CA APM - LDAP authentication working using "cn" as "usernameAttribute" but not when using "sAMAccountName"

Document ID : KB000116700
Last Modified Date : 02/10/2018
Issue:
With the CA APM Enterprise Manager realms.xml file having the property "usernameAttribute" set to "cn", login testing using Active Directory "cn" names succeeds.
However, after changing "usernameAttribute" in realms.xml to "sAMAccountName", the same testing using Active Directory "sAMAccountName" names returns an error and the user is unable to log in.

For the successful "cn" case the DEBUG em.log shows:
[DEBUG] [main] [Manager.UserManagementService] groupMemberQuery=(&(objectClass=group)(member={0})) 
[DEBUG] [main] [Manager.UserManagementService] bindAuthentication=simple 
[DEBUG] [main] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupObjectQuery=(&(objectClass=group)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupNameAttribute=cn 
[DEBUG] [main] [Manager.UserManagementService] disallowEmptyPassword=true 
[DEBUG] [main] [Manager.UserManagementService] usernameAttribute=cn ... 
[DEBUG] [main] [Manager.RegistryService] Added registry entry at: /service/com.wily.introscope.spec.server.beans.usermgmt.IUserManagementService 
... 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] Found user firstname lastname 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] javaNamingReferral=follow 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[VERBOSE] [PO:main Mailman 7] [Manager.UserManagementService] Attempting to authenticate user by binding to the LDAP server using "CN=firstname lastname,OU=...,OU=...,DC=...,DC=...,DC=..." 
... 
[DEBUG] [PO:main Mailman 7] [Manager.UserManagementService] User 'firstname lastname' is reported by ACA to be a member of groups [groupname] 


For the unsuccessful "sAMAccountName" case the DEBUG em.log shows:
[DEBUG] [main] [Manager.UserManagementService] groupMemberQuery=(&(objectClass=group)(member={0})) 
[DEBUG] [main] [Manager.UserManagementService] bindAuthentication=simple 
[DEBUG] [main] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupObjectQuery=(&(objectClass=group)(cn={0})) 
[DEBUG] [main] [Manager.UserManagementService] groupNameAttribute=cn 
[DEBUG] [main] [Manager.UserManagementService] disallowEmptyPassword=true 
[DEBUG] [main] [Manager.UserManagementService] usernameAttribute=sAMAccountName ... 
[DEBUG] [main] [Manager.RegistryService] Added registry entry at: /service/com.wily.introscope.spec.server.beans.usermgmt.IUserManagementService 
... 
[DEBUG] [PO:main Mailman 4] [Manager.UserManagementService] javaNamingReferral=follow 
[DEBUG] [PO:main Mailman 4] [Manager.UserManagementService] userObjectQuery=(&(objectClass=organizationalPerson)(cn={0})) 
[INFO] [PO:main Mailman 4] [Manager.UserManagementService] "firstname.lastname" Failed to login from host "Node=Workstation_0, Address=..., Type=socket"
Environment:
CA APM 9.x, 10.x
Cause:
Incorrect CA APM Enterprise Manager realms.xml configuration: "usernameAttribute" was changed to "sAMAccountName" but the "userObjectQuery" filter still searched on "cn", so the login name was never matched against the correct attribute.
Resolution:
In the realms.xml file:
1. The "usernameAttribute" property was correctly set to use "sAMAccountName", i.e.:
<property name="usernameAttribute">
<value>sAMAccountName</value>
</property>


2. However, "userObjectQuery" was still set to use "cn" and needed to be changed to "sAMAccountName". This is visible in the DEBUG em.log above, where userObjectQuery still shows (cn={0}) while usernameAttribute=sAMAccountName. The change is:
FROM:
<property name="userObjectQuery">
<value>(&amp;(objectClass=organizationalPerson)(cn={0}))</value>
</property>

TO: 
<property name="userObjectQuery"> 
<value>(&amp;(objectClass=organizationalPerson)(sAMAccountName={0}))</value> 
</property>
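As an added example (not CA's own code or part of this article), the following Python script checks a realms.xml for exactly this mismatch: it pairs each name attribute with its query and reports when the attribute the login name is substituted into ({0}) differs from the configured attribute. The sample XML is constructed to mirror the misconfiguration above; the realm/property/value nesting is assumed, and namespaced tags are tolerated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed realms.xml fragment (assumed wrapper structure) reproducing the
# misconfiguration in this article: usernameAttribute is sAMAccountName, but
# userObjectQuery still filters on cn.
SAMPLE_REALMS_XML = """<realms>
  <realm id="LDAP Realm" active="true">
    <property name="usernameAttribute"><value>sAMAccountName</value></property>
    <property name="userObjectQuery">
      <value>(&amp;(objectClass=organizationalPerson)(cn={0}))</value>
    </property>
    <property name="groupNameAttribute"><value>cn</value></property>
    <property name="groupObjectQuery"><value>(&amp;(objectClass=group)(cn={0}))</value></property>
  </realm>
</realms>"""


def _local(tag):
    """Strip any XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def realm_properties(xml_text):
    """Return {property name: value text} for every <property> in the realms.xml text."""
    props = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "property":
            continue
        for child in elem:
            if _local(child.tag) == "value" and child.text:
                props[elem.get("name")] = child.text.strip()
    return props


def filter_attribute(query):
    """Return the attribute the login name is substituted into, e.g. 'cn' for '(cn={0})'."""
    match = re.search(r"\(([A-Za-z][\w-]*)=\{0\}\)", query)
    return match.group(1) if match else None


def check_realm(xml_text):
    """List every query whose {0} attribute differs from its configured name attribute."""
    props = realm_properties(xml_text)
    pairs = [("usernameAttribute", "userObjectQuery"),
             ("groupNameAttribute", "groupObjectQuery")]
    problems = []
    for attr_key, query_key in pairs:
        attr = props.get(attr_key)
        query_attr = filter_attribute(props.get(query_key, ""))
        if attr is None or query_attr is None:
            problems.append(f"{attr_key}/{query_key}: missing or unparsable")
        elif attr.lower() != query_attr.lower():
            problems.append(f"{query_key} filters on '{query_attr}' but {attr_key}={attr}")
    return problems
```

Run check_realm() on the real file's contents; an empty list means both query filters agree with their name attributes.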