MOM login unsuccessful when using Active Directory LDAP authentication.

Document ID : KB000005354
Last Modified Date : 14/02/2018
Issue:

When trying to log in to a MOM that integrates with AD without using EEM, IntroscopeEnterpriseManager.log on the MOM shows the error below:

 

[DEBUG] [PO:main Mailman 3] [Manager.UserManagementService] Unable to find user "user" because javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
:::::

 

Environment:
All APM Environments using Active Directory-based LDAP.
Cause:

Realms.xml is incorrectly configured. LDAP error code 49 is "invalid credentials", and the Active Directory sub-code in the message, "data 52e", means the domain controller rejected the bind itself: the "bindName" or "bindPassword" the EM presents is wrong (or the password was never encrypted correctly), so the user lookup fails before any user or group query is run.

 

Resolution:

First, ensure "plainTextPasswords" is set to true before the first restart of the EM on the MOM. On startup the EM reads this value as true, encrypts the value of "bindPassword" in place and then sets "plainTextPasswords" to false itself. Enter the password in plain text only while the flag is true; this step is required, as documented in the APM Wiki (a link is provided in the Additional Information section below).

 

Try setting "groupMemberQuery" to:

<property name="groupMemberQuery">
     <value>(&amp;(objectClass=groupOfUniqueNames)(uniquemember=%u))</value>
</property>

Note that the ampersand must be written as "&amp;" because realms.xml is XML; "%u" is replaced by the user's DN at query time. Native Active Directory groups use objectClass=group with the "member" attribute, so the groupOfUniqueNames/uniquemember filter only matches groups that were created with that schema; check the group objects in the directory before relying on it.

 

 

 

If it is not already, set "baseDN" to the domain component (the "DC=" values) of the "bindName" DN, so that the bind account and the search base refer to the same domain. For example, if "bindName" is already defined as:

<property name="bindName">
     <value>CN=user,cn=Users,DC=ad-dev-02,DC=com</value>
</property>

then "baseDN" should look like:

<property name="baseDN">
     <value>DC=ad-dev-02,DC=com</value>
</property>
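The following script is an added example, not part of this article or of the CA APM product: it decodes the "data 52e" sub-code shown in the Issue section and runs the three Resolution checks (plainTextPasswords, baseDN versus the DC= part of bindName, and the %u placeholder in groupMemberQuery) against a realms.xml file before the EM is restarted. The sample realms.xml is constructed for the example; only the <property name="..."><value>...</value></property> layout is taken from the article, and the <realms>/<realm> wrapper element names are assumed (the checks do not depend on them).

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the log line from the article (not a live log).
SAMPLE_LOG_LINE = (
    '[DEBUG] [PO:main Mailman 3] [Manager.UserManagementService] Unable to find user '
    '"user" because javax.naming.AuthenticationException: [LDAP: error code 49 - '
    '80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1]'
)

# Constructed, deliberately misconfigured realms.xml: baseDN points at a different
# domain than bindName, and plainTextPasswords is false although the password is
# still plain text. The <realms>/<realm> wrapper names are assumed.
SAMPLE_REALMS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<realms>
  <realm descriptor="LDAP Realm" id="LDAP Users and Groups" active="true">
    <property name="url"><value>ldap://ad-dev-02.com:389</value></property>
    <property name="bindName"><value>CN=user,cn=Users,DC=ad-dev-02,DC=com</value></property>
    <property name="bindPassword"><value>Secret123</value></property>
    <property name="plainTextPasswords"><value>false</value></property>
    <property name="baseDN"><value>DC=ad-dev-01,DC=com</value></property>
    <property name="groupMemberQuery"><value>(&amp;(objectClass=groupOfUniqueNames)(uniquemember=%u))</value></property>
  </realm>
</realms>
"""

# Active Directory sub-codes returned with LDAP error 49 ("AcceptSecurityContext error, data NNN").
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bindName or bindPassword is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def explain_ad_bind_error(log_line):
    """Return (sub_code, meaning) for an AD 'error code 49' log line, or None if it is not one."""
    if "error code 49" not in log_line:
        return None
    match = _DATA_RE.search(log_line)
    if not match:
        return ("?", "invalid credentials (no AD sub-code present)")
    code = match.group(1).lower()
    return (code, AD_BIND_DATA_CODES.get(code, "unknown AD sub-code"))


def _dc_rdns(dn):
    """Return the DC= components of a DN in their original order and case."""
    return [rdn.strip() for rdn in dn.split(",") if rdn.strip().lower().startswith("dc=")]


def derive_base_dn(bind_name):
    """Build the baseDN the article recommends: the DC= components of bindName."""
    return ",".join(_dc_rdns(bind_name))


def check_realm(realms_xml):
    """Run the article's realms.xml checks; return a list of findings (empty means clean)."""
    root = ET.fromstring(realms_xml)
    props = {}
    for prop in root.iter("property"):            # wrapper element names do not matter here
        value = prop.find("value")
        props[prop.get("name")] = (value.text or "").strip() if value is not None else ""

    findings = []
    bind_name = props.get("bindName", "")
    base_dn = props.get("baseDN", "")
    if not bind_name:
        findings.append("bindName is missing")
    if not props.get("bindPassword"):
        findings.append("bindPassword is empty")
    # Resolution step: baseDN must be the DC= part of bindName (compare case-insensitively).
    if [r.lower() for r in _dc_rdns(base_dn)] != [r.lower() for r in _dc_rdns(bind_name)]:
        findings.append("baseDN %r does not match the DC= components of bindName %r (expected %r)"
                        % (base_dn, bind_name, derive_base_dn(bind_name)))
    # Resolution step: the flag must be true before the first EM restart so the EM encrypts the password.
    if props.get("plainTextPasswords", "").lower() != "true":
        findings.append("plainTextPasswords is not true: set it to true before the first EM restart "
                        "(the EM encrypts bindPassword and flips the flag to false itself)")
    if "%u" not in props.get("groupMemberQuery", ""):
        findings.append("groupMemberQuery does not contain the %u placeholder")
    return findings


if __name__ == "__main__":
    print(explain_ad_bind_error(SAMPLE_LOG_LINE))
    for finding in check_realm(SAMPLE_REALMS_XML):
        print("FINDING:", finding)
```

Run it against a copy of the real realms.xml by replacing SAMPLE_REALMS_XML with the file contents; an empty findings list means the three configuration points from this article are satisfied, and the sub-code decoder tells you whether a remaining failure is still a credential problem (52e) or something else, such as a locked (775) or disabled (533) bind account, which no realms.xml change will fix.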

 

Additional Information: