
Not able to bind EEM to LDAP, userstore status shows up with Red (bind failed)


Article ID: 215001


Products

CA Workload Automation AE

Issue/Introduction

The customer is building new EEM servers and is trying to use the same bind credentials that work on their other EEM servers. Instead of the green check mark (success) on the user store status, it shows red (bind failed).

They have verified that the LDAP ports being used are open.

Cause

Check the EEM server logs (ldap.log/server.log). If there is a bind error and the ports are open, that usually means that the LDAP admins are not allowing the connection.

You can enable trace logging on the EEM side by editing /opt/CA/SharedComponents/EmbeddedEntitlementsManager/config/logger/server.xml (or C:\Program Files\CA\SharedComponents\EmbeddedEntitlementsManager\config\logger\server.xml).


Find each of the four logger sections below and change the value of the "level" tag to "trace":

<logger name="eiam.server.ipoz" additivity="false">
<level value="trace"/>
<appender-ref ref="ipoz" />
</logger>

<logger name="eiam.server" additivity="false">
<level value="trace"/>
<appender-ref ref="server" />
</logger>

<logger name="eiam.server.ldap" additivity="false">
<level value="trace"/>
<appender-ref ref="ldap" />
</logger>

<logger name="eiam.server.performance" additivity="false">
<level value="trace"/>
<appender-ref ref="performance" />
</logger>


Also, for each section, change the maxBackupIndex value from 1 to 10.
Example:
Before:
<param name="maxFileSize" value="10000KB" />
<param name="maxBackupIndex" value="1" />
After:
<param name="maxFileSize" value="10000KB" />
<param name="maxBackupIndex" value="10" />

Save the file. The tracing will activate automatically. No restart of EEM is necessary. No new log files are created. Tracing will start appearing in existing EEM logs.


Log files are located under /opt/CA/SharedComponents/EmbeddedEntitlementsManager/logs  or  C:\Program Files\CA\SharedComponents\EmbeddedEntitlementsManager\logs


NOTE - to restore normal logging after tracing is collected, change the "level value" tag value back to "info" in each of the sections mentioned above.
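The edit described above (four loggers to "trace", maxBackupIndex 1 to 10, and the reverse once tracing is collected) is easy to get wrong by hand in a long server.xml. The script below is an added example, not part of this article or the product; it assumes the file uses the plain `<logger name="...">`, `<level value="..."/>` and `<param name="maxBackupIndex" .../>` lines shown above, and the sample XML it operates on is a constructed excerpt, not the real file.

```python
import re

# Constructed excerpt in the shape of the logger and appender sections described
# above (a hypothetical fifth logger is left untouched); not the real server.xml.
SAMPLE_SERVER_XML = """\
<appender name="ldap">
<param name="maxFileSize" value="10000KB" />
<param name="maxBackupIndex" value="1" />
</appender>
<logger name="eiam.server.ipoz" additivity="false">
<level value="info"/>
<appender-ref ref="ipoz" />
</logger>
<logger name="eiam.server.ldap" additivity="false">
<level value="info"/>
<appender-ref ref="ldap" />
</logger>
<logger name="eiam.server.other" additivity="false">
<level value="info"/>
</logger>
"""

# The four loggers the article tells you to switch to trace.
TRACE_LOGGERS = {"eiam.server.ipoz", "eiam.server", "eiam.server.ldap", "eiam.server.performance"}

def set_trace(xml_text, enable=True):
    """Return (new_text, number_of_lines_changed). enable=True sets the four loggers
    to trace and maxBackupIndex to 10; enable=False restores info and 1. Works line
    by line so everything else in the file stays byte-for-byte unchanged."""
    level, backups = ("trace", "10") if enable else ("info", "1")
    out, changed, in_target = [], 0, False
    for line in xml_text.splitlines(keepends=True):
        m = re.match(r'\s*<logger name="([^"]+)"', line)
        new = line
        if m:                                   # entering a <logger>: one of the four?
            in_target = m.group(1) in TRACE_LOGGERS
        elif line.strip() == "</logger>":
            in_target = False
        elif in_target and "<level value=" in line:
            new = re.sub(r'value="[^"]*"', f'value="{level}"', line)
        elif 'name="maxBackupIndex"' in line:   # appender sections, any logger
            new = re.sub(r'value="\d+"', f'value="{backups}"', line)
        if new != line:
            changed += 1
        out.append(new)
    return "".join(out), changed
```

Run it once with enable=True before reproducing the error and once with enable=False afterwards; the returned change count should be the same both times, which is a quick check that nothing was left in trace.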



Once trace is enabled, go back to the EEM User Store and try to save the LDAP store information again. When the error occurs, review ldap.log / server.log in the folders above.


Environment

Workload Automation AE, Embedded Entitlements Manager

Resolution

The ldap.log file had errors like this:


DEBUG 2021-05-12 11:17:49,116 [0x00002884] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.company.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=Company,DC=com]
DEBUG 2021-05-12 11:17:49,116 [0x00002884] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.company.com:389]
DEBUG 2021-05-12 11:17:49,130 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282BA0, ldapUrl: ldap://ldap.company.com:389]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.company.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::closeConnection: closing ldap connection [ldap: 000000000D282BA0]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.company.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=Company,DC=com]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.company.com:389]
DEBUG 2021-05-12 11:17:49,141 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282510, ldapUrl: ldap://ldap.company.com:389]
DEBUG 2021-05-12 11:17:49,151 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.company.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,151 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::closeConnection: closing ldap connection [ldap: 000000000D282510]
DEBUG 2021-05-12 11:17:49,152 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.company.com:389, binddn: CN=AUTOSYS_LDAP_USER,OU=Service Accounts,OU=Services,OU=Managed Users,DC=Company,DC=com]
DEBUG 2021-05-12 11:17:49,152 [0x00000cb8] [eiam.server.ldap.ldapconnector] LdapConnector::newConnection: failed to create ldap connection [name: AD, url: ldap://ldap.company.com:389]


If the same account is configured on another EEM server and that server works fine, it means the LDAP admins are preventing connections from the new EEM server.


Work with the LDAP admins to make sure the bind account above is allowed to connect to the LDAP server, then resave the LDAP user store information in EEM.


This time it should be successful.
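The diagnostic point in the log above is the pairing of "new connection established" with "bind failed ... rc: 49": the network path works and the directory answered, but it rejected the bind (rc 49 is the LDAP invalidCredentials result code, which servers also return for account-side restrictions, not only wrong passwords). The script below is an added example, not part of this article, that applies that reading to ldap.log lines and gives one verdict per user store; its sample input is constructed from the excerpt above (bind DN shortened), with a hypothetical "DR" store added to show the other case where no connection is ever established.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ldap.log excerpt above; the final "DR" line is a
# hypothetical store that never reached the server (no "new connection established").
SAMPLE_LDAP_LOG = """\
DEBUG 2021-05-12 11:17:49,130 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: new connection established [name: AD, ldap: 000000000D282BA0, ldapUrl: ldap://ldap.company.com:389]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newLdapConnection: bind failed [name: AD, ldapurl: ldap://ldap.company.com:389, rc: 49, error: Invalid credentials]
DEBUG 2021-05-12 11:17:49,140 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: AD, ldapurl: ldap://ldap.company.com:389, binddn: CN=AUTOSYS_LDAP_USER,DC=Company,DC=com]
DEBUG 2021-05-12 11:18:02,001 [0x00000cb8] [eiam.server.ldap.ldaputil] LdapUtil::newConnection: failed to create ldap connection [name: DR, ldapurl: ldap://ldap-dr.example.com:389, binddn: CN=AUTOSYS_LDAP_USER,DC=Company,DC=com]
"""

# "[eiam.server.ldap.<module>] Class::method: <message> [name: <store>, <rest>]"
LINE_RE = re.compile(r"\[eiam\.server\.ldap\.\w+\] \w+::\w+: (?P<msg>[^\[]+)"
                     r"\[name: (?P<name>[^,\]]+)(?P<rest>[^\]]*)\]")
RC_RE = re.compile(r"rc: (?P<rc>\d+), error: (?P<err>.*)")

def triage(log_text):
    """Pair connection and bind events per user store and return {store: verdict}."""
    stats = defaultdict(lambda: {"connected": 0, "bind_fail": [], "create_fail": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = stats[m.group("name")], m.group("msg").strip()
        if msg == "new connection established":      # TCP/LDAP session came up
            s["connected"] += 1
        elif msg == "bind failed":                    # server answered and rejected the bind
            r = RC_RE.search(m.group("rest"))
            s["bind_fail"].append((int(r.group("rc")), r.group("err")) if r else (None, "?"))
        elif msg == "failed to create ldap connection":
            s["create_fail"] += 1
    verdicts = {}
    for name, s in stats.items():
        if s["bind_fail"]:
            rc, err = s["bind_fail"][-1]
            verdicts[name] = (f"reached server, bind rejected (rc {rc}: {err}); "
                              "check the bind DN/password and LDAP-side restrictions on the account")
        elif s["create_fail"] and not s["connected"]:
            verdicts[name] = "no connection established; check host, port and network path"
        else:
            verdicts[name] = "ok"
    return verdicts
```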

Additional Information

Once everything is done, revert the trace configuration in server.xml.