When trying to login to a MOM that integrates with AD without using EEM, IntroscopeEnterpriseManager.log on a MOM shows below error:
[DEBUG] [PO:main Mailman 3] [Manager.UserManagementService] Unable to find user "user" because javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
:::::
Realms.xml is incorrectly configured.
All APM Environments using Active Directory-based LDAP.
First, ensure "plainTextPasswords" is set to True before the first restart of the EM on a MOM. When starting, EM finds this value as True and encrypts a value of "bindPassword" and sets it to False. This is a required action as documented at the APM Wiki (a link is provided below in Additional Information section).
Try setting "groupMemberQuery" to
<property name="groupMemberQuery">
<value>(&(objectClass=groupOfUniqueNames)(uniquemember=%u))</value>
</property>
if it is not already, set "baseDN" to 'DC=' values of "bindName" property and vice versa.
For example if "bindName" is already defined as following:
<property name="bindName">
<value>CN=user,cn=Users,DC=ad-dev-02,DC=com</value>
</property>
"baseDN" should look like:
<property name="baseDN">
<value>DC=ad-dev-02,DC=com</value>
</property>
https://docops.ca.com/ca-apm/10-5/en/administrating/apm-security/securing-introscope/securing-introscope-using-ldap/ -- Securing Introscope using LDAP.