4] [Manager.UserManagementService] javaNamingReferral=follow 
[DEBUG] [PO:main Mailman 4] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[INFO] [PO:main Mailman 4] [Manager.UserManagementService] "firstname.lastname" Failed to login from host "Node=Workstation_0, Address=..., Type=socket"

Environment

CA APM 9.x, 10.x

Cause

Incorrect CA APM Enterprise Manager realms.xml configuration

Resolution

In the realms.xml file: 
1. The "usernameAttribute" property was correctly set to "sAMAccountName", i.e. 
<property name="usernameAttribute"> 
<value>sAMAccountName</value> 
</property> 


2. However, "userObjectQuery" was still filtering on "cn" and needed to be changed to filter on "sAMAccountName", i.e. 
FROM: 
<property name="userObjectQuery"> 
<value>(&amp;(objectClass=organizationalPerson)(cn={0}))</value> 
</property> 

TO: 
<property name="userObjectQuery"> 
<value>(&amp;(objectClass=organizationalPerson)(sAMAccountName={0}))</value> 
</property>
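The root cause above is a mismatch between the attribute the realm expects the user to type ("usernameAttribute") and the attribute the "userObjectQuery" filter actually searches on. The following Python script is an added example (not part of this article or of the CA APM product) that checks a realms.xml, or the startup DEBUG lines from em.log, for exactly that mismatch, so the misconfiguration can be caught before a login test fails. The outer <realms>/<realm> wrapper in the sample file is an assumption; the <property><value> layout and the log line format are the ones shown in this article, and the sample file itself is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample realms.xml (not the product's shipped file): the outer
# <realms>/<realm> wrapper is assumed; the <property><value> layout is the one
# shown in the article. This copy carries the mismatch the article describes.
MISMATCHED_REALMS_XML = """<realms>
  <realm descriptor="LDAP Realm" id="LDAP Realm" active="true">
    <property name="usernameAttribute"><value>sAMAccountName</value></property>
    <property name="userObjectQuery">
      <value>(&amp;(objectClass=organizationalPerson)(cn={0}))</value>
    </property>
    <property name="groupNameAttribute"><value>cn</value></property>
    <property name="groupObjectQuery">
      <value>(&amp;(objectClass=group)(cn={0}))</value>
    </property>
  </realm>
</realms>
"""

# Same file after applying the article's resolution. Only the user filter
# changes; the group filter stays on cn because groupNameAttribute is still cn.
FIXED_REALMS_XML = MISMATCHED_REALMS_XML.replace(
    "organizationalPerson)(cn={0})", "organizationalPerson)(sAMAccountName={0})"
)

# Which *Attribute property must agree with which *Query filter.
ATTRIBUTE_QUERY_PAIRS = (
    ("usernameAttribute", "userObjectQuery"),
    ("groupNameAttribute", "groupObjectQuery"),
)


def realm_properties(xml_text):
    """Map <property name="..."><value>...</value></property> entries to a dict.
    ElementTree decodes &amp; to &, so the filter comes back in LDAP syntax."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.get("name")
        value = prop.findtext("value")
        if name and value is not None:
            props[name] = value.strip()
    return props


def placeholder_attribute(ldap_filter):
    """Return the attribute compared with the {0} placeholder, e.g. 'cn' for (cn={0})."""
    match = re.search(r"\(([A-Za-z][\w-]*)=\{0\}\)", ldap_filter)
    return match.group(1) if match else None


def find_mismatches(props):
    """Return (attribute property, query property, configured attribute, attribute
    used in the filter) for every pair whose filter searches a different attribute
    than the one the realm expects the user to supply. LDAP attribute names are
    case-insensitive, so the comparison ignores case."""
    mismatches = []
    for attr_key, query_key in ATTRIBUTE_QUERY_PAIRS:
        if attr_key not in props or query_key not in props:
            continue
        expected = props[attr_key]
        actual = placeholder_attribute(props[query_key])
        if actual is None or actual.lower() != expected.lower():
            mismatches.append((attr_key, query_key, expected, actual))
    return mismatches


def check_realms_xml(xml_text):
    return find_mismatches(realm_properties(xml_text))


# The same check can be run over the startup DEBUG lines that the Enterprise
# Manager writes to em.log, which is what the article's log excerpts show.
LOG_PROPERTY_RE = re.compile(r"\[Manager\.UserManagementService\]\s+(\w+)=(\S+)")


def properties_from_em_log(log_lines):
    props = {}
    for line in log_lines:
        match = LOG_PROPERTY_RE.search(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def check_em_log(log_lines):
    return find_mismatches(properties_from_em_log(log_lines))


# Log lines taken from the article's failing case (trailing " ..." removed).
FAILING_EM_LOG = [
    "[DEBUG] [main] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0}))",
    "[DEBUG] [main] [Manager.UserManagementService] groupObjectQuery=(&(objectClass=group)(cn={0}))",
    "[DEBUG] [main] [Manager.UserManagementService] groupNameAttribute=cn",
    "[DEBUG] [main] [Manager.UserManagementService] usernameAttribute=sAMAccountName",
]

if __name__ == "__main__":
    for label, result in (
        ("realms.xml (mismatched)", check_realms_xml(MISMATCHED_REALMS_XML)),
        ("realms.xml (fixed)", check_realms_xml(FIXED_REALMS_XML)),
        ("em.log (failing case)", check_em_log(FAILING_EM_LOG)),
    ):
        print(label, "->", result or "consistent")
```

Run against the article's failing configuration the check reports that "usernameAttribute" is sAMAccountName while "userObjectQuery" still searches cn; after the resolution is applied it reports nothing. The group pair is checked the same way because the article's group settings show the same attribute/filter pairing, which would break in the same manner if only one side were changed.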