Spectrum does not let new users from one AD group in, although LDAP test is passed.

Article ID: 271346

Products

Network Observability

Issue/Introduction

A newly onboarded user was assigned to the "xxx" group that we know used to work properly. However, while they are able to log into Performance Management, they cannot log into Spectrum and receive an "unknown user/password" error.

Troubleshooting:

The LDAP test tool within OneClick and SsoConfig from PM report no errors.

In the "Users" tab of Spectrum, there is no sign of that user.

AD Team confirms they have just a single entry in the AD database.

I created a test LDAP user to recreate the procedure, and the results are the same.

This was working in the past, as there are users added to that group, who can log into Spectrum.

Environment

Release : 21.2

Cause

$SPECROOT\custom\ldap\config\ldap-grps-mappings-config.xml did not have this group configured on one of the OneClick servers. 

Resolution

Add the missing group to $SPECROOT\custom\ldap\config\ldap-grps-mappings-config.xml and restart Tomcat.
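
One way to spot a OneClick server whose group mappings have drifted, as an added example (not Broadcom's code): it compares copies of ldap-grps-mappings-config.xml collected from each OneClick server and lists entries present on one server but absent on another. The tag and attribute names, server names and group DNs in the sample are constructed placeholders, not the file's real schema; the comparison itself does not depend on the schema.

```python
import xml.etree.ElementTree as ET


def leaf_values(xml_text):
    """Return every (path, value) pair found in attributes and leaf text."""
    found = set()

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for name, value in elem.attrib.items():
            found.add((f"{here}@{name}", value.strip()))
        text = (elem.text or "").strip()
        if text and len(elem) == 0:  # leaf element carrying a value
            found.add((here, text))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return found


def mapping_drift(copies):
    """copies maps server name -> file content; returns what each server lacks."""
    values = {server: leaf_values(text) for server, text in copies.items()}
    union = set().union(*values.values())
    return {s: sorted(union - v) for s, v in values.items() if union - v}


# Constructed sample copies; tag and attribute names are placeholders.
OC1 = """<mappings>
  <group name="CN=NetOps,OU=Groups,DC=example,DC=com"/>
  <group name="CN=Helpdesk,OU=Groups,DC=example,DC=com"/>
</mappings>"""
OC2 = """<mappings>
  <group name="CN=NetOps,OU=Groups,DC=example,DC=com"/>
</mappings>"""

if __name__ == "__main__":
    for server, missing in mapping_drift({"oneclick-1": OC1, "oneclick-2": OC2}).items():
        for path, value in missing:
            print(f"{server} is missing {path} = {value}")
```

In practice, read each server's copy of the file into the `copies` dictionary instead of the inline samples; an empty result means the copies agree.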

Additional Information

The following was seen in the Tomcat log:

Jul 26, 2023 06:12:07.699 - LDAP Connection problem in findUserGroup : javax.naming.CommunicationException: Connection reset [Root exception is javax.net.ssl.SSLException: Connection reset]; remaining name 'DC=xxx,DC=xxx'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2030)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1872)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1797)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at com.aprisma.spectrum.app.web.servlet.container.SpectrumJNDIRealm.getUserBySearch(SpectrumJNDIRealm.java:1432)
    at com.aprisma.spectrum.app.web.servlet.container.SpectrumJNDIRealm.getUser(SpectrumJNDIRealm.java:1292)
    at com.aprisma.spectrum.app.web.servlet.container.SpectrumJNDIRealm.verifyUser(SpectrumJNDIRealm.java:1215)
    at com.aprisma.spectrum.app.web.servlet.container.SpectrumJNDIRealm.findUserGroup(SpectrumJNDIRealm.java:1647)
    at com.aprisma.spectrum.app.web.servlet.container.SecuritySpSSORB.initModelDomains(SecuritySpSSORB.java:1114)
    at com.aprisma.spectrum.app.web.servlet.container.SecuritySpSSORB.getUserRoles(SecuritySpSSORB.java:1508)
    at com.aprisma.tomcat.realm.SecurityRealm.authenticate(SecurityRealm.java:206)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:190)
    at com.aprisma.tomcat.authenticator.SpectrumLockOutRealm.authenticate(SpectrumLockOutRealm.java:108)
    at com.aprisma.tomcat.authenticator.SpectrumAuthenticator.doFormAuthentication(SpectrumAuthenticator.java:304)
    at com.aprisma.tomcat.authenticator.SpectrumAuthenticator.doAuthenticate(SpectrumAuthenticator.java:71)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:625)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLException: Connection reset