Unable to login to APM CE (CEM) with LDAP authentication

Document ID : KB000019036
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Problem:

APM CE was just switched to LDAP authentication.

Part of the configuration includes setting up some groups in LDAP.

The appropriate users exist in these new groups.

The names of the groups we created are:

  • ABC_CEM_ANALYSTS
  • ABC_CEM_CONADMINS
  • ABC_CEM_INCIDENTS
  • ABC_CEM_SYSADMINS

but users are unable to successfully authenticate.

Solution:

Documentation on APM CE and LDAP includes the following important information:

for CA CEM, you must create users and all four default security groups on the LDAP server. For example, on the LDAP server you create the cemadmin user as well as the CEM System Administrator security group. Then you assign cemadmin as a member of the CEM System Administrator security group, thus providing cemadmin with CEM System Administrator security group permissions.

The four default security groups you must create in LDAP are:

  • CEM System Administrator
  • CEM Configuration Administrator
  • CEM Analyst
  • CEM Incident Analyst

The user group names you use for CEM in LDAP must exactly match the four default security groups provided for CEM. These four default groups are hard-coded in CEM. The current design does not allow use of ad-hoc security groups in LDAP.

For complete information on using LDAP to secure APM CE (CEM), refer to the CA APM Security Guide.