CA SAM Troubleshooting the LDAP/AD Connector
Article ID: 129991
Updated On:
Products
CA IT Asset Manager
CA Software Asset Manager (CA SAM)
ASSET PORTFOLIO MGMT- SERVER
CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager
Issue/Introduction
When the LDAP PHP module passes the credentials from the AD Connector system parameters to the LDAP server, the connection is unsuccessful. Several observations are made in the connection binding failure, including a possible reversal of the credentials. One might see in the network trace:
Name: (value of “ldap_connect_param_set_AD_bind_search_password”)
UserName: (value of “ldap_connect_param_set_AD_bind_search_dn”)
Name: (value of “ldap_connect_param_set_AD_bind_search_password”)
UserName: (value of “ldap_connect_param_set_AD_bind_search_dn”)
Environment
CA SAM 4.x, Active Directory with additional security requirements.
Resolution
Depending on system requirements, if the AD has security in place, SSL (ldaps) and TLS configurations are mutually exclusive LDAP configurations and are separate functionalities. This article assumes you have SSL (ldaps) in place.
* If there is a load balancer in play, try using a specific LDAP Server instead of a load balancer
* Under the Admin -> Configuration -> Browse Configuration:
- ldap_connect_param_set_XXXX_hostname should have a value set to "ldaps://LDAPSERVER" or "ldaps://LDAPSERVER.domain.com"
- ldap_connect_param_set_XXXX_port should be set to 636
- ldap_connect_param_set_XXXX_tls should be set to 0 intead of 1
- ldap_connect_param_set_XXXX_search_dn should be set to use the full CN path. "cn=USERID,ou=XXXX,ou=XXXX,dc=XXXX,dc=domain,dc=com" (no quotes)
If any of the above changes are made in the CA SAM Configuration, we recommend recycling IIS.
* The certificate setting for "ldap.conf" needs to be specified under system environment variable LDAPPRC. The full path (without quotes) is usually "X:\Program Files (x86)\ca\sam\env\LDAP\ldap.conf". If LDAPPRC environment variable is changed, one should recycle the whole server.
* The certificate that is in play should optimally be in a pfx or cer format.
* The content of ldap.conf should read as
TLS_CACERT X:\Program Files (x86)\ca\sam\env\LDAP\CA.cer
* Alternatively, one can also modify the ldap.conf file to contain this line only:
TLS_REQCERT never
If the ldap.conf file is modified, one will need to recycle IIS.
* If there is a load balancer in play, try using a specific LDAP Server instead of a load balancer
* Under the Admin -> Configuration -> Browse Configuration:
- ldap_connect_param_set_XXXX_hostname should have a value set to "ldaps://LDAPSERVER" or "ldaps://LDAPSERVER.domain.com"
- ldap_connect_param_set_XXXX_port should be set to 636
- ldap_connect_param_set_XXXX_tls should be set to 0 intead of 1
- ldap_connect_param_set_XXXX_search_dn should be set to use the full CN path. "cn=USERID,ou=XXXX,ou=XXXX,dc=XXXX,dc=domain,dc=com" (no quotes)
If any of the above changes are made in the CA SAM Configuration, we recommend recycling IIS.
* The certificate setting for "ldap.conf" needs to be specified under system environment variable LDAPPRC. The full path (without quotes) is usually "X:\Program Files (x86)\ca\sam\env\LDAP\ldap.conf". If LDAPPRC environment variable is changed, one should recycle the whole server.
* The certificate that is in play should optimally be in a pfx or cer format.
* The content of ldap.conf should read as
TLS_CACERT X:\Program Files (x86)\ca\sam\env\LDAP\CA.cer
* Alternatively, one can also modify the ldap.conf file to contain this line only:
TLS_REQCERT never
If the ldap.conf file is modified, one will need to recycle IIS.
Feedback
Yes
No
Powered by
