OnDemand Users Group

Support Forums => CMOD for Multiplatforms => Topic started by: Andreas Baaserud Hauge on October 14, 2021, 08:47:49 PM

Title: Unable to contact LDAP server through arslsync
Post by: Andreas Baaserud Hauge on October 14, 2021, 08:47:49 PM
I am configuring OnDemand to synchronise users / groups from Windows AD to OnDemand, through LDAP, non-SSL. I am having trouble getting the synchronisation to connect to the LDAP server.

What has been done so far:

Command:
/opt/IBM/ondemand/bin/arslsync -tv

Error received in OnDemand System Log:
LDAP Error: Can't contact LDAP server -- ldap_rc=81, -- extended_rc=0, -- ldap_errno=81, extra_rc=-1, File=arsldap.c, Line=1448

ars.cfg configuration:
###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=389
ARS_LDAP_USE_SSL=FALSE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx
ARS_LDAP_BIND_ATTRIBUTE=cn
ARS_LDAP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_ALLOW_ANONYMOUS=TRUE

####################################################
# LDAP SYNC Parameters (requires CMOD v10.1.0.2+)  #
####################################################
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_USER_FILTER=(ObjectClass=USER)
ARS_LDAP_GROUP_FILTER=(ObjectClass=GROUP)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_IGN_USERIDS=ADMIN
ARS_LDAP_IGN_GROUPS=ADMINS
System information:
Aix: v7200-05-02-2114
OnDemand: 10.1.0.5
DB2: 11.1.1.1

Thanks in advance  :D
Title: Re: Unable to contact LDAP server through arslsync
Post by: rjrussel on October 14, 2021, 10:15:56 PM
See the following document:

https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations

The bindDN and bindDN password need to be in the stash file.

And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false

AD doesn't support anonymous bind.

Thanks

RR
Title: Re: Unable to contact LDAP server through arslsync
Post by: Andreas Baaserud Hauge on October 18, 2021, 12:49:46 PM
Quote from: rjrussel on October 14, 2021, 10:15:56 PM
See the following document:

https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations

The bindDN and bindDN password need to be in the stash file.

I removed bindDN and bindDN password from ars.cfg
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx

and added them to my stash with
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -c -s ars.stash -u "CN=svc-od-bind-t,OU=Service Accounts"

By adding ARS_LDAP_BIND_DN_PWD to the stash, I guess you simply input the password when prompted during the "arsstash -a 7 ..." command.

Verified the ldap user was added to my stash
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -s ars.stash
ARS1603I Userid >CN=svc-od-bind-t,OU=Service Accounts< is currently assigned to >LDAP<


ars.ini configuration contains, as well as other settings:
SRVR_OD_CFG=/opt/IBM/ondemand/V10.1/config/ars.cfg
SRVR_DB_CFG=/opt/IBM/ondemand/V10.1/config/ars.dbfs
SRVR_SM_CFG=/opt/IBM/ondemand/V10.1/config/ars.cache
SRVR_OD_STASH=/opt/IBM/ondemand/V10.1/ars.stash
Quote from: rjrussel on October 14, 2021, 10:15:56 PM
And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false

AD doesn't support anonymous bind.

Changed ARS_LDAP_ALLOW_ANONYMOUS to "false" in ars.cfg
Still receiving same error as before.

Thanks for your reply
ABH
Title: Re: Unable to contact LDAP server through arslsync
Post by: rjrussel on October 18, 2021, 04:32:08 PM
Ok. So now that you have that sorted, I recommend using ldapsearch from your OnDemand server to truly verify connectivity. The syntax would be:

ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

Simply change the hostname and password. I did notice after putting that together that your base DN looks odd. It looks to be missing something. While it might in fact be correct, I would double check that with your AD admin.

-RR

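The ldapsearch test above checks the same thing arslsync does first: a TCP session to port 389 followed by an LDAPv3 simple bind. The client-side code in the log, ldap_rc=81, is LDAP_SERVER_DOWN in the LDAP client library, which is raised before any LDAP message is exchanged, so it points at the network path or the socket rather than at the bind DN or password. The following is an added example for this thread, not code from OnDemand, the IBM documentation or either poster: a stdlib-only Python client that encodes the BindRequest, decodes the BindResponse, and maps the server's resultCode to its RFC 4511 name, which separates "cannot reach the server" (a socket error) from "reached it but the bind was refused" (for example resultCode 49, invalidCredentials). Hostnames, DNs and the password are placeholders; the response bytes used for self-checking are constructed in the block. Because this is a simple bind without TLS, the password crosses the wire in cleartext, exactly as with the non-SSL ldapsearch and arslsync configuration, so run it only with the low-privilege bind account and from the OnDemand host itself.

```python
"""Minimal LDAPv3 simple-bind client (RFC 4511 BER framing, stdlib only).
Added example, not part of OnDemand; all names below are placeholders."""
import socket

# BER tags used by LDAPMessage / BindRequest / BindResponse (RFC 4511)
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
ENUMERATED = 0x0A
BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
SIMPLE_AUTH = 0x80    # [CONTEXT 0], primitive: simple (cleartext) password

# resultCode values most often seen on a bind (RFC 4511 appendix A)
RESULT_NAMES = {
    0: "success", 7: "authMethodNotSupported", 32: "noSuchObject",
    34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform",
}


class Incomplete(Exception):
    """Raised when the buffer does not yet hold a whole BER element."""


def ber_length(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(tag, value):
    """Two's-complement INTEGER/ENUMERATED using the minimum number of octets."""
    return ber(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def build_bind_request(msg_id, bind_dn, password, version=3):
    """LDAPMessage{ messageID, BindRequest{ version, name, simple } }.
    An empty bind_dn and password is an anonymous simple bind."""
    bind = ber(BIND_REQUEST,
               ber_int(INTEGER, version)
               + ber(OCTET_STRING, bind_dn.encode("utf-8"))
               + ber(SIMPLE_AUTH, password.encode("utf-8")))
    return ber(SEQUENCE, ber_int(INTEGER, msg_id) + bind)


def build_bind_response(msg_id, result_code, diagnostic="", matched_dn=""):
    """Server side of the exchange; used here to construct sample traffic."""
    result = (ber_int(ENUMERATED, result_code)
              + ber(OCTET_STRING, matched_dn.encode("utf-8"))
              + ber(OCTET_STRING, diagnostic.encode("utf-8")))
    return ber(SEQUENCE, ber_int(INTEGER, msg_id) + ber(BIND_RESPONSE, result))


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if len(data) < pos + 2:
        raise Incomplete()
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:               # long form: next n octets carry the length
        n = length & 0x7F
        if len(data) < pos + n:
            raise Incomplete()
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if len(data) < pos + length:
        raise Incomplete()
    return tag, data[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, rc, pos = read_tlv(op)          # resultCode (ENUMERATED)
    _, _matched, pos = read_tlv(op, pos)  # matchedDN, unused here
    _, diag, _ = read_tlv(op, pos)     # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(rc, "big", signed=True),
            diag.decode("utf-8", errors="replace"))


def simple_bind(host, port, bind_dn, password, timeout=5.0):
    """One plain-TCP simple bind. A socket error here corresponds to the
    client-side rc=81 case; a decoded resultCode means the server was reached.
    The password is sent in cleartext: test accounts only, no production secrets."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, bind_dn, password))
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the session before replying")
            buf += chunk
            try:
                _, rc, diag = parse_bind_response(buf)
            except Incomplete:
                continue                # keep reading until the message is whole
            return rc, RESULT_NAMES.get(rc, "rc %d" % rc), diag


if __name__ == "__main__":
    # Placeholder values; substitute the host, bind DN and stash password.
    print(simple_bind("ad.example.com", 389,
                      "CN=bind-user,OU=Service Accounts,DC=example,DC=com", "secret"))
```

Running it against the AD host from the OnDemand server gives one of three outcomes: a socket exception (refused, timed out, unresolved name) means the library-level rc=81 is a network or firewall problem; (0, "success", "") means the bind DN and password are accepted and the remaining difference lies in the OnDemand configuration, such as the "Enable LDAP" setting in the administrator client; and any other resultCode is the directory's own verdict, with AD putting an explanatory string in diagnosticMessage. Reading with a loop rather than a single recv matters for larger responses, whose long-form BER lengths can arrive split across TCP segments.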
Title: Re: Unable to contact LDAP server through arslsync
Post by: Andreas Baaserud Hauge on October 19, 2021, 07:32:18 AM
Quote from: rjrussel on October 18, 2021, 04:32:08 PM
ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

ldapsearch worked like a charm
Reason the base dn looks odd is because I stripped it down to simplify my example for this forum.

ABH
Title: Re: Unable to contact LDAP server through arslsync
Post by: rjrussel on October 19, 2021, 03:48:58 PM
Ok. Please open a support incident.

RR
Title: Re: Unable to contact LDAP server through arslsync
Post by: Andreas Baaserud Hauge on October 25, 2021, 10:58:12 PM
Thank you for your replies, @rjrussel!

The main issue here was that I "forgot" to tick "Enable LDAP" in the OnDemand Administrator Client.
After that, including the changes you suggested in regard to ars.cfg, things started happening with LDAP connectivity.

Now struggling with LDAP SSL, I'll create a new post for that

Again, thank you a ton, rjrussel