Topic: Config OnDemand to integrate LDAP with different tree of bind user and Base DN

teeraw

  • Guest
I found a problem with OnDemand integrating with Microsoft AD. My scenario is described below.

 - ARS_LDAP_BIND_DN is CN=cmod,OU=Service Accounts,OU=Admins,DC=mycompany,DC=com
 - ARS_LDAP_BASE_DN is DC=mycompany,DC=com
 - My users in OU=Users,OU=IT,OU=mydepartment,DC=mycompany,DC=com


When I add user "user01" to OnDemand, this user is located at "CN=user01,OU=Users,OU=IT,OU=mydepartment,DC=mycompany,DC=com".
This user cannot authenticate with AD. (I cannot log on with either the local OnDemand password or the AD password.)

But if I add user cmod (the same user used to bind to LDAP) to OnDemand, I can authenticate against AD.
What I think is that OnDemand cannot access user01 across a different sub-tree than the one the bind user (User: cmod) is located in.

How can I set this up for this scenario so that both "OU=Users,OU=IT,OU=mydepartment,DC=mycompany,DC=com" and "OU=Service Accounts,OU=Admins,DC=mycompany,DC=com" can authenticate?  :o :o :o :o


demaya

  • Guest
Hi,

what version of OD do you use?

I just activated LDAP on a few instances and everything (except an open APAR with German umlauts in passwords) works fine. And we look up through the global catalog across approx. 6 domains. So different trees shouldn't be a problem (if I understand your definition of a tree right ;-)).

Here's what my config looks like:
ARS_LDAP_SERVER=server.int
ARS_LDAP_PORT=3268
ARS_LDAP_BASE_DN=DC=domain,DC=com
ARS_LDAP_BIND_DN=CN=binduser,OU=ServiceAccounts,OU=User,OU=abc,DC=domain,DC=com
ARS_LDAP_BIND_ATTRIBUTE=CN
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE
ARS_LDAP_BIND_DN_PWD=xxx

Did you try to trace the LDAP process? http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg21330810

Other links:
http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg21410647
http://www-01.ibm.com/support/docview.wss?uid=swg21418480
https://www-304.ibm.com/support/docview.wss?uid=swg21366645


Cheers!

teeraw

  • Guest
Hi mayach,

As I see it, the config settings that differ from mine are
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE => Should this be enabled in my environment?
I will try this in my environment.

Would you give me an example of a user's CN that you added to OnDemand? I need to compare it with my scenario.
(e.g. CN=user01,OU=Users,OU=accounting,OU=abc,DC=domain,DC=com)

Thank you for your support  ;D

demaya

  • Guest
Hi,

Just as an example, 2 users from different domains (the second is a sub-domain of the first):
CN=user,OU=UserGroup,OU=CompanyGroup,OU=User,OU=Administration,DC=Domain,DC=Com

CN=user,OU=Team,OU=SubDepartment,OU=Department,OU=UserType,OU=User,OU=Administration,DC=DomainSub,DC=Domain,DC=Com

ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE means that if OD can't find the user in AD, it authenticates the user with the local OD password.

ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName: you may try this. My Windows colleague filled this out for me ;) But it seems (I'm looking at the AD with ADExplorer (http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx)) that cn and sAMAccountName can be set differently. So you may try sAMAccountName out.

I recommend you trace your LDAP login process, since I had good experience tracking down the problem that way.

If you need further information on tracing, let me know.

Cheers!

teeraw

  • Guest
Hi mayach,

I'm wondering why on OD 8.4 I can authenticate with LDAP properly, but on OD 8.5 at the customer site it still errors with the same configuration as my OD 8.4.

Trace file has this message:
....
5272:4632 07/23/2012 15:19:05:913062 INFO .\arsldap.c(828)ArcLDAPP_Connect:LDAP initialization successful
5272:4632 07/23/2012 15:19:05:913062 FLOW .\arsldap.c(885)ArcLDAPP_Connect:Return arccs return code=0,ARCCS_OKAY
5272:4632 07/23/2012 15:19:05:913062 FLOW .\arsldap.c(914)ArcLDAPP_Bind:Enter
5272:4632 07/23/2012 15:19:05:913062 INFO .\arsldap.c(939)ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=1
5272:4632 07/23/2012 15:19:05:913062 INFO .\arsldap.c(1047)ArcLDAPP_Bind:ldap_parse_result ldap_rc=0 extra_rc=49
5272:4632 07/23/2012 15:19:05:913062 ERROR .\arsldap.c(1071)ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=49 ldap_ext=0 ldap_errno=0 extra_rc=0 ldap_str=Invalid credentials extended_str=(null) errno_str=Success err_msg=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
5272:4632 07/23/2012 15:19:05:913062 FLOW .\arsldap.c(1147)ArcLDAPP_Bind:Return arccs return code=13,ARCCS_PERMISSIONS
5272:4632 07/23/2012 15:19:05:913062 INFO .\arsldap.c(1472)ArcLDAP_Authenticate:ldap_unbind ldap_rc=0 extra_rc=0
5272:4632 07/23/2012 15:19:05:913062 FLOW .\arsldap.c(1478)ArcLDAP_Authenticate:Return arccs return code=13,ARCCS_PERMISSIONS


Full trace in attachment.

Thank you.
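The ERROR line in the trace above carries an AD-specific sub-code ("data 525") after the generic LDAP result 49 (invalidCredentials); AD uses that sub-code to say why the bind failed, and 525 specifically means the user entry was not found. The following is an added example, not code from the thread or from OnDemand, that parses arsldap.c trace lines of the quoted shape and decodes the sub-code so a troubleshooter can tell a lookup failure from a bad password; the sample line is constructed from the one in the post.

```python
import re

# Constructed trace lines modelled on the arsldap.c output quoted in the thread.
SAMPLE_TRACE = [
    "5272:4632 07/23/2012 15:19:05:913062 INFO .\\arsldap.c(939)ArcLDAPP_Bind:"
    "ldap_sasl_bind ldap_rc=0 extra_rc=1",
    "5272:4632 07/23/2012 15:19:05:913062 ERROR .\\arsldap.c(1071)ArcLDAPP_Bind:"
    "ldap_sasl_bind ldap_rc=49 ldap_ext=0 ldap_errno=0 extra_rc=0 "
    "ldap_str=Invalid credentials extended_str=(null) errno_str=Success "
    "err_msg=80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece",
]

# Well-known AD sub-codes carried in the "data NNN" field of a bind failure.
AD_BIND_SUBCODES = {
    "525": "user not found (the DN or mapped attribute resolved to no entry)",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# pid:tid  date time  LEVEL  file(line)Function:message
LINE_RE = re.compile(
    r"^(?P<pid>\d+:\d+)\s+(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+"
    r"\S+\((?P<srcline>\d+)\)(?P<func>\w+):(?P<msg>.*)$"
)
DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)")


def parse_bind_failures(lines):
    """Return one dict per ERROR line, with the LDAP rc and decoded AD sub-code."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue
        msg = m.group("msg")
        rc = re.search(r"ldap_rc=(\d+)", msg)
        sub = DATA_RE.search(msg)
        code = sub.group("code").lower() if sub else None
        failures.append({
            "func": m.group("func"),
            "ldap_rc": int(rc.group(1)) if rc else None,
            "ad_data": code,
            "meaning": AD_BIND_SUBCODES.get(code, "unknown or no AD sub-code"),
        })
    return failures
```

Run it over a full trace file (one line per list entry) to see at a glance whether each failed bind was a lookup miss (525) or a credential problem (52e).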

demaya

  • Guest
Mhhhhm, same trace as here (but I'm on AIX).

You may try typing the wrong password for a user that normally works, then typing it right. And then try to do the same with a user that doesn't work.

Then you should be able to compare these files (I recommend http://winmerge.org/).

Do you know if the user that doesn't work has an umlaut (like German umlauts ???...) or some special characters in it? I have an open PMR for problems with German umlauts.

Cheers

teeraw

  • Guest
I have already opened a PMR with IBM Support.
It seems to be a problem with the OD version, because the same config works on 8.4.1.5 but not on 8.5.0.5.

If I have a solution I will update you all. Thanks.

demaya

  • Guest
Interesting, I just started using LDAP auth with 8.5 so I can't say anything about LDAP with 8.4 and the migration to 8.5.

Keep us updated! Good luck!

Cheers