Can't get LDAP to work in 10.0

LDAP authentication is not working in MWS 10.0 even though it has the same setup as MWS 9.7, which is working.
In 10.0 MWS I can go to Users and select the Directory Services LDAP connection, and it returns the correct list of users. This tells me LDAP works; however, I can't log in with the ID/password set up in LDAP.
All this works fine in 9.7 MWS. Is there some new setup I am missing?

Snippet from full.log:

2017-09-05 15:25:50 CDT (Framework:INFO) [qtp1925079304-254] [RID:63] - Trying to authenticate user: g556083:q:
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - Cannot retrieved user [g556083:q:] from cache com.webMethods.portal.portlet.wm_xt_ldapdirsvc.service.LdapDirCache:m_cacheEnabled = [true];m_authenticateCacheEnabled = [true];m_dnCacheEnabled = [true];m_queryCacheEnabled = [true];m_uriCacheEnabled = [true];m_timeout = [3600000];m_authenticateTimeout = [120000];m_capacity = [1000];m_authenticateCapacity = [1000];
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - directory search:
query: (&(&(objectclass=person)(memberof=cn=ecommerce infrastructure,ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com))(samaccountname=g556083:q:))
scope: SCOPE_SUB
timeout: 0s
baseDN: ou=sites,dc=genmills,dc=com
maxSize: 0
attributes: '' , 'mail' , 'sAMAccountName' , 'givenName' , 'name' , 'cn' , 'sn' , 'objectclass'
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - directory search results:
time: 5ms
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - searchResults count: 0
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - LdapPagingCookie: start: 1 end: 21474836 total: 0 pageSize: 21474900 pageIndex: 0 pageCount: 0 sort: cn order: ascending resourceID: /meta/default/wm_xt_ldapdirsvc/0000010698 view: null userID: /meta/default/user/0000000001 query: null
2017-09-05 15:25:50 CDT (directory:DEBUG) [qtp1925079304-254] [RID:63] - Cannot retrieved user [g556083:q:] from cache com.webMethods.portal.portlet.wm_xt_sysdirsvc.service.SystemDirCache:m_cacheEnabled = [true];m_authenticateCacheEnabled = [true];m_dnCacheEnabled = [true];m_queryCacheEnabled = [false];m_uriCacheEnabled = [true];m_timeout = [2147483646];m_authenticateTimeout = [120000];m_capacity = [1000];m_authenticateCapacity = [1000];
2017-09-05 15:25:50 CDT (Framework:WARN) [qtp1925079304-254] [RID:63] - Authentication failed for user g556083:q:
2017-09-05 15:25:50 CDT (Framework:INFO) [qtp1925079304-254] [RID:63] - Validate::handle() - failed to login
2017-09-05 15:25:56 CDT (Framework:INFO) [qtp1925079304-255] [RID:64] - Request [rrv2od491f9unottko6hlt1x:SysAdmin] http://xmedid1.genmills.com:8687/ (POST)
2017-09-05 15:25:58 CDT (Framework:INFO) [qtp1925079304-256] [RID:65] - Request [1gna1skegqikalddzrc5vkkym:Guest] http://xmedid1:8687/user.current.start.page (POST)
2017-09-05 15:25:58 CDT (Framework:INFO) [qtp1925079304-256] [RID:65] - Trying to authenticate user: g556083
2017-09-05 15:25:58 CDT (directory:DEBUG) [qtp1925079304-256] [RID:65] - Cannot retrieved user [g556083] from cache com.webMethods.portal.portlet.wm_xt_ldapdirsvc.service.LdapDirCache:m_cacheEnabled = [true];m_authenticateCacheEnabled = [true];m_dnCacheEnabled = [true];m_queryCacheEnabled = [true];m_uriCacheEnabled = [true];m_timeout = [3600000];m_authenticateTimeout = [120000];m_capacity = [1000];m_authenticateCapacity = [1000];
2017-09-05 15:25:58 CDT (Framework:WARN) [qtp1925079304-256] [RID:65] - retrun null since DN [cn=doug dunn,ou=users,ou=mgo,ou=sites,dc=genmills,dc=com] doesn’t match baseDN [ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com]

Hi,

What do you get if you run the exact same query using a tool like http://www.ldapadmin.org/?

Your query:

(&(&(objectclass=person)(memberof=cn=ecommerce infrastructure,ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com))(samaccountname=g556083:q))

Remember to set it using the same credentials and certificates as your server.

Best Regards,

Gerardo,

I should have been clearer in my post. What is happening is that LDAP works great in 9.7.
The exact same setup in 10.0 doesn't allow us to log in with the LDAP password. The odd part is that the Users tab in MWS, when you select the LDAP Directory Service, pulls in the right list of users. This means that it is connecting to LDAP to get this list of users. I have attached a screenshot. The error I posted earlier makes it look like some sort of cache issue, but I don't know what that is yet.

Doug

Hi Doug,

Looks like some mismatch in the LDAP query.

Due to this line from the original post:
2017-09-05 15:25:58 CDT (Framework:WARN) [qtp1925079304-256] [RID:65] - retrun null since DN [cn=doug dunn,ou=users,ou=mgo,ou=sites,dc=genmills,dc=com] doesn’t match baseDN [ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com]

Did you shut down and restart MWS to reset the cache and try again?

Regards,
Holger

Sadly, the restart didn't help. What is odd is that the LDAP setup works fine in 9.7, just not in 10.
In 10.0 MWS the LDAP query returns the user list, but I'm not sure why it says there is a mismatch after the query comes back.
This doesn't happen in 9.7.

Hi,

That message comes from the mismatch in the Directory Service entry you created.

Verify that with the allowed login query (which does not follow LDAP query rules).

Best Regards,
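The warning quoted twice in this thread is a DN suffix check: the entry the search returned (cn=doug dunn,ou=users,ou=mgo,ou=sites,dc=genmills,dc=com) does not sit under the base DN configured for the login lookup (ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com), so the directory service discards it and the login fails even though the user list displays fine. The Python below is an added example, not MWS or Software AG code. It reimplements that suffix check with a simplified RFC 4514 DN normalisation (case-insensitive types and values, whitespace around commas ignored, backslash-escaped commas honoured; multi-valued RDNs and hex escapes are out of scope), and, because the log shows the typed user name dropped straight into the search filter, it also rebuilds the same login filter with RFC 4515 escaping of the user-supplied value. The DNs and the filter shape are taken from the log above; the function names and the behaviour of the check itself are assumptions, not the product's implementation.

```python
"""Added example: reproduce the "DN [...] doesn't match baseDN [...]" check
from the MWS log and build the login filter with the user name escaped.

Not MWS code. DN handling is a simplified RFC 4514 normalisation that is
good enough for the DNs in the log; it does not cover multi-valued RDNs
(a=b+c=d) or hex-escaped values.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Values copied from the log lines in the original post.
USER_DN = "cn=doug dunn,ou=users,ou=mgo,ou=sites,dc=genmills,dc=com"
SEARCH_BASE_DN = "ou=sites,dc=genmills,dc=com"
LOGIN_BASE_DN = ("ou=other groups,ou=is security groups,"
                 "ou=information systems,dc=genmills,dc=com")
GROUP_DN = ("cn=ecommerce infrastructure,ou=other groups,"
            "ou=is security groups,ou=information systems,"
            "dc=genmills,dc=com")


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split text on sep, leaving backslash-escaped separators intact."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> List[RDN]:
    """Return [(type, value), ...] lower-cased with insignificant spaces collapsed."""
    rdns: List[RDN] = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr.strip().lower(), " ".join(value.strip().lower().split())))
    return rdns


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or is a descendant of it (suffix match on RDNs)."""
    entry, base = parse_dn(dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


# RFC 4515 filter escaping: these are the only characters that change meaning
# inside an assertion value; escape the backslash too so escapes cannot nest.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_login_filter(username: str, group_dn: str) -> str:
    """Same filter shape as the log's directory search, with user input escaped."""
    return (
        "(&(&(objectclass=person)"
        f"(memberof={escape_filter_value(group_dn)}))"
        f"(samaccountname={escape_filter_value(username)}))"
    )


if __name__ == "__main__":
    print("filter:", build_login_filter("g556083", GROUP_DN))
    for base in (SEARCH_BASE_DN, LOGIN_BASE_DN):
        verdict = "accepted" if dn_under_base(USER_DN, base) else "rejected (DN not under baseDN)"
        print(f"baseDN {base!r}: {verdict}")
```

Run stand-alone, the script shows the same entry accepted under the search base ou=sites,dc=genmills,dc=com and rejected under the login base, which is the situation the log describes: the user search and the login check are scoped to different subtrees. The corresponding check from the command line, with host and bind account as placeholders, is an OpenLDAP ldapsearch such as `ldapsearch -H ldap://<host> -D '<bind account>' -W -b 'ou=sites,dc=genmills,dc=com' '(&(objectclass=person)(memberof=cn=ecommerce infrastructure,ou=other groups,ou=is security groups,ou=information systems,dc=genmills,dc=com)(sAMAccountName=g556083))' dn`, run with the same credentials the server uses, as Gerardo suggests.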