AD LDAP Connected - Not showing users

Article ID: 255084

Products

CA Workload Automation DE

Issue/Introduction

After connecting Workload Automation DE to our Active Directory LDAP server, it shows in Topology -> Authentication Systems -> Status as "Connected". However, when going to Security it does not list the users. Why? 

Environment

Release : 12.3

Cause

WADE is searching for users and is unable to find any with the given filter. This is evident from the following message, which appears in the tracelog file:

[ldap] [INFO] JAC.LDAP users cache updater-Daemon: [<yyy-mm-dd_hh:mm:ss.nnn>] Total users retrieved: 0.

Resolution

Verify "User Account Location" settings: 

  • Via the Desktop Client, open the Admin perspective. 
  • Open Topology
  • Right click on "Authentication Systems" and select "Configure Shared Authentication System".
  • Verify that the "user account location" property setting is correct. 

Validate "LDAP_GETUSERS_FILTER" settings: 

  • Open the WADE server's conf/server.properties file.
  • Search for the property named: LDAP_GETUSERS_FILTER (described here: Retrieve and Authenticate Users of an LDAP Group)
  • By default, custom LDAP_GETUSERS_FILTER properties are not enabled.
    • If you have a custom LDAP_GETUSERS_FILTER, comment it out.
    • Restart the DE Server service.
    • Validate if users are being found.
    • If yes, adjust the filter accordingly to a filter that works. You can use other tools to test the filter, such as Apache Directory Studio, JXplorer, ldapsearch, etc.
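The following is an added example, not WADE code or a Broadcom/CA tool. It evaluates an LDAP search filter (RFC 4515 syntax: &, |, !, equality, presence and substring items) against a handful of constructed directory entries, so you can see offline why a custom LDAP_GETUSERS_FILTER can yield "Total users retrieved: 0" while the default objectClass filter returns the user entries. The entry DNs, attribute values and group names are invented for the demonstration.

```python
"""Evaluate an RFC 4515 LDAP filter against in-memory entries (added example, not WADE code)."""
import re

# Constructed sample entries standing in for what ldapsearch -s sub -b <base> would
# return from Active Directory. Every attribute, including dn, is a list of values.
SAMPLE_ENTRIES = [
    {"dn": ["CN=Alice,OU=Staff,DC=example,DC=test"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["alice"],
     "memberOf": ["CN=WADE-Users,OU=Groups,DC=example,DC=test"]},
    {"dn": ["CN=Bob,OU=Staff,DC=example,DC=test"],
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["bob"]},
    {"dn": ["CN=Printers,OU=Groups,DC=example,DC=test"],
     "objectClass": ["top", "group"], "cn": ["Printers"]},
]

# The filter from the ldapsearch example in this article.
DEFAULT_FILTER = ("(|(|(|(objectClass=person)(objectClass=organizationalPerson))"
                  "(objectClass=inetOrgPerson))(objectClass=user))")


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', children) and ('item', attr, value)."""
    def parse(i):
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i >= len(text):
            raise ValueError("filter ends after '('")
        op = text[i]
        if op in "&|!":
            children = []
            i += 1
            while i < len(text) and text[i] == "(":
                node, i = parse(i)
                children.append(node)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            return (op, children), i + 1
        end = text.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        item = text[i:end]
        if "=" not in item:
            raise ValueError(f"filter item {item!r} has no '='")
        attr, value = item.split("=", 1)      # split once: DN-valued items contain more '='
        return ("item", attr.strip(), value), end + 1

    tree, i = parse(0)
    if i != len(text):
        raise ValueError(f"trailing characters after filter at offset {i}")
    return tree


def _item_matches(entry, attr, value):
    # Attribute names are case-insensitive in LDAP; AD's objectClass and
    # sAMAccountName use case-insensitive matching rules, so compare values that way too.
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":                           # presence filter, e.g. (sAMAccountName=*)
        return bool(values)
    if "*" in value:                           # substring filter, e.g. (cn=Prin*)
        pattern = "^" + ".*".join(re.escape(p) for p in value.split("*")) + "$"
        return any(re.match(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)


def matches(tree, entry):
    if tree[0] == "item":
        return _item_matches(entry, tree[1], tree[2])
    op, children = tree
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)     # "!"


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs selected by the filter; len() mirrors 'Total users retrieved: N'."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    # A custom filter naming a group no user belongs to reproduces the symptom in the article.
    trials = [
        ("default filter", DEFAULT_FILTER),
        ("custom filter, group with no members",
         "(&(objectClass=user)(memberOf=CN=Scheduler,OU=Groups,DC=example,DC=test))"),
    ]
    for label, flt in trials:
        print(f"{label}: Total users retrieved: {len(search(flt))}")
```

Run it as-is to compare the two filters, or call search() with the exact LDAP_GETUSERS_FILTER value from server.properties. A parse error from parse_filter() points at an unbalanced or malformed filter, which is worth ruling out before you look at group membership or the base DN.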

Additional Information

The ldapsearch command is one of many tools you can use to test the filter. It is not a Broadcom/CA tool and is available for many Linux distributions. Example of an ldapsearch command to test your filter:

ldapsearch \
-H <LDAP Server Url> \
-D "CN=<distinguished>,CN=<name>,DC=<for>,DC=<test>,DC=<user>" \
-b "CN=<base>,DC=<of>,DC=<search>,DC=<path>" \
-s sub "(|(|(|(objectClass=person)(objectClass=organizationalPerson))(objectClass=inetOrgPerson))(objectClass=user))" \
-W

Notes:

  • The filter specified by the -s sub <filter> above will return all users found in the -b container. 
  • The -H should be the same value specified in your Server URL field. Alternatively, instead of using a -H <URL> you can specify:
    • The -h should be the same host specified in the hostname section of your "Server URL" field - defined for the LDAP connection (minus the ldap(s):// and port)
    • The -p should be the same port specified in the port section of your "Server URL" field - defined for the LDAP connection (minus the ldap(s):// and hostname)
  • The -D should be the same value as the "User identifier used to connect to the LDAP Server" field - defined for the LDAP connection. 
    Note: ldapsearch does not support UPN (short usernames). You will need the DN (distinguished name) of the user to bind to ldap with ldapsearch.
  • The -W will prompt for the password of the user specified by -D. It can be replaced with -w if you do not mind specifying the user's password in clear text while running the command.
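As an added example (not a Broadcom/CA tool, and not part of the original article), the script below turns the connection fields described in the notes above into an ldapsearch argument list: it splits the Server URL into host and port for the -h/-p form, keeps -H otherwise, rejects a UPN or bare username for -D because ldapsearch needs a DN, and always uses -W so the password is never placed on the command line. The server name, service account and base DN are invented placeholders; the default ports 389 (ldap) and 636 (ldaps) are assumed when the Server URL carries none.

```python
"""Build an ldapsearch invocation from WADE LDAP connection fields (added example)."""
import shlex
from urllib.parse import urlsplit


def split_server_url(server_url):
    """Return (scheme, host, port) from an ldap:// or ldaps:// Server URL."""
    parts = urlsplit(server_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an ldap(s):// URL: {server_url!r}")
    # Assumption: standard default ports when the Server URL omits one.
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def check_bind_identifier(identifier):
    """ldapsearch binds with a DN; a UPN (user@domain) or bare username will not work."""
    if "@" in identifier or "=" not in identifier:
        raise ValueError(
            f"bind identifier {identifier!r} is not a DN; use the user's distinguished name")
    return identifier


def build_ldapsearch_argv(server_url, bind_dn, base_dn, search_filter, use_host_port=False):
    """Mirror the article's ldapsearch example using either -H or the -h/-p pair."""
    scheme, host, port = split_server_url(server_url)
    argv = ["ldapsearch"]
    if use_host_port:
        argv += ["-h", host, "-p", str(port)]          # host and port taken from the Server URL
    else:
        argv += ["-H", f"{scheme}://{host}:{port}"]    # same value as the Server URL field
    argv += ["-D", check_bind_identifier(bind_dn),     # "User identifier used to connect"
             "-b", base_dn,                            # "User Account Location"
             "-s", "sub", search_filter,               # LDAP_GETUSERS_FILTER under test
             "-W"]                                     # prompt for the password, never -w
    return argv


def render(argv):
    """Quote the argument list for pasting into a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed placeholder values; replace them with your connection's fields.
    argv = build_ldapsearch_argv(
        "ldaps://dc01.example.test:636",
        "CN=svc-wade,OU=Service Accounts,DC=example,DC=test",
        "OU=Staff,DC=example,DC=test",
        "(objectClass=user)")
    print(render(argv))
```

The printed command is what you paste into a shell; because the filter and DNs are quoted by shlex.join, parentheses and spaces in them survive the shell intact.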