
"The server cannot be reached: Access denied" with LDAP User in UVMS


Article ID: 226350


Products

CA Automic Dollar Universe

Issue/Introduction

We cannot connect with our LDAP user to one of the six UVMS Subordinates; the other five work fine.

The error displayed in UVC is:

The server cannot be reached: Access denied

On the other hand, when using an Internal Login, we can connect correctly to this UVMS Subordinate, so the problem only affects LDAP accounts.

We checked the ldap.xml: it is the same file used on every node, and the firewall is open towards the LDAP server.

The unicheckldap command works fine and we are able to use our LDAP username and password with it.

Nevertheless, when using UVC with the same username and password, it does not work.

Example of the unicheckldap output (note the INTERNAL value displayed instead of LDAP):

hostname:/apps/uvms/app/bin # ./unicheckldap -login afr -password XXXX
UVMS configured with INTERNAL authentication.

Loading ldap.xml
********************
ldap.xml loaded. 1 configuration(s) found(s)
********************

Checking configuration: [LDAP Repository]:
Host: ldapserver.domain.com Port: 389  SSL: false

---------------------------------------------
supported SASL mechanisms:
  + GSSAPI
  + GSS-SPNEGO
  + EXTERNAL
  + DIGEST-MD5
DIGEST-MD5 mechanism supported.
---------------------------------------------
SUCCESS Host: ldapserver.domain.com configuration is OK
        User search filter: sAMAccountName=!login!
        User list search filter: (&(objectClass=person)(sAMAccountName=*))
        Group list search filter: (&(objectClass=group)(cn=*))
        Nested group: false
        Referral: false
SUCCESS Login: afr found on the LDAP server
SUCCESS Login: afr authentication successful
********************

Cause

The UVMS was not set to an LDAP Authentication Mode (L or S) but to Internal Mode. In Internal Mode the UVMS does not read ldap.xml at all and therefore never contacts the LDAP server; only the unicheckldap tool read the file, which is why that tool succeeded while the UVC logins failed.

This can be checked in the UVMS Node Settings - Advanced Settings:

User Authentication Type must be set to LDAP or Synchronization.

[Screenshot not included: the wrong configuration, with User Authentication Type set to Internal.]

[Screenshot not included: the good configuration, with User Authentication Type set to LDAP or Synchronization.]

The same can be checked by looking at the AUTHENTICATION_MODE variable in values.xml, or from the command line:

unigetvar AUTHENTICATION_MODE

In this case it returned the value I (Internal), which explains why the LDAP server was not used to authenticate the LDAP UVC logins.

Environment

Release : 6.x

Component : Univiewer Management Server (UVMS)

Specifics: Integration with LDAP Server to authenticate UVC Logins

Resolution

In order to authenticate users against the LDAP server defined in the ldap.xml file, the variable AUTHENTICATION_MODE must be set to S or L.

For example, to enable the LDAP Synchronization mode (S), run the following command from the app/bin folder of the UVMS:

unisetvar AUTHENTICATION_MODE S

After that, restart the UVMS so the change takes effect and LDAP logins are accepted.

Additional Information

Please note that ldap.xml NEEDS to be configured on ALL Subordinate UVMS, not just on the Master UVMS; otherwise you will get errors like the following when trying to connect to a Subordinate UVMS with an LDAP user:

|ERROR| request-worker-x | com.orsyp.central.ldap.LDAPManagerImpl | Authenticate: Cannot authenticate login: [LDAP_USERNAME], coming from [X.X.X.X] because the LDAP server cannot be reached. Unreachable server: localhost:389.  
javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException: Connection refused (Connection refused)]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:243)

|ERROR| request-worker-9 | com.orsyp.central.server.AuthentificationStdImpl | LDAP Authentication error for user [LDAP_USERNAME], coming from [X.X.X.X] 
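The checks below are an added example written for this article, not a tool shipped with Dollar Universe or UVMS. They put the two diagnostics the article relies on into a small POSIX shell script that can be run on each Subordinate UVMS: a test of the AUTHENTICATION_MODE value (only L and S make UVMS read ldap.xml), a classifier for unicheckldap output that flags the exact mismatch described in the Cause section (LDAP login succeeds in the tool while the banner says INTERNAL), and a classifier for the log lines quoted in Additional Information (an unreachable "localhost:389" meaning ldap.xml was never loaded on that node). The sample transcript and log line are constructed from the article's own text; the uvms_auth_mode wrapper assumes unigetvar prints the bare value on stdout when run from app/bin.

```shell
#!/bin/sh
# Added example, not part of the original article or the product.
# Sanity checks for "The server cannot be reached: Access denied" on a UVMS
# Subordinate when only LDAP users are affected.

# Return 0 when MODE is one of the two values that make UVMS read ldap.xml
# (L = LDAP, S = LDAP Synchronization); 1 for I (Internal) or anything else.
auth_mode_uses_ldap() {
    case "$1" in
        L|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read the live value on this node. Assumption: run from the UVMS app/bin
# folder and unigetvar prints the bare value, as shown in the article.
uvms_auth_mode() {
    ./unigetvar AUTHENTICATION_MODE 2>/dev/null | tr -d '[:space:]'
}

# Classify unicheckldap output read from stdin. Prints one of:
#   MISMATCH  - the tool authenticated the user against LDAP, but the banner
#               says UVMS itself runs INTERNAL authentication (the root cause
#               in this article: ldap.xml is read by the tool, not by UVMS)
#   LDAP_OK   - UVMS is in LDAP/Sync mode and the LDAP login succeeded
#   LDAP_FAIL - the LDAP login itself did not succeed
classify_unicheckldap() {
    out=$(cat)
    mode_internal=0
    auth_ok=0
    case "$out" in *"configured with INTERNAL authentication"*) mode_internal=1 ;; esac
    case "$out" in *"authentication successful"*) auth_ok=1 ;; esac
    if [ "$auth_ok" -eq 1 ] && [ "$mode_internal" -eq 1 ]; then
        echo MISMATCH
    elif [ "$auth_ok" -eq 1 ]; then
        echo LDAP_OK
    else
        echo LDAP_FAIL
    fi
}

# Classify one UVMS log line from a failed LDAP login. "localhost:389" as the
# unreachable server means the node never loaded a real LDAP host from
# ldap.xml, i.e. the file is missing on this Subordinate (Additional Information).
classify_ldap_log_line() {
    case "$1" in
        *"Unreachable server: localhost:"*) echo LDAP_XML_MISSING_ON_NODE ;;
        *"LDAP server cannot be reached"*)  echo LDAP_SERVER_UNREACHABLE ;;
        *"LDAP Authentication error"*)      echo LDAP_AUTH_ERROR ;;
        *)                                  echo OTHER ;;
    esac
}

# Constructed sample, abridged from the article's unicheckldap transcript.
SAMPLE_UNICHECKLDAP='UVMS configured with INTERNAL authentication.
Loading ldap.xml
SUCCESS Host: ldapserver.domain.com configuration is OK
SUCCESS Login: afr found on the LDAP server
SUCCESS Login: afr authentication successful'

# Constructed sample log line, modelled on the one quoted above.
SAMPLE_LOG='|ERROR| request-worker-x | com.orsyp.central.ldap.LDAPManagerImpl | Authenticate: Cannot authenticate login: [LDAP_USERNAME], coming from [X.X.X.X] because the LDAP server cannot be reached. Unreachable server: localhost:389.'

demo() {
    echo "unicheckldap verdict: $(printf '%s\n' "$SAMPLE_UNICHECKLDAP" | classify_unicheckldap)"
    echo "log line verdict:     $(classify_ldap_log_line "$SAMPLE_LOG")"
    for m in I L S; do
        if auth_mode_uses_ldap "$m"; then
            echo "AUTHENTICATION_MODE=$m: ldap.xml is read by UVMS"
        else
            echo "AUTHENTICATION_MODE=$m: ldap.xml is ignored by UVMS"
        fi
    done
}
demo
```

On a live node, replace the constructed sample with `./unicheckldap -login USER -password PASSWORD | classify_unicheckldap` and compare `uvms_auth_mode` against `auth_mode_uses_ldap`; a MISMATCH verdict or a mode of I points to the unisetvar fix in the Resolution section, while LDAP_XML_MISSING_ON_NODE in the logs points to a Subordinate without its own ldap.xml.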
