Using EEM with LDAP, unable to log in to CEM as an LDAP user that was added to the required APM CEM group in EEM.

Document ID : KB000030384
Last Modified Date : 14/02/2018

 Problem:

 Using EEM with LDAP, unable to log in to CEM as an LDAP user that was added to the required APM CEM group in EEM.

  The Safex script registers the APM application in EEM to create the APM user groups and access policies. LDAP users and groups are also added to EEM to enable access. However, for an LDAP user that was added to the required CEM group, the login to CEM fails and the MOM log shows the following error:

 

 [Manager.com.timestock.tess.services.security.APMAuthenticationProvider] Authenticate -  ConnectionExceptioncom.wily.isengard.messageprimitives.ConnectionException:  com.wily.introscope.spec.server.beans.usermgmt.UserMgmtException: EEM failed to find global group "<domain>\<group>" 

 

 Environment:

 APM cluster using EEM authorization with LDAP authentication at the backend.

 

 Cause:

 The root cause of the problem is that the Multiple Domains (Forest) option is enabled in EEM. This is a new feature in EEM 12.x. APM 9.7 still uses EEM SDK 8.4, which does not support that feature, so it must be disabled* to resolve this problem.

 

 Resolution:

 * How to disable Multiple Domains:

   - Log in to the EEM UI, selecting the APM application from the drop-down list

   - Go to the Configure tab

   - Click "User Store" in the left-hand menu

   - Delete any existing Domain Information

   - Create a new Domain Information with a Configuration Type of "Basic LDAP Directory"

 

 Additional Information:
 - To avoid losing users already assigned to the APM groups, export the application from the EEM UI or the Safex command line before disabling the Multiple Domains (Forest) option, and import it back after the change.