LDAP/AD Group Integration Fails

Article ID: 224658

Products

CA Spectrum DX NetOps

Issue/Introduction

I created three groups in AD and Spectrum:

SpectrumNCM

SpectrumRW

SpectrumRO


I copied the ldap file ldap-grps-mappings-config.xml to $SPECROOT/custom/ldap/config and added the following:

<root>
  <LDAPGroups authEnabled="true">

    <Group searchTag="memberOf" searchString="CN=SpectrumNCM,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>
    <Group searchTag="memberOf" searchString="CN=SpectrumRO,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>
    <Group searchTag="memberOf" searchString="CN=SpectrumRW,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>

  </LDAPGroups>
</root>


But when a new user who is a member of one of the AD groups tries to log in, they can't.


In the client log I see this:

Sep 22, 2021 11:08:56 AM - SPC-OCA-10598: User john.doe attempted to logon to DX NetOps Spectrum OneClick Console from host somewhere.ab.cd.acme.net but authorization failed with error: SPC-OCA-10475: The user name does not exist in DX NetOps Spectrum.


The user john.doe is in the AD group SpectrumRO.


Cause


The group definition in ldap-grps-mappings-config.xml did not use the same case as the group DN returned by LDAP, so no matching group was found.


-------- john.doe --------
Sep 17, 2021 09:51:02.860 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - IN getUserRoles for john.doe
Sep 17, 2021 09:51:02.860 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Getting user model for john.doe
Sep 17, 2021 09:51:02.860 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Getting user model by filter from admin domain spectromls
Sep 17, 2021 09:51:02.862 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Getting user model by filter from admin domain spectrols1
Sep 17, 2021 09:51:02.864 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Getting user model by filter from admin domain spectrols2
Sep 17, 2021 09:51:02.868 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - LDAP custom group authentication is enabled
Sep 17, 2021 09:51:02.868 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Trying to authenticate logged in user with LDAP server using the credentials provided
Sep 17, 2021 09:51:02.868 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) -   Getting user by search: sAMAccountName=john.doe
Sep 17, 2021 09:51:03.711 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) -   Entry found for john.doe with dn CN=Doe\, John,OU=Support Admin,OU=Restricted Access,OU=Restricted Administrators,OU=Users,OU=America,DC=AB,DC=CD,DC=acme,DC=net
Sep 17, 2021 09:51:03.711 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) -   Binding as CN=Doe\, John,OU=Support Admin,OU=Restricted Access,OU=Restricted Administrators,OU=Users,OU=America,DC=AB,DC=CD,DC=acme,DC=net
Sep 17, 2021 09:51:03.727 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) -   Authentication Success
Sep 17, 2021 09:51:03.735 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - LDAP user search returned results
Sep 17, 2021 09:51:03.735 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Trying to find the match LDAP Server user group name for the configuration group :  searchTag: memberOf searchString: CN=SpectrumRO,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET
Sep 17, 2021 09:51:03.736 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - LDAP Server - Group Name : CN=SpectrumRO,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net

Sep 17, 2021 09:51:03.736 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Trying to find the match LDAP Server user group name for the configuration group :  searchTag: memberOf searchString: CN=NG SpectrumRO,OU=Groups,OU=Enterprise,DC=AB,DC=CD,DC=ACME,DC=NET
Sep 17, 2021 09:51:03.736 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - LDAP Server - Group Name : CN=SpectrumRW,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net

Sep 17, 2021 09:51:03.737 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - Trying to find the match LDAP Server user group name for the configuration group :  searchTag: memberOf searchString: CN=SpectrumRW,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET
Sep 17, 2021 09:51:03.737 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - LDAP Server - Group Name : CN=SpectrumRW,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net

Sep 17, 2021 09:51:03.737 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - No matching LDAP user group name found
Sep 17, 2021 09:51:03.737 (https-openssl-nio-132.142.0.113-443-exec-6) (SecuritySP) - No user model found - stopping

Environment

Release : 21.2

Resolution


The comparison of the entry within ldap-grps-mappings-config.xml to the group returned by LDAP is case sensitive.


The ldap-grps-mappings-config.xml file needs to be updated, changing

<Group searchTag="memberOf" searchString="CN=SpectrumRO,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>

-To-

<Group searchTag="memberOf" searchString="CN=SpectrumRO,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net"/>
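The check below is an added example, not Spectrum's own code: it reads the Group entries from a copy of the mapping file shown above and compares each searchString against the memberOf values the directory returned in the SecuritySP log, flagging entries that differ only by case (which the article states the product treats as no match) and rewriting them to the directory's case. It assumes the product does a plain case-sensitive string compare; the memberOf list is constructed from the log lines above.

```python
import xml.etree.ElementTree as ET

# Mapping file as given in the article (constructed copy, not read from $SPECROOT).
CONFIG_XML = """<root>
  <LDAPGroups authEnabled="true">
    <Group searchTag="memberOf" searchString="CN=SpectrumNCM,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>
    <Group searchTag="memberOf" searchString="CN=SpectrumRO,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>
    <Group searchTag="memberOf" searchString="CN=SpectrumRW,OU=Groups,OU=Support,DC=AB,DC=CD,DC=ACME,DC=NET"/>
  </LDAPGroups>
</root>"""

# memberOf values exactly as the "LDAP Server - Group Name" log lines show them (constructed sample).
USER_MEMBER_OF = [
    "CN=SpectrumRO,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net",
    "CN=SpectrumRW,OU=Groups,OU=Support,DC=ab,DC=cd,DC=acme,DC=net",
]

def configured_groups(xml_text):
    """Return the (searchTag, searchString) pairs from ldap-grps-mappings-config.xml."""
    root = ET.fromstring(xml_text)
    return [(g.get("searchTag"), g.get("searchString")) for g in root.iter("Group")]

def classify(config_dn, member_of):
    """'exact' = byte-for-byte match (the only kind the case-sensitive compare accepts),
    'case-only' = same DN but different case (Spectrum reports no match),
    'none' = the user is not in that group at all."""
    if config_dn in member_of:
        return "exact"
    if config_dn.lower() in (m.lower() for m in member_of):
        return "case-only"
    return "none"

def audit(xml_text, member_of):
    """Map each configured searchString to its classification."""
    return {dn: classify(dn, member_of) for _tag, dn in configured_groups(xml_text)}

def would_login_succeed(xml_text, member_of):
    """True only if at least one configured group matches exactly."""
    return any(v == "exact" for v in audit(xml_text, member_of).values())

def corrected_config(xml_text, member_of):
    """Rewrite each case-only mismatch to the case the directory actually returned."""
    root = ET.fromstring(xml_text)
    by_lower = {m.lower(): m for m in member_of}
    for g in root.iter("Group"):
        dn = g.get("searchString")
        if dn not in member_of and dn.lower() in by_lower:
            g.set("searchString", by_lower[dn.lower()])
    return ET.tostring(root, encoding="unicode")
```

Running audit against the sample reports both SpectrumRO and SpectrumRW as case-only mismatches, which is why the log ends in "No matching LDAP user group name found"; corrected_config produces the searchString form shown in the Resolution.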