Author Topic: LDAP setup?  (Read 7560 times)

Shannan

  • Jr. Member
  • **
  • Posts: 34
LDAP setup?
« on: April 08, 2013, 11:32:23 AM »
I saw an old thread on setting up LDAP with OnDemand, but it only had 2 entries without much resolution. Can anyone help with LDAP setup for Windows 2008 OD 8.5? I have very little LDAP experience, so if someone could help explain at this level, I'd appreciate it.

Ed_Arnold

  • Hero Member
  • *****
  • Posts: 1202
Re: LDAP setup?
« Reply #1 on: April 08, 2013, 02:09:02 PM »
Shannan - I have never set up LDAP myself.

Your question made me curious to see what the doc said:

http://pic.dhe.ibm.com/infocenter/cmod/v8r5m0/index.jsp?topic=%2Fcom.ibm.ondemand.installingmp.doc%2Fars1i071646.htm

Searching on "ldap ondemand configurator" through google points to a nice technote.

If the LDAP server is on another box, then hopefully the platform you're running on has a ping type of program like the one for z/OS so you can ensure that at least the two boxes can talk to each other.

http://www.odusergroup.org/forums/index.php?topic=966.0

Ed
#zOS #ODF

Shannan

  • Jr. Member
  • **
  • Posts: 34
Re: LDAP setup?
« Reply #2 on: April 08, 2013, 06:53:10 PM »
Thanks Ed.  I have reviewed this and think it's a good explanation of how it works.  I think my problem is that there is a format/syntax that needs to be followed when the values are set, but I don't think I'm getting that all correct.  I have asked the hosting support people and they gave me some values that they think are answering the questions/parms that I've asked about, but I don't think it's right - like for instance on the id to use to authenticate with - I don't think it's as simple as typing in the id - I expect it has to be in format that ldap likes - I just don't know what that should look like.  I am hoping to find some examples of these values so I can go back to the ldap support people and say I need the equivalent of these values for our environment.  Continuing to look, but would appreciate any insights/experience anyone else may have.  Thanks!

pankaj.puranik

  • Sr. Member
  • ****
  • Posts: 374
Re: LDAP setup?
« Reply #3 on: April 09, 2013, 01:17:32 AM »
Hi Shannan

Let us know if you find a way, we are also trying to set this up on our server.
Will let you know if it works for us.

Thanks
Pankaj.

Greg Ira

  • Full Member
  • ***
  • Posts: 240
Re: LDAP setup?
« Reply #4 on: April 09, 2013, 10:03:12 AM »
Shannan,
I recently did a POC with LDAP on our z/OS server.  It took a while to get the parms correct but for Non-SSL we have something like this:

ARS_LDAP_SERVER=111.11.11.111
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=dc=yyy,dc=zzznet
ARS_LDAP_BIND_DN=cn=bsmith,ou=Company1,ou=Division1,ou=ITDEPT,dc=yyy,dc=zzznet
ARS_LDAP_BIND_DN_PWD=password
ARS_LDAP_BIND_ATTRIBUTE=userPrincipalName
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_OD_AUTHORITY_FALLBACK=FALSE
ARS_LDAP_REFERRALS=FALSE

This configuration would require a user to enter a userid in the form userid@yyy.zzznet.  The initial BIND DN is bsmith, which would have been a service account name and password provided to you by your LDAP/AD administrators.  Upon successful logon verification of userid@yyy.zzznet, LDAP would return that user's sAMAccountName, which would be just userid, and look for that same userid in CMOD.
« Last Edit: April 09, 2013, 10:04:45 AM by Greg Ira »
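The logon flow Greg describes, as an added Python walk-through (my code, not CMOD's or anyone's in this thread): the directory entries, the CMOD user list and all passwords are constructed stand-ins, and treating ARS_LDAP_ALLOW_ANONYMOUS=FALSE as a refusal of empty passwords is my assumption about that parameter. It shows the two separate binds (service account first, then the user) and the userPrincipalName to sAMAccountName mapping, and why an empty password must never reach the second bind.

```python
from typing import Optional
# Constructed stand-in for AD (DN -> attributes; "_pw" is the password) so this runs offline.
DIRECTORY = {
    "cn=bsmith,ou=Company1,ou=Division1,ou=ITDEPT,dc=yyy,dc=zzznet":
        {"userPrincipalName": "bsmith@yyy.zzznet", "sAMAccountName": "bsmith", "_pw": "svc-secret"},
    "cn=Jane Doe,ou=Company1,ou=Division1,ou=ITDEPT,dc=yyy,dc=zzznet":
        {"userPrincipalName": "jdoe@yyy.zzznet", "sAMAccountName": "jdoe", "_pw": "jane-secret"},
}
CMOD_USERS = {"jdoe"}  # constructed: userids that exist inside CMOD itself

CONFIG = {  # Greg's non-SSL parameters (server/port omitted: nothing is contacted)
    "ARS_LDAP_BASE_DN": "dc=yyy,dc=zzznet",
    "ARS_LDAP_BIND_DN": "cn=bsmith,ou=Company1,ou=Division1,ou=ITDEPT,dc=yyy,dc=zzznet",
    "ARS_LDAP_BIND_DN_PWD": "svc-secret",
    "ARS_LDAP_BIND_ATTRIBUTE": "userPrincipalName",
    "ARS_LDAP_MAPPED_ATTRIBUTE": "sAMAccountName",
    "ARS_LDAP_ALLOW_ANONYMOUS": "FALSE",
}

def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind. As on a real server (RFC 4513 s5.1.2), an empty password is an
    *unauthenticated* bind that succeeds for any DN; that is what ALLOW_ANONYMOUS guards."""
    if password == "":
        return True
    entry = next((a for d, a in DIRECTORY.items() if d.lower() == dn.lower()), None)
    return entry is not None and entry["_pw"] == password

def ldap_search(base_dn: str, attr: str, value: str) -> Optional[str]:
    """Subtree search under base_dn for the one entry with attr=value; returns its DN."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base_dn.lower()) and attrs.get(attr, "").lower() == value.lower():
            return dn
    return None

def authenticate(login: str, password: str, cfg: dict) -> Optional[str]:
    """Return the CMOD userid for a successful logon, else None."""
    # ALLOW_ANONYMOUS=FALSE: reject empty passwords before any bind (assumed semantics).
    if cfg["ARS_LDAP_ALLOW_ANONYMOUS"].upper() == "FALSE" and password == "":
        return None
    # 1. Bind as the service account so the directory can be searched.
    if not ldap_bind(cfg["ARS_LDAP_BIND_DN"], cfg["ARS_LDAP_BIND_DN_PWD"]):
        return None
    # 2. Look up the entry whose BIND_ATTRIBUTE equals what the user typed.
    user_dn = ldap_search(cfg["ARS_LDAP_BASE_DN"], cfg["ARS_LDAP_BIND_ATTRIBUTE"], login)
    # 3. Prove the user's password by binding as that entry.
    if user_dn is None or not ldap_bind(user_dn, password):
        return None
    # 4. MAPPED_ATTRIBUTE yields the userid that CMOD must already define.
    userid = DIRECTORY[user_dn][cfg["ARS_LDAP_MAPPED_ATTRIBUTE"]]
    return userid if userid in CMOD_USERS else None
```

With ALLOW_ANONYMOUS flipped to TRUE the same code accepts an empty password for any known UPN, which is the misconfiguration the FALSE setting exists to prevent.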

demaya

  • Guest
Re: LDAP setup?
« Reply #5 on: April 12, 2013, 12:00:38 AM »
You should have a look in this post too:
http://www.odusergroup.org/forums/index.php?topic=829.msg2601

Cheers

Paul

  • Guest
Re: LDAP setup?
« Reply #6 on: April 12, 2013, 11:02:24 AM »
You need to make sure that the OU information is exact.  Turn on trace and see what it records.  That can be a great help to see exactly where you have incorrect settings.

Shannan

  • Jr. Member
  • **
  • Posts: 34
Re: LDAP setup?
« Reply #7 on: April 16, 2013, 12:29:50 PM »
Thank you for the tips/advice.  I think I'm getting a little closer, but still haven't gotten it - getting the following in my trace - not sure if it doesn't like the password, or something else?

Windows 64-6.1.7601 Service Pack 1-ARSSOCKD-8.5.0.5-04/16/2013 14:23:17
1708:7888 04/16/2013 14:23:44:42114 FLOW .\arsldap.c(1174)ArcLDAP_Authenticate:Enter
1708:7888 04/16/2013 14:23:44:42114 FLOW .\arsldap.c(797)ArcLDAPP_Connect:Enter
1708:7888 04/16/2013 14:23:44:42114 INFO .\arsldap.c(828)ArcLDAPP_Connect:LDAP initialization successful
1708:7888 04/16/2013 14:23:44:42114 FLOW .\arsldap.c(885)ArcLDAPP_Connect:Return arccs return code=0,ARCCS_OKAY
1708:7888 04/16/2013 14:23:44:42114 FLOW .\arsldap.c(914)ArcLDAPP_Bind:Enter
1708:7888 04/16/2013 14:23:44:42114 INFO .\arsldap.c(939)ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=1
1708:7888 04/16/2013 14:23:44:57740 INFO .\arsldap.c(1047)ArcLDAPP_Bind:ldap_parse_result ldap_rc=0 extra_rc=49
1708:7888 04/16/2013 14:23:44:57740 ERROR .\arsldap.c(1071)ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=49 ldap_ext=0 ldap_errno=0 extra_rc=0 ldap_str=Invalid credentials extended_str=(null) errno_str=Success err_msg=80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 531, v1772
1708:7888 04/16/2013 14:23:44:213995 FLOW .\arsldap.c(1147)ArcLDAPP_Bind:Return arccs return code=6,ARCCS_FAILED
1708:7888 04/16/2013 14:23:44:213995 INFO .\arsldap.c(1472)ArcLDAP_Authenticate:ldap_unbind ldap_rc=0 extra_rc=0
1708:7888 04/16/2013 14:23:44:213995 FLOW .\arsldap.c(1478)ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED

Here are my ars.cfg values (from regedit):
"ARS_LDAP_SERVER"="192.168.100.33"
"ARS_LDAP_PORT"=""
"ARS_LDAP_BASE_DN"="DC=aric,DC=com"
"ARS_LDAP_BIND_DN"="CN=SHX8642,OU=GAS,OU=CIS,OU=ARI_Users,DC=aric,DC=com"
"ARS_LDAP_BIND_DN_PWD"="Test8642"
"ARS_LDAP_BIND_ATTRIBUTE"="CN"
"ARS_LDAP_MAPPED_ATTRIBUTE"="sAMAccountName"
"ARS_LDAP_BIND_MESSAGES_FILE"=""
"ARS_LDAP_ALLOW_ANONYMOUS"=""
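As an added example (my code, not from anyone in this thread): a small Python parser for arsldap.c trace lines that pulls the LDAP result code and the Active Directory sub-code out of the 80090308 error text, so a failed bind can be read without guessing. The sub-code table is the standard set AD returns on a failed bind; the data 531 in the trace above maps to "not permitted to log on at this workstation".

```python
import re

# Sub-codes Active Directory places in the "data NNN" field of an 80090308
# AcceptSecurityContext failure; the LDAP result code itself is always 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# <pid>:<tid> <date> <time> <LEVEL> <source>(<line>)<function>:<message>
LINE_RE = re.compile(r"\s(?P<level>FLOW|INFO|ERROR)\s+\S+?\(\d+\)(?P<func>\w+):(?P<msg>.*)$")
RC_RE = re.compile(r"ldap_rc=(\d+)")
STR_RE = re.compile(r"ldap_str=(.*?) extended_str=")
DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def diagnose_trace(trace: str) -> list:
    """Return one dict per ERROR line that carries a non-zero ldap_rc."""
    failures = []
    for line in trace.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("level") != "ERROR":
            continue
        msg = m.group("msg")
        rc_m = RC_RE.search(msg)
        rc = int(rc_m.group(1)) if rc_m else 0
        if rc == 0:
            continue
        data_m = DATA_RE.search(msg)
        data = data_m.group(1).lower() if data_m else None
        if rc == 49:
            meaning = AD_BIND_SUBCODES.get(data, "invalid credentials (no known AD sub-code)")
        else:
            meaning = f"LDAP result code {rc}"
        str_m = STR_RE.search(msg)
        failures.append({"func": m.group("func"), "ldap_rc": rc, "ad_data": data,
                         "ldap_str": str_m.group(1) if str_m else None, "meaning": meaning})
    return failures

# The bind failure from the trace quoted above, pasted in as sample input.
SAMPLE_TRACE = r"""
1708:7888 04/16/2013 14:23:44:57740 ERROR .\arsldap.c(1071)ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=49 ldap_ext=0 ldap_errno=0 extra_rc=0 ldap_str=Invalid credentials extended_str=(null) errno_str=Success err_msg=80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 531, v1772
1708:7888 04/16/2013 14:23:44:213995 FLOW .\arsldap.c(1147)ArcLDAPP_Bind:Return arccs return code=6,ARCCS_FAILED
"""
```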

Paul

  • Guest
Re: LDAP setup?
« Reply #8 on: April 18, 2013, 03:51:40 PM »
"ARS_LDAP_SERVER"="192.168.100.33"
"ARS_LDAP_PORT"=""
"ARS_LDAP_BASE_DN"="DC=aric,DC=com"
"ARS_LDAP_BIND_DN"="CN=SHX8642,OU=GAS,OU=CIS,OU=ARI_Users,DC=aric,DC=com"
"ARS_LDAP_BIND_DN_PWD"="Test8642"
"ARS_LDAP_BIND_ATTRIBUTE"="CN"
"ARS_LDAP_MAPPED_ATTRIBUTE"="sAMAccountName"
"ARS_LDAP_BIND_MESSAGES_FILE"=""
"ARS_LDAP_ALLOW_ANONYMOUS"=""
 
I set the ARS_LDAP_BIND_ATTRIBUTE and ARS_LDAP_MAPPED_ATTRIBUTE as "sAMAccountName"
I take it that all the quotes are for display purposes in this discussion and not in your config file.
Maybe the OU needs to be in the BASE_DN and not the BIND_DN?
Regarding LDAP_SERVER, do you have an actual domain name you can use?
I set the "ARS_LDAP_ALLOW_ANONYMOUS=False"

Hopefully this has been helpful.

Shannan

  • Jr. Member
  • **
  • Posts: 34
Re: LDAP setup?
« Reply #9 on: June 25, 2013, 10:58:50 AM »
Can anyone tell me what type of authority the binding id should have in LDAP to successfully bind?  I am not an LDAP expert by any means, and it would be helpful to tell my hosting people what authority is needed, as the ids I've been given so far are still failing on authority, I believe.  Thanks in advance.

Alessandro Perucchi

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1002
Re: LDAP setup?
« Reply #10 on: July 03, 2013, 04:28:27 AM »
Hello Shannan,

Well, from what I've seen, this is a simple user. It should not have any special authority.

You have here a nice description of how LDAP works with CMOD, covering all cases:

http://www-01.ibm.com/support/docview.wss?uid=swg21446517

You can try port 389 (which is the standard one) or 3268. I've found with a customer that 389 was not working as expected, and with 3268 everything was working as expected... This has something to do with how LDAP will search for the users and the topology of your company's AD environment.

From my experience you can use:

"ARS_LDAP_MAPPED_ATTRIBUTE"="sAMAccountName"

or

"ARS_LDAP_MAPPED_ATTRIBUTE"="CN"

equally in most of the cases.

What you need to check is whether the password and the user that you are using (CN=SHX8642,OU=GAS,OU=CIS,OU=ARI_Users,DC=aric,DC=com with password Test8642) are really written exactly this way in your LDAP, in case you have some case-sensitive/insensitive settings.

Sincerely yours,
Alessandro

Alessandro Perucchi

#Install #Migrations #Conversion #Educate #Repair #Upgrade #Migrate #Enhance #Optimize #AIX #Linux #Multiplatforms #DB2 #Windows #Oracle #TSM #Tivoli #Performance #Audits #Customizing #Availability #HA #DR #JavaApi #ContentNavigator #ICN #WEBi #ODWEK #Services #PDF #AFP #XML