
The server cannot be reached Access denied with LDAP User in UVMS

Article ID: 226350

Products

CA Automic Dollar Universe

Issue/Introduction

We cannot connect with our LDAP user on one of the six UVMS Subordinates; the rest work fine.

The error displayed in UVC is:

The server cannot be reached: Access denied

On the other hand, when using an Internal Login, we can connect correctly to this UVMS Subordinate, so it only affects LDAP accounts.

 

We checked ldap.xml and it is the same file used everywhere, and the firewall is open to the LDAP server.

The unicheckldap command works fine and we are able to use our LDAP username and password with it.

Nevertheless, logging in through UVC with the same username and password does not work.

Example of the unicheckldap output (note the INTERNAL value displayed instead of LDAP):

hostname:/apps/uvms/app/bin # ./unicheckldap -login afr -password XXXX
UVMS configured with INTERNAL authentication.

Loading ldap.xml
********************
ldap.xml loaded. 1 configuration(s) found(s)
********************

Checking configuration: [LDAP Repository]:
Host: ldapserver.domain.com Port: 389  SSL: false

---------------------------------------------
supported SASL mechanisms:
  + GSSAPI
  + GSS-SPNEGO
  + EXTERNAL
  + DIGEST-MD5
DIGEST-MD5 mechanism supported.
---------------------------------------------
SUCCESS Host: ldapserver.domain.com configuration is OK
        User search filter: sAMAccountName=!login!
        User list search filter: (&(objectClass=person)(sAMAccountName=*))
        Group list search filter: (&(objectClass=group)(cn=*))
        Nested group: false
        Referral: false
SUCCESS Login: afr found on the LDAP server
SUCCESS Login: afr authentication successful
********************

Cause

The UVMS was not set to an LDAP authentication mode (L or S) but to Internal mode. As a result, the UVMS never communicated with the LDAP server: ldap.xml was being read only by the unicheckldap tool, not by the UVMS itself.

This can be checked in the UVMS Node Settings - Advanced Settings:

User Authentication Type must be set to LDAP or Synchronization.

Wrong configuration could be seen here:

 

Good configuration can be seen here:

 

The same can be checked by looking at the AUTHENTICATION_MODE variable in values.xml, or from the command line:

unigetvar AUTHENTICATION_MODE

In this case, it returned the value I (Internal mode), which explains why the LDAP server was not used to authenticate the LDAP UVC logins.
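
The mismatch described above (a successful LDAP test while the UVMS itself is in Internal mode) can be detected from unicheckldap output alone. The shell function below is an added example, not part of the original article or the product. It relies on the line formats shown in the output above and assumes other modes are reported with the same "UVMS configured with <MODE> authentication." wording.

```shell
#!/bin/sh
# Added example: classify captured unicheckldap output.
# Line formats come from the output quoted in this article; the wording for
# non-INTERNAL modes is an assumption (same pattern, different mode word).

# diagnose_unicheckldap: read unicheckldap output on stdin, print one verdict line.
diagnose_unicheckldap() {
    awk '
        # Mode the UVMS itself is running in, e.g. INTERNAL (4th word).
        /^UVMS configured with .* authentication\.$/ { mode = $4 }
        # Result of the tool own bind test against the LDAP server.
        /^SUCCESS Login: .* authentication successful$/ { bind_ok = 1 }
        END {
            if (mode == "") {
                print "UNKNOWN: no \"UVMS configured with ...\" line found"
            } else if (mode == "INTERNAL" && bind_ok) {
                print "MISMATCH: ldap.xml works, but UVMS is in INTERNAL mode and will not use it"
            } else if (mode == "INTERNAL") {
                print "INTERNAL: UVMS does not use LDAP and the LDAP test did not succeed"
            } else if (bind_ok) {
                print "OK: UVMS mode " mode ", LDAP login test successful"
            } else {
                print "LDAP_FAIL: UVMS mode " mode ", LDAP login test did not succeed"
            }
        }
    '
}

# Constructed sample, abridged from the output quoted in the article.
sample_output() {
    cat <<'EOF'
UVMS configured with INTERNAL authentication.
Loading ldap.xml
Checking configuration: [LDAP Repository]:
Host: ldapserver.domain.com Port: 389  SSL: false
SUCCESS Host: ldapserver.domain.com configuration is OK
SUCCESS Login: afr found on the LDAP server
SUCCESS Login: afr authentication successful
EOF
}

sample_output | diagnose_unicheckldap
```

On a live node, pipe the real tool output into the function instead of `sample_output`.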

Environment

Release : 6.x

Component : Univiewer Management Server (UVMS)

Specifics: Integration with LDAP Server to authenticate UVC Logins

Resolution

To authenticate users against the LDAP server defined in the ldap.xml file, the variable AUTHENTICATION_MODE must be set to S or L.

For example, to enable the LDAP Synchronization mode (S), launch the following command from the app/bin folder of the UVMS:

unisetvar AUTHENTICATION_MODE S

After that, restart the UVMS so that the change takes effect and the LDAP logins are authorized to connect.
