I have an update on this.  It looks like I have this working.  Carl's 
suggestion of how to do the bind user format is probably one of the keys to 
unlocking my struggles.  Ben's suggestion about using samAccountName in the 
User Search Filter was also another key.  Some other things I've learned:


- I have to restart the AR service whenever I make a change to the 
configuration.

- Spaces in the Bind User field have to be escaped with a backslash.

- In order to accommodate the different OUs that the user accounts may live in, 
I have to create multiple configurations with each one having the appropriate 
OU in the User Base field.


I get to play with this again tomorrow.  If someone is aware of how to make it 
work with a single configuration to cover all the OUs, I'd like to see it.  It 
doesn't take me all that long to create a new one.  I'll probably break the 
process again as I go along.  I now need to make AREA use a service account 
instead of my own so that I don't have to worry about updating the password 
monthly.  After that, I'll have to make it use LDAPS for increased security.


Thank you to all who provided input.


--Dustin Fawver


HelpDesk Technician

East Tennessee State University



________________________________
From: Action Request System discussion list(ARSList) <arslist@ARSLIST.ORG> on 
behalf of Carl Wilson <carlbwil...@gmail.com>
Sent: Tuesday, November 8, 2016 4:56 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA failures

Hi,
The simple bind user needs to be in the format of the fully qualified 
distinguishedName, including CN, OU and DC values, not Domain/User.

----------------------------------------------

Kind Regards,

Carl Wilson


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 08 November 2016 20:36
To: arslist@ARSLIST.ORG
Subject: Re: AREA failures


Ok.  The arjavaplugin.log file has these two lines that appear for each attempt 
that I try.


<PLUGINSVR> <TNAME: pool-4-thread-4 > <ERROR> <ARPluginContext > < ARPluginContext.java:176 > /* Tue Nov 08 2016 03:31:53.944 */ <ARSYS.AREA.ATRIUMSSO>Login Failed as Atrium SSO Server Location is null

<PLUGINSVR> <TNAME: pool-4-thread-4 > <ERROR> <ARPluginContext > < ARPluginContext.java:176 > /* Tue Nov 08 2016 03:31:54.973 */ <AREA.LDAP>Ldap Authentication failed!javax.naming.CommunicationException: ldap.etsu.edu:389 [Root exception is java.net.ConnectException: Connection refused: connect]


I'm not trying to use the Atrium SSO feature.  As far as the second line goes, 
what I'm not sure of is whether that message is because the credentials I gave 
in the configuration form are failing, or if the credentials I'm giving on the 
login page are failing, or if the LDAP server is simply refusing the AR 
server's attempt to connect.



--Dustin
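The question above (is the second line a bad bind password, a bad user password, or the server refusing the connection?) can be answered from the exception class in the log entry. The following is an added example, not part of the thread or of BMC's product: it parses arjavaplugin.log entries of the shape quoted above and classifies them. The first two sample lines are the two from the message, re-joined onto single lines; the third line is constructed to show what a rejected bind looks like from JNDI (javax.naming.AuthenticationException with LDAP result code 49), which the thread itself does not contain.

```python
"""Triage of AREA plug-in error lines from arjavaplugin.log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines 1-2: the entries quoted in the thread, each re-joined onto one line.
# Line 3: CONSTRUCTED sample of a bind rejected by the directory (not from the thread).
SAMPLE_LOG = """<PLUGINSVR> <TNAME: pool-4-thread-4 > <ERROR> <ARPluginContext > < ARPluginContext.java:176 > /* Tue Nov 08 2016 03:31:53.944 */ <ARSYS.AREA.ATRIUMSSO>Login Failed as Atrium SSO Server Location is null
<PLUGINSVR> <TNAME: pool-4-thread-4 > <ERROR> <ARPluginContext > < ARPluginContext.java:176 > /* Tue Nov 08 2016 03:31:54.973 */ <AREA.LDAP>Ldap Authentication failed!javax.naming.CommunicationException: ldap.etsu.edu:389 [Root exception is java.net.ConnectException: Connection refused: connect]
<PLUGINSVR> <TNAME: pool-4-thread-4 > <ERROR> <ARPluginContext > < ARPluginContext.java:176 > /* Tue Nov 08 2016 03:40:12.001 */ <AREA.LDAP>Ldap Authentication failed!javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
"""

_TIMESTAMP = re.compile(r'/\* (.*?) \*/')
_MODULE = re.compile(r'<(ARSYS\.AREA\.ATRIUMSSO|AREA\.LDAP)>(.*)$')
# host:port named in the JNDI CommunicationException, followed by the TCP-level cause
_REFUSED = re.compile(r'CommunicationException:\s*([^\s:]+):(\d+).*Connection refused')
_AUTH = re.compile(r'AuthenticationException.*error code 49')


@dataclass
class Finding:
    timestamp: str
    module: str
    category: str
    host: Optional[str] = None
    port: Optional[int] = None
    meaning: str = ''


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an AREA plug-in error line, or None for other lines."""
    ts = _TIMESTAMP.search(line)
    mod = _MODULE.search(line)
    if not (ts and mod):
        return None
    module, message = mod.group(1), mod.group(2)
    if module == 'ARSYS.AREA.ATRIUMSSO' and 'Server Location is null' in message:
        return Finding(ts.group(1), module, 'atrium_sso_unconfigured',
                       meaning='Atrium SSO has no server location configured; '
                               'expected when Atrium SSO is not in use, and '
                               'unrelated to the LDAP settings.')
    refused = _REFUSED.search(message)
    if refused:
        # java.net.ConnectException is raised by the socket connect itself, so no
        # LDAP bind was ever sent: neither the configured Bind User credentials nor
        # the password typed on the login page were evaluated.
        return Finding(ts.group(1), module, 'tcp_connect_refused',
                       host=refused.group(1), port=int(refused.group(2)),
                       meaning='TCP connection refused before any bind was sent; '
                               'check the host name, the port and the network path '
                               'from the AR server to the directory.')
    if _AUTH.search(message):
        # The directory answered and rejected the bind: connectivity is fine,
        # the credentials (bind user or the user logging in) are what failed.
        return Finding(ts.group(1), module, 'bind_rejected',
                       meaning='Directory reachable; the bind was rejected with '
                               'LDAP result code 49 (invalid credentials).')
    return Finding(ts.group(1), module, 'other', meaning=message.strip())


def triage(log_text: str) -> List[Finding]:
    """Classify every AREA error line in a log excerpt, skipping unrelated lines."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        where = f'{f.host}:{f.port} ' if f.host else ''
        print(f'{f.timestamp}  {f.category:24} {where}{f.meaning}')
```

Run against the real log, the distinction that matters is the exception class: a CommunicationException wrapping ConnectException is decided at the TCP layer, before any credential reaches the directory, whereas an AuthenticationException means the directory was reached and answered.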

________________________________
From: Action Request System discussion list(ARSList) 
<arslist@ARSLIST.ORG> on behalf of andres tamayo <cycom...@gmail.com>
Sent: Tuesday, November 8, 2016 3:21 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA failures

**
As a recommendation, I always use the ldp.exe tool to validate my setup first and 
make sure every setting is OK before going to the configuration on AR.

To configure plug-in logs, check this document:

https://docs.bmc.com/docs/display/public/ars81/Troubleshooting+AREA+LDAP+plug-in+issues

2016-11-08 15:11 GMT-05:00 Fawver, Dustin 
<faw...@mail.etsu.edu>:

I just tried that and authentication is still failing.  Since I failed to 
mention it the last time, we have an Active Directory environment.  I have also 
tried turning on the plug-in and API logs, but the authentication attempts 
don't seem to be logged there.



Thanks!



--Dustin

________________________________
From: Action Request System discussion list(ARSList) 
<arslist@ARSLIST.ORG> on behalf of andres tamayo <cycom...@gmail.com>
Sent: Tuesday, November 8, 2016 3:06 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA failures

Hi there,

In the User Search Filter field, try uid=$\USER$

2016-11-08 14:59 GMT-05:00 Fawver, Dustin 
<faw...@mail.etsu.edu>:

Greetings!



This is probably an easy one for the vets, but my Googlefu is weak.  On an ARS 
9.1 (no ITSM) system, I have been attempting to set up AREA to authenticate via 
LDAP.  Authentication is failing.  I was trying to use LDAPS, but I have 
reverted back to just LDAP so that I can eliminate any issues regarding SSL for 
now.  The user account that I'm using as my test is present in the User form 
with a blank password.  Since I don't know if the listserv allows for 
screenshots, here are the settings that I have.



EA tab in Server Information

----

RPC Program Number:  390695

RPC timeout:  30

Need To Sync:  300

Authenticate Unregistered Users:  not checked

Cross Reference Blank Password:  checked

Authentication Chaining Mode:  AREA - ARS

Group Mapping:  blank

Ignore Excess Groups:  checked





AREA LDAP Configuration

----

Host Name:  ldap.etsu.edu

Port Number:  389

Bind User:  domain\username

Bind Password:  (supplied)

User Secure Socket Layer:  No

Failover Timeout:  5

Chase Referral:  No

User Base:  ou=FacStaff,dc=etsu,dc=edu

User Search Filter:  cn=$\USER$

Group Membership:  None



Nothing else is filled in on the AREA configuration form.  With the User Base, 
an issue I'm going to run into with that is that user accounts are placed in 
different OUs based on their status with the university.  I had tried a User 
Base of just "dc=etsu,dc=edu", but I don't know if that will work.



I would appreciate any assistance with this.



Thanks!



--Dustin Fawver



HelpDesk Technician

East Tennessee State University
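The thread's conclusions (Carl's point that the Bind User is a full CN/OU/DC distinguishedName rather than DOMAIN\user, Dustin's finding that spaces in that field must be backslash-escaped, sAMAccountName in the User Search Filter, and the User Base question raised in this original post) are string-handling problems, so they can be checked offline. The following is an added example, not code from the thread or from BMC: it builds the bind DN with RFC 4514 escaping, substitutes a login into a $\USER$ filter template with RFC 4515 escaping so that whatever the user types is matched as a literal value, and tests whether a user's DN lies under a given User Base. The account names and OUs in it are constructed; the thread does not give the real ones. The containment check is plain LDAP subtree semantics; whether the AREA plug-in searches the entire subtree below User Base is not established anywhere in the thread.

```python
"""String handling for the AREA LDAP settings discussed in the thread (added example)."""
import re

# RFC 4514: these characters must be backslash-escaped inside an RDN value
# (plus a leading '#' and a leading or trailing space, handled below).
_DN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value: str, escape_all_spaces: bool = False) -> str:
    """Escape one attribute value for use inside a DN.

    RFC 4514 only requires escaping the special characters, a leading '#', and a
    leading or trailing space. escape_all_spaces=True also escapes interior
    spaces, which is what Dustin reports the AREA Bind User field needs.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (escape_all_spaces or i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_dn(cn: str, ous: list, dcs: list, escape_all_spaces: bool = False) -> str:
    """Assemble CN=...,OU=...,DC=... (the full DN form Carl describes, not DOMAIN\\user)."""
    rdns = ['CN=' + escape_rdn_value(cn, escape_all_spaces)]
    rdns += ['OU=' + escape_rdn_value(ou, escape_all_spaces) for ou in ous]
    rdns += ['DC=' + escape_rdn_value(dc, escape_all_spaces) for dc in dcs]
    return ','.join(rdns)


# RFC 4515: characters that carry meaning in a filter are hex-escaped in values.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template: str, login: str) -> str:
    """Substitute a login into an AREA-style template such as 'sAMAccountName=$\\USER$'.

    The login is escaped first, so a typed wildcard or parenthesis is looked up as
    a literal account name instead of changing the filter's structure.
    """
    rendered = template.replace('$\\USER$', escape_filter_value(login))
    return rendered if rendered.startswith('(') else '(' + rendered + ')'


def _normalise_dn(dn: str) -> list:
    """Split a DN on unescaped commas; AD compares these RDNs case-insensitively."""
    return [rdn.strip().lower() for rdn in re.split(r'(?<!\\),', dn)]


def base_covers(user_base: str, entry_dn: str) -> bool:
    """True if entry_dn sits at or below user_base (subtree containment).

    Shows why a User Base of ou=FacStaff,dc=etsu,dc=edu cannot find an account
    kept in another OU, while dc=etsu,dc=edu contains every OU of the domain.
    """
    base, entry = _normalise_dn(user_base), _normalise_dn(entry_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == '__main__':
    # Constructed service-account DN; 'Remedy Service' and 'Service Accounts' are placeholders.
    print(build_bind_dn('Remedy Service', ['Service Accounts'], ['etsu', 'edu'],
                        escape_all_spaces=True))
    print(render_user_filter('sAMAccountName=$\\USER$', 'dfawver'))
    print(render_user_filter('sAMAccountName=$\\USER$', '*'))   # wildcard neutralised
    student = 'CN=Jane Student,OU=Students,DC=etsu,DC=edu'      # constructed entry
    print(base_covers('ou=FacStaff,dc=etsu,dc=edu', student))   # False
    print(base_covers('dc=etsu,dc=edu', student))               # True
```

The escaping split mirrors the two fields on the form: the Bind User is a DN and follows RFC 4514, the User Search Filter is a filter and follows RFC 4515, and the two escape different characters in different ways.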
_ARSlist: "Where the Answers Are" and have been for 20 years_


_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
