The community will be in read-only from Monday 11:59pm (PT) to Wednesday 7:30am (PT)
UCMDB and UD Practitioners Forum (Previously CMS)

uCMDB LDAP Integration

Jason Leshchysh
Occasional Visitor

uCMDB LDAP Integration

Hello,

I am trying to integrate HP uCMDB 9.03 with Active Directory and I've run into a roadblock.

I have finally got the app to log in and verified the connection using the jmx console.

The problem is there are no groups showing up.

 

Here are my settings:

LDAP Server URL ldap://dc.test.com:389/OU=Users,OU=Users and Computers,DC=test,DC=com??sub

LDAP Vendor Type: MS Active Directory

Users Filter : (&(sAMAccountName=*)(objectclass=user)) 

Groups Base DN: DC=test, DC=com

Groups Search Filter: (|(objectclass=group)(objectclass=groupOfNames)(objectclass=groupOfUrls)(objectclass=accessGroup)(objectclass=accessRole)) 

Root Groups Base DN: OU=APPS,OU=Security Groups,OU=Users,OU=Users and Computers,DC=test,DC=com

Root Groups Filter: (|(objectclass=group)(objectclass=groupOfNames)(objectclass=groupOfUrls)(objectclass=accessGroup)(objectclass=accessRole)) 

Root Groups Scope: sub

Scope for Groups Search: sub

Group Class Object: group

Groups Member Attribute: member

Users Object Class: user

UUID attribute: sAMAccountName

 

Can anyone who has integrated with AD tell me what I did wrong?

 

 

P.S. This thread has been moved from Application Perf Mgmt (BAC / BSM) Support and News Forum to CMS and Discovery Support and News Forum. - Hp Forum Moderator

"I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky, Animaniacs
4 REPLIES
Mohamed_Farid
Super Collector

Re: uCMDB LDAP Integration

Hi Jason,

 

Use the filter below instead, then check the LDAP mapping section (it can take a long time until it syncs the groups since the filter is set to *):

Group Base Filter  (&(objectClass=*)(name=*))

Root Group Filter   (&(objectClass=*)(name=*))

 

 

 

If these filters worked, adjust the filter to only pass your groups (assuming your groups are called "MyUCMDBGroup"):


Group Base Filter  (&(objectClass=*)(name=*MyUCMDBGroup*))

Root Group Filter   (&(objectClass=*)(name=*MyUCMDBGroup*))

User Filter  (&(sAMAccountName=*)(objectClass=user))

 

 

Let me know if that worked.

 

Regards

Jason Leshchysh
Occasional Visitor

Re: uCMDB LDAP Integration

Same problem.

I noticed something that is probably the cause of my grief. 

In using the verifyLDAPCredentials in the jmx console, the account I use says "does not pass LDAP authentication".

The problem is none of the accounts I use seem to pass, from read only accounts to domain admin.

I know they do work because I have used ADExplorer (from sysinternals) to validate them.

So what would cause them to fail in uCMDB but work in another app?

 

"I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky, Animaniacs
Hexpert
Regular Collector

Re: uCMDB LDAP Integration

Jason,

 

I just noticed that your LDAP URL contains OUs. If your domain is test.com, can you try the LDAP URL below instead:

 

ldap://dc.test.com:389/DC=test,DC=com??sub

 

Also change the group base DN to:

 

Group Base DN          :   DC=test,DC=com

Root Group Base DN :   DC=test,DC=com

 

Group Base Filter  (&(objectClass=*)(name=*))

Root Group Filter   (&(objectClass=*)(name=*))

 

You can get the DN for the search-entitled user from ADExplorer or using dsquery. Anyhow, the default DN for an out-of-the-box AD should be something like:

CN=Administrator,CN=Users,DC=test,DC=com

 

 

Everything else should remain the same.

 

Regards
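
Added example, not part of any post in this thread and not uCMDB code: standard-library Python that splits the LDAP URLs quoted above using the RFC 4516 layout and checks search filters for structural errors (RFC 4515 grouping) before they go into the settings. The function names `parse_ldap_url` and `filter_error` are hypothetical; IPv6 hosts, URL extensions and value escapes are not handled.

```python
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap[s]://host[:port]/dn?attrs?scope?filter (RFC 4516 layout)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    dn, attrs, scope, flt = (unquote(p) for p in (tail.split("?") + [""] * 3)[:4])
    return {"host": host, "base_dn": dn,
            "port": int(port or (636 if scheme.lower() == "ldaps" else 389)),
            "attributes": [a for a in attrs.split(",") if a],
            "scope": scope or "base",            # RFC 4516 default when omitted
            "filter": flt or "(objectClass=*)"}  # RFC 4516 default when omitted

def _filter_end(s, i):
    """Return the index just past the filter that starts at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i, count = _filter_end(s, i), count + 1
        if count == 0 or (op == "!" and count != 1):
            raise ValueError(f"'{op}' must be followed by '(' sub-filter(s), offset {i}")
    else:
        j = s.find(")", i)
        item = s[i:j] if j != -1 else ""
        if "=" not in item or item.startswith("=") or "(" in item:
            raise ValueError(f"bad attribute=value item at offset {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def filter_error(flt):
    """Return None if flt is one well-formed filter, else a short reason."""
    try:
        end = _filter_end(flt, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(flt) else f"unexpected text at offset {end}"

if __name__ == "__main__":
    print(parse_ldap_url("ldap://dc.test.com:389/DC=test,DC=com??sub"))
    for f in ("(&(objectClass=*)(name=*MyUCMDBGroup*))",   # from the thread
              "(&sAMAccountName=*)(objectClass=user))"):    # constructed malformed
        print(f, "->", filter_error(f) or "ok")
```
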


Jason Leshchysh
Occasional Visitor

Re: uCMDB LDAP Integration

OK, so I relented and installed Wireshark on my server. The results are interesting.

I can see the LDAP binding of the service account to be successful, in fact in the results afterwards I can see all of my groups.

However, one of the last sets of queries has this filter:

(&(objectClass=group)(&(objectClass=group)(cn=LDAP Repository)))

 

Am I supposed to have a group called LDAP Repository in my AD?  Can this be changed?

"I think so, Brain, but 'instant karma' always gets so lumpy." - Pinky, Animaniacs