LDAP users cannot authenticate in OneClick web page

Article ID: 131260

Products

CA Spectrum

Issue/Introduction

LDAP users cannot authenticate in the OneClick web page.


Logged in as the Spectrum install owner account and enabled debug mode for the SSORB Security SP module.

The following entries are recorded in the Tomcat log file (stdout.log):

Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - -------- first.lastname --------
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - IN getUserRoles for first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Getting user model for first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Getting user model by filter from admin domain SpectroSERVER
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Got user model: 0x1000083
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - superUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}, allowNoUser: union com.aprisma.spectrum.core.idl.CsCAttribute.CsCValue {
boolean boolValue=false
}
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - User first.lastname is neither a super user nor an allowed user to login Spectrum
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Authenticating user with external directory server: first.lastname
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) - Opening directory context 
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionName domain\spectrum
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     protocol 
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     referrals follow
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     timeoutPeriod in milliseconds 45000
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     readTimeoutPeriod in milliseconds 90000
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -   Getting user by search: sAMAccountName=first.lastname
Apr 23, 2019 16:43:57.344 - Connection timed out: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) - Closing directory context
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) - Opening directory context 
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     connectionName domain\spectrum
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     protocol 
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     referrals follow
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     timeoutPeriod in milliseconds 45000
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -     readTimeoutPeriod in milliseconds 90000
Apr 23, 2019 16:43:57.344 (http-nio-80-exec-3) (SecuritySP) -   Getting user by search: sAMAccountName=first.lastname
Apr 23, 2019 16:44:18.375 - Connection problem: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
Apr 23, 2019 16:44:18.375 (http-nio-80-exec-3) (SecuritySP) - Closing directory context

Cause

The LDAP server returns an LDAP referral. OneClick follows it and attempts to bind to the referred server (DomainDnsZones.domain.net:389 in the log above), and that connection times out.

Environment

Any Spectrum version

Resolution

Disable referrals by doing the following:

1. Make a backup of the $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml file

2. Edit the $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml file

3. Look for the entry that reads referrals="follow" and change it to referrals="ignore"

4. Save the change

5. Restart Tomcat on the OneClick server
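
The log check and the edit above as a script, added here as an example and not part of the vendor's article: referral_targets lists servers named in a CommunicationException that are not a configured connectionURL (the referral symptom), and disable_referrals performs steps 1 to 4. The function names, the .bak suffix and the <Realm> line in the demo are assumptions; the sample log lines are constructed from the excerpt above.

```shell
#!/bin/sh
# Print every host:port named in a CommunicationException that is not a
# configured connectionURL, i.e. a server OneClick reached only via a referral.
referral_targets() {
    awk '
        / connectionURL / {
            url = $NF                              # e.g. ldap://ldapserver:389
            sub(/^ldaps?:\/\//, "", url)
            configured[url] = 1
        }
        /javax\.naming\.CommunicationException: / {
            rest = $0
            sub(/.*CommunicationException: /, "", rest)   # greedy: text after the last one
            split(rest, f, " ")
            failed[f[1]] = 1
        }
        END { for (h in failed) if (!(h in configured)) print h }
    ' "$1" | sort
}

# Steps 1-4 of the Resolution: back up context.xml, switch follow -> ignore,
# and succeed only if no referrals="follow" remains.
disable_referrals() {
    ctx=$1
    [ -f "$ctx" ] || { echo "not found: $ctx" >&2; return 1; }
    if ! grep -q 'referrals="follow"' "$ctx"; then
        echo "no referrals=\"follow\" in $ctx; nothing changed" >&2
        return 2
    fi
    cp -p "$ctx" "$ctx.bak" || return 1
    sed 's/referrals="follow"/referrals="ignore"/g' "$ctx.bak" > "$ctx" || return 1
    ! grep -q 'referrals="follow"' "$ctx"
}

# Demo on constructed sample data; the <Realm> line is a stand-in, not the real file.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/stdout.log" <<'EOF'
Apr 23, 2019 16:43:36.312 (http-nio-80-exec-3) (SecuritySP) -     connectionURL ldap://ldapserver:389
Apr 23, 2019 16:43:57.344 - Connection timed out: javax.naming.CommunicationException: javax.naming.CommunicationException: DomainDnsZones.domain.net:389 [Root exception is java.net.ConnectException: Connection timed out: connect]
EOF
    echo '<Realm referrals="follow" connectionURL="ldap://ldapserver:389"/>' > "$d/context.xml"
    referral_targets "$d/stdout.log"
    disable_referrals "$d/context.xml" && cat "$d/context.xml"
    rm -rf "$d"
}
if [ "$#" -eq 2 ]; then referral_targets "$1"; disable_referrals "$2"; else demo; fi
```

Run it with the paths to stdout.log and $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml as arguments; step 5, restarting Tomcat, is still done by hand.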