Not able to bind EEM to LDAP, userstore status shows up with Red (bind failed)

Article ID: 215001

Products

Autosys Workload Automation

Issue/Introduction

Configuring an EEM server with an external user store (LDAP) using the same bind credentials that work on other EEM servers does not succeed. Normally the user store status shows a green check mark (success), but here it shows a red X (bind failed).

Environment

Workload Automation AutoSys Embedded Entitlements Manager

Cause

  • Check the EEM server logs (ldap.log/server.log). If there is a bind error while the LDAP ports are still open, that usually means the LDAP administrators are not allowing the connection from this server.
  • Enable trace on the EEM side by editing /opt/CA/SharedComponents/EmbeddedEntitlementsManager/config/logger/server.xml (or C:\Program Files\CA\SharedComponents\EmbeddedEntitlementsManager\config\logger\server.xml on Windows).

  • Find each of the four logger sections below and change the value of the "level" tag to "trace" or "debug":

<logger name="eiam.server.ipoz" additivity="false">
<level value="trace"/>
<appender-ref ref="ipoz" />
</logger>

<logger name="eiam.server" additivity="false">
<level value="trace"/>
<appender-ref ref="server" />
</logger>

<logger name="eiam.server.ldap" additivity="false">
<level value="trace"/>
<appender-ref ref="ldap" />
</logger>

<logger name="eiam.server.performance" additivity="false">
<level value="trace"/>
<appender-ref ref="performance" />
</logger>

  • Also, in each appender section, raise maxBackupIndex from 1 to 10 so that rotated trace files are kept rather than overwritten. Example:

Before change:
<param name="maxFileSize" value="10000KB" />
<param name="maxBackupIndex" value="1" />
After change:
<param name="maxFileSize" value="10000KB" />
<param name="maxBackupIndex" value="10" />

  • Save the file. Tracing activates automatically; no restart of EEM is necessary. No new log files are created; trace output starts appearing in the existing EEM logs.

  • Log files are located under /opt/CA/SharedComponents/EmbeddedEntitlementsManager/logs (or C:\Program Files\CA\SharedComponents\EmbeddedEntitlementsManager\logs on Windows).

NOTE - To restore normal logging after the trace has been collected, change the "level" tag value back to "info" in each of the sections mentioned above.

  • Once the traces are enabled, go back to the EEM User Store page and try to save the LDAP store information again. When the error occurs, review ldap.log / server.log in the folders above.

  • In this case, ldap.log contained errors like these (the connection is established, then the bind is rejected with rc 49, Invalid credentials):

DEBUG 2021-05-12 11:17:49,116 [0x00002884] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.example.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=example,DC=com]
DEBUG 2021-05-12 11:17:49,116 [0x00002884] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,130 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282BA0, ldapUrl: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.example.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::closeConnection: closing ldap connection [ldap: 000000000D282BA0]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.example.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=example,DC=com]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,141 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282510, ldapUrl: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,151 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.example.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,151 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::closeConnection: closing ldap connection [ldap: 000000000D282510]
DEBUG 2021-05-12 11:17:49,152 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.example.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=example,DC=com]
DEBUG 2021-05-12 11:17:49,152 [0x00000cb8] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.example.com:389]

  • If the same bind account is configured on another EEM server and that server works fine, the LDAP administrators are preventing connections from the new EEM server.
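As an added example (not from the article), a small parser for the ldap.log messages shown above. It counts established connections against rejected binds per user store, so the article's pattern (socket accepted, bind rejected with rc 49) is separated from a plain connection failure. The sample lines are constructed to match the excerpt, with placeholder host, DN and handles.

```python
import re
from collections import Counter

# Constructed sample in the format of the article's ldap.log excerpt (host, DN and handles are placeholders).
SAMPLE_LDAP_LOG = """\
DEBUG 2021-05-12 11:17:49,130 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282BA0, ldapUrl: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.example.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::closeConnection: closing ldap connection [ldap: 000000000D282BA0]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.example.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=example,DC=com]
DEBUG 2021-05-12 11:17:49,141 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282510, ldapUrl: ldap://ldap.example.com:389]
DEBUG 2021-05-12 11:17:49,151 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.example.com:389, rc: 49, error: Invalid credentials]
"""

# One regex per message type the article walks through; fields come from the bracketed "key: value" list.
ESTABLISHED = re.compile(r"newLdapConnection: new connection established \[name: (?P<store>[^,\]]+)")
BIND_FAILED = re.compile(r"newLdapConnection: bind failed \[name: (?P<store>[^,]+), ldapurl: (?P<url>[^,]+), "
                         r"rc: (?P<rc>\d+), error: (?P<error>[^\]]+)\]")
CREATE_FAILED = re.compile(r"newConnection: failed to create ldap connection \[name: (?P<store>[^,]+), "
                           r"ldapurl: [^,]+, binddn: (?P<dn>[^\]]+)\]")

def summarize_ldap_log(log_text):
    """Count connections vs. bind failures per user store and classify the failure mode."""
    established, failures, create_failed = Counter(), Counter(), Counter()
    rc_errors, bind_dns = Counter(), set()
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            established[m["store"]] += 1
        elif m := BIND_FAILED.search(line):
            failures[m["store"]] += 1
            rc_errors[(int(m["rc"]), m["error"].strip())] += 1
        elif m := CREATE_FAILED.search(line):
            create_failed[m["store"]] += 1
            bind_dns.add(m["dn"])
    if failures and any(established[s] for s in failures):
        # The article's case: port open, the directory accepted the socket and then rejected the bind.
        verdict = "reachable but bind rejected"
    elif failures or create_failed:
        verdict = "connection not established"
    else:
        verdict = "no bind failures"
    return {"established": dict(established), "bind_failed": dict(failures),
            "rc_errors": dict(rc_errors), "bind_dns": sorted(bind_dns), "verdict": verdict}
```

A "reachable but bind rejected" verdict with the same DN that binds fine from another EEM host points at the directory-side policy the article describes, not at the network path.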

Resolution

Work with the LDAP administrators to make sure the bind account above is allowed to connect to the LDAP server above from the new EEM server, then resave the LDAP user store information in EEM.

This time the save should be successful.

Additional Information

Once everything is done, revert the trace configuration in server.xml (set the "level" values back to "info").
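As an added example (not from the article or the product), a helper that applies the two server.xml edits from the Cause section (logger level to "trace", maxBackupIndex to 10) and reverts the level to "info" afterwards. The XML fragment is constructed in the shape of the article's excerpts; the root element name and the extra non-EEM logger are assumptions.

```python
import xml.etree.ElementTree as ET

# The four logger sections the article tells you to switch to trace (or debug).
EEM_LOGGERS = ("eiam.server.ipoz", "eiam.server", "eiam.server.ldap", "eiam.server.performance")

# Constructed fragment shaped like the article's server.xml excerpts. The real file
# has more appenders/loggers; the root element and the "com.example.other" logger are assumed.
SAMPLE_SERVER_XML = """<configuration>
  <appender name="ldap" class="RollingFileAppender">
    <param name="maxFileSize" value="10000KB" />
    <param name="maxBackupIndex" value="1" />
  </appender>
  <logger name="eiam.server.ldap" additivity="false">
    <level value="info"/>
    <appender-ref ref="ldap" />
  </logger>
  <logger name="com.example.other" additivity="false">
    <level value="info"/>
    <appender-ref ref="ldap" />
  </logger>
</configuration>
"""

def set_logger_levels(xml_text, level):
    """Set <level value> on each EEM logger only; returns (new_xml, names_changed).
    Use "trace" to enable, "info" to restore normal logging afterwards."""
    root = ET.fromstring(xml_text)
    changed = []
    for logger in root.iter("logger"):
        lvl = logger.find("level")
        if logger.get("name") in EEM_LOGGERS and lvl is not None:
            lvl.set("value", level)
            changed.append(logger.get("name"))
    return ET.tostring(root, encoding="unicode"), changed

def set_max_backup_index(xml_text, value):
    """Set every maxBackupIndex param (1 -> 10 while tracing); returns (new_xml, count)."""
    root = ET.fromstring(xml_text)
    params = [p for p in root.iter("param") if p.get("name") == "maxBackupIndex"]
    for p in params:
        p.set("value", str(value))
    return ET.tostring(root, encoding="unicode"), len(params)

def logger_levels(xml_text):
    """Map logger name -> current level, to verify the edit (and the later restore)."""
    root = ET.fromstring(xml_text)
    return {lg.get("name"): lg.find("level").get("value")
            for lg in root.iter("logger") if lg.find("level") is not None}
```

Write the returned XML back over server.xml only after checking the diff, since ElementTree drops XML comments on the way through.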