NetOps Portal LDAP users work regardless of password used



Article ID: 98911


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Verifying LDAP authentication

How to Test LDAP Authentication

What is required for LDAP configuration when utilizing a Service Account for the Connection User?

Why are LDAP authorized users permitted access to the Netops Portal web UI whether they use the wrong, or correct, password to log in?

LDAP users in DX NetOps Portal gain access when the wrong password is used.

After configuring LDAP, users are able to log in using any password against their LDAP-based username. They gain access whether they use the correct password or an incorrect one.

Environment

All supported DX NetOps Performance Management releases

Cause

Using a Service Account user as the Connection User combined with User Bind being set to Disabled.

When User Bind is set to Disabled, the integration never binds to LDAP as the logging-in user, so the password that user supplies is never checked against the directory. Any password is accepted for a username that the search finds, which allows users to log in without the correct password.

The LDAP configuration for the User Bind *must* be set to Enabled if using LDAP for SSO with a Service Account configured as the Connection User.

Resolution

Run the SsoConfig tool and update the LDAP User Bind value from Disabled to Enabled.

To verify and test the LDAP integration configuration after making the recommended change utilize the Test LDAP option from the SsoConfig tool.
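The following is an added illustration, not code from the KB article or from Broadcom's SsoConfig tool. It models the search-then-bind flow the article describes with a small in-memory stand-in for the LDAP server, so it runs offline: step 1 binds as the Connection User (service account) and searches for the login name; step 2, the User Bind, binds again as the DN that was found using the password the user typed. The DNs, account names and passwords in the directory are constructed placeholders. With `user_bind=False` the second bind is skipped and `authenticate()` returns a user DN for any password, which is exactly the symptom in the Issue section; with `user_bind=True` a wrong password is rejected.

```python
"""Search-then-bind LDAP authentication, modelled offline.

Constructed example (not Broadcom's SsoConfig code). An in-memory
directory stands in for the LDAP server so the two steps the KB article
describes can be exercised without a network.
"""
from dataclasses import dataclass, replace

# Constructed directory: DN -> (attributes, password). All values are placeholders.
DIRECTORY = {
    "CN=svc-netops,OU=Service Accounts,DC=example,DC=com": (
        {"sAMAccountName": "svc-netops"}, "service-account-secret"),
    "CN=Alice,OU=Users,DC=example,DC=com": (
        {"sAMAccountName": "alice"}, "correct-horse"),
}


class FakeLdapServer:
    """Minimal stand-in for an LDAP server: simple bind plus equality search."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        """Simple bind succeeds only if the DN exists and the password matches."""
        entry = self.entries.get(dn)
        return entry is not None and entry[1] == password

    def search(self, attribute, value):
        """Return the DNs whose attribute equals value (an equality filter)."""
        return [dn for dn, (attrs, _) in self.entries.items()
                if attrs.get(attribute) == value]


@dataclass
class LdapSsoConfig:
    """Subset of the SsoConfig LDAP settings shown in the article (assumed field names)."""
    connection_user: str
    connection_password: str
    search_attribute: str = "sAMAccountName"  # Search String: (SamAccountname={0})
    user_bind: bool = True                     # User Bind: Enabled / Disabled


def authenticate(server, cfg, username, password):
    """Return the DN of the authenticated user, or None on failure.

    Step 1: bind as the Connection User and look the login name up.
    Step 2: only when User Bind is enabled, bind as the found DN with the
    password the user typed. That second bind is the only place the user's
    password is ever compared to anything.
    """
    if not server.bind(cfg.connection_user, cfg.connection_password):
        return None  # service account itself could not bind
    matches = server.search(cfg.search_attribute, username)
    if len(matches) != 1:
        return None  # unknown or ambiguous user
    user_dn = matches[0]
    if cfg.user_bind and not server.bind(user_dn, password):
        return None  # wrong password
    return user_dn


def weak_config():
    """User Bind: Disabled, the misconfiguration described in the article."""
    return LdapSsoConfig(
        connection_user="CN=svc-netops,OU=Service Accounts,DC=example,DC=com",
        connection_password="service-account-secret",
        user_bind=False)


def fixed_config():
    """User Bind: Enabled, the recommended setting with a Connection User."""
    return replace(weak_config(), user_bind=True)


def compare_configs():
    """Run the same logins against both configurations and report who got in."""
    server = FakeLdapServer(DIRECTORY)
    results = {}
    for name, cfg in (("weak", weak_config()), ("fixed", fixed_config())):
        for pw_label, pw in (("right", "correct-horse"), ("wrong", "not-the-password")):
            results[f"{name}/{pw_label}"] = authenticate(server, cfg, "alice", pw) is not None
        results[f"{name}/unknown-user"] = authenticate(server, cfg, "mallory", "x") is not None
    return results


if __name__ == "__main__":
    for key, got_in in compare_configs().items():
        print(f"{key:20s} -> {'ACCESS GRANTED' if got_in else 'rejected'}")
```

The only difference between the two runs is the `user_bind` flag, which is the same single setting the Resolution above changes with the SsoConfig tool. Note that in the Test LDAP transcript further down, the "user bind completed successfully" message and the `Clone SUCCESS` result appear even though the configuration dump ends with `User Bind: Disabled`; that is why the transcript alone is not proof that passwords are being checked, and a deliberate wrong-password login is the confirming check.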

Additional Information

See the DX NetOps Performance Management Single Sign-On documentation topic for additional LDAP Configuration details.

Sample LDAP Test run:

SSO Configuration/CA Performance Center/Test LDAP 
Enter username > usersname
Enter password > 
We will now attempt to bind to the supplied LDAP server using the LdapConnectionUser and LdapConnectionPassword supplied in the SSO Config utility. 
ldapSearchDomain = ldap://ldap.ABC.com:389/ 
ldapTimeout = 10000 
DirContext.SECURITY_AUTHENTICATION = simple 
DirContext.SECURITY_PRINCIPAL = CN=ABCDEF,OU=ABCDEF,OU=ABCDEF Users,OU=ABCD User,DC=APCD,DC=com 
DirContext.SECURITY_CREDENTIALS set 
directoryContext initialized 
searchScope = SearchControls.SUBTREE_SCOPE 
ldapRoot = DC=APCD,DC=com 

Begin directoryContext.search 
Search String: (SamAccountname=usersname) 
End directoryContext.search 

Search returned at least one result. 
Finding the user to clone as well as the username to use in Netops Portal. 
accountUser = usersname
accountUserClone = {sAMAccountName} 

ldapGroups = 

The user bind completed successfully. 
Account User = usersname
Account User Clone = {sAMAccountName} 
Begin cloneUser 
cloneUserId = 43 
End cloneUser 

Clone SUCCESS 

Verifying Sso configuration 
SSO Configuration/CA Performance Center/LDAP Authentication: 
Connection User: CN=ABCDEF,OU=ABCDEF,OU=ABCDEF Users,OU=ABCD User,DC=APCD,DC=com 
Connection Password: ************************ 
Search Domain: ldap://ldap.ABC.com:389/DC=APCD,DC=com 
Search String: (SamAccountname={0}) 
Search Scope: subtree 
User Bind: Disabled 
Encryption: 
Account User: {sAMAccountName} 
Account User Default Clone: {sAMAccountName} 
Group: 
Krb5Confi1