Topic: Unable to contact LDAP server through arslsync

Andreas Baaserud Hauge

Unable to contact LDAP server through arslsync
« on: October 14, 2021, 01:47:49 PM »
I am configuring OnDemand to synchronise users / groups from Windows AD to OnDemand, through LDAP, non-SSL. I am having trouble getting the synchronisation to connect to the LDAP server.

What has been done so far:
  • configured /opt/IBM/ondemand/config/ars.cfg, configuration parameters can be seen further down
  • restarted ondemand
  • made sure I can reach LDAP server on port 389
  • credentials for the bind user are OK

Command:
/opt/IBM/ondemand/bin/arslsync -tv

Error received in OnDemand System Log:
LDAP Error: Can't contact LDAP server -- ldap_rc=81, -- extended_rc=0, -- ldap_errno=81, extra_rc=-1, File=arsldap.c, Line=1448


ars.cfg configuration:
###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=389
ARS_LDAP_USE_SSL=FALSE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx
ARS_LDAP_BIND_ATTRIBUTE=cn
ARS_LDAP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_ALLOW_ANONYMOUS=TRUE

####################################################
# LDAP SYNC Parameters (requires CMOD v10.1.0.2+)  #
####################################################
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_USER_FILTER=(ObjectClass=USER)
ARS_LDAP_GROUP_FILTER=(ObjectClass=GROUP)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_IGN_USERIDS=ADMIN
ARS_LDAP_IGN_GROUPS=ADMINS


System information:
Aix: v7200-05-02-2114
OnDemand: 10.1.0.5
DB2: 11.1.1.1

Thanks in advance  :D
ABH

rjrussel

Re: Unable to contact LDAP server through arslsync
« Reply #1 on: October 14, 2021, 03:15:56 PM »
See the following document:

https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations

The bindDN and bindDN password need to be in the stash file.

And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false

AD doesn't support anonymous bind.

Thanks

RR
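The original post's ars.cfg excerpt and this reply together describe the settings worth checking before touching the network: a bind password sitting in ars.cfg instead of the stash file, ARS_LDAP_ALLOW_ANONYMOUS left at TRUE against AD, a plaintext port 389 connection, and DNs with no domain suffix. The following lint is an added example, not IBM's code and not part of this thread; it assumes ars.cfg is plain KEY=VALUE lines with # comments (as in the excerpt), and the hostname and DC= suffix in the "fixed" sample are made up for the example.

```python
# Added example: lint the LDAP block of an OnDemand ars.cfg for the problems
# discussed in the thread. Not IBM's code; assumes KEY=VALUE lines, '#' comments.
from typing import Dict, List, Tuple

# Constructed sample 1: the LDAP settings as posted in the thread (password placeholder kept).
SAMPLE_WEAK = """\
# LDAP Parameters (Library Server Only)
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=389
ARS_LDAP_USE_SSL=FALSE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx
ARS_LDAP_ALLOW_ANONYMOUS=TRUE
ARS_LDAP_SERVER_TYPE=AD
"""

# Constructed sample 2: the same block after applying the reply's advice (password moved
# to the stash, anonymous off) plus SSL. Hostname and DC= suffix are made up.
SAMPLE_FIXED = """\
ARS_LDAP_SERVER=ad01.example.internal
ARS_LDAP_PORT=636
ARS_LDAP_USE_SSL=TRUE
ARS_LDAP_BASE_DN=OU=Service Accounts,DC=example,DC=internal
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts,DC=example,DC=internal
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_SERVER_TYPE=AD
"""


def parse_cfg(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: DN values contain '=' themselves
        cfg[key.strip()] = value.strip()
    return cfg


def has_dc_component(dn: str) -> bool:
    """True if any RDN of the DN is a DC= component, i.e. the DN carries a domain suffix."""
    return any(rdn.strip().upper().startswith("DC=") for rdn in dn.split(","))


def lint_ldap(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, problem) pairs for the issues raised in the thread."""
    findings: List[Tuple[str, str]] = []
    if cfg.get("ARS_LDAP_SERVER", "") in ("", "hostname"):
        findings.append(("ARS_LDAP_SERVER", "empty or placeholder hostname"))
    if "ARS_LDAP_BIND_DN_PWD" in cfg:
        findings.append(("ARS_LDAP_BIND_DN_PWD",
                         "bind password stored in ars.cfg; keep it in the stash file (arsstash -a 7)"))
    is_ad = cfg.get("ARS_LDAP_SERVER_TYPE", "").upper() == "AD"
    if is_ad and cfg.get("ARS_LDAP_ALLOW_ANONYMOUS", "").upper() != "FALSE":
        findings.append(("ARS_LDAP_ALLOW_ANONYMOUS",
                         "should be FALSE for AD (reply #1 in the thread)"))
    if cfg.get("ARS_LDAP_USE_SSL", "").upper() != "TRUE":
        findings.append(("ARS_LDAP_USE_SSL",
                         "without SSL the simple bind on port %s sends the bind DN and password in clear text"
                         % cfg.get("ARS_LDAP_PORT", "389")))
    for key in ("ARS_LDAP_BASE_DN", "ARS_LDAP_BIND_DN"):
        dn = cfg.get(key, "")
        if dn and not has_dc_component(dn):
            findings.append((key, "no DC= component; the DN is probably incomplete"))
    return findings


def lint_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse then lint a whole ars.cfg text."""
    return lint_ldap(parse_cfg(text))


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(f"--- {label} ---")
        for key, problem in lint_text(sample) or [("(none)", "no findings")]:
            print(f"{key}: {problem}")
```

Run it against a real ars.cfg with `lint_text(open(path).read())`; the weak sample produces six findings, the fixed sample none. The DC= check is a heuristic (some directories use other suffixes), so treat that finding as a prompt to confirm the DN with the directory admin rather than a hard error.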

Andreas Baaserud Hauge

Re: Unable to contact LDAP server through arslsync
« Reply #2 on: October 18, 2021, 05:49:46 AM »
> See the following document:
>
> https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations
>
> The bindDN and bindDN password need to be in the stash file.

I removed bindDN and bindDN password from ars.cfg
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx

and added them to my stash with
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -c -s ars.stash -u "CN=svc-od-bind-t,OU=Service Accounts"
By adding ARS_LDAP_BIND_DN_PWD to the stash, I guess you simply input the password when prompted during the "arsstash -a 7 ..." command.

Verified the ldap user was added to my stash
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -s ars.stash
ARS1603I Userid >CN=svc-od-bind-t,OU=Service Accounts< is currently assigned to >LDAP<

ars.ini configuration contains, as well as other settings:
SRVR_OD_CFG=/opt/IBM/ondemand/V10.1/config/ars.cfg
SRVR_DB_CFG=/opt/IBM/ondemand/V10.1/config/ars.dbfs
SRVR_SM_CFG=/opt/IBM/ondemand/V10.1/config/ars.cache
SRVR_OD_STASH=/opt/IBM/ondemand/V10.1/ars.stash


> And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false
>
> AD doesn't support anonymous bind.

Changed ARS_LDAP_ALLOW_ANONYMOUS to "false" in ars.cfg

Still receiving same error as before.

Thanks for your reply
ABH

rjrussel

Re: Unable to contact LDAP server through arslsync
« Reply #3 on: October 18, 2021, 09:32:08 AM »
Ok. So now that you have that sorted, I recommend using ldapsearch from your OnDemand server to truly verify connectivity. The syntax would be:

ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

Simply change the hostname and password. I did notice after putting that together that your base DN looks odd. It looks to be missing something. While it might in fact be correct, I would double check that with your AD admin.

-RR


Andreas Baaserud Hauge

Re: Unable to contact LDAP server through arslsync
« Reply #4 on: October 19, 2021, 12:32:18 AM »
> ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

ldapsearch worked like a charm.
The reason the base DN looks odd is because I stripped it down to simplify my example for this forum.

ABH

rjrussel

Re: Unable to contact LDAP server through arslsync
« Reply #5 on: October 19, 2021, 08:48:58 AM »
Ok. Please open a support incident.

RR

Andreas Baaserud Hauge

Re: Unable to contact LDAP server through arslsync
« Reply #6 on: October 25, 2021, 03:58:12 PM »
Thank you for your replies, @rjrussel!

The main issue here was that I "forgot" to tick "Enable LDAP" in the OnDemand Administrator Client.
After that, including the changes you came up with in regard to ars.cfg, things started happening with LDAP connectivity.

Now struggling with LDAP SSL; I'll create a new post for that.

Again, thank you a ton, rjrussel
ABH