vRNI Troubleshooting LDAP configuration

Article ID: 340845

Products

VMware Aria Operations for Networks

Issue/Introduction

Symptoms:

Unable to configure LDAP sources.

  • When attempting to submit the configuration, one of the following messages appears in red:
    • LDAP authentication failed
    • YourDomain:389 or YourDomain:636
    • user jdoe is not a member of authorized groups
  • In the /logs/restapilayer/restapilayer.STDOUT-YYYY-MM-DD-hh.mm.ss.log.error file, you see entries similar to:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthResource:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - Unable to validate LDAP connection

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17243 - POST /auth/ldapConfiguration] - group authorization failed
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthResource:[?:?:?] - [dw-17243 - POST /auth/ldapConfiguration] - Unable to validate LDAP connection

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - user jdoe is not a member of authorized groups
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - group authorization failed
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthResource:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - Unable to validate LDAP connection

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - could not find user jdoe under baseDN dc=mydomain,dc=com
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - group authorization failed
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthResource:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - Unable to validate LDAP connection

    Note: This log excerpt is an example. Date, time, and environment-specific values will vary depending on your environment.


Environment

VMware vRealize Network Insight 2.x
VMware vRealize Network Insight 3.x

Resolution

LDAP authentication can be configured after the deployment of your Platform and Proxy VMs, under Profile > Settings > LDAP in the UI.

When working within the Platform VM, validate these configuration values:
Note: Nested users and groups are not supported.

LDAP Configuration:
  • Domain: the domain name is defined
  • LDAP Host URL: ldap://<IP address or FQDN of Domain Controller>:<port 389 or 636>
  • LDAP Credentials:
    • Username
    • Password


Additionally, if you are restricting access using groups, validate this information:

Group DN: Distinguished Name of the group. To find the Group DN, tools such as ADSI Editor or dsquery can be used to look up the value.
BaseDN: dc=example,dc=com

Note: The Base DN must be inclusive enough that the search can see any and all groups regardless of their location within AD. If the Base DN is too narrow in scope, the search query will be unable to find the desired groups.

Log files and locations:

Location                                                               Description
/logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log         Logs generated by the vRNI UI
/logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log.error   Logs of vRNI UI errors

Troubleshooting:

Known errors in /logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log and their resolution:

Error:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks
    javax.naming.CommunicationException: ldap_ip_fqdn:port
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)

Resolution: Check if the AD/LDAP endpoint is reachable from the vRNI Platform.

  • If the FQDN is specified as the server endpoint, verify that the vRNI Platform is able to resolve the LDAP server name.
  • Run ping tests from the vRNI Platform to the LDAP server and from the LDAP server to the vRNI Platform to verify communication between the two components.

Error:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks
    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3136)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082)
    ...

Resolution: Check if the user's credentials exist in the LDAP database.

  • Ensure that the login and password used do exist and are correct.

Error:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - user jdoe is not a member of authorized groups
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - group authorization failed
    org.apache.shiro.authc.AuthenticationException: user ktrinh is not a member of authorized groups
    at com.vnera.restapilayer.ArkinJndiLdapRealm.authorizeViaGroups(ArkinJndiLdapRealm.java:95)
    at com.vnera.restapilayer.AuthRealmManager.testLdapRealm(AuthRealmManager.java:568)

Resolution: Check if the group DN is correct.

  • Ensure that the group you specified does exist and that the user is a member of that group.
  • It has to follow LDAP syntax, e.g. cn=my_vrni_group,cn=myusers,dc=mydomain,dc=com

Example to test the connectivity to the LDAP endpoint and the ability to retrieve data:

From a Linux machine:

ldapsearch \
  -x -h <ldap_ip_or_fqdn> \
  -D <username_allowed_to_query_ldap>@<yourdomain.com> \
  -w <username_allowed_password> \
  -b dc=<yourdomain>,dc=<com> \
  -s sub '(cn=<user_cn_that_you_look_for>)' dn cn mail sAMAccountName

Use -W instead of -w <password> to be prompted for the bind password rather than passing it on the command line, where it would be visible in the shell history and process listings. The Active Directory attribute holding the e-mail address is mail.

From a Windows machine command line:

dsquery group -name your_groupname

For example, to list all groups:

dsquery group -name *

Error:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17243 - POST /auth/ldapConfiguration] - group authorization failed
    javax.naming.CommunicationException: mydomain.com:port
    at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
    at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)

Resolution: Check if the base DN is correct.

  • The base DN is usually made of the domain components that compose your LDAP root, for example: dc=mydomain,dc=com

Error:

    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - could not find user jdoe under baseDN dc=mydomain,dc=com
    ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - group authorization failed
    org.apache.shiro.authc.AuthenticationException: could not find user jdoe under baseDN dc=mydomain,dc=com
    at com.vnera.restapilayer.ArkinJndiLdapRealm.authorizeViaGroups(ArkinJndiLdapRealm.java:74)
    at com.vnera.restapilayer.AuthRealmManager.testLdapRealm(AuthRealmManager.java:568)

Resolution: Check if the user search attribute is correct.

  • Use sAMAccountName if you want users to log in with their usernames.


Example of a working LDAP configuration:

Domain                  vcloud.local
LDAP Host URL           ldap://192.168.1.2
Group DNs               cn=vrni_auth,cn=users,dc=vcloud,dc=local
Base DN                 dc=vcloud,dc=local
User Search Attribute   sAMAccountName
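Added example (not part of this KB or of vRNI): a Python pre-flight check for the values entered in the LDAP form, covering what the troubleshooting entries above ask you to verify by hand: the host URL shape and port, the LDAP syntax of the Base DN and Group DNs, and whether each Group DN actually lies inside the Base DN (the note above about a Base DN that is too narrow). The sample configuration, with its deliberately mistyped Group DN, and all function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed input (not from vRNI): the KB's working configuration, with the Group DN
# mistyped as 'cn=users.dc=vcloud' ('.' instead of ','), a common copy-and-paste slip.
BROKEN_CONFIG = {
    "ldap_host_url": "ldap://192.168.1.2",
    "group_dns": ["cn=vrni_auth,cn=users.dc=vcloud,dc=local"],
    "base_dn": "dc=vcloud,dc=local",
    "user_search_attribute": "sAMAccountName",
}
GOOD_CONFIG = dict(BROKEN_CONFIG, group_dns=["cn=vrni_auth,cn=users,dc=vcloud,dc=local"])

def parse_dn(dn):
    """Split 'cn=a,ou=b,dc=c' into lower-cased [('cn', 'a'), ...]; None if an RDN is not
    attr=value. Simplification: RFC 4514 escaping (a '\\,' inside a value) is not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not value.strip() or not re.fullmatch(r"[A-Za-z][\w.-]*", attr.strip()):
            return None
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_is_under(dn, base_dn):
    """True when base_dn is a suffix of dn, i.e. a subtree search from base_dn can reach dn."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return d is not None and b is not None and len(b) <= len(d) and d[-len(b):] == b

def check_ldap_config(cfg):
    """Return a list of problems found in the entered values (empty list: nothing obvious)."""
    problems = []
    url = urlsplit(cfg["ldap_host_url"])
    try:
        host, port = url.hostname, url.port   # .port raises ValueError for a non-numeric port
    except ValueError:
        host = port = None
    if url.scheme not in ("ldap", "ldaps") or not host:
        problems.append("LDAP Host URL must look like ldap://<ip-or-fqdn>[:port]")
    elif port not in (None, 389, 636):
        problems.append(f"LDAP Host URL port {port} is neither 389 nor 636")
    if parse_dn(cfg["base_dn"]) is None:
        problems.append("Base DN is not valid LDAP syntax (expected e.g. dc=mydomain,dc=com)")
    for group in cfg["group_dns"]:
        if parse_dn(group) is None:
            problems.append(f"Group DN {group!r} is not valid LDAP syntax")
        elif not dn_is_under(group, cfg["base_dn"]):
            problems.append(f"Group DN {group!r} is outside Base DN {cfg['base_dn']!r}: "
                            "check it for typos or widen the Base DN")
    return problems
```

Run it against the values you are about to submit; an empty list means the form values are at least well-formed and mutually consistent, which rules out the "group authorization failed" cases caused by DN typos before you look at connectivity or credentials.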



Additional Information

To find out your user and group base DN, you can run a query from any Domain Controller server on your Windows domain.

To find the User Base DN:
  1. Open a Windows command prompt.
  2. Run this command:

    dsquery user -name <known username>

    For example: if you want to search for all users named John, enter the username as John* to get a list of all users whose name is John.

    You see Output similar to:

    "CN=John.Smith,CN=Users,DC=MyDomain,DC=com"

  3. In vRNI LDAP/Directory settings, when asked for a User Base DN, enter: CN=Users,DC=MyDomain,DC=com.


To find the Group Base DN:

  1. Open a Windows command prompt.
  2. Run this command:

    dsquery group -name <known group name>

    For example: if you want to search for a group called Users, enter the group name as Users* to get a list of all groups whose name contains "Users".

    You see output similar to:

    "CN=Users,CN=Builtin,DC=MyDomain,DC=com"

  3. In vRNI LDAP/Directory settings, when asked for a User Base DN, enter:

    CN=Users,CN=Builtin,DC=MyDomain,DC=com