Unable to contact LDAP server through arslsync


Andreas Baaserud Hauge

I am configuring OnDemand to synchronise users / groups from Windows AD to OnDemand, through LDAP, non SSL. I am having trouble getting the synchronisation to connect to the LDAP server.

What has been done so far:

  • configured /opt/IBM/ondemand/config/ars.cfg, configuration parameters can be seen further down
  • restarted ondemand
  • made sure I can reach LDAP server on port 389
  • credentials for the bind user are ok

Command:
/opt/IBM/ondemand/bin/arslsync -tv

Error received in OnDemand System Log:
LDAP Error: Can't contact LDAP server -- ldap_rc=81, -- extended_rc=0, -- ldap_errno=81, extra_rc=-1, File=arsldap.c, Line=1448



ars.cfg configuration:
###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=389
ARS_LDAP_USE_SSL=FALSE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx
ARS_LDAP_BIND_ATTRIBUTE=cn
ARS_LDAP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_ALLOW_ANONYMOUS=TRUE

####################################################
# LDAP SYNC Parameters (requires CMOD v10.1.0.2+)  #
####################################################
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_USER_FILTER=(ObjectClass=USER)
ARS_LDAP_GROUP_FILTER=(ObjectClass=GROUP)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_IGN_USERIDS=ADMIN
ARS_LDAP_IGN_GROUPS=ADMINS



System information:
Aix: v7200-05-02-2114
OnDemand: 10.1.0.5
DB2: 11.1.1.1

Thanks in advance  :D
ABH

rjrussel

See the following document:

https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations

The bindDN and bindDN password need to be in the stash file.

And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false

AD doesn't support anonymous bind.

Thanks

RR

Andreas Baaserud Hauge

Quote from: rjrussel on October 14, 2021, 10:15:56 PM
See the following document:

https://www.ibm.com/docs/en/cmofm/10.1.0?topic=processes-sample-ldap-configurations

The bindDN and bindDN password need to be in the stash file.

I removed bindDN and bindDN password from ars.cfg
ARS_LDAP_BIND_DN=CN=bind-user,OU=Service Accounts
ARS_LDAP_BIND_DN_PWD=xxxxxx

and added them to my stash with
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -c -s ars.stash -u "CN=svc-od-bind-t,OU=Service Accounts"

by adding ARS_LDAP_BIND_DN_PWD to the stash, I guess you simply input the password when prompted during the "arsstash -a 7 ..." command

Verified the ldap user was added to my stash
$ /opt/IBM/ondemand/V10.1/bin/arsstash -a 7 -s ars.stash
ARS1603I Userid >CN=svc-od-bind-t,OU=Service Accounts< is currently assigned to >LDAP<


ars.ini configuration contains, as well as other settings:
SRVR_OD_CFG=/opt/IBM/ondemand/V10.1/config/ars.cfg
SRVR_DB_CFG=/opt/IBM/ondemand/V10.1/config/ars.dbfs
SRVR_SM_CFG=/opt/IBM/ondemand/V10.1/config/ars.cache
SRVR_OD_STASH=/opt/IBM/ondemand/V10.1/ars.stash



Quote from: rjrussel on October 14, 2021, 10:15:56 PM
And since you are using AD you should set ARS_LDAP_ALLOW_ANONYMOUS=false

AD doesn't support anonymous bind.

Changed ARS_LDAP_ALLOW_ANONYMOUS to "false" in ars.cfg




Still receiving same error as before.

Thanks for your reply
ABH

rjrussel

Ok. So now that you have that sorted, I recommend using ldapsearch from your OnDemand server to truly verify connectivity. The syntax would be:

ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

Simply change the hostname and password. I did notice after putting that together that your base DN looks odd. It looks to be missing something. While it might in fact be correct, I would double check that with your AD admin.

-RR
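The check rjrussel describes, separating "the server cannot be reached at all" from "the server answers but rejects the bind", can also be done without ldapsearch. The following is an added example, not code from this thread or from IBM Content Manager OnDemand: a stdlib-only Python probe that encodes an LDAP v3 simple BindRequest exactly as a client sends it on port 389, parses the BindResponse, and reports the result code. The hostname and password in it are placeholders; the bind DN reuses the one from the thread. It also makes the caveat of ARS_LDAP_USE_SSL=FALSE concrete: the bind password is visible as plain bytes in the request, so anyone on the path between the OnDemand server and the domain controller can read it.

```python
"""LDAP simple-bind probe (stdlib only).  Added example, not code from the
forum thread or from IBM CMOD.  Encodes a BindRequest per RFC 4511, parses the
BindResponse, and distinguishes "no connection / no answer" (what the CMOD log
reports as ldap_rc=81, "Can't contact LDAP server") from "connected but the
directory rejected the bind" (resultCode 49, invalidCredentials).
Hostname and password used below are placeholders, not values from the thread.
"""
import socket

# ---- minimal BER encoding (the subset LDAP needs) --------------------------
def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    k = (n.bit_length() + 7) // 8
    return bytes([0x80 | k]) + n.to_bytes(k, "big")

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A): two's complement, minimal length."""
    out = bytearray()
    v = value
    while True:
        out.insert(0, v & 0xFF)
        v >>= 8
        if (v == 0 and not (out[0] & 0x80)) or (v == -1 and (out[0] & 0x80)):
            return ber(tag, bytes(out))

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple[0] password } }."""
    body = ber_int(3) + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x60, body))   # 0x60 = [APPLICATION 0]

# ---- decoding the server's answer ------------------------------------------
def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated LDAP message")
    return tag, buf[pos:pos + length], pos + length

RESULT_NAMES = {0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
                49: "invalidCredentials", 53: "unwillingToPerform"}

def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x61:                        # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("protocolOp is not a BindResponse (tag 0x%02x)" % tag)
    _, rc, pos = _tlv(op, 0)               # ENUMERATED resultCode
    _, _matched_dn, pos = _tlv(op, pos)    # matchedDN, not needed here
    _, diag, _ = _tlv(op, pos)             # diagnosticMessage
    return msg_id, int.from_bytes(rc, "big", signed=True), diag.decode("utf-8", "replace")

def bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """What a server sends back; used here only to build constructed samples."""
    body = ber_int(result_code, 0x0A) + ber(0x04, b"") + ber(0x04, diag.encode())
    return ber(0x30, ber_int(msg_id) + ber(0x61, body))

def probe(host: str, port: int, dn: str, password: str, timeout: float = 5.0) -> dict:
    """Live check: TCP connect, one simple bind, classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request(1, dn, password))
            data = s.recv(65535)
    except OSError as e:
        # Nothing came back at all: the "can't contact LDAP server" case.
        return {"reachable": False, "error": str(e)}
    if not data:
        return {"reachable": True, "error": "server closed the connection without a BindResponse"}
    _, rc, diag = parse_bind_response(data)
    return {"reachable": True, "result_code": rc,
            "result": RESULT_NAMES.get(rc, "other"), "diag": diag}

# Constructed sample exchange (no network): the bind as it appears on the wire.
SAMPLE_REQUEST = bind_request(1, "CN=svc-od-bind-t,OU=Service Accounts", "hunter2")
SAMPLE_REJECT = bind_response(1, 49, "constructed sample: bad password")

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    # With ARS_LDAP_USE_SSL=FALSE this is exactly what crosses the network:
    print(b"hunter2" in SAMPLE_REQUEST)          # True
    print(parse_bind_response(SAMPLE_REJECT))   # (1, 49, 'constructed sample: bad password')
    # Live use against a real domain controller (placeholder host/password):
    # print(probe("dc01.example.com", 389, "CN=svc-od-bind-t,OU=Service Accounts", "secret"))
```

Read the probe's output the way you would read the ldapsearch result: "reachable": False means name resolution, routing or a firewall is the problem and no amount of ars.cfg tuning will help; resultCode 49 means the connection is fine and the bind DN or password in the stash is wrong; resultCode 0 means the server side is good and the remaining fault is in OnDemand's own configuration. Once this works on port 389, the same probe should be the first thing to repeat over TLS on 636, so the password stops travelling in the clear.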


Andreas Baaserud Hauge

Quote from: rjrussel on October 18, 2021, 04:32:08 PM
ldapsearch -h <hostname> -p 389 -w <password> -s sub -b "OU=Service Accounts" -D "CN=svc-od-bind-t,OU=Service Accounts" "(objectClass=user)"

ldapsearch worked like a charm
Reason the base dn looks odd is because I stripped it down to simplify my example for this forum.

ABH

rjrussel


Andreas Baaserud Hauge

Thank you for your replies, @rjrussel!

Main issue here was that I "forgot" to tick on "Enable LDAP" in the Ondemand Administrator Client.
After that, including the changes you suggested for ars.cfg, things started happening with LDAP connectivity.

Now struggling with LDAP SSL, I'll create a new post for that

Again, thank you a ton, rjrussel
ABH