
LDAP group permissions in CA Service Catalog not working when multiple LDAP servers are configured in EEM


Article ID: 243450


Products

CA Service Catalog

CA Service Management - Service Desk Manager

Issue/Introduction

In Catalog, when setting up permissions for a specific service offering, whenever I select an LDAP group, members of the given group are still unable to see the offering.

Environment

Release : 17.3

Component : Catalog - EEM

Resolution

The EEM principal name must match the userid in ca_contact (Catalog/SDM) for the LDAP groups to appear in the user's Catalog profile and for permissions to work properly. With 2 LDAP servers configured, the principal name is <domain>\<userid>, but the userid is just <userid>, so the two do not match.

If you use the Basic LDAP Configuration (1 LDAP), this issue does not occur. The Basic configuration does not have a domain, so the principal name matches the userid from ca_contact.

There are a few options:

1. Use the Basic configuration (1 LDAP), if possible

2. Change the userid to <domain>\<userid> to match the EEM principal name

3. Configure User Defined Groups in EEM and assign the user permissions to these groups instead of the global groups from the LDAP server. Link: https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/administering/configuring-ca-service-catalog/manage-users-with-ca-eem/step-2-optional-create-user-defined-groups.html