Cannot authenticate with LDAPs after configuring LDAP Settings in DevTest
Article ID: 118621

Updated On: 08-19-2024

Products

CA Application Test Service Virtualization

Issue/Introduction

Getting LDAP error in server.log after configuring LDAPS in DevTest Identity Access Manager.

2018-10-25 10:35:58,159 INFO [org.keycloak.services] (default task-117) KC-SERVICES0087: Syncing data for mapper 'group mapper' of type 'group-ldap-mapper'. Direction: fedToKeycloak
2018-10-25 10:35:58,181 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-117) Could not query server using DN [OU=NAO,OU=global,OU=gmacfs,OU=com] and filter [(&(objectclass=group))]: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'OU=NAO,OU=global,OU=gmacfs,OU=com'
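As an added example (not part of the article), a small triage script for server.log that picks out LDAPOperationManager errors, extracts the LDAP error code and the DN that was queried, and flags the two conditions this article resolves: a TLS trust failure (server certificate missing from the IAM truststore) and a base DN that does not end in DC= components, which is a hint that the User DN or Groups DN needs adjusting. The first sample line is the article's own; the second is constructed to show the truststore failure.

```python
"""Triage LDAP errors from a DevTest IAM (Keycloak) server.log."""
import re
from typing import Optional

# Constructed sample: line 1 is the INFO line from the article (skipped),
# line 2 is the article's error, line 3 is a constructed LDAPS trust failure.
SAMPLE_LOG = """\
2018-10-25 10:35:58,159 INFO [org.keycloak.services] (default task-117) KC-SERVICES0087: Syncing data for mapper 'group mapper' of type 'group-ldap-mapper'. Direction: fedToKeycloak
2018-10-25 10:35:58,181 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-117) Could not query server using DN [OU=NAO,OU=global,OU=gmacfs,OU=com] and filter [(&(objectclass=group))]: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'OU=NAO,OU=global,OU=gmacfs,OU=com'
2018-10-25 10:36:02,004 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-118) Could not query server using DN [DC=example,DC=com] and filter [(objectclass=*)]: javax.naming.CommunicationException: simple bind failed: ldap.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed]
"""

LDAP_ERR = re.compile(r"LDAP: error code (\d+)")
DN_RE = re.compile(r"using DN \[([^\]]+)\]")


def triage_line(line: str) -> Optional[dict]:
    """Return a finding dict for an LDAPOperationManager error line, else None."""
    if "LDAPOperationManager" not in line:
        return None
    findings = []
    # Java reports a certificate it cannot chain to the truststore as a PKIX failure.
    if "SSLHandshakeException" in line or "PKIX path building failed" in line:
        findings.append("tls-trust")
    m = LDAP_ERR.search(line)
    code = int(m.group(1)) if m else None
    if code == 1:  # operationsError: the server refused the search itself
        findings.append("operations-error")
    dn_match = DN_RE.search(line)
    dn = dn_match.group(1) if dn_match else None
    # An AD naming context ends in DC= components; all-OU DNs are suspect.
    if dn and not any(r.strip().upper().startswith("DC=") for r in dn.split(",")):
        findings.append("dn-without-dc")
    return {"dn": dn, "ldap_error_code": code, "findings": findings}


def triage_log(text: str) -> list:
    """Triage every line of a log excerpt, dropping lines with nothing to report."""
    return [r for r in (triage_line(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LOG):
        print(result)
```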

Environment

All supported DevTest releases.

Cause

IAM connects to the directory over secured LDAPS, so the LDAP server's certificate chain must be present in the IAM truststore; it had not been imported.

In addition, several User Federation and Group settings (User DN, LDAP Groups DN, and the username, RDN, group name and membership attributes) did not match the directory, so the group sync query failed with the error above. Jxplorer was used to browse the LDAP server and determine the correct values; it is a very good tool for troubleshooting LDAP.

Resolution

Needed to import the LDAP server certificates into the IAM truststore, since secured LDAPS is used.

Used Jxplorer to view the LDAP server to determine the values to be set. This is a very good tool for troubleshooting LDAP. 

Logged into IAM with admin/admin. 

Needed to make some changes on the User Federation Settings and Groups Settings: 

Settings: 

Username LDAP Attribute needed to be set to sAMAccountName. 
RDN LDAP Attribute needed to be set to sAMAccountName. 
Default Role set to Runtime User. 
Needed to tweak the User DN value.

Group Settings: 

Needed to tweak the LDAP Groups DN value.
Group Name LDAP Attribute needed to be set to sAMAccountName. 
Membership User LDAP Attribute needed to be set to sAMAccountName. 

Was then able to Sync LDAP Groups to Identity and Access Manager. 

Was then able to go to Group(s) to Role Mapper and view the imported LDAP groups. 

Logged out of IAM. 

Logged in with user1's LDAP credentials and got an error that the user did not have permissions (a valid error at this point, since no roles were mapped yet).

Logged back in to IAM with admin/admin. 

Choose Users. 

Choose View All Users. 

Could see user1 Username. 

Edit user1 Username. 

Choose Role Mappings. 

Add Available Roles of Super User, IAM Administrator and Virtual Service Catalog Administrator. 

Logged out of IAM. 

user1 logged back into IAM with LDAP credentials and was successful. 

user2 was also able to log in.

Started all DevTest components and was able to log into Portal with LDAP credentials.