We cannot connect with our LDAP user in only one of the six UVMS Subordinates, the rest work fine.
The error displayed in UVC is:
The server cannot be reached: Access denied
On the other hand, when using an Internal Login, we can connect correctly to this UVMS Subordinate, so it only affects LDAP accounts.
We checked the ldap.xml and it is the same file used on every UVMS, and the firewall is open toward the LDAP server.
The unicheckldap command works fine and we are able to authenticate with our LDAP username and password with it.
Nevertheless, when using UVC with the same username and password it does not work.
Example of the unicheckldap output (note the INTERNAL value displayed instead of LDAP):
hostname:/apps/uvms/app/bin # ./unicheckldap -login afr -password XXXX
UVMS configured with INTERNAL authentication.
ldap.xml loaded. 1 configuration(s) found(s)
Checking configuration: [LDAP Repository]:
Host: ldapserver.domain.com Port: 389 SSL: false
supported SASL mechanisms:
DIGEST-MD5 mechanism supported.
SUCCESS Host: ldapserver.domain.com configuration is OK
User search filter: sAMAccountName=!login!
User list search filter: (&(objectClass=person)(sAMAccountName=*))
Group list search filter: (&(objectClass=group)(cn=*))
Nested group: false
SUCCESS Login: afr found on the LDAP server
SUCCESS Login: afr authentication successful
Release: 6.x
Component: Univiewer Management Server (UVMS)
Specifics: Integration with LDAP Server to authenticate UVC Logins
The UVMS was not set to an LDAP Authentication Mode (L or S) but to Internal Mode (I). In Internal Mode the UVMS never reads ldap.xml and therefore never contacts the LDAP server; only the unicheckldap tool reads ldap.xml, which is why the check succeeded while the UVC login failed.
This can be checked in the UVMS Node Settings - Advanced Settings: User Authentication Type must be set to LDAP or Synchronization.
Wrong configuration could be seen here:
Good configuration can be seen here:
The same can be checked by looking at the AUTHENTICATION_MODE variable in values.xml, or from the command line.
In this case it returned the value I, which explains why the LDAP server was not used to authenticate the LDAP UVC Logins.
In order to authenticate users against the LDAP server defined in the ldap.xml file, the variable AUTHENTICATION_MODE must be set to S or L.
For example, in order to enable the LDAP Synchronization mode (S), launch the following command from app/bin folder of the UVMS:
unisetvar AUTHENTICATION_MODE S
After that, restart the UVMS so that the change takes effect and LDAP Logins are accepted.
Please note that ldap.xml NEEDS to be configured on ALL Subordinate UVMS, not just on the Master UVMS; otherwise you will get this kind of error in the UVMS log when trying to connect to a Subordinate UVMS with an LDAP user:
|ERROR| request-worker-x | com.orsyp.central.ldap.LDAPManagerImpl | Authenticate: Cannot authenticate login: [LDAP_USERNAME], coming from [X.X.X.X] because the LDAP server cannot be reached. Unreachable server: localhost:389.
javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
|ERROR| request-worker-9 | com.orsyp.central.server.AuthentificationStdImpl | LDAP Authentication error for user [LDAP_USERNAME], coming from [X.X.X.X]
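The two failure causes described in this article (AUTHENTICATION_MODE left at I, and ldap.xml missing on a Subordinate so that UVMS falls back to localhost:389) can be told apart from text an administrator already has: the unicheckldap output and the UVMS log. The following triage script is an added example written for this page, not a Dollar Universe or UVMS tool. It assumes that unicheckldap reports the other modes with the same "UVMS configured with ... authentication." wording shown above for INTERNAL, and that an "Unreachable server" of localhost means no ldap.xml definition was applied on that Subordinate; the sample inputs are constructed from the article's own excerpts.

```shell
#!/bin/sh
# Added triage helper for the LDAP login problem described in this article.
# Not part of UVMS; it only parses text the administrator already has.

# Constructed unicheckldap output, abridged from the article.
SAMPLE_UNICHECKLDAP='UVMS configured with INTERNAL authentication.
ldap.xml loaded. 1 configuration(s) found(s)
Checking configuration: [LDAP Repository]:
Host: ldapserver.domain.com Port: 389 SSL: false
SUCCESS Login: afr authentication successful'

# Constructed UVMS log excerpt from the article ([X.X.X.X] is a placeholder address).
SAMPLE_LOG='|ERROR| request-worker-x | com.orsyp.central.ldap.LDAPManagerImpl | Authenticate: Cannot authenticate login: [LDAP_USERNAME], coming from [X.X.X.X] because the LDAP server cannot be reached. Unreachable server: localhost:389.
|ERROR| request-worker-9 | com.orsyp.central.server.AuthentificationStdImpl | LDAP Authentication error for user [LDAP_USERNAME], coming from [X.X.X.X]'

# Prints the mode word from the first "UVMS configured with <MODE> authentication."
# line of unicheckldap output ($1). Only INTERNAL is shown on the page; the
# wording for the LDAP and Synchronization modes is assumed to match.
auth_mode_from_unicheckldap() {
    printf '%s\n' "$1" \
        | sed -n 's/^UVMS configured with \([A-Z]*\) authentication\..*/\1/p' \
        | head -n 1
}

# Prints host:port from the first "Unreachable server: <host:port>." entry
# in the UVMS log text ($1); prints nothing if there is no such entry.
unreachable_ldap_server_from_log() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Unreachable server: \([^ ]*\)\..*/\1/p' \
        | head -n 1
}

# Combines both signals into one verdict:
#   AUTH_MODE_INTERNAL  UVMS ignores ldap.xml; run "unisetvar AUTHENTICATION_MODE S"
#                       (or L) in app/bin and restart the UVMS.
#   LDAP_XML_MISSING    UVMS tried localhost: ldap.xml is not configured on this node.
#   LDAP_UNREACHABLE    ldap.xml points at a real host that could not be reached
#                       (network, firewall or LDAP service problem).
#   OK                  neither symptom is present in the supplied text.
diagnose() {
    mode=$(auth_mode_from_unicheckldap "$1")
    server=$(unreachable_ldap_server_from_log "$2")
    if [ "$mode" = "INTERNAL" ]; then
        echo "AUTH_MODE_INTERNAL"
    elif [ -n "$server" ]; then
        case "$server" in
            localhost:*|127.0.0.1:*) echo "LDAP_XML_MISSING" ;;
            *) echo "LDAP_UNREACHABLE" ;;
        esac
    else
        echo "OK"
    fi
}

# Run against the constructed samples when executed directly.
diagnose "$SAMPLE_UNICHECKLDAP" "$SAMPLE_LOG"
```

In practice, replace the two sample variables with `./unicheckldap -login <user> -password <pw>` output captured on the failing Subordinate and an excerpt of its UVMS log; running the script on each of the six Subordinates quickly shows which node differs from the others.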