LDAP users cannot authenticate in OneClick web page

Article ID: 131260


Products

CA Spectrum DX NetOps

Issue/Introduction

LDAP users cannot authenticate in the OneClick web page.


Logged in as the Spectrum install owner account and enabled debug mode for the SSORB Security SP module.

The following entries are recorded in the Tomcat log file (stdout.log):

Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - -------- first.lastname --------
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - IN getUserRoles for first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Getting user model for first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Getting user model by filter from admin domain SpectroSERVER
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Got user model: 0x1000083
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - superUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}, allowNoUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - User first.lastname is neither a super user nor an allowed user to login Spectrum
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Authenticating user with external directory server: first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Opening directory context 
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionName domain\spectrum
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     protocol 
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     referrals follow
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     timeoutPeriod in milliseconds 45000
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     readTimeoutPeriod in milliseconds 90000
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -   Getting user by search: sAMAccountName=first.lastname
Apr 23, 2019 16:43:57.344 - Connection timed out: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) - Closing directory context
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) - Opening directory context 
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     connectionName domain\spectrum
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     protocol 
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     referrals follow
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     timeoutPeriod in milliseconds 45000
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     readTimeoutPeriod in milliseconds 90000
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -   Getting user by search: sAMAccountName=first.lastname
Apr 23, 2019 16:44:18.375 - Connection problem: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Apr 23, 2019 16:44:18.375 (http-nio-80-exec-3) (SecuritySP) - Closing directory context

Environment

Release: All Supported Releases

Component: SPCOCK - Spectrum OneClick

Cause

The LDAP server is returning an LDAP referral. OneClick attempts to bind to the server named in the referral, and that connection times out.

Resolution

Disable referrals by doing the following:

1. Make a backup of the $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml file

2. Edit the $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml file

3. Look for the entry that reads referrals="follow" and change it to referrals="ignore"

4. Save the change

5. Restart the Tomcat service on the OneClick server

You may need to go to the LDAP Configuration in the OneClick Administration page and re-enter the Connection Name and Connection Password fields.

Additional Information

An LDAP referral provides a reference to an alternate location in which an LDAP request may be processed. In some cases, the LDAP server returns a referral to the OneClick server, and when OneClick tries to connect to the referred location the connection times out, producing these bind or timeout errors. The change above tells OneClick to ignore referrals, so it will not attempt to connect to the alternate location named in the referral. Leaving the file in this state should not cause any adverse effects.
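To confirm this cause from a SecuritySP debug log before editing context.xml, compare the host in the configured connectionURL with the host named in the CommunicationException. The following is an added example, not CA/Broadcom code: the function name and the sample log (abridged from the entries above) are constructed for illustration, and a host mismatch is a heuristic indicator, not proof.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines abridged from the debug log format shown above.
SAMPLE_LOG = """\
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     referrals follow
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -   Getting user by search: sAMAccountName=first.lastname
Apr 23, 2019 16:43:57.344 - Connection timed out: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) - Closing directory context
"""

URL_RE = re.compile(r"\(SecuritySP\) -\s+connectionURL\s+(\S+)")
REF_RE = re.compile(r"\(SecuritySP\) -\s+referrals\s+(\S+)")
USER_RE = re.compile(r"Getting user by search: \S+?=(\S+)")
ERR_RE = re.compile(r"CommunicationException: ([\w.-]+):(\d+) \[Root exception")


def find_referral_timeouts(log_text):
    """Return one finding per connection failure whose target host differs
    from the configured connectionURL host while referrals are followed."""
    findings = []
    host = mode = user = None
    for line in log_text.splitlines():
        if m := URL_RE.search(line):
            host = (urlparse(m.group(1)).hostname or "").lower()
        elif m := REF_RE.search(line):
            mode = m.group(1).lower()
        elif m := USER_RE.search(line):
            user = m.group(1)
        elif m := ERR_RE.search(line):
            failed = m.group(1).lower()
            # Same host as configured means a direct connectivity problem,
            # not a referral chase, so it is not reported here.
            if mode == "follow" and host and failed != host:
                findings.append({"user": user, "configured": host,
                                 "failed_host": failed, "port": int(m.group(2))})
    return findings


if __name__ == "__main__":
    for f in find_referral_timeouts(SAMPLE_LOG):
        print("{user}: bind configured for {configured}, but timed out on "
              "{failed_host}:{port} (referral followed)".format(**f))
```

If the failing host equals the configured host, the timeout is a direct connectivity problem with the LDAP server itself and changing the referrals setting will not help.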