CAST Engineering Dashboard - Information - How to reproduce LDAP issues at support for CED

Purpose

This page provides information on how to reproduce LDAP issues at support for CED.

For more information, refer to:

Applicable in CAST Version

  Release   Yes/No
  8.2.x     (tick)
  8.1.x     (tick)
  8.0.x     (tick)

Applicable RDBMS

  RDBMS                  Yes/No
  Oracle Server          (tick)
  Microsoft SQL Server   (tick)
  CSS2                   (tick)
Action plan

Perform the following steps to reproduce LDAP issues for CED:

  1. In order to proceed with the steps below, get the Relevant Input.
  2. You can use Apache Directory Studio, which helps you read the customer's configuration; refer to the following pages for more help:

    1. To install Apache Directory Studio: Health Dashboard - Information - LDAP connection - How to Install Apache Directory Studio for Windows
    2. To import/export the customer's configuration: Application Analytics Dashboard - AAD - Information - LDAP connection - How to Import or export a Directory in Apache Directory Studio
  3. Always use a CAST AIP setup installation. For reproducing issues, flat installation is not recommended because the analysis/snapshot may fail. This can be due to files that are missing in the flat installation.
  4. The customer's LDAP setup will not be accessible, so you cannot use it to reproduce LDAP issues. Instead, a test LDAP system has been set up at support to allow you to verify and test LDAP features and functionality. Follow the steps below to test the issue on the CAST version you are investigating and see whether it can be reproduced on our test LDAP system. If it cannot, you may need R&D to assist you in investigating the issue on the customer's site. For CAST support, see the following internal Confluence page for more details on the setup for LDAP testing, under CAST Support Machines > VMs Machine > Information on Internal CAST LDAP Setup and VMs for reproducing LDAP issues.
  5. To start the internal CAST LDAP testing, you need to be a member of an LDAP group at CAST whose name has the form <proxy_user>.<dashboard>. You can verify access to LDAP and this group membership with the ADExplorer tool: LDAP Servers - ADexplorer Tool for troubleshooting LDAP problems

  6. Once your user is properly set up in LDAP, you can use the existing 7.3.7 databases on our internal database server, which has a triplet of ldap_* schemas (ldap_mngt, ldap_central, ldap_local) already configured for testing (see step 12 for how to leverage the current LDAP setup if these databases do not work for your reproduction).

  7. You then need to deploy a 7.3.7 WAR file and configure it against the ldap_central database on the database server, with the specific internal LDAP settings in your web.xml file. See the internal Confluence support page for the support configuration details, under CAST Support Machines > VMs Machine > Information on Internal CAST LDAP Setup and VMs for reproducing LDAP issues. For the LDAP configuration itself, see the documentation: CAST-CED - Active Directory LDAP

  8. Restart the application in Tomcat to take the new settings into account.
  9. You can then login to the dashboard with the following credentials:
    • Userid:  <userid>@<domain>
    • Password: <your domain password>
  10. To enable JAAS logging which can help with LDAP debugging, see the following documentation pages:
  11. A sample of the JAAS log section that you would see for the current example is below:

    JAAS log sample
    [INFO]:    [JAAS] LDAP authorization active
    [INFO]:    [JAAS] Security principal :<name>@<domain>
    [INFO]:    [JAAS] LDAP OU search filter: OU=<OU info>
    [INFO]:    [JAAS] search LDAP for a proxy user to access ldap_central repository
    [INFO]:    [JAAS] Creating new LDAP context.
    [INFO]:    [JAAS] LDAP Search base: DC=<domain info>
    [INFO]:    [JAAS] LDAP Search initiated
    [INFO]:    [JAAS] LDAP Search completed
    [INFO]:    [JAAS] LDAP Search result processing.
    [INFO]:    [JAAS] LDAP proxy user found
    [INFO]:    [JAAS] LDAP group configuration search
    [INFO]:    [JAAS] LDAP group the user is member of : CN=<CN>,OU=<OU>,DC=<DC>
    [INFO]:    [JAAS] LDAP compatible group the user is member of : CN=<CN>,OU=<OU>,DC=<DC>
    [INFO]:    [JAAS] LDAP proxy user : <name>

  12. If you need another specific dashboard or version for LDAP testing, you can do the following to take advantage of the current LDAP configuration:
    • import the central database for the version you want to investigate
    • create and configure a proxy user for your access testing before turning on the LDAP functionality: CAST-CED - Managing users and roles
      • it is usually best to first verify that you can connect without LDAP and see what you expect, so that your non-LDAP configuration and settings are confirmed before introducing LDAP
    • rename the central database to ldap_central so that it matches the existing LDAP group; for CSS, use the following SQL: "alter schema <your imported central> rename to ldap_central;"
    • deploy the WAR file for your version
    • turn on LDAP with the web.xml settings shown above in step 7, together with the web.xml connection settings for your imported central: configuring the CAST Engineering Dashboard
    • restart the application in Tomcat so that the new web.xml settings are taken into account
  13. If you need to test LDAP across multiple domains, another series of systems has been set up for this purpose. See the internal Confluence page for information on these systems as well, under CAST Support Machines > VMs Machine > Information on Internal CAST LDAP Setup and VMs for reproducing LDAP issues.
    1. LDAP Configuration information in regards to multiple domains

      LDAP is normally configured against a single domain controller, with naming.ldap.url set to ldap://<LDAP Server>:<LDAP Port>.

      The default port for LDAP is 389.

      A Global Catalog Server (GCS) holds information on multiple domains, so pointing naming.ldap.url at it instead of the default LDAP server and port may resolve multiple-domain issues. The Global Catalog is normally set up by default at the same time as the LDAP service and on the same machine, so that naming.ldap.url becomes ldap://<Global Catalog Server>:<Global Catalog Port>.

      The default port for GCS is 3268.

      INTERNAL TO CAST SUPPORT: See the internal Confluence page for more specific details on the configuration setup for support in the CAST environment, by looking for the Confluence page "Information on Internal CAST LDAP Setup and VMs for reproducing LDAP issues".

      For the LDAP configuration itself, see the documentation: CAST-CED - Active Directory LDAP


    2. Sample JAAS logs with multiple domains

       Log information will go to the Tomcat stdout log.

       A sample of the JAAS log section that you would see for a failure is:

      JAAS log sample

      [INFO]:    [JAAS] LDAP authorization active
      [INFO]:    [JAAS] Security principal :<user>@<domain>
      [INFO]:    [JAAS] LDAP OU search filter: CN=<CN>
      [INFO]:    [JAAS] search LDAP for a proxy user to access <central> repository
      [INFO]:    [JAAS] Creating new LDAP context.
      [INFO]:    [JAAS] LDAP Search base: DC=<domain>
      [INFO]:    [JAAS] LDAP Search initiated
      [INFO]:    [JAAS] LDAP Search completed
      [INFO]:    [JAAS] LDAP Search result processing.

      A sample of the JAAS log section that you would see for success is:

      JAAS log sample

      [INFO]:    [JAAS] LDAP authorization active
      [INFO]:    [JAAS] Security principal : <user>@<domain>
      [INFO]:    [JAAS] LDAP OU search filter: CN=<CN>
      [INFO]:    [JAAS] search LDAP for a proxy user to access <central> repository
      [INFO]:    [JAAS] Creating new LDAP context.
      [INFO]:    [JAAS] LDAP Search base: DC=<domain>
      [INFO]:    [JAAS] LDAP Search initiated
      [INFO]:    [JAAS] LDAP Search completed
      [INFO]:    [JAAS] LDAP Search result processing.
      [INFO]:    [JAAS] LDAP proxy user found
      [INFO]:    [JAAS] LDAP group configuration search
      [INFO]:    [JAAS] LDAP group the user is member of : CN=<proxy_user>.<central>,CN=<CN>,DC=<domain>
      [INFO]:    [JAAS] LDAP compatible group the user is member of : CN=<proxy_user>.<central>,CN=<CN>,DC=<domain>
      [INFO]:    [JAAS] LDAP proxy user : <user>
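The JAAS samples above (step 11 and the multi-domain success/failure pair) differ only in how far the sequence gets, and the success case must end with a group named <proxy_user>.<central>. The following added script (not part of CAST or of this page) reads such an excerpt from the Tomcat stdout log and reports where the flow stopped; the log lines it embeds are constructed, with the placeholders filled in with made-up values.

```python
import re

# Constructed JAAS excerpt in this page's format, placeholders filled with made-up values (not a real CAST log).
SUCCESS_LOG = """\
[INFO]:    [JAAS] LDAP authorization active
[INFO]:    [JAAS] Security principal : jdoe@example.local
[INFO]:    [JAAS] LDAP OU search filter: CN=Users
[INFO]:    [JAAS] search LDAP for a proxy user to access ldap_central repository
[INFO]:    [JAAS] Creating new LDAP context.
[INFO]:    [JAAS] LDAP Search base: DC=example,DC=local
[INFO]:    [JAAS] LDAP Search initiated
[INFO]:    [JAAS] LDAP Search completed
[INFO]:    [JAAS] LDAP Search result processing.
[INFO]:    [JAAS] LDAP proxy user found
[INFO]:    [JAAS] LDAP group configuration search
[INFO]:    [JAAS] LDAP group the user is member of : CN=cast_admin.ldap_central,CN=Users,DC=example,DC=local
[INFO]:    [JAAS] LDAP compatible group the user is member of : CN=cast_admin.ldap_central,CN=Users,DC=example,DC=local
[INFO]:    [JAAS] LDAP proxy user : cast_admin
"""
# The failure sample on this page stops after "LDAP Search result processing."
FAILURE_LOG = "\n".join(SUCCESS_LOG.splitlines()[:9])
JAAS_MSG = re.compile(r"\[JAAS\]\s*(.*)$")

def jaas_messages(log_text):
    """Return the [JAAS] messages in order, without the [INFO] prefix (other log lines are ignored)."""
    return [m.group(1).strip() for line in log_text.splitlines() if (m := JAAS_MSG.search(line))]

def triage(log_text):
    """Classify a JAAS excerpt and pull out the values a support engineer needs to check."""
    msgs = jaas_messages(log_text)
    info = {"principal": None, "repository": None, "group_cn": None, "proxy_user": None, "status": "ldap-inactive"}
    for m in msgs:
        if m.startswith("Security principal"):
            info["principal"] = m.split(":", 1)[1].strip()
        elif m.startswith("search LDAP for a proxy user to access"):
            info["repository"] = m.split("access", 1)[1].replace("repository", "").strip()
        elif m.startswith("LDAP group the user is member of"):
            cn = re.match(r"CN=([^,]+)", m.split(":", 1)[1].strip())
            info["group_cn"] = cn.group(1) if cn else None
        elif m.startswith("LDAP proxy user :"):
            info["proxy_user"] = m.split(":", 1)[1].strip()
    if info["proxy_user"]:
        # The group must be named <proxy_user>.<central> (step 5 above), so verify it explicitly.
        expected = f"{info['proxy_user']}.{info['repository']}"
        info["status"] = "ok" if info["group_cn"] == expected else "group-mismatch"
    elif "LDAP Search completed" in msgs:
        info["status"] = "no-proxy-user"  # bind and search worked, but no matching group was found
    elif "LDAP authorization active" in msgs:
        info["status"] = "search-failed"  # context/search never completed: check naming.ldap.url and port
    return info
```

A "no-proxy-user" result with a multi-domain user is the case where switching naming.ldap.url to the Global Catalog port (3268) is worth trying, since the search base of a single domain controller will not contain that user's group.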