How to get users from the configured LDAP Authentication

In the System Management Hub we have configured authentication via an LDAP connection. When we test with the Validate button, we pass the 4 tests succesfully.

Then we want to add Users in Centrasite, and associate them with users from the LDAP, with the button Associate… However when in the Associate User screen, using the Search button, we don’t find any. All the time, whatever we type in the Search textbox, we get the message “There are no results matching your search criteria”.

How do I find the LDAP users?

We are using Centrasite Community Edition 8.2 SP1.

Hi Dirk,

the first user associated with an external LDAP users needs to be added by hand by typing the correct DOMAIN\User information in the lower left corner of the Associate user dialog. Make this user a CentraSite Administrator. As soon as you are logged in with this LDAP user, you can search LDAP, depending on your LDAP permissions of course.

Regards,
Gerald

Hi Gerald, thanks for your suggestions. I tried to do so: I created a user MYDOMAIN\test (it exists in the LDAP, and with that user I pass the tests in the SMH) in the lower left corner (‘Type Domain User:’) of the Associate user dialog. I can see the new user in the Users list (with the UserID in capitals for some reason?).

Then I tried to make this user a CentraSite Administrator. I guess you mean to do that in the System Management Hub, don’t you? (I can also assign a role CentraSite Administrator to the new user…)

When I try Add Administrator in the SMH with the checkbox ‘Check SIN Authentication’ active, and I enter the new user, I get the warning “User ‘MYDOMAIN\test’ can’t authenticate.”

So I try with the checkbox inactive. Then the new user turns up in the list of CentraSite Administrators (with a forward slash: MYDOMAIN/test?).

Then I hope to log on with the new user, but I get “INMBAE0001: Log on failed. Make sure your user name and password are correct.”. I have tried to log on with ‘test’, ‘TEST’, ‘MYDOMAIN\test’, ‘MYDOMAIN/test’, ‘MYDOMAIN\TEST’, ‘MYDOMAIN/TEST’, all of them fail to log on.

More ideas?

Hi Dirk,

sorry for being unclear, in the first part, when you define a user in CentraSite, I actually meant “assign a role CentraSite Administrator to the new user”. I am not sure why the UserID is changed to upper case by CentraSite login is case sensitive so the correct user in your case to log in with is MYDOMAIN\TEST, as shown also under the “User ID” tab in the user list. When you try with that user again, please have a look in the log wrapper.log in the directory /profiles/CTP/logs, is an error shown and does it give us any clue. One last try could be to restart the CentraSite database and if that also fails, I need to tell you how to switch on security logging.

Regards,
Gerald

In the wrapper.log (attached) there is a lot of:

javax.security.auth.login.LoginException: SSX Error: User login failed (-16)

I also gave my test user the role CentraSite Administrator. Doesn’t make a difference.

On start-up there have been errors like:

Pre-initialize of database connection failed. Will be retried on next findTargetId invocation. Cause: java.io.IOException: Server returned HTTP response code: 502 for URL: http://:53305/CentraSite_authenticated/CentraSite/ino:dav/ino:dav/passman/defaultPassStore.dat

And occasionally the following messages:

WARN (com.centrasite.federation.server.FederationSOAPBindingImpl:62) - Federation Administrator is not defined.
WARN : Remove plug-in ‘com.centrasite.control’ from registry without removal of depending plug-ins
ERROR: Plug-in com.centrasite.federation.ui: required plug-in ‘com.centrasite.control’ not found
WARN : Remove plug-in ‘com.centrasite.federation.ui’ from registry without removal of depending plug-ins
ERROR: Plug-in com.softwareag.centrasite.policy: required plug-in ‘com.centrasite.control’ not found
WARN : Remove plug-in ‘com.softwareag.centrasite.policy’ from registry without removal of depending plug-ins
ERROR: Plug-in soalink.plugin: required plug-in ‘com.centrasite.control’ not found
WARN : Remove plug-in ‘soalink.plugin’ from registry without removal of depending plug-ins
WARN : Remove plug-in ‘com.softwareag.systemmanagementhub’ from registry without removal of depending plug-ins

Does that give a clue?
wrapper.20130218.log (268 KB)

Hi Dirk,

please find the jaas.config file in your installation, normally in the folder /profiles/CTP/config, copy it to a safe location and modify the PluggableUI login context by adding the following lines:

nativeLogLevel=“6”
nativeLogFile="/tmp/jaas_ssx.log"
useLog=“TRUE”
logLevel=“DEBUG”
logFile="/tmp/jaas_sin.log"

if you use Windows, please adopt the path names accordingly. Make sure the five lines are added before the first line ending with a “;”

Then have a look at the two generated log files, does this give a further clue?

Regards,
Gerald

P.S.: Could you please restart the CentraSite DB in SMH before your next try?

OK we did so:

The jaas.config (attached) now has the following lines:

PluggableUI {
com.softwareag.security.jaas.login.ssx.SSXLoginModule optional
options_url = “http://:53305/CentraSite/CentraSite/ino:noauth:GetSinConfiguration=”
CreateGroups = “false”
rmiServerAddress = “”
rmiServerPort = “53313”
UseDomainForOptionsURL = “true”
rmiEnabled = “true”
nativeLogLevel=“6”
nativeLogFile=“D:\SoftwareAG\profiles\CTP\logs\jaas_ssx.log”
useLog=“true”
logLevel=“DEBUG”
logFile=“D:\SoftwareAG\profiles\CTP\logs\jaas_sin.log”
template_section = “”;

Then in the jaas_sin.log (attached) maybe this is interesting:

ERROR, Message: TEMPLATE_SECTION must not be null or empty.

While in the jaas.config there is: template_section = “LDAP”

And

ERROR, Message: E 10:31:18 (00000fd8AuthUser_W: login of user ‘TEST’ (host:, port:389) failed.

Why is the host IP-address missing? Is it checking at the LDAP server at all?

There was no file jaas_ssx.log…
jaas_sin.log.txt (516 KB)
jaas.config.txt (3.92 KB)

Hi Dirk,

I think you are right, the empty template section is odd. Cuuld you please replace the two lines

logFile=“D:\SoftwareAG\profiles\CTP\logs\jaas_sin.log”
template_section = “”;

with

logFile=“D:\SoftwareAG\profiles\CTP\logs\jaas_sin.log”;

and try again. Please denote the “;” at the end in order to signal that one subsection is finished.

Regards,
Gerald

Hi Gerald, yes that worked! Now I can log on using the LDAP user. That’s great. Next step is to retrieve some other users from the LDAP. That doesn’t work yet, maybe because of my LDAP autorisations. I will check on that and get back here.

Thanks! Dirk

Now I have a LDAP user that should have read access to the LDAP. I can log in to CentraSite with that user. Now I want to add more users from the LDAP. So I click Associate… in the Add User screen. I get the window Associate User. In this window unfortunately the Search doesn’t work: I cannot even enter the attribute to search for, there is only an empty droplist. See attached picture.

Do I have to complain at my LDAP Manager that my permissions are not yet appropriate? Or is there something else? Which logfile should point this out?

Above message was mine :slight_smile:

Hi Dirk,

the question is what kind of field did you specify on the second page of the LDAP configuration in SMH, or did you use the command line tool? The fields defined there determine the available search field and should match your LDAP settings which you usually get from the LDAP administrator. I attached a simple example where the left side refers to the possible values that CentraSite can handle and the right side defined the corresponding attribute name(s) in your LDAP repository.

Regards,
Gerald

I see… I had all those fields blank. Now I filled in the mapping for a few attributes, and indeed those attributes appear in the droplist. Now I can also add other individual users from the LDAP.

When searching with wildcard *, or otherwise wih a large resultset, it looks like the Centrasite database crashes…

But that is something else, I will have to look in the logfiles for this.

I think for now this topic is solved.

Thanks a lot Gerald!