March 6th, 2014 08:00
SRM - LDAP Authentication/AD
Hi,
I'm having trouble with the LDAP authentication available in SRM v6.3. Even after having configured the "server.xml" file located in "\opt\APG\Web-Servers\Tomcat\Default\conf" with the AD information I have, AD authentication doesn't seem to work.
I've heard that if you want to use an AD account in SRM, you first have to create this account in SRM, assign it a role and a profile, and then try to log in with this account. Is that right?
Unfortunately, the existing logs in Centralized Management don't make any mention of the problem. They just say that the attempt to log in to the realm with the AD account has failed. There is no more information about this failure, so I don't get it... Am I missing something?
Here is the part of my "server.xml" file concerning the LDAP authentication:
connectionURL="ldap://IP-of-my-Primary-AD-Server:389"
alternateURL="ldap://IP-of-my-Secondary-AD-Server:389"
connectionName="CN=ServiceAccountToBrowseAD,OU=Organization01,OU=Organization02,DC=mycompany,DC=com"
connectionPassword="Password-of-ServiceAccountToBrowseAD"
userSearch="(sAMAccountName={0})"
userBase="OU=OrganizationUser01,DC=mycompany,DC=com"
referrals="follow"
derefAliases="always"
userSubtree="true" />
After completing this file, I restart all the SRM services (just to be sure everything is OK) and I try to log in using an account located in the OU "OrganizationUser01" of my AD (the account I'm trying to log in with was previously created in SRM with the default profile and all the roles that exist in SRM).
gawanb
March 11th, 2014 09:00
No worries. We can definitely help whenever there is a WebEx session. And just to confirm: you have disabled the local authentication, right? I don't see that you have used a combined REALM, so in that case the local authentication REALM has to be commented out using the XML comment tags. Otherwise LDAP won't work.
- Brijesh
thomps1
March 6th, 2014 08:00
With SRM v3 you currently have to add each AD user as a local user via the GUI. A password is not necessary. Then you must assign a profile, adding the OU,DC string in the "External Members" tab.
Engineering is working on a bulk import tool to make importing many AD users easier, but it is not available at this time.
Simon Thompson
Snr Delivery Specialist, Global Professional Services Delivery
EMC Computer Systems (UK) Limited,
Business Address: EMC Tower, Great West Road, Brentford, TW8 9AN
ITSystemAnalyst
March 7th, 2014 01:00
Firstly many thanks for your help on this issue.
I've just tried what you advised, but it's not working yet.
I've created a profile named "AD Profiles", added the OU,DC string in the "External Members" tab (as shown in the screenshot below) and assigned this profile to the user I'm trying to log in with (the user exists in the OU,DC defined).
Does this configuration map to my "server.xml" file? I may have missed something.
Do you have any idea when the bulk import tool will be available?
Thanks again for your help!
ITSystemAnalyst
March 7th, 2014 02:00
I can't authenticate with my user, but when I query my AD using the dsget command:
I get the information on my user, so I guess the AD string is OK. Or maybe it's a syntax error and SRM is expecting a different syntax?
Should the user created in SRM be named as the CN or as the samid?
Thanks for the information on the bulk import utility!
thomps1
March 7th, 2014 02:00
What error do you get?
If the user cannot authenticate, then the AD OU string may be incorrect.
If the user can authenticate but gets a blank dashboard, then AD authentication is working but the user is not authorized properly in SRM.
There is currently no estimate for when the bulk import utility will be available. It is being tested in engineering.
Simon Thompson
thomps1
March 7th, 2014 03:00
When you added the local user into SRM, did you define a password? If so, remove it and retry. If you can’t authenticate into SRM then the AD string you put into SRM is not working.
Simon Thompson
ITSystemAnalyst
March 7th, 2014 06:00
No I did not define a password.
So it might be the wrong AD string. I will investigate on this side and keep you updated.
Many thanks for your help.
Brian_D1
March 7th, 2014 08:00
This may be a simple question, but does the ID that you are logging into SRM with match the value of the sAMAccountName parameter in AD for that user? Since the 'userSearch' parameter is configured to search on sAMAccountName, the user created in SRM should be named the same as the sAMAccountName parameter value for that AD user.
A nice tool for troubleshooting these types of issues is MS Active Directory Explorer. It's free and you can download it from: http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx
I have found AD Explorer to be helpful in testing/troubleshooting bind user credentials, SRM user credentials, and to explore the AD store itself.
ITSystemAnalyst
March 10th, 2014 01:00
I've just checked, and the ID that I'm logging into SRM with matches the value of the sAMAccountName parameter in AD for my user, and the user created in SRM is named the same as the sAMAccountName parameter value for my AD user.
I'll continue to investigate using MS Active Directory Explorer, to check whether I haven't missed something. Thanks for the link to the tool. I will keep you updated if I find any solution to my issue.
ITSystemAnalyst
March 10th, 2014 02:00
I've checked again with the MS tool and nothing seems wrong. I don't get it, and the logs are not very helpful!
Is there any log that can help me solve this issue?
Actually, the logs only show that my user can't connect to SRM, but nothing else (and in particular not why it fails to authenticate!).
Is there any parameter to set in the config files to raise the log level?
gawanb
March 11th, 2014 08:00
Hi,
Do you have access to the AD server? We can run ldp and verify the details of the service account. Another option, if you can't access the AD server, is to use JXplorer or ADExplorer. We can try to connect to the catalogue using the service account on the port used. This would show all the necessary settings and what needs to be entered in the LDAP configuration. If there is an SR open for this, we can quickly WebEx and troubleshoot.
- Brijesh
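The bind that gawanb suggests checking with ldp, JXplorer or ADExplorer can also be reproduced from the SRM host itself, with nothing but Python's standard library. The script below is an added example for this thread (not SRM, Tomcat or EMC code). It sends the same LDAPv3 simple bind that Tomcat's JNDIRealm sends with connectionName/connectionPassword, then decodes the AD sub-code that states why a bind was refused, which is the detail the realm log in this thread never shows (AD answers resultCode 49 for every account problem and puts the real reason only in the diagnostic message). The host names, the hypothetical file name bind_check.py and the sample diagnostic string are assumptions; the sub-code table is AD's documented AcceptSecurityContext "data" values.

```python
"""Reproduce the simple bind that Tomcat's JNDIRealm performs against AD and
decode AD's bind-failure sub-codes, with no LDAP library. Added example for this
thread; not SRM, Tomcat or EMC code."""
import re
import socket
import ssl
import sys

# --- minimal BER encoding for an LDAPv3 BindRequest / BindResponse (RFC 4511) ---

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(n: int) -> bytes:          # INTEGER, two's complement, minimal length
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, simple [0] password }
    body = _int(3) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x60, body))

def bind_response(msg_id: int, result_code: int, diagnostic: str) -> bytes:
    # BindResponse ::= [APPLICATION 1] { resultCode ENUMERATED, matchedDN, diagnosticMessage }
    body = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _int(msg_id) + _tlv(0x61, body))

def _parse(buf: bytes, pos: int = 0):
    """Return (tag, value, end) for the TLV at buf[pos]; raise on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < pos + n:
            raise ValueError("truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if len(buf) < pos + length:
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(buf: bytes) -> dict:
    tag, msg, _ = _parse(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _parse(msg)
    tag, result, _ = _parse(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _parse(result)
    _, matched, pos = _parse(result, pos)
    _, diag, _ = _parse(result, pos)
    return {"message_id": int.from_bytes(msg_id, "big"), "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}

# AD reports *why* a bind failed only in this sub-code, never in the resultCode
# (always 49 invalidCredentials); a realm log that just says "login failed"
# therefore hides the cause.
AD_BIND_SUBCODES = {"525": "user not found", "52e": "wrong password",
                    "530": "logon not permitted at this time", "531": "logon not permitted from this host",
                    "532": "password expired", "533": "account disabled", "701": "account expired",
                    "773": "password must be reset", "775": "account locked out"}

def ad_failure_reason(diagnostic: str) -> str:
    m = re.search(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)", diagnostic)
    if not m:
        return "no AD sub-code in diagnostic message"
    return AD_BIND_SUBCODES.get(m.group(1).lower(), f"unknown AD sub-code {m.group(1)}")

def simple_bind(host: str, port: int, name: str, password: str, use_tls: bool = False) -> dict:
    """Bind once and return the decoded BindResponse. name may be a DN (what
    JNDIRealm sends) or, against AD, user@domain. Without use_tls (ldap://389 as
    in the thread's server.xml) the password leaves this host in cleartext."""
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, name, password))
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
            try:
                return parse_bind_response(data)
            except (IndexError, ValueError):
                continue                    # response not complete yet
    raise ConnectionError("connection closed before a BindResponse arrived")

if __name__ == "__main__":                  # usage: bind_check.py host port name password [tls]
    host, port, name, password = sys.argv[1:5]
    resp = simple_bind(host, int(port), name, password, use_tls=len(sys.argv) > 5)
    print("resultCode", resp["result_code"],
          "-", ad_failure_reason(resp["diagnostic"]) if resp["result_code"] else "bind OK")
```

Run it once with the connectionName DN and connectionPassword from server.xml, then with a user's sAMAccountName@domain and that user's password; resultCode 0 for both means the failure is not on the AD side, and anything else comes back with the decoded sub-code (wrong password, disabled, locked out, expired) instead of a bare "failed". Against ldap://...:389, as configured in the thread, both passwords cross the network in cleartext; pass the tls argument here and use ldaps:// on 636 in server.xml as well.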
thomps1
March 11th, 2014 08:00
You can check the APG\Modules\Web Servers\Tomcat\Default\logs folder for the audit files, which may help.
I have had nothing but trouble configuring this and often have to reach out to support for an AD-savvy person to assist, as there are a variety of combinations you can code in the server.xml file.
Simon Thompson
Snr Implementation Delivery Specialist, TS Implementations L&SE
ITSystemAnalyst
March 11th, 2014 09:00
Annnnnddddd we have a winner !
You were right!
In my "server.xml" file, the local authentication REALM wasn't commented out, and that's why it didn't work!
The section which has to be commented out in the server.xml file if you want to use LDAP authentication (just after the LDAP REALM authentication part, at the end of the file):
I tried after commenting it out, and LDAP authentication works pretty fine!
I guess everyone who tried to help me may have thought I'd seen it, but I hadn't!
Many thanks to everyone anyway and especially to gawanb, now I know how to use AD tools and how to implement LDAP authentication in SRM.
gawanb
March 11th, 2014 09:00
Great, glad we could help. Also note that if you want to use both local and LDAP authentication, you can use a combined REALM. This is how you do it in the server.xml file.
Local Authentication -->
connectionURL="ldap://ldapserver:389"
connectionName="CN=serviceaccount,CN=Users,DC=prospherelab,DC=pri"
connectionPassword="password"
userSearch="(sAMAccountName={0})"
userBase="DC=prospherelab,DC=pri"
referrals="follow"
derefAliases="always"
userSubtree="true"
/>
- Brijesh
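Both fixes in this thread (comment the local REALM out, or wrap local and LDAP realms in a combined REALM) follow from one Tomcat rule: a container holds a single Realm, so a second sibling <Realm> replaces the one declared before it instead of chaining with it, and only CombinedRealm chains. The script below is an added example for this thread (not SRM, Tomcat or EMC code) that lints a server.xml for exactly that mistake and for two settings a security reviewer would flag in the thread's configuration: plain ldap:// on 389, which sends the service-account password and every user's password in cleartext, and a malformed DN in connectionName or userBase. The sample server.xml is constructed from the thread's attribute values with placeholder hosts; com.example.LocalRealm is a placeholder, since the thread does not name SRM's local realm class.

```python
"""Lint the Realm section of a Tomcat server.xml for the mistake behind this
thread (a local Realm left active next to the LDAP one) and for two weak
settings. Added example for this thread; not SRM, Tomcat or EMC code."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample mirroring the thread's server.xml with placeholder hosts.
# com.example.LocalRealm is a placeholder: the thread does not name SRM's
# local realm class, only that it is a second Realm placed after the LDAP one.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://ad1.mycompany.com:389"
         alternateURL="ldap://ad2.mycompany.com:389"
         connectionName="CN=ServiceAccountToBrowseAD,OU=Organization01,OU=Organization02,DC=mycompany,DC=com"
         connectionPassword="Password-of-ServiceAccountToBrowseAD"
         userSearch="(sAMAccountName={0})"
         userBase="OU=OrganizationUser01,DC=mycompany,DC=com"
         referrals="follow" derefAliases="always" userSubtree="true" />
  <!-- Local Authentication -->
  <Realm className="com.example.LocalRealm" />
  <Host name="localhost" appBase="webapps" />
</Engine></Service></Server>"""

# The thread's fix: comment the local Realm out. The XML parser drops comments,
# which is exactly why a commented-out Realm no longer exists for Tomcat.
COMMENTED_SERVER_XML = BROKEN_SERVER_XML.replace(
    '<Realm className="com.example.LocalRealm" />',
    '<!-- <Realm className="com.example.LocalRealm" /> -->')

# gawanb's alternative: keep both, nested in Tomcat's CombinedRealm, and move
# the directory connection to ldaps:// (port 636) while at it.
COMBINED_SERVER_XML = (BROKEN_SERVER_XML
    .replace('<Realm className="org.apache.catalina.realm.JNDIRealm"',
             '<Realm className="org.apache.catalina.realm.CombinedRealm">\n'
             '  <Realm className="org.apache.catalina.realm.JNDIRealm"')
    .replace("ldap://ad1.mycompany.com:389", "ldaps://ad1.mycompany.com:636")
    .replace("ldap://ad2.mycompany.com:389", "ldaps://ad2.mycompany.com:636")
    .replace('<Realm className="com.example.LocalRealm" />',
             '<Realm className="com.example.LocalRealm" />\n  </Realm>'))

CONTAINERS = {"Engine", "Host", "Context"}
DN_RE = re.compile(r"\s*\w+=[^,=]+(?:,\s*\w+=[^,=]+)*")


def lint_realms(server_xml: str) -> list:
    """Return findings as strings; an empty list means the Realm setup is sane."""
    root = ET.fromstring(server_xml)
    findings = []
    # A Tomcat container holds one Realm: each <Realm> child replaces the one
    # declared before it, so siblings never chain; only CombinedRealm chains.
    for container in root.iter():
        if container.tag in CONTAINERS:
            realms = [r for r in container if r.tag == "Realm"]
            if len(realms) > 1:
                names = [r.get("className", "?").rsplit(".", 1)[-1] for r in realms]
                findings.append(f"{container.tag}: {len(realms)} sibling Realms {names}; "
                                f"only the last one ({names[-1]}) is used. Comment the "
                                "others out or nest them in a CombinedRealm.")
    for realm in root.iter("Realm"):
        if realm.get("className", "").endswith("JNDIRealm"):
            findings.extend(_lint_jndi_realm(realm))
    return findings


def _lint_jndi_realm(realm) -> list:
    out = []
    for key in ("connectionURL", "alternateURL"):
        url = realm.get(key)
        if url and urlparse(url).scheme != "ldaps":
            out.append(f"{key}={url}: not ldaps://, so the service-account bind and "
                       "every user's password cross the network in cleartext")
    if "{0}" not in realm.get("userSearch", ""):
        out.append("userSearch lacks the {0} placeholder, so the login name is never "
                   "substituted into the filter")
    for key in ("connectionName", "userBase"):
        value = realm.get(key)
        if value is not None and not DN_RE.fullmatch(value):
            out.append(f"{key}={value!r} is not a valid DN")
    return out


if __name__ == "__main__":
    for label, xml in (("broken", BROKEN_SERVER_XML), ("commented", COMMENTED_SERVER_XML),
                       ("combined", COMBINED_SERVER_XML)):
        print(f"{label}: {lint_realms(xml) or 'OK'}")
```

Run against the broken sample it reports the two sibling Realms (the LDAP one silently lost to the local one that follows it) plus the two cleartext ldap:// URLs; the commented-out variant clears the first finding, and the CombinedRealm variant on ldaps:// comes back clean. connectionPassword still sits in server.xml in cleartext in every variant, so keep that file readable only by the account the Tomcat service runs as.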
gawanb
March 11th, 2014 09:00
Haha. Thanks. Glad it worked. Good luck