LDAP Troubleshooting Basics and tracing

Article ID: 27836

Products

CA Service Desk Manager
CA Service Management - Service Desk Manager

Issue/Introduction

This article provides basic information on LDAP troubleshooting.

The first and foremost consideration to keep in mind when troubleshooting LDAP servers is to recognize that seldom are any two LDAP implementations wholly identical.

The second consideration is that integrating with LDAP servers often requires significant changes and accommodations on both sides.

Environment

Release: 14.1 or higher
Component: CA Service Desk Manager

Resolution

For most LDAP troubleshooting situations, it is useful to check as an initial step the following:

  1. Output of pdm_status should show ldap_virtdb process running.

  2. Output of slstat should show bopLDAP connected.

  3. All LDAP options should be installed (with the exception of ldap_enable_auto). These options are mandatory. The $NX_ROOT/NX.env from the server will show all defined option values, and also whether or not they've been installed. These will reside at the bottom of the file, and will be in the format of:

    @NX_LDAP_DN=qauser
    @NX_LDAP_ENABLE=Yes
    @NX_LDAP_ENABLE_AUTO=Yes
    @NX_LDAP_HOST=[EXAMPLE LDAP SERVER NAME]
    @NX_LDAP_PORT=389
    @NX_LDAP_PWD=OBUNQXo7CmgbThZlCiMKIwJlA3UXdVNAOjUpHjstfDt2LBIDPgwtWA==
    @NX_LDAP_SEARCH_BASE=dc=XXXX, dc=XXX, dc=XXX
    @NX_LDAP_SERVICE_TYPE=Active Directory
    @NX_LDAP_SYNC_ON_NULL=Yes
    @NX_LDAP_USER_OBJECT_CLASS=person

  4. Run pdm_ldap_test -a *, which attempts to connect to the LDAP server using the installed options and prints all attributes it can find for the returned objects. Whether the connection to the LDAP server succeeds can be determined by whether this test fetches information from the LDAP Directory. In some cases it may be necessary to specify additional parameters to this command to fetch data properly.

    Note: On Unix systems, you must surround the asterisk character with quotation marks.

  5. If ldap_test output shows LDAP host type=windows, then SASL authentication will be used. If the LDAP server is not Active Directory or is not using SASL, add the following entry in the $NX_ROOT/NX.env file to force the host type to be unix:

    NX_LDAP_HOST_TYPE=unix

  6. Obtain from the LDAP administrator the authentication method and protocol version of the LDAP server.

  7. Obtain verbose stdlogs, including server startup messages, after searching for LDAP entries in the Administrative Client.
    Enable verbose logging with: pdm_logstat -f ldap_virtdb.c 1000
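    As an added example (not part of the original article and not the product's own tooling), the following Python script parses the NX_LDAP_* lines at the bottom of NX.env and reports the findings from steps 3 and 5: a mandatory option that is undefined or not installed, and a non-Active Directory service type without NX_LDAP_HOST_TYPE=unix. It assumes the leading '@' in the article's listing marks an installed option; the NX.env fragment is constructed.

```python
import re

# Options the article lists as mandatory (ldap_enable_auto is the only optional one).
REQUIRED = ("NX_LDAP_DN", "NX_LDAP_ENABLE", "NX_LDAP_HOST", "NX_LDAP_PORT",
            "NX_LDAP_PWD", "NX_LDAP_SEARCH_BASE", "NX_LDAP_SERVICE_TYPE",
            "NX_LDAP_SYNC_ON_NULL", "NX_LDAP_USER_OBJECT_CLASS")

# Constructed NX.env tail. Assumption: a leading '@' marks an installed option and
# a line without it is defined but not installed (NX_LDAP_PWD is left out on purpose).
SAMPLE_NX_ENV = """\
@NX_LDAP_DN=qauser
@NX_LDAP_ENABLE=Yes
NX_LDAP_HOST=ldapserver.example.com
@NX_LDAP_PORT=389
@NX_LDAP_SEARCH_BASE=dc=example, dc=com
@NX_LDAP_SERVICE_TYPE=OpenLDAP
@NX_LDAP_SYNC_ON_NULL=Yes
@NX_LDAP_USER_OBJECT_CLASS=person
"""

def parse_nx_env(text):
    """Return {option: (value, installed)} for every NX_LDAP_* line in the file."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(@?)(NX_LDAP_[A-Z_]+)=(.*)$", line.strip())
        if m:
            opts[m.group(2)] = (m.group(3).strip(), m.group(1) == "@")
    return opts

def check_ldap_options(text):
    """Findings in the order of the article's checklist: step 3 first, then step 5."""
    opts = parse_nx_env(text)
    findings = []
    for name in REQUIRED:
        if name not in opts:
            findings.append(name + ": not defined")
        elif not opts[name][1]:
            findings.append(name + ": defined but not installed (no leading '@')")
    service = opts.get("NX_LDAP_SERVICE_TYPE", ("", False))[0]
    host_type = opts.get("NX_LDAP_HOST_TYPE", ("", False))[0]
    # Step 5: without NX_LDAP_HOST_TYPE=unix a Windows SDM server binds with SASL,
    # which only Active Directory is expected to accept.
    if service and service != "Active Directory" and host_type != "unix":
        findings.append("NX_LDAP_HOST_TYPE=unix missing for non-AD service type " + service)
    return findings
```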

    stdlog messages:

  8. The first line to look for when analyzing stdlogs for LDAP messages is the startup of the ldap_virtdb process. Service Desk's LDAP awareness begins only when this process starts. Note that this process runs even if the LDAP integration options are not installed or set up.

    06/03 17:00:18.27 [EXAMPLE SDM SERVER] bopLDAP 1964 SIGNIFICANT ldap_virtdb.c 680 STARTUP of LDAP_virtdb

    If any of the required LDAP options have not been defined, the stdlog will show that they are missing, as appropriate.

    06/03 17:00:18.72 [EXAMPLE SDM SERVER] bopLDAP 1964 SEVERE_ERROR ldap_virtdb.c 1023 LDAP Server port id missing
    06/03 17:00:18.78 [EXAMPLE SDM SERVER] bopLDAP 1964 SEVERE_ERROR ldap_virtdb.c 1023 LDAP Server distinguished name missing
    06/03 17:00:18.78 [EXAMPLE SDM SERVER] bopLDAP 1964 SEVERE_ERROR ldap_virtdb.c 1023 LDAP Server distinguished name password missing

    Otherwise, the stdlog will log entries to indicate that a connection has been successfully established with the LDAP server.

    06/05 12:35:10.41 [EXAMPLE SDM SERVER] bopLDAP 1912 SIGNIFICANT ldap_virtdb.c 958 LDAP_SRVR connecting to host(ldapserver.example.com) port(389)
    06/05 12:35:11.01 [EXAMPLE SDM SERVER] bopLDAP 1912 SIGNIFICANT ldap_virtdb.c 987 LDAP_SRVR version 3
    06/05 12:35:11.01 [EXAMPLE SDM SERVER] bopLDAP 1912 SIGNIFICANT ldap_virtdb.c 1002 LDAP_SRVR binding with username(testlogin)

    If a connection cannot be made to the LDAP server for any reason, "LDAP Entries", "Merge LDAP", or any other LDAP functionality will become disconnected and return no results. In such instances the stdlog will show messages similar to the following when accessing those operations:

    06/03 17:00:32.25 [EXAMPLE SDM SERVER] bopLDAP 1964 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'register_producer' not processed

    06/05 10:52:57.63 [EXAMPLE SDM SERVER] bopLDAP 1896 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'select_full' not processed
    06/05 10:52:57.66 [EXAMPLE SDM SERVER] web:local 1868 ERROR sel_data_cache. 611 Error in ldap Select_Cache method got_initial_count: LDAP server not available; 'select_full' not processed

    06/05 10:52:57.66 [EXAMPLE SDM SERVER] bopLDAP 1896 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'select_cancel' not processed

    Verbose logging for a successful search on the LDAP Entries screen for all LDAP Directory entries will be similar to the following sample. First, CA Service Management fetches records from the LDAP Directory according to the search base and filter defined in Options Manager, mapping an id to the distinguishedName value returned for each entry.

    07/07 00:12:20.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 362 Start select full
    07/07 00:12:20.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1111 Starting search: filter=(&(objectClass=user)); attributes=(sAMAccountName,distinguishedName)
    07/07 00:12:20.15 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1244 Processing next LDAP page...
    07/07 00:12:20.17 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=XXXX,CN=XXX,DC=XXXXX,DC=XXX' for attribute 'distinguishedName'
    07/07 00:12:20.17 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Administrator' for attribute 'sAMAccountName'
    07/07 00:12:20.17 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=XXXX,CN=XXX,DC=XXXXX,DC=XXX' for attribute 'distinguishedName'
    07/07 00:12:20.17 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Guest' for attribute 'sAMAccountName'
    07/07 00:12:20.18 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1240 Next LDAP page empty...
    07/07 00:12:20.18 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 456 SELECT_OK: End select full

    Now, assuming that CA Service Management was able to map to the ldap object's id attribute successfully, the attributes as defined in $NX_ROOT/bopcfg/majic/ldap.maj are retrieved for each entry, or a message is logged indicating that an attribute has not been defined. A sample of this follows.

    07/07 00:12:21.07 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 322 Start select short
    07/07 00:12:21.07 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1111 Starting search: filter=(&(objectClass=user)(distinguishedName=CN=Administrator,CN=Users, DC=XXXX,DC=XXXX)); attributes=(modifyTimestamp,sn,givenName,initials, sAMAccountName,telephoneNumber,mobile,department,facsimileTelephoneNumber, pager,mail,streetAddress,l,st,postalCode,c,o)
    07/07 00:12:21.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1244 Processing next LDAP page...
    07/07 00:12:21.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=XXXX,CN=XXX,DC=XXXXX,DC=XXX' for attribute 'distinguishedName'
    07/07 00:12:21.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Administrator' for attribute 'sAMAccountName'
    07/07 00:12:21.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value '20030629160158.0Z' for attribute 'modifyTimeStamp'
    07/07 00:12:21.09 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'modifyTimestamp'
    07/07 00:12:21.10 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'sn'
    07/07 00:12:21.10 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'givenName'
    07/07 00:12:21.10 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'initials'
    07/07 00:12:21.10 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'telephoneNumber'
    07/07 00:12:21.10 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'mobile'
    07/07 00:12:21.12 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'department'
    07/07 00:12:21.12 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'facsimileTelephoneNumber'
    07/07 00:12:21.12 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'pager'
    07/07 00:12:21.12 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'mail'
    07/07 00:12:21.12 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'streetAddress'
    07/07 00:12:21.14 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'l'
    07/07 00:12:21.14 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'st'
    07/07 00:12:21.14 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'postalCode'
    07/07 00:12:21.14 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'c'
    07/07 00:12:21.15 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'o'
    07/07 00:12:21.15 [EXAMPLE SDM SERVER] bopLDAP 2364 TRACE ldap_virtdb.c 330 End select short

  9. Integrating with non-Active Directory implementations of LDAP:

     1. CA Service Management's LDAP mappings must be modified when the LDAP Directory schema differs from that of Active Directory.

    When Service Desk requests a list of LDAP entries, such as when searching in the Administrative Client's "LDAP Entry List" screen, it first fetches the distinguished name and user id for each row, explicitly as mapped in $NX_ROOT/bopcfg/majic/ldap.maj. However, some LDAP Directory implementations do not use a distinguished name attribute to uniquely identify each entry, since the LDAP RFCs do not require one, and so the search returns no data although it reports the correct number of resulting entries. In such cases one may find the following sequence of verbose messages in the stdlog.

    06/28 16:55:52.81 [EXAMPLE SDM SERVER] bopLDAP 3276 TRACE ldap_virtdb.c 1356 Value not available for 'uid'
    06/28 16:55:52.83 [EXAMPLE SDM SERVER] bopLDAP 3276 TRACE ldap_virtdb.c 1260 Retrieving next entry...(0x00000000)

    To change CA Service Management's LDAP mappings, first review the ldap object definition in $NX_ROOT/bopcfg/majic/ldap.maj and compare it with the output from ldap_test -a *. If ldap_test does not yet work with the LDAP implementation, obtain the schema and attribute definitions in use from the LDAP administrator. Then create a file with a .mod extension in the $NX_ROOT/site/mods/majic directory to re-map Contact record attributes to LDAP attributes. For example:

    MODIFY ldap userid uid;

    This maps the "userid" field of the Contact table to the "uid" attribute from LDAP.

     2. Service Desk does not automatically detect the protocol version of the LDAP server.

    If the LDAP version returned by the ldap_get_option API function call (as seen in ldap_test output) does not match the version the LDAP server is actually configured for, you may see the following sequence of stdlog messages.

    06/13 15:29:47.14 [EXAMPLE SDM SERVER] domsrvr 2136 SIGNIFICANT bpobject.c 3168 Timed out trying to do version logon to bopLDAP
    06/13 15:29:47.15 [EXAMPLE SDM SERVER] domsrvr 2136 ERROR bpobject.c 1737 Unable to determine message version for process XXX.XXX.XXX.XXX | bopLDAP
    06/13 15:30:50.28 [EXAMPLE SDM SERVER] bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 987 LDAP_SRVR version 3
    06/13 15:30:50.31 [EXAMPLE SDM SERVER] bopLDAP 2112 SEVERE_ERROR ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Server Down); username()
    06/13 15:30:50.33 [EXAMPLE SDM SERVER] domsrvr 2136 ERROR sql_prod.c 417 Restored connection to virtdb bopLDAP
    06/13 15:30:50.39 [EXAMPLE SDM SERVER] bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'register_producer' not processed
    06/13 15:42:20.22 [EXAMPLE SDM SERVER] bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'select_full' not processed

     3. CA Service Management servers running on Windows 2000 or later use Active Directory style SASL authentication by default to bind to the LDAP Directory server, regardless of the type of authentication the directory is configured for.

    If, when binding to the LDAP Directory server with the ldap_bind_s API function call, Service Desk requests an authentication method not supported by the Directory server, the following error message will be logged in the stdlog.

    06/21 17:36:32.63 [EXAMPLE SDM SERVER] bopLDAP 2184 SEVERE_ERROR ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Authentication Method Not Supported); username(dirmanager)

    Likewise, running ldap_test will show the following output:

    ldap_bind_s() (Authentication method not supported)

    Note that if the host type is windows, it will always pass SASL, because Active Directory always uses SASL. If the LDAP server is not Active Directory or is not using SASL, add the following entry in the $NX_ROOT/NX.env file to force the host type to be unix in order to bind successfully.

    NX_LDAP_HOST_TYPE=unix
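    As an added example (not the article's or the product's own code), the following Python script parses stdlog lines in the layout shown in items 8 and 9 above, groups the bopLDAP messages by the signatures those items discuss (STARTUP of LDAP_virtdb, missing options, ldap_bind errors, "LDAP server not available", "Value not available"), and maps the earliest failing signature to the check the article prescribes for it. The sample stdlog is constructed; the host name sdm01 and the wording of the advice strings are assumptions.

```python
import re

# stdlog layout: "MM/DD HH:MM:SS.ss [host] process pid LEVEL source line message"
LINE_RE = re.compile(r"^(\S+ \S+) \[[^\]]+\] (\S+) \d+ (\S+) \S+ \d+ (.*)$")

# Message signatures the article walks through, ordered by how early they break the flow.
SIGNATURES = (
    ("startup", re.compile(r"^(STARTUP) of LDAP_virtdb")),
    ("missing_options", re.compile(r"^LDAP Server (.+) missing$")),
    ("bind_errors", re.compile(r"^LDAP_SRVR ldap_bind error\((.+?)\); username\((.*)\)")),
    ("unavailable", re.compile(r"^LDAP server not available; '(\w+)' not processed")),
    ("missing_attrs", re.compile(r"^Value not available for '(\w+)'")),
)

# Constructed sample stdlog mixing the article's healthy and failing cases.
SAMPLE_STDLOG = """\
06/03 17:00:18.27 [sdm01] bopLDAP 1964 SIGNIFICANT ldap_virtdb.c 680 STARTUP of LDAP_virtdb
06/03 17:00:18.72 [sdm01] bopLDAP 1964 SEVERE_ERROR ldap_virtdb.c 1023 LDAP Server port id missing
06/05 12:35:11.01 [sdm01] bopLDAP 1912 SEVERE_ERROR ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Authentication Method Not Supported); username(dirmanager)
06/05 12:35:12.10 [sdm01] bopLDAP 1912 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'select_full' not processed
07/07 00:12:21.09 [sdm01] bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'uid'
"""

def analyze_stdlog(text):
    """Group bopLDAP messages by signature; other processes and unmatched lines are skipped."""
    summary = {key: [] for key, _ in SIGNATURES}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "bopLDAP":
            continue
        for key, sig in SIGNATURES:
            hit = sig.match(m.group(4))
            if hit:
                summary[key].append(hit.groups())
                break
    return summary

def diagnose(summary):
    """Map the earliest failing signature to the check the article prescribes for it."""
    if not summary["startup"]:
        return "no STARTUP of LDAP_virtdb: confirm with pdm_status that ldap_virtdb is running"
    if summary["missing_options"]:
        return "install missing options: " + ", ".join(o[0] for o in summary["missing_options"])
    if summary["bind_errors"]:
        return "ldap_bind error(%s): non-AD server? set NX_LDAP_HOST_TYPE=unix, else verify DN/password" % summary["bind_errors"][-1][0]
    if summary["unavailable"]:
        return "LDAP server not available; skipped: " + ", ".join(o[0] for o in summary["unavailable"])
    if summary["missing_attrs"]:
        return "attributes not returned (%s): review ldap.maj mappings" % ", ".join(a[0] for a in summary["missing_attrs"])
    return "LDAP connection looks healthy"
```

Run it against a real stdlog with `diagnose(analyze_stdlog(open("stdlog").read()))`; lines from domsrvr or web:local are ignored so the verdict reflects only what bopLDAP reported.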