Users not being created from LDAP groups upon logging into OneClick

Article ID: 375889


Products

DX NetOps CA Spectrum

Issue/Introduction

The LDAP groups have been added to $SPECROOT/custom/ldap/config/ldap-grps-mappings-config.xml per the LDAP User Group Authentication documentation; however, users in those groups are not created when they log in to OneClick.

When enabling SSORB Security SP tracing, we can see the LDAP group is matched but the result is "No user model found - stopping" in the $SPECROOT/tomcat/logs/catalina.out (Linux) or %SPECROOT%\tomcat\logs\tomcat.out (Windows).


MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - Found match for LDAP Server user group name for the configuration user group : <Distinguished Name of LDAP group>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - Got LDAP user group name: <CN of LDAP Group> for user name: <name>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - No Spectrum user group found with name : <CN of LDAP Group>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - No Spectrum user group found with name : <CN of LDAP Group>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - No Spectrum user group found with name : <CN of LDAP Group>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - Getting user model by filter from admin domain <name>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - Getting user model by filter from admin domain <name>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - Getting user model by filter from admin domain <name>
MMM DD, YYYY HH:MM:SS.### (https-jsse-nio-8443-exec-21) (SecuritySP) - No user model found - stopping 

The <CN of LDAP Group> matches an entry in the $SPECROOT/custom/ldap/config/ldap-grps-mappings-config.xml file and the user name: <name> is a member of the LDAP group.

Environment

Spectrum, all supported versions

Cause

Per the LDAP User Group Authentication documentation, groups matching the name of the LDAP groups are required:

"In Spectrum, the administrator must manually create a user group in all the landscapes with the same group name and required privileges as present in LDAP."

Resolution

Create the groups in Spectrum per the documentation.

For example, using LDAP Group:

<Group searchTag="memberOf" searchString="CN=group_name,CN=Users,DC=company,DC=local"/>

The Spectrum group would be "group_name".
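
To see which group names still need to be created, the Python below (an added example, not Broadcom's code) derives the Spectrum group name from each searchString in the mapping file and intersects the result with the names SecuritySP reported as missing. The XML root element, the second group, the user name and the log timestamps are constructed sample data; only the <Group .../> form and the trace message wording come from this article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; the root element name is an assumption, only the
# <Group .../> form comes from the article.
SAMPLE_MAPPING = """<LdapGroups>
  <Group searchTag="memberOf" searchString="CN=group_name,CN=Users,DC=company,DC=local"/>
  <Group searchTag="memberOf" searchString="CN=noc_operators,OU=Groups,DC=company,DC=local"/>
</LdapGroups>"""

# Constructed sample in the SecuritySP trace format quoted in the article.
SAMPLE_LOG = """\
Jan 01, 2024 10:00:00.000 (https-jsse-nio-8443-exec-21) (SecuritySP) - Got LDAP user group name: noc_operators for user name: jdoe
Jan 01, 2024 10:00:00.001 (https-jsse-nio-8443-exec-21) (SecuritySP) - No Spectrum user group found with name : noc_operators
Jan 01, 2024 10:00:00.002 (https-jsse-nio-8443-exec-21) (SecuritySP) - No Spectrum user group found with name : noc_operators
Jan 01, 2024 10:00:00.003 (https-jsse-nio-8443-exec-21) (SecuritySP) - No user model found - stopping
"""

MISSING_RE = re.compile(r"\(SecuritySP\) - No Spectrum user group found with name : (.+?)\s*$")

def group_cn(dn):
    """Return the CN of the leftmost RDN of a DN, or None if it is not a CN."""
    first_rdn = re.split(r"(?<!\\),", dn.strip(), maxsplit=1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN" or not value:
        return None
    return re.sub(r"\\(.)", r"\1", value.strip())  # undo simple \, escapes

def required_groups(mapping_xml):
    """Spectrum group names implied by every <Group searchString=...> entry."""
    root = ET.fromstring(mapping_xml)
    cns = (group_cn(g.get("searchString", "")) for g in root.iter("Group"))
    return sorted({cn for cn in cns if cn})

def missing_groups(log_text):
    """Group names SecuritySP reported as absent (repeats collapsed)."""
    hits = (MISSING_RE.search(line) for line in log_text.splitlines())
    return sorted({m.group(1) for m in hits if m})

def groups_to_create(mapping_xml, log_text):
    """Mapped LDAP groups that the trace shows have no Spectrum user group."""
    return sorted(set(required_groups(mapping_xml)) & set(missing_groups(log_text)))

if __name__ == "__main__":
    print("Names required by mapping:", required_groups(SAMPLE_MAPPING))
    print("Still missing in Spectrum:", groups_to_create(SAMPLE_MAPPING, SAMPLE_LOG))
```

In practice, pass the contents of the real ldap-grps-mappings-config.xml and the Tomcat log in place of the two sample strings.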