Re: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?
If you are able to get onto the 9.1 platform, you can open a defect with BMC regarding it and they will fix I would recommend checking it against 9.1.04 if possible because that's the latest currently available... On Mon, Mar 5, 2018 at 12:45 AM, Narayanan, Radhika < radhika.naraya...@cgi.com> wrote: > Hi, > > > > Thank you. I’m trying to reproduce this error on non-unicode ARS 9.1.03. > If it gives the same error there due to AREA Plugin defect, perhaps it will > be fixed on 9.1.03 ? > > > > *Thanks,* > > *Radhika Narayanan* > > > > *From:* ARSList [mailto:arslist-boun...@arslist.org] *On Behalf Of *LJ > LongWing > *Sent:* Sunday, March 04, 2018 9:51 PM > *To:* ARSList > *Subject:* Re: How does Non-Unicode AR Server handle AREA LDAP > authentication having unicode characters in CN ? > > > > Radhika, > > Ultimately the only thing that matters is the login name, so the CN in AD > shouldn't matter, but apparently, everyone else is working but the unicode > ones aren't?...if that's the case you may be dealing with a defect in the > AREA pluginunfortunately for you, the version that you are on is no > longer supported from a 'code fix' perspectiveso I'm not sure you are > going to be able to get this working without doing either data cleanup to > remove all of the unicode characters, or potentially converting to unicode > yourselfunfortunately, if the problem is in the area plugin in relation > to unicode, converting to unicode for Remedy might not help you out... > > > > On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika < > radhika.naraya...@cgi.com> wrote: > > Hi, > > > > We’ve a non-unicode AR Server. Remedy Login Ids are in English only both > on AD and AR Server. > > Where the Active Directory had First or Last Name with Unicode character > such as Vytautas Morkūnas, the corresponding name will be held in ITSM > CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character > ū as it is currently installed as non-unicode). When this user logs in with > correct AD password, he/she gets Authentication failed. > > > > In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the > AREA Plugin Log, we see that bind is successful for login id = abc1234 and > AD returns the following : *CN=Morkūnas\, Vytautas > (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. * > > Even though bind is successful, AR still throws authentication failed > error. Is it because AREA Plugin or ARS is unable to read the Unicode > character in CN ?*CN=Morkūnas\, Vytautas (abc1234). *Please suggest how > to get authenticated successfully. > > > > Environment: ARS & ITSM 8.1.02 > > Non-Unicode Setup. > > > > *Thanks,* > > *Radhika Narayanan* > > > -- > ARSList mailing list > ARSList@arslist.org > https://mailman.rrr.se/cgi/listinfo/arslist > <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailman.rrr.se_cgi_listinfo_arslist=DwMFaQ=H50I6Bh8SW87d_bXfZP_8g=blQKSsGpUV3vEddB0ufOi2izy5lUOikNQGO3le4xQkw=VqG7Dzwd_ygboR3qGti7ARgXbQvyjENLC0PLBiR7ugI=HEir2-e0ByIuGYxRvcOWntYIIKtQHzdff1DVDUjBlVY=> > > > > -- > ARSList mailing list > ARSList@arslist.org > https://mailman.rrr.se/cgi/listinfo/arslist > > -- ARSList mailing list ARSList@arslist.org https://mailman.rrr.se/cgi/listinfo/arslist
RE: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?
Hi, Thank you. I’m trying to reproduce this error on non-unicode ARS 9.1.03. If it gives the same error there due to AREA Plugin defect, perhaps it will be fixed on 9.1.03 ? Thanks, Radhika Narayanan From: ARSList [mailto:arslist-boun...@arslist.org] On Behalf Of LJ LongWing Sent: Sunday, March 04, 2018 9:51 PM To: ARSList Subject: Re: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ? Radhika, Ultimately the only thing that matters is the login name, so the CN in AD shouldn't matter, but apparently, everyone else is working but the unicode ones aren't?...if that's the case you may be dealing with a defect in the AREA pluginunfortunately for you, the version that you are on is no longer supported from a 'code fix' perspectiveso I'm not sure you are going to be able to get this working without doing either data cleanup to remove all of the unicode characters, or potentially converting to unicode yourselfunfortunately, if the problem is in the area plugin in relation to unicode, converting to unicode for Remedy might not help you out... On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika <radhika.naraya...@cgi.com<mailto:radhika.naraya...@cgi.com>> wrote: Hi, We’ve a non-unicode AR Server. Remedy Login Ids are in English only both on AD and AR Server. Where the Active Directory had First or Last Name with Unicode character such as Vytautas Morkūnas, the corresponding name will be held in ITSM CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character ū as it is currently installed as non-unicode). When this user logs in with correct AD password, he/she gets Authentication failed. In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the AREA Plugin Log, we see that bind is successful for login id = abc1234 and AD returns the following : CN=Morkūnas\, Vytautas (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. Even though bind is successful, AR still throws authentication failed error. Is it because AREA Plugin or ARS is unable to read the Unicode character in CN ?CN=Morkūnas\, Vytautas (abc1234). Please suggest how to get authenticated successfully. Environment: ARS & ITSM 8.1.02 Non-Unicode Setup. Thanks, Radhika Narayanan -- ARSList mailing list ARSList@arslist.org<mailto:ARSList@arslist.org> https://mailman.rrr.se/cgi/listinfo/arslist<https://urldefense.proofpoint.com/v2/url?u=https-3A__mailman.rrr.se_cgi_listinfo_arslist=DwMFaQ=H50I6Bh8SW87d_bXfZP_8g=blQKSsGpUV3vEddB0ufOi2izy5lUOikNQGO3le4xQkw=VqG7Dzwd_ygboR3qGti7ARgXbQvyjENLC0PLBiR7ugI=HEir2-e0ByIuGYxRvcOWntYIIKtQHzdff1DVDUjBlVY=> -- ARSList mailing list ARSList@arslist.org https://mailman.rrr.se/cgi/listinfo/arslist
Re: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?
Radhika, Ultimately the only thing that matters is the login name, so the CN in AD shouldn't matter, but apparently, everyone else is working but the unicode ones aren't?...if that's the case you may be dealing with a defect in the AREA pluginunfortunately for you, the version that you are on is no longer supported from a 'code fix' perspectiveso I'm not sure you are going to be able to get this working without doing either data cleanup to remove all of the unicode characters, or potentially converting to unicode yourselfunfortunately, if the problem is in the area plugin in relation to unicode, converting to unicode for Remedy might not help you out... On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika < radhika.naraya...@cgi.com> wrote: > Hi, > > > > We’ve a non-unicode AR Server. Remedy Login Ids are in English only both > on AD and AR Server. > > Where the Active Directory had First or Last Name with Unicode character > such as Vytautas Morkūnas, the corresponding name will be held in ITSM > CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character > ū as it is currently installed as non-unicode). When this user logs in with > correct AD password, he/she gets Authentication failed. > > > > In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the > AREA Plugin Log, we see that bind is successful for login id = abc1234 and > AD returns the following : *CN=Morkūnas\, Vytautas > (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. * > > Even though bind is successful, AR still throws authentication failed > error. Is it because AREA Plugin or ARS is unable to read the Unicode > character in CN ?*CN=Morkūnas\, Vytautas (abc1234). *Please suggest how > to get authenticated successfully. > > > > Environment: ARS & ITSM 8.1.02 > > Non-Unicode Setup. > > > > *Thanks,* > > *Radhika Narayanan* > > -- > ARSList mailing list > ARSList@arslist.org > https://mailman.rrr.se/cgi/listinfo/arslist > > -- ARSList mailing list ARSList@arslist.org https://mailman.rrr.se/cgi/listinfo/arslist
How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?
Hi, We’ve a non-unicode AR Server. Remedy Login Ids are in English only both on AD and AR Server. Where the Active Directory had First or Last Name with Unicode character such as Vytautas Morkūnas, the corresponding name will be held in ITSM CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character ū as it is currently installed as non-unicode). When this user logs in with correct AD password, he/she gets Authentication failed. In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the AREA Plugin Log, we see that bind is successful for login id = abc1234 and AD returns the following : CN=Morkūnas\, Vytautas (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. Even though bind is successful, AR still throws authentication failed error. Is it because AREA Plugin or ARS is unable to read the Unicode character in CN ?CN=Morkūnas\, Vytautas (abc1234). Please suggest how to get authenticated successfully. Environment: ARS & ITSM 8.1.02 Non-Unicode Setup. Thanks, Radhika Narayanan -- ARSList mailing list ARSList@arslist.org https://mailman.rrr.se/cgi/listinfo/arslist
Re: AREA LDAP password in 9x
It's in the DB now, AR_System_Configuration_Settin is the name of the view/table. In arschema as, AR System Configuration Setting. On Thu, Aug 4, 2016 at 12:52 PM, William Rentfrow < wrentf...@stratacominc.com> wrote: > ** > > So you update the password in the centralized config - which is > finebut where is it actually stored now? > > > > It's not in ar.conf or anywhere obvious... > > > > William Rentfrow > > wrentf...@stratacominc.com > > Office: 715-204-3061 or 701-232-5697x25 > > Cell: 715-498-5056 > > > _ARSlist: "Where the Answers Are" and have been for 20 years_ -- Brian Gillock ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
AREA LDAP password in 9x
So you update the password in the centralized config - which is finebut where is it actually stored now? It's not in ar.conf or anywhere obvious... William Rentfrow wrentf...@stratacominc.com Office: 715-204-3061 or 701-232-5697x25 Cell: 715-498-5056 ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Re: Turn off AREA LDAP Polling?
Never mind. I found it. For those of you who are wondering - On the EA tab in the Server Information Configuration form, you'll see a box called "Need To Sync". If this is set to 0, Remedy won't periodically make AD checks. From: Sinclair, Keith Sent: Wednesday, March 16, 2016 8:58 AM To: arslist@ARSLIST.ORG Subject: Turn off AREA LDAP Polling? If I recall correctly, there is a way to tell Remedy to not make periodic AD checks every so often with a user's account that signed into Remedy using AREA LDAP but for the life of me, I cannot remember how or where it's done. Anyone know where the setting is at? Keith Sinclair Remedy Development ShopperTrak Chicago, USA O 312.676.8289 ksincl...@shoppertrak.com<mailto:ksincl...@shoppertrak.com> | shoppertrak.com Retail Profitability, Improved. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Re: Turn off AREA LDAP Polling?
And if you are looking for the AR.CONF (ar.CFG for Windows) value it is External-Authentication-Sync-Timeout From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Sinclair, Keith Sent: Wednesday, March 16, 2016 9:05 AM To: arslist@ARSLIST.ORG Subject: Re: Turn off AREA LDAP Polling? ** Never mind. I found it. For those of you who are wondering - On the EA tab in the Server Information Configuration form, you'll see a box called "Need To Sync". If this is set to 0, Remedy won't periodically make AD checks. From: Sinclair, Keith Sent: Wednesday, March 16, 2016 8:58 AM To: arslist@ARSLIST.ORG<mailto:arslist@ARSLIST.ORG> Subject: Turn off AREA LDAP Polling? If I recall correctly, there is a way to tell Remedy to not make periodic AD checks every so often with a user's account that signed into Remedy using AREA LDAP but for the life of me, I cannot remember how or where it's done. Anyone know where the setting is at? Keith Sinclair Remedy Development ShopperTrak Chicago, USA O 312.676.8289 ksincl...@shoppertrak.com<mailto:ksincl...@shoppertrak.com> | shoppertrak.com Retail Profitability, Improved. _ARSlist: "Where the Answers Are" and have been for 20 years_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Re: Turn off AREA LDAP Polling?
I think its AR system Administration Console > General > Server info > EA Tab > Need to Sync. Set this to 0 -- Danny Kellett dkell...@javasystemsolutions.com On Wed, Mar 16, 2016, at 01:57 PM, Sinclair, Keith wrote: > ** > > If I recall correctly, there is a way to tell Remedy to not make > periodic AD checks every so often with a user’s account that signed > into Remedy using AREA LDAP but for the life of me, I cannot remember > how or where it’s done. > > Anyone know where the setting is at? > > *Keith Sinclair* > Remedy Development > ShopperTrak Chicago, USA > *O* 312.676.8289 > ksincl...@shoppertrak.com | shoppertrak.com > *Retail Profitability, Improved.* > > _ARSlist: "Where the Answers Are" and have been for 20 years_ > ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Turn off AREA LDAP Polling?
If I recall correctly, there is a way to tell Remedy to not make periodic AD checks every so often with a user's account that signed into Remedy using AREA LDAP but for the life of me, I cannot remember how or where it's done. Anyone know where the setting is at? Keith Sinclair Remedy Development ShopperTrak Chicago, USA O 312.676.8289 ksincl...@shoppertrak.com<mailto:ksincl...@shoppertrak.com> | shoppertrak.com Retail Profitability, Improved. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
Re: AREA LDAP and SSL3.0/POODLE
Slightly OT, AREA LDAP on 8.1 it's now a Java plugin so for SSL you'll need a Java Keystore versus a Certificate Store. On Thu, Oct 23, 2014 at 12:57 PM, Sinclair, Keith ksincl...@shoppertrak.com wrote: ** Apologies if this has been answered and/or brought up before. Does ARS 8.1 AREA LDAP use SSL3.0 when making calls to Active Directory? I ask because the infrastructure guys are rolling out a series of POODLE fixes and I need to know if this will break anything. Thanks, *Keith Sinclair* *Remedy Development* *ShopperTrak Chicago USA* O: 312.676.8289 | M: 630.946.4744 *ksincl...@shoppertrak.com ksincl...@shoppertrak.com* | @shoppertrak www.shoppertrak.com _ARSlist: Where the Answers Are and have been for 20 years_ -- Brian Gillock Principal Consultant, BGBS, Inc brian.gill...@pbs-consulting.com ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AREA LDAP and SSL3.0/POODLE
Apologies if this has been answered and/or brought up before. Does ARS 8.1 AREA LDAP use SSL3.0 when making calls to Active Directory? I ask because the infrastructure guys are rolling out a series of POODLE fixes and I need to know if this will break anything. Thanks, Keith Sinclair Remedy Development ShopperTrak Chicago USA O: 312.676.8289 | M: 630.946.4744 ksincl...@shoppertrak.commailto:ksincl...@shoppertrak.com | @shoppertrak www.shoppertrak.comhttp://www.shoppertrak.com/ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AREA LDAP SSL
We are running ARS 7.6.04 SP2 on a Windows 2008 Server. Our LDAP servers were changed to require SSL connections to LDAP yesterday, without any warning. Our remedy servers will no longer let users in. I need to enable SSL in LDAP but am having trouble finding out how to create the certificate database. We are running on a Secure system so I am unable to download any additional software to do this. Is there a way to create the cert7.db file using software from the windows 2008 server or remedy? Dan ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP SSL
Dan, check this link https://kb.bmc.com/infocenter/index?page=contentid=S%3AKA319087 - Karthik -- Forwarded message -- From: Daniel Pritchard daniel.b.pritch...@gmail.com Date: 10 February 2014 15:05 Subject: AREA LDAP SSL To: arslist@arslist.org We are running ARS 7.6.04 SP2 on a Windows 2008 Server. Our LDAP servers were changed to require SSL connections to LDAP yesterday, without any warning. Our remedy servers will no longer let users in. I need to enable SSL in LDAP but am having trouble finding out how to create the certificate database. We are running on a Secure system so I am unable to download any additional software to do this. Is there a way to create the cert7.db file using software from the windows 2008 server or remedy? Dan ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years -- - Karthik ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP SSL
Hello Dan, Please refer BMC 7.6.04 Integration document page 402, About certificate databases: AR System uses the Mozilla C-LDAP libraries to support LDAP plug-ins and remote authentication. These libraries enable LDAP plug-ins to use NSS to establish Secure Sockets Layer (SSL) connections with LDAP servers. To do this,NSS requires the LDAP server's certification authority (CA) certificate to be in a certificate database (cert8.db file). To perform the procedures in this appendix, use the command-line certutil utility, which is included in the Mozilla NSS security tools set (see http://www.mozilla.org/projects/security/pki/nss/tools/). So I don't think you have any option from Windows or Remedy to create the cert db file. Thanks. Regards Munesh On Mon, Feb 10, 2014 at 3:05 PM, Daniel Pritchard daniel.b.pritch...@gmail.com wrote: We are running ARS 7.6.04 SP2 on a Windows 2008 Server. Our LDAP servers were changed to require SSL connections to LDAP yesterday, without any warning. Our remedy servers will no longer let users in. I need to enable SSL in LDAP but am having trouble finding out how to create the certificate database. We are running on a Secure system so I am unable to download any additional software to do this. Is there a way to create the cert7.db file using software from the windows 2008 server or remedy? Dan ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP SSL
Thanks for the help. I finally got the Mozilla tools downloaded and installed and created the cert8.db file and it works ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP SSL
This may be of some help. The NSS Tools were installed as a Linux package, but since these are used only to create the .DB files (which you can move to the correct locations on your Windows systems), they may help. https://communities.bmc.com/community/bmcdn/bmc_it_service_support/blog/2013/03/13/remedy-8--digital-certificates Karl Miller | Principal Product Manager - Remedy Platform | BMC Software W 678-779-4998 | C 678-779-4998 The industry’s leading ITSM solution now available via Software as a Service (SaaS) -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Daniel Pritchard Sent: Monday, February 10, 2014 4:36 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP SSL We are running ARS 7.6.04 SP2 on a Windows 2008 Server. Our LDAP servers were changed to require SSL connections to LDAP yesterday, without any warning. Our remedy servers will no longer let users in. I need to enable SSL in LDAP but am having trouble finding out how to create the certificate database. We are running on a Secure system so I am unable to download any additional software to do this. Is there a way to create the cert7.db file using software from the windows 2008 server or remedy? Dan ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Copy AREA LDAP entries
Hello, Wondering if anyone has successfully copied AREA LDAP entries from one ARS to another. We have several entries so exporting would save time, but I was told this had to be done manually through AREA LDAP Configuration. I was able to export entries in arx format from Configuration ARDBC and import them but not sure if this is all that is needed. Any assistance would be welcomed. Thank You, Chad Wilhelm CareTech Solutions [cid:image001.gif@01CEF195.22D02310]http://www.caretech.com/ Helping extraordinary people do extraordinary things Best in KLAS Partial IT Outsourcing 2012 Extensive IT Outsourcing 2008, 2009, 2010 and 2011 Best in KLAS Awards: Software Services www.KLASresearch.comhttp://www.klasresearch.com/ [cid:image003.jpg@01CEF195.B55B8C60] ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years inline: image001.gifinline: image003.jpg
Re: Copy AREA LDAP entries
Chad, If by 'entries', you are referring to the configuration in the AREALDAP form, those values are stored in the ar.cfg file. I routinely copy/paste those entries from an existing environment to a new environment when building it outso I would say yes...it's possible, but not in the export/arx method you are describing. On Thu, Dec 5, 2013 at 6:40 AM, Chad Wilhelm chad.wilh...@caretech.comwrote: ** Hello, Wondering if anyone has successfully copied AREA LDAP entries from one ARS to another. We have several entries so exporting would save time, but I was told this had to be done manually through AREA LDAP Configuration. I was able to export entries in arx format from Configuration ARDBC and import them but not sure if this is all that is needed. Any assistance would be welcomed. Thank You, Chad Wilhelm CareTech Solutions [image: Description: cid:image001.gif@01CDCBC5.16E98150]http://www.caretech.com/ Helping extraordinary people do extraordinary things Best in KLAS Partial IT Outsourcing 2012 Extensive IT Outsourcing 2008, 2009, 2010 and 2011 Best in KLAS Awards: Software Services www.KLASresearch.com http://www.klasresearch.com/ * [image: Description: Description: KLAS_2013]* _ARSlist: Where the Answers Are and have been for 20 years_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: Copy AREA LDAP entries
I noticed when I imported the LDAP entries they created in ar.cfg automatically. I will give your method a try. Thanks LJ. Chad Wilhelm CareTech Solutions [cid:image001.gif@01CEF1A1.A35B4760]http://www.caretech.com/ Helping extraordinary people do extraordinary things Best in KLAS Partial IT Outsourcing 2012 Extensive IT Outsourcing 2008, 2009, 2010 and 2011 Best in KLAS Awards: Software Services www.KLASresearch.comhttp://www.klasresearch.com/ [cid:image002.jpg@01CEF1A1.A35B4760] From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of LJ LongWing Sent: Thursday, December 05, 2013 9:04 AM To: arslist@ARSLIST.ORG Subject: Re: Copy AREA LDAP entries ** Chad, If by 'entries', you are referring to the configuration in the AREALDAP form, those values are stored in the ar.cfg file. I routinely copy/paste those entries from an existing environment to a new environment when building it outso I would say yes...it's possible, but not in the export/arx method you are describing. On Thu, Dec 5, 2013 at 6:40 AM, Chad Wilhelm chad.wilh...@caretech.commailto:chad.wilh...@caretech.com wrote: ** Hello, Wondering if anyone has successfully copied AREA LDAP entries from one ARS to another. We have several entries so exporting would save time, but I was told this had to be done manually through AREA LDAP Configuration. I was able to export entries in arx format from Configuration ARDBC and import them but not sure if this is all that is needed. Any assistance would be welcomed. Thank You, Chad Wilhelm CareTech Solutions Helping extraordinary people do extraordinary thingshttp://www.caretech.com/ Best in KLAShttp://www.caretech.com/ Partial IT Outsourcing 2012http://www.caretech.com/ Extensive IT Outsourcing 2008, 2009, 2010 and 2011http://www.caretech.com/ Best in KLAS Awards: Software Serviceshttp://www.caretech.com/ www.KLASresearch.comhttp://www.caretech.com/ http://www.caretech.com/ http://www.caretech.com/ http://www.caretech.com/ _ARSlist: Where the Answers Are and have been for 20 years_ http://www.caretech.com/ http://www.caretech.com/ _ARSlist: Where the Answers Are and have been for 20 years_ http://www.caretech.com/ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years inline: image001.gifinline: image002.jpg
Re: AREA LDAP 8.0 Configuration Issue
I had this problem... I had to set Authentication Chaining Mode to: AREA - ARS. Hope this is helpful. Larry On Thu, Mar 28, 2013 at 5:50 PM, Kapil Banwari kapil.banw...@gmail.comwrote: If you are using CRBP(Cross Ref Blank password)= True, and you have mainly AR groups (not specific AD groups) which you need to use, make sure in AREA LDAP configuration form, in the License Mask and in the Write license (under Defaults and Mapping attributes to user information), you don't have any value mentioned over there. If it is blank, it is going to pick the licenses from User form, and you should get token as per mentioned in user form. If there is no specific reason to use chaining mode, it can be set to off, as by default it is set to first go to ARS and then to AREA. If you are using any sso plugin, then in those cases chaining is usually helpful and enabled. By default, the way it works with chaining disabled is, first it go to user form, it will check if that user exists in user form, and if that user have blank password in user form (with CRBP=true) and then it will authenticate via the password of AD . Hope this helps. Regards Kapil B. -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops Sent: Friday, March 29, 2013 2:28 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue We have the following: 1. No check box in the Allow Guest Users 2. No check box in the Authenticate Unregistered Users 3. Authentication has AREA - ARS V/R Abdul Baytops From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on behalf of Andrew Belis [andrew.be...@lmco.com] Sent: Thursday, March 28, 2013 4:33 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue Under Configuration tab do you have Allow Guest Users enabled by chance? What are your settings for Authenticate Unregistered Users under EA tab as well as the Authentication Chaining Mode set to? ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AREA LDAP 8.0 Configuration Issue
Could anyone provide any assistance with a problem that we are having in which we have successfully configured our AR users to login using their LDAP password but when they go into Remedy to work a ticket it tells them they have no right license. The users are in the right groups if I turn of LDAP they can access the groups with no problem but once I turn it back on they receive the error. Thanks in Advance V/R Abdul Baytops ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP 8.0 Configuration Issue
Could it be case sensitivity? How are they logging in? What is the case they log in with vs. how they are configured? From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops Sent: Thursday, March 28, 2013 12:55 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP 8.0 Configuration Issue ** Could anyone provide any assistance with a problem that we are having in which we have successfully configured our AR users to login using their LDAP password but when they go into Remedy to work a ticket it tells them they have no right license. The users are in the right groups if I turn of LDAP they can access the groups with no problem but once I turn it back on they receive the error. Thanks in Advance V/R Abdul Baytops _ARSlist: Where the Answers Are and have been for 20 years_ This message (including any attachments) is confidential and intended for a specific individual and purpose. If you are not the intended recipient, please notify the sender immediately and delete this message. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP 8.0 Configuration Issue
The case is all lowercase on both the AR System and LDAP server. I was wondering could it be the form that has the Write License area on the LDAP form? Are there specific values that should be included in that area. V/R Abdul Baytops From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on behalf of Smerz, Christian [cesm...@eprod.com] Sent: Thursday, March 28, 2013 2:37 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue ** Could it be case sensitivity? How are they logging in? What is the case they log in with vs. how they are configured? From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops Sent: Thursday, March 28, 2013 12:55 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP 8.0 Configuration Issue ** Could anyone provide any assistance with a problem that we are having in which we have successfully configured our AR users to login using their LDAP password but when they go into Remedy to work a ticket it tells them they have no right license. The users are in the right groups if I turn of LDAP they can access the groups with no problem but once I turn it back on they receive the error. Thanks in Advance V/R Abdul Baytops _ARSlist: Where the Answers Are and have been for 20 years_ This message (including any attachments) is confidential and intended for a specific individual and purpose. If you are not the intended recipient, please notify the sender immediately and delete this message. _ARSlist: Where the Answers Are and have been for 20 years_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP 8.0 Configuration Issue
Under Configuration tab do you have Allow Guest Users enabled by chance? What are your settings for Authenticate Unregistered Users under EA tab as well as the Authentication Chaining Mode set to? ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP 8.0 Configuration Issue
We have the following: 1. No check box in the Allow Guest Users 2. No check box in the Authenticate Unregistered Users 3. Authentication has AREA - ARS V/R Abdul Baytops From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on behalf of Andrew Belis [andrew.be...@lmco.com] Sent: Thursday, March 28, 2013 4:33 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue Under Configuration tab do you have Allow Guest Users enabled by chance? What are your settings for Authenticate Unregistered Users under EA tab as well as the Authentication Chaining Mode set to? ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP 8.0 Configuration Issue
If you are using CRBP(Cross Ref Blank password)= True, and you have mainly AR groups (not specific AD groups) which you need to use, make sure in AREA LDAP configuration form, in the License Mask and in the Write license (under Defaults and Mapping attributes to user information), you don't have any value mentioned over there. If it is blank, it is going to pick the licenses from User form, and you should get token as per mentioned in user form. If there is no specific reason to use chaining mode, it can be set to off, as by default it is set to first go to ARS and then to AREA. If you are using any sso plugin, then in those cases chaining is usually helpful and enabled. By default, the way it works with chaining disabled is, first it go to user form, it will check if that user exists in user form, and if that user have blank password in user form (with CRBP=true) and then it will authenticate via the password of AD . Hope this helps. Regards Kapil B. -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops Sent: Friday, March 29, 2013 2:28 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue We have the following: 1. No check box in the Allow Guest Users 2. No check box in the Authenticate Unregistered Users 3. Authentication has AREA - ARS V/R Abdul Baytops From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on behalf of Andrew Belis [andrew.be...@lmco.com] Sent: Thursday, March 28, 2013 4:33 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP 8.0 Configuration Issue Under Configuration tab do you have Allow Guest Users enabled by chance? What are your settings for Authenticate Unregistered Users under EA tab as well as the Authentication Chaining Mode set to? ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AR System 8.1: Why is the BMC AREA LDAP plugin not working?
Hello When installing AR System 8.1, you may expect to be able to carry on using the BMC AREA LDAP plugin. It appears BMC have switched on the AtriumSSO AREA plugin by default, and would prefer you ran this product to achieve what the AREA LDAP plugin does without the overhead of extra hardware, load balancers, configuration nightmares, etc. If you're wondering why the BMC AREA LDAP or BMC AREA Hub plugins aren't working (ie why authentication events aren't going to the arplugin log file) search for this line in ar.cfg: Server-Plugin-Alias: AREA and comment it out, ie. #Server-Plugin-Alias: AREA This will send authentication events back to the C plugin server to which you're accustomed. John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AR System 8.1: Why is the BMC AREA LDAP plugin not working?
Hi John, In 8.1 the default LDAP plugins are based on Java plugins but they are not the AtriumSSO ones. What you are basically doing here is disabling the newer Java plugin for AREA so that it falls back to the C plugin. The java plugin is actually arealdapplugin81_build001.jar which is supposed to be a like for like re-write of the C plugin and have nothing to do with the AtriumSSO ones (at least that I can see). Once you install/integrate in AtriumSSO this may change though but I don't have it installed so I can't confirm if installing/integration AtriumSSO actually changes anything about this specific plugin but doubt it as I assume it's no longer used since instead you configure everything in AtriumSSO which is a different story all together and I still like your plugin better :) See here for more info: https://docs.bmc.com/docs/display/public/ars81/Troubleshooting+AREA+LDAP+plug-in+issues Because this is now a Java plugin, you won't see anything in the arplugin log files, you need to check the javaplugin logs (and potentially enable the logging itself). Cheers, On Fri, Mar 15, 2013 at 9:59 AM, John Baker jba...@javasystemsolutions.comwrote: Hello When installing AR System 8.1, you may expect to be able to carry on using the BMC AREA LDAP plugin. It appears BMC have switched on the AtriumSSO AREA plugin by default, and would prefer you ran this product to achieve what the AREA LDAP plugin does without the overhead of extra hardware, load balancers, configuration nightmares, etc. If you're wondering why the BMC AREA LDAP or BMC AREA Hub plugins aren't working (ie why authentication events aren't going to the arplugin log file) search for this line in ar.cfg: Server-Plugin-Alias: AREA and comment it out, ie. #Server-Plugin-Alias: AREA This will send authentication events back to the C plugin server to which you're accustomed. John __**__** ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years -- :wq cuga ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AR System 8.1: Why is the BMC AREA LDAP plugin not working?
Curt Yes, it makes perfect sense to move everything over to Java plugins on the Java plugin server. But I guess if one has been staring at the arplugin log for a decade, and has become accustomed to the C plugin, it could be confusing to look elsewhere. I also agree that it's better to look in one place for plugin logging than two. Good of you to correct my understanding though :) John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: SSO / AREA LDAP question
Hello David, As it was explained to me and through reading the SSO integration white paper capturing the user ID should be all that is needed to get the user logged in at that point. I think there is some confusion here. For SSO to work in general with Midtier, there has to be some work done on 2 ends, the Midtier end and the ARServer end. AR Server (either form based or AREA LDAP based) needs username/password combination for authentication by default. You can have some chaining setups where some users will get authenticated against Form and other using LDAP which people typically do when they have AREA LDAP setup and they setup user password as BLANK in user form for users which need to be authenticated against LDAP. But AR Server, by default, will not authenticate a user unless password is supplied. BMC whitepaper says that once you have overridden DefaultAuthenticator on Miditer side, you can bypass login page and as you said, you are getting username somehow. Now this username and some TOKEN has to be passed back to AR Server and you need to write an custom AREA plug-in which will validate username/TOKEN combination, may be talking to some SSO server or in some way. Point is, unless you write a custom AREA plug-in SSO will not work. Also in your case, it sounds like, you are satisfied by just having extracted username from the browser (IE) and you want AR Server to authenticate the user just based on that. Regards, Yogesh From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lotz, David Sent: Thursday, March 14, 2013 12:37 AM To: arslist@ARSLIST.ORG Subject: SSO / AREA LDAP question ** Hello list, Remedy 7.5 Oracle 10g Mid-Tier is patch 3 3 app servers 3 mid tier servers I am having a peculiar problem and thought I would ask the list if anyone had seen a similar issue. We are attempting to implement SSO with the BMC supplied plugin and appear to be successful but (yes there is probably always a but) users are randomly being locked out of the Domain when in the mid-tier. We have only implemented SSO for the mid-tier and I have a portion of a mid-tier log that I have specific question about. PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER Connecting via SSL(host=FQDN for our ldap server port=636, certPath=c:\ldap_certs) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout previously: -1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout used: 35000 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_simple_bind(cn=ldap user name, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST After the bind PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_search_ext(search path, 2, cn=me in this case) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER ldap_simple_bind(CN=again my correctly formatted credentials, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINE Found user but password is bad PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER LicenseMask=0 LicenseWrite=0 LicenseFTS=0 LicenseReserved1=0 Notification=3 Email=NULL LoginStatus=2 ModificationTime=0 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER Groups=NULL I know that when LDAP is used for authentication a bind happens for the user defined in the AREA LDAP Configuration form, and when that is successful another bind is done for the actual user logging into the system. As you can see in the log excerpt it does this when using the SSO Plugin as well. We are only using SSO when logging in through the web. As it was explained to me and through reading the SSO integration white paper capturing the user ID should be all that is needed to get the user logged in at that point. We are pulling the user ID from
Re: SSO / AREA LDAP question
Yes, we have the plugin and we can get sso to function. The issue is that we get random lockouts for the users when they are coming in through the mid-tier. It doesn't happen to everyone at the same time. There have been times where it does not affect a given user for several days. Then they log in and they get locked out, like I said it seems pretty random. For instance, I log in and usually don't see the lockout issue whereas my co-developer logs in and almost instantly gets locked out. Then after resetting his domain id he is fine for several hours and then we both start getting locked out. We are troubleshooting with our AD team but it isn't looking promising. I was hoping that someone who is using the BMC supplied SSO code experienced this and was able to solve the issue. Thanks Dave From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Yogesh Ketkar Sent: Thursday, March 14, 2013 12:43 PM To: arslist@ARSLIST.ORG Subject: Re: SSO / AREA LDAP question ** Hello David, As it was explained to me and through reading the SSO integration white paper capturing the user ID should be all that is needed to get the user logged in at that point. I think there is some confusion here. For SSO to work in general with Midtier, there has to be some work done on 2 ends, the Midtier end and the ARServer end. AR Server (either form based or AREA LDAP based) needs username/password combination for authentication by default. You can have some chaining setups where some users will get authenticated against Form and other using LDAP which people typically do when they have AREA LDAP setup and they setup user password as BLANK in user form for users which need to be authenticated against LDAP. But AR Server, by default, will not authenticate a user unless password is supplied. BMC whitepaper says that once you have overridden DefaultAuthenticator on Miditer side, you can bypass login page and as you said, you are getting username somehow. Now this username and some TOKEN has to be passed back to AR Server and you need to write an custom AREA plug-in which will validate username/TOKEN combination, may be talking to some SSO server or in some way. Point is, unless you write a custom AREA plug-in SSO will not work. Also in your case, it sounds like, you are satisfied by just having extracted username from the browser (IE) and you want AR Server to authenticate the user just based on that. Regards, Yogesh From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lotz, David Sent: Thursday, March 14, 2013 12:37 AM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: SSO / AREA LDAP question ** Hello list, Remedy 7.5 Oracle 10g Mid-Tier is patch 3 3 app servers 3 mid tier servers I am having a peculiar problem and thought I would ask the list if anyone had seen a similar issue. We are attempting to implement SSO with the BMC supplied plugin and appear to be successful but (yes there is probably always a but) users are randomly being locked out of the Domain when in the mid-tier. We have only implemented SSO for the mid-tier and I have a portion of a mid-tier log that I have specific question about. PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER Connecting via SSL(host=FQDN for our ldap server port=636, certPath=c:\ldap_certs) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout previously: -1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout used: 35000 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_simple_bind(cn=ldap user name, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST After the bind PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_search_ext(search path, 2, cn=me in this case) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER ldap_simple_bind(CN=again my correctly formatted credentials, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC
Re: SSO / AREA LDAP question
The Bmc OOTB SSO Plugin is very easy to break since it only depends on http header authentication. It has nothing to do with LDAP or AD. the scenario changes if you use the basic SSO with site minder or an external authentication plugin with a hub. The best way you can start troubleshooting the issue is to turn ON debug logging on the plugin and turn ON your plugin logs on the server and identify the API calls when the account gets locked. We use JSS SSO plugin and cannot be happier with the support and the security features of the product. Regards, Roney Samuel Varghese. . Sent from my iPhone On Mar 14, 2013, at 12:32 PM, Lotz, David david.l...@53.com wrote: ** Yes, we have the plugin and we can get sso to function. The issue is that we get random lockouts for the users when they are coming in through the mid-tier. It doesn’t happen to everyone at the same time. There have been times where it does not affect a given user for several days. Then they log in and they get locked out, like I said it seems pretty random. For instance, I log in and usually don’t see the lockout issue whereas my co-developer logs in and almost instantly gets locked out. Then after resetting his domain id he is fine for several hours and then we both start getting locked out. We are troubleshooting with our AD team but it isn’t looking promising. I was hoping that someone who is using the BMC supplied SSO code experienced this and was able to solve the issue. Thanks Dave From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Yogesh Ketkar Sent: Thursday, March 14, 2013 12:43 PM To: arslist@ARSLIST.ORG Subject: Re: SSO / AREA LDAP question ** Hello David, As it was explained to me and through reading the SSO integration white paper capturing the user ID should be all that is needed to get the user logged in at that point. I think there is some confusion here. For SSO to work in general with Midtier, there has to be some work done on 2 ends, the Midtier end and the ARServer end. AR Server (either form based or AREA LDAP based) needs username/password combination for authentication by default. You can have some chaining setups where some users will get authenticated against Form and other using LDAP which people typically do when they have AREA LDAP setup and they setup user password as BLANK in user form for users which need to be authenticated against LDAP. But AR Server, by default, will not authenticate a user unless password is supplied. BMC whitepaper says that once you have overridden DefaultAuthenticator on Miditer side, you can bypass login page and as you said, you are getting username somehow. Now this username and some TOKEN has to be passed back to AR Server and you need to write an custom AREA plug-in which will validate username/TOKEN combination, may be talking to some SSO server or in some way. Point is, unless you write a custom AREA plug-in SSO will not work. Also in your case, it sounds like, you are satisfied by just having extracted username from the browser (IE) and you want AR Server to authenticate the user just based on that. Regards, Yogesh From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Lotz, David Sent: Thursday, March 14, 2013 12:37 AM To: arslist@ARSLIST.ORG Subject: SSO / AREA LDAP question ** Hello list, Remedy 7.5 Oracle 10g Mid-Tier is patch 3 3 app servers 3 mid tier servers I am having a peculiar problem and thought I would ask the list if anyone had seen a similar issue. We are attempting to implement SSO with the BMC supplied plugin and appear to be successful but (yes there is probably always a but) users are randomly being locked out of the Domain when in the mid-tier. We have only implemented SSO for the mid-tier and I have a portion of a mid-tier log that I have specific question about. PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER Connecting via SSL(host=FQDN for our ldap server port=636, certPath=c:\ldap_certs) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout previously: -1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout used: 35000 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_simple_bind(cn=ldap user name, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22
SSO / AREA LDAP question
Hello list, Remedy 7.5 Oracle 10g Mid-Tier is patch 3 3 app servers 3 mid tier servers I am having a peculiar problem and thought I would ask the list if anyone had seen a similar issue. We are attempting to implement SSO with the BMC supplied plugin and appear to be successful but (yes there is probably always a but) users are randomly being locked out of the Domain when in the mid-tier. We have only implemented SSO for the mid-tier and I have a portion of a mid-tier log that I have specific question about. PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER Connecting via SSL(host=FQDN for our ldap server port=636, certPath=c:\ldap_certs) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout previously: -1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect timeout used: 35000 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_simple_bind(cn=ldap user name, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST After the bind PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER ldap_search_ext(search path, 2, cn=me in this case) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER ldap_simple_bind(CN=again my correctly formatted credentials, hidden) PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind: Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINE Found user but password is bad PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER LicenseMask=0 LicenseWrite=0 LicenseFTS=0 LicenseReserved1=0 Notification=3 Email=NULL LoginStatus=2 ModificationTime=0 PLGN TID: 004912 RPC ID: 000561 Queue: AREA Client-RPC: 390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER Groups=NULL I know that when LDAP is used for authentication a bind happens for the user defined in the AREA LDAP Configuration form, and when that is successful another bind is done for the actual user logging into the system. As you can see in the log excerpt it does this when using the SSO Plugin as well. We are only using SSO when logging in through the web. As it was explained to me and through reading the SSO integration white paper capturing the user ID should be all that is needed to get the user logged in at that point. We are pulling the user ID from the header of the IE page and using it after removing the domain information. My question is if that is all true and we accept that if the user is logged into the network and able to access it through the web page why is AREA LDAP trying to do the bind with the user information instead of just a search and acknowledgement that the user exists on the network? Is there a way to turn off the second bind for Mid-Tier only? Also, has anyone run into a problem like this before? I can be logged into the tool for hours and not be locked out. Then one of my co-workers attempts to login and gets locked out repeatedly. Any help would be greatly appreciated. We use a load balancer before the mid-tier and then again before the application server. The problem doesn't appear to be linked to any server in the pool. I have repeatedly gone through the SSO setup for each server and they are identical and appear to be correct. I have used SSL and non SSL connections and there doesn't appear to be a problem with any of the certificates. David Lotz Fifth Third Bank Enterprise Solutions-Enterprise Applications Remedy Application Team email: david.l...@53.com blocked::mailto:david.l...@53.com P:513.534.3371 F:513.534.3421 MD:1090W2 This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing
AREA LDAP Configuration (Multiple AD Servers)
If we specify multiple AD Servers in AREA LDAP configuration how does authentication works? Does ARS try authenticating the user in the order they appear in the UI? Also is authentication tried out till at least one AD server authenticates the user successfully? ~Nathan ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP Configuration (Multiple AD Servers)
Hi, you could take a look at this in-depth webinar: https://communities.bmc.com/communities/docs/DOC-10142 _ Kind Regards, Carl Wilson http://www.missingpiecessoftware.com/ From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Nathan Brandt Sent: 05 March 2013 10:51 To: arslist@ARSLIST.ORG Subject: AREA LDAP Configuration (Multiple AD Servers) ** If we specify multiple AD Servers in AREA LDAP configuration how does authentication works? Does ARS try authenticating the user in the order they appear in the UI? Also is authentication tried out till at least one AD server authenticates the user successfully? ~Nathan _ARSlist: Where the Answers Are and have been for 20 years_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AREA LDAP Configuration (Multiple AD Servers)
The standard deployment of multiple AREA LDAP plugins is fine if the LDAPs all sit within one organisation. It's not a secure solution for a multi-service provider who may configure an instance of AREA LDAP for multiple customers, because it means username/passwords for organisation X are being sent to organisation Y, and so on. John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
AREA LDAP
Well, it's ultimately stored in the ar.cfg file but you need to alter it through the AREA LDAP and ARDBC configuration forms, as the password is encrypted before it's written to the ar.cfg. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP
You just need to make changes in ldap config form and it will update ar.cfg/at.conf respectively. Regards/Vaibhav On Monday, January 28, 2013, rajkiran Alle wrote: Hi, I need to modify the existing Bind User and Bind password for LDAP authentication, Is it enough if i just modify user and password in AREA LDAP Plugin or else in addition to this do i need to modify some where else ? Thanks ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Where the Answers Are, and have been for 20 years
Re: AREA LDAP configuration
Hi Guys, This is what i eventually did. Looking at the plugin logs I could see it is only searching using the first configuration and when the user is not found using that search it fails. I couldn't get a fix to make it do multiple searches so we rearanged the AD tree structure and raised the level of the BaseDN so both OUs were included in the single Search. Not ideal but it will fill the gap until Remedy is upgraded. Thanks Tony ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP configuration
if you have multiple LDAP configuration you have to change your plugin to areahub instead AREA, then it will check for all your entries in the ldap configuration form. 2012/10/30 SUBSCRIBE ARSLIST theReel tony.r...@bt.com: Hi Guys, This is what i eventually did. Looking at the plugin logs I could see it is only searching using the first configuration and when the user is not found using that search it fails. I couldn't get a fix to make it do multiple searches so we rearanged the AD tree structure and raised the level of the BaseDN so both OUs were included in the single Search. Not ideal but it will fill the gap until Remedy is upgraded. Thanks Tony ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
AREA LDAP configuration
Hi Guys, I have inherited support of a 7.0.01 install of Remedy (AR system ITSM on Windows) which has some LDAP configurations setup. I do not have much experience with the LDAP configuration, it seems pretty straightforward but it is not working and I think I am missing something simple. Currently there are 4 Configurations set in the AREA LDAP Configuration. 3 of these seem to be old and reference 3 OU structures in the same AD which no longer exist; I have left them there but decreased their order. 1 of the current configurations searches the correct OU and users successfully authenticate. I want to add a new configuration for a different OU group in the same AD, so I will have two groups of users in the same AD structure being used for authentication. I have copied the entire configuration Detail from the working example and changed only the ‘User Base’ field to the new OU group path. I restarted the AR services and I have looked in the ar.conf file and I can see the new settings. I then moved a user from the original OU to the new OU group but they cannot login. Questions I have: Do you have to restart services after you make changes to the AREA LDAP configurations? Can you authenticate to multiple OU groups in the same AD? Is it ok to have multiple Configurations using the same Port number, username, password etc? Do I need to configure Failover Timeout or Chase Referral. Any advice on what I am doing wrong or how I can troubleshoot this one would be greatly appreciated. Thanks Tony ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
AREA LDAP configuration
Tony, Do you have to restart services after you make changes to the AREA LDAP configurations? Yes, although you can kill the arplugin process and armonitor should restart the plugin server. Given some ITSM installations take 30 minutes to restart, this is the best choice if in doubt, Can you authenticate to multiple OU groups in the same AD? OU groups? Do you mean different sub-trees? I believe you can use a parent base DN and search down. Is it ok to have multiple Configurations using the same Port number, username, password etc? I don't see why not. Multiple configurations is the same plugin loaded X times on the BMC AREA Hub, I think. One of my colleagues wrote the following document that may be of use: http://www.javasystemsolutions.com/documentation/jss-configuring-BMC-AREA-LDAP.pdf John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP configuration
Thanks for the reply John, I have to wait until I am outside core hours before I can restart anything again but I will try restarting only the arplugin this time, thanks. By OU I mean Organizational Units so yes different sub-trees. Unfortunately I can’t use the parent as the base DN and search down as that would allow access to some groups that should be restricted. Example of what I mean below: Parent - old group - old restricted Users - old Remedy Users - new group - new restricted Users - new Remedy Users Currently we search 'Old Remedy Users' for authentication of the users. Over the next few weeks users are being moved from 'Old Remedy Users' to 'New Remedy Users' in stages. So i need Remedy to be able to authenticate both those groups without including the Restricted users. The document is very good but the only thing that I can see that I can use is to try setting a timeout and Chase refferal settings. I will have another go this evening. Thanks Tony ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
AREA LDAP Configuration
I am having an issue with AREA LDAP authentication on our development system. Everything is working great on production and their configuration looks identical to me. · When logging into dev with AD password authentication passes and the support user only has access to the minimum stuff (Just approval, Request Console, etc). · If the support person logs into dev with the password from the user form, they get everything properly (overview, Incident, etc). · If they log in with a bad password they get an authentication failed message. Like I said in prod using the AD password works and they get access to the objects they should. I have compare the Server Information settings and the AREA LDAP configuration and all looks the same. Any advice? It was all working at one time. I just can't figure out what is different. Thanks, Ken. ARS 7.5 ITSM 7.6 From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Abhay Somani Sent: Wednesday, May 23, 2012 3:38 AM To: arslist@ARSLIST.ORG Subject: Re: I need a help in some scenario ** Verision is 7.6.03 On Wed, May 23, 2012 at 1:02 PM, Jose Huerta jose.hue...@sm2baleares.esmailto:jose.hue...@sm2baleares.es wrote: ** Version, S.O.? What diagnostic have you made? Jose M. Huerta Project Manager Movil: 661 665 088 Telf.: 971 75 03 24 Fax: 971 75 07 94 [cid:image001.jpg@01CDA886.5D79A670]http://www.sm2baleares.es/ SM2 Baleares S.A. C/Rita Levi Edificio SM2 Parc Bit 07121 Palma de Mallorca [cid:image002.jpg@01CDA886.5D79A670] http://es-es.facebook.com/pages/SM2-Baleares/158608627954 [cid:image003.jpg@01CDA886.5D79A670] http://twitter.com/#!/SM2Baleares [cid:image004.jpg@01CDA886.5D79A670] http://www.linkedin.com/company/sm2-baleares La información contenida en este mensaje de correo electrónico es confidencial. La misma, es enviada con la intención de que únicamente sea leída por la persona(s) a la(s) que va dirigida. El acceso a este mensaje por otras personas no está autorizado, por lo que en tal caso, le rogamos que nos lo comunique por la misma vía, se abstenga de realizar copias del mensaje o remitirlo o entregarlo a otra persona y proceda a borrarlo de inmediato. P Por favor, no imprima este mensaje ni sus documentos adjuntos si no es necesario. On Wed, May 23, 2012 at 8:00 AM, Abhay Somani remedy.ab...@gmail.commailto:remedy.ab...@gmail.com wrote: ** -- Forwarded message -- From: Abhay Somani remedy.ab...@gmail.commailto:remedy.ab...@gmail.com Date: Fri, May 18, 2012 at 8:55 PM Subject: I need a help in some scenario To: arslist@arslist.orgmailto:arslist@arslist.org Hello All, I need a help in some scenario (List below) ..I want to know that What should we take as 1st step to find the root case ?and What are major cause/reason for these issue in general . Please help me out !! Issue are follows 1) MIdtier is slow or performance issue 2) Remedy Performance Issue, and later users could not login 3)is getting an error as AR System Plug-In server : ARERR 8760 4) Emails were not processed. 5)Users could not login via SSO. Thanks in Advance Abhay Somani _attend WWRUG12 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ *** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept for the presence of computer viruses. www.Hubbell.com - Hubbell Incorporated** ** This email and any files transmitted with it are confidential and intended solely for the addressee. If you have received this email in error please notify the system manager. Subject to local law, communications (including traffic data) with Hubbell may be monitored by our systems [or a third party's systems on our behalf] for the purposes of security and the assessment of internal compliance with Hubbell policies. This footnote also confirms that this email message has been swept for the presence of computer viruses. www.Hubbell.com - Hubbell Incorporated ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Areinline: image001.jpginline: image002.jpginline: image003.jpginline: image004.jpg
Re: AREA LDAP logging question RESOLVED
Both LDAP servers (on two different, untrusted domains) are authenticating just fine now! So in addition to everything else, the *one* thing that I did not initially try, seemed to do the trick: -Save a backup copy of the ar.cfg file (just in case). -Remove all references to AREA from the ar.cfg file. -Restart the ARSystem service -or- kill the plugin server process to re-read the altered config -Re-add the known-good information to the AREA config *form* which will re-write the needed entries in the ar.cfg file. -Restart the ARSystem service -or- kill the plugin server process to re-read the altered config I think it is important to note (and this was the part the docs didn't clearly define and which confused me) that when allowed to add the values for the AREA-Hub-Plugin: line, the system added two identical lines like so: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\ arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\ arealdap.dll And not to overstate the obvious, but just so the info is out there... On the Server Information EA config tab, I have: -Set the EA RPC number to 390695 -Set Cross Reference Blank Password checked. -Set Authentication Chaining Mode to Off. On the AREA Config form, the items of note are: -The remote domain LDAP server is entered by IP Address (DNS on that domain is not available) -The bind user for both LDAP servers needed to be entered in the form of domain\username (MS Active Directory LDAP) -User Base is set to $\AUTHSTRING$ (the keyword for field ID 118 on the USER form) -User Search Filter is set to sAMAccountName=$\USER$ (the keyword for field ID 117 on the USER form) On the User form the items of note are: - Set the password to $NULL$ for the users to be externally authenticated. - Field id 101 is the regular login name field on the user form and is used to uniquely identify the user for the Remedy system, ie - how the user's name will appear in the Submitted by field on a record. I used the format of domain\username. - Added the special fields (field ID 117 and field id 118) (see BMC suport knowldedge article #KA288124) - Field id 117 is the network login name of the user that matches the sAMAccountName on the respective LDAP server. - Field id 118 is set to the parent LDAP container of the user. So, for example if my LDAP user's *full* DN is: cn=myUserName,OU=myDept,OU=myOrg,DC=MyDomain,DC=com Then the parent container would be: OU=myDept,OU=myOrg,DC=MyDomain,DC=com I think that about covers it! Thanks again and everyone have a happy, prosperous, peaceful New Year!! JDHood On Mon, Dec 26, 2011 at 9:48 AM, JD Hood hood...@gmail.com wrote: Actually, I think I have it figured out. I removed all references to the AREA plugin from AR.CFG, restarted the system and started from scratch. I added one LDAP server to the AREA config form, allowing the system to re-add the ar.cfg lines and restarted the services (just being overly cautious). Then I added the 2nd LDAP server and restarted the services. During hte 2nd restart, I noticed that the system added the AREA-Hub-Plugin to ar.cfg like so: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll And plugin logging showed that it started the AREA plugin twice, with each server listed with each plugin start-up in the order they were listed in the config form. Unfortunately at this point, the 2nd LDAP server isn't responding to pings, so I will have to wait until someone is on-site to slap it out of it's stupor. But the logged activity is looking promising and the 1st server is authenticating just fine. Thanks, JDHood On Sat, Dec 24, 2011 at 8:33 AM, JD Hood hood...@gmail.com wrote: My situation is with two different LDAP servers, in two different domains configured in the AREA Config form: Server-A.domain-A -- Remote untrusted Active Directory server defined in the form by I.P. B-Server.B-domain -- Local Active Directory server defined by hostname As regards area, the ar.cfg has the following lines for the plugins: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll There are no trusts between the domains involved, but outside of Remedy, I can connect to either LDAP server and authenticate just fine. Connectivity and bind credentials are not an issue. Within Remedy, logging shows that the first server defined in the AREA LDAP config form is ever used. I have tried AREA -HUB-Plugin lines like the following, killing the plugin process after each change... A single line: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll This does not work Two
Re: AREA LDAP logging question
Actually, I think I have it figured out. I removed all references to the AREA plugin from AR.CFG, restarted the system and started from scratch. I added one LDAP server to the AREA config form, allowing the system to re-add the ar.cfg lines and restarted the services (just being overly cautious). Then I added the 2nd LDAP server and restarted the services. During hte 2nd restart, I noticed that the system added the AREA-Hub-Plugin to ar.cfg like so: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll And plugin logging showed that it started the AREA plugin twice, with each server listed with each plugin start-up in the order they were listed in the config form. Unfortunately at this point, the 2nd LDAP server isn't responding to pings, so I will have to wait until someone is on-site to slap it out of it's stupor. But the logged activity is looking promising and the 1st server is authenticating just fine. Thanks, JDHood On Sat, Dec 24, 2011 at 8:33 AM, JD Hood hood...@gmail.com wrote: My situation is with two different LDAP servers, in two different domains configured in the AREA Config form: Server-A.domain-A -- Remote untrusted Active Directory server defined in the form by I.P. B-Server.B-domain -- Local Active Directory server defined by hostname As regards area, the ar.cfg has the following lines for the plugins: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll There are no trusts between the domains involved, but outside of Remedy, I can connect to either LDAP server and authenticate just fine. Connectivity and bind credentials are not an issue. Within Remedy, logging shows that the first server defined in the AREA LDAP config form is ever used. I have tried AREA -HUB-Plugin lines like the following, killing the plugin process after each change... A single line: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll This does not work Two Lines: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll This does not work Two Lines: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll In this case, I copied arealdap.dll and renamed the copied file to arealdap_1.dll in it's own directory This does not work Here's logging showing that the plugin tries the same server twice, and doesn't progress to the second server. The user in this case *CAN* be authenticated on the second server. When I have reversed the order of the servers in the config form (so that this user's server is listed first), then this user authenticates just fine. */+VLAREAVerifyLoginCallback -- user jdhood */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback */ARSYS.AREA.LDAP FINER ldap_init(Server-A.domain-A, 389) */ARSYS.AREA.LDAP FINER connect timeout previously: -1 */ARSYS.AREA.LDAP FINER connect timeout used: 55000 */ARSYS.AREA.LDAP FINER ldap_set_option(Chase Referrals): ON (handled by plugin) */ARSYS.AREA.LDAP FINER ldap_simple_bind(MrBindUser, hidden) */ARSYS.AREA.LDAP FINEST After the bind */ARSYS.AREA.LDAP FINER ldap_search_ext(OU=Users,OU=fee,OU=fie,OU=foe,DC=fum,DC=com, 2, sAMAccountName=jdhood) */ARSYS.AREA.LDAP SEVERE Search: Can't connect to the LDAP server (LDAPERR Code 91) 202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'fum.com' */ARSYS.AREA.LDAP SEVERE Cannot find the user info in LDAP server */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback */ARSYS.AREA.LDAP FINER ldap_init(Server-A.domain-A, 389) */ARSYS.AREA.LDAP FINER connect timeout previously: -1 */ARSYS.AREA.LDAP FINER connect timeout used: 55000 */ARSYS.AREA.LDAP FINER ldap_set_option(Chase Referrals): ON (handled by plugin) */ARSYS.AREA.LDAP FINER ldap_simple_bind(MrBindUser, hidden) */ARSYS.AREA.LDAP FINEST After the bind */ARSYS.AREA.LDAP FINER ldap_search_ext(OU=Users,OU=fee,OU=fie,OU=foe,DC=fum,DC=com, 2, sAMAccountName=jdhood) */ARSYS.AREA.LDAP SEVERE Search: Can't connect to the LDAP server (LDAPERR Code 91) 202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'fum.com' */ARSYS.AREA.LDAP SEVERE Cannot find the user info in LDAP server */-VLFAIL This can wait for the other side of the holidays though. Merry Christmas All! Thanks, JDHood On Sat, Dec 24, 2011 at 3:24 AM, Walters, Mark mark_walt...@bmc.comwrote: You shouldn't have to manually edit the ar.cfg, all the necessary changes will be made when you configure
Re: AREA LDAP logging question
You shouldn't have to manually edit the ar.cfg, all the necessary changes will be made when you configure the additional LDAP servers via the AREA LDAP configuration form. If you're only authenticating against one LDAP server then the hub is not necessary, you should just have a Plugin: ..\arealdap.dll line in the ar.cfg. When you configure two or more LDAP servers this gets replaced by Plugin: ..\areahub.dll and there should be one AREA-Hug-Plugin: ..\arealdap.dll for EACH LDAP server - i.e. 2 LDAP servers, 2 AREA-Hub-Plugin: lines. The AREA LDAP configuration options are the ones that get the _1, _2, etc suffixes, not the plugin lines. Mark From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] On Behalf Of JD Hood [hood...@gmail.com] Sent: 23 December 2011 22:28 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Now that that's working... If I have multiple domains defined for LDAP auth in the AREA form, I understand I need to specify additional arealdap.dll's on additional AREA-Hub-Plugin: lines, ala: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll Is it just as simple as copying the existing arealdap.dll and renaming it to something like arealdap_1.dll and adding it on another AREA-Hub-Plugin line? I've tried that and it doesn't seem to work -- the authentication attempt doesn't progress it to the second LDAP server... Thanks, JDHood On Fri, Dec 23, 2011 at 8:59 AM, JD Hood hood...@gmail.commailto:hood...@gmail.com wrote: That did it and it's logging much more info now! I can *now* see from logging that the failure to auth is likely simple-bind being rejected on the LDAP server (I didn't realize LDP uses SASL by default). When I changed LDP to a simple, non ssl bind, the known-good login failed there as well. This would be a clue. Thank you ARSList! -JDHood On Thu, Dec 22, 2011 at 8:12 PM, Grooms, Frederick W frederick.w.gro...@xo.commailto:frederick.w.gro...@xo.com wrote: Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything
AREA LDAP logging question
A little off topic, but one of my favourite SSO Plugin customer questions was as follows: Why do I need to configure the BMC AREA plugin when I've configured SSO Plugin to integrate with my Active Directory? And here is an example of why it's so important to listen to customers, because it hadn't occurred to me that we could drop the requirement for the BMC AREA LDAP plugin by providing our own login screen to authenticate users using the connection details for SSO. As Mark points out, multiple Active Directories (typically, domains) also requires multiple configurations with the BMC AREA LDAP plugin, yet SSO Plugin has just four fields for AD integration, with typically no further information required for multiple domains. John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
My situation is with two different LDAP servers, in two different domains configured in the AREA Config form: Server-A.domain-A -- Remote untrusted Active Directory server defined in the form by I.P. B-Server.B-domain -- Local Active Directory server defined by hostname As regards area, the ar.cfg has the following lines for the plugins: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll There are no trusts between the domains involved, but outside of Remedy, I can connect to either LDAP server and authenticate just fine. Connectivity and bind credentials are not an issue. Within Remedy, logging shows that the first server defined in the AREA LDAP config form is ever used. I have tried AREA -HUB-Plugin lines like the following, killing the plugin process after each change... A single line: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll This does not work Two Lines: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll This does not work Two Lines: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll In this case, I copied arealdap.dll and renamed the copied file to arealdap_1.dll in it's own directory This does not work Here's logging showing that the plugin tries the same server twice, and doesn't progress to the second server. The user in this case *CAN* be authenticated on the second server. When I have reversed the order of the servers in the config form (so that this user's server is listed first), then this user authenticates just fine. */+VLAREAVerifyLoginCallback -- user jdhood */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback */ARSYS.AREA.LDAP FINER ldap_init(Server-A.domain-A, 389) */ARSYS.AREA.LDAP FINER connect timeout previously: -1 */ARSYS.AREA.LDAP FINER connect timeout used: 55000 */ARSYS.AREA.LDAP FINER ldap_set_option(Chase Referrals): ON (handled by plugin) */ARSYS.AREA.LDAP FINER ldap_simple_bind(MrBindUser, hidden) */ARSYS.AREA.LDAP FINEST After the bind */ARSYS.AREA.LDAP FINER ldap_search_ext(OU=Users,OU=fee,OU=fie,OU=foe,DC=fum,DC=com, 2, sAMAccountName=jdhood) */ARSYS.AREA.LDAP SEVERE Search: Can't connect to the LDAP server (LDAPERR Code 91) 202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'fum.com' */ARSYS.AREA.LDAP SEVERE Cannot find the user info in LDAP server */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback */ARSYS.AREA.LDAP FINER ldap_init(Server-A.domain-A, 389) */ARSYS.AREA.LDAP FINER connect timeout previously: -1 */ARSYS.AREA.LDAP FINER connect timeout used: 55000 */ARSYS.AREA.LDAP FINER ldap_set_option(Chase Referrals): ON (handled by plugin) */ARSYS.AREA.LDAP FINER ldap_simple_bind(MrBindUser, hidden) */ARSYS.AREA.LDAP FINEST After the bind */ARSYS.AREA.LDAP FINER ldap_search_ext(OU=Users,OU=fee,OU=fie,OU=foe,DC=fum,DC=com, 2, sAMAccountName=jdhood) */ARSYS.AREA.LDAP SEVERE Search: Can't connect to the LDAP server (LDAPERR Code 91) 202B: RefErr: DSID-031006E0, data 0, 1 access points ref 1: 'fum.com' */ARSYS.AREA.LDAP SEVERE Cannot find the user info in LDAP server */-VLFAIL This can wait for the other side of the holidays though. Merry Christmas All! Thanks, JDHood On Sat, Dec 24, 2011 at 3:24 AM, Walters, Mark mark_walt...@bmc.com wrote: You shouldn't have to manually edit the ar.cfg, all the necessary changes will be made when you configure the additional LDAP servers via the AREA LDAP configuration form. If you're only authenticating against one LDAP server then the hub is not necessary, you should just have a Plugin: ..\arealdap.dll line in the ar.cfg. When you configure two or more LDAP servers this gets replaced by Plugin: ..\areahub.dll and there should be one AREA-Hug-Plugin: ..\arealdap.dll for EACH LDAP server - i.e. 2 LDAP servers, 2 AREA-Hub-Plugin: lines. The AREA LDAP configuration options are the ones that get the _1, _2, etc suffixes, not the plugin lines. Mark From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] On Behalf Of JD Hood [hood...@gmail.com] Sent: 23 December 2011 22:28 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Now that that's working... If I have multiple domains defined for LDAP auth in the AREA form, I understand I need to specify additional arealdap.dll's on additional AREA-Hub-Plugin: lines, ala: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll Is it just
Re: AREA LDAP logging question
Hi JD, You found the areahub loading but not the arealdap. ARSYS.AREA.HUB You need ARSYS.AREA.LDAP So there is your issue. Add the following line to your ar.cfg AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll Then restart. That should do it. Just a final point, if you are not using any other external authentication plugin, or you only have one arealdap configured, then there is no reason to have the hub configured. Hope this helps, kind regards. Danny Single Sign On (SSO) for the BMC Remedy AR System and ITSM http://www.javasystemsolutions.com/jss/ssoplugin From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 23 December 2011 00:37 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett danny.kell...@strategicworkflow.com wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login
Re: AREA LDAP logging question
That did it and it's logging much more info now! I can *now* see from logging that the failure to auth is likely simple-bind being rejected on the LDAP server (I didn't realize LDP uses SASL by default). When I changed LDP to a simple, non ssl bind, the known-good login failed there as well. This would be a clue. Thank you ARSList! -JDHood On Thu, Dec 22, 2011 at 8:12 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even
Re: AREA LDAP logging question
From: JD Hood [mailto:hood...@gmail.com] Sent: Friday, December 23, 2011 08:59 AM To: arslist@ARSLIST.ORG arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** That did it and it's logging much more info now! I can *now* see from logging that the failure to auth is likely simple-bind being rejected on the LDAP server (I didn't realize LDP uses SASL by default). When I changed LDP to a simple, non ssl bind, the known-good login failed there as well. This would be a clue. Thank you ARSList! -JDHood On Thu, Dec 22, 2011 at 8:12 PM, Grooms, Frederick W frederick.w.gro...@xo.commailto:frederick.w.gro...@xo.com wrote: Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server
Re: AREA LDAP logging question
Now that that's working... If I have multiple domains defined for LDAP auth in the AREA form, I understand I need to specify additional arealdap.dll's on additional AREA-Hub-Plugin: lines, ala: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll Is it just as simple as copying the existing arealdap.dll and renaming it to something like arealdap_1.dll and adding it on another AREA-Hub-Plugin line? I've tried that and it doesn't seem to work -- the authentication attempt doesn't progress it to the second LDAP server... Thanks, JDHood On Fri, Dec 23, 2011 at 8:59 AM, JD Hood hood...@gmail.com wrote: That did it and it's logging much more info now! I can *now* see from logging that the failure to auth is likely simple-bind being rejected on the LDAP server (I didn't realize LDP uses SASL by default). When I changed LDP to a simple, non ssl bind, the known-good login failed there as well. This would be a clue. Thank you ARSList! -JDHood On Thu, Dec 22, 2011 at 8:12 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows
Re: AREA LDAP logging question
I'm not sure if you need an additional dll loaded in the hub. I think that just having the multiple entries in the config form and having the chaining option turned on should do the trick. The multiple dll option is when you need multiple types of authentication (such as having your own single sign on dll in addition to the Remedy AREA one). Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Friday, December 23, 2011 4:29 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Now that that's working... If I have multiple domains defined for LDAP auth in the AREA form, I understand I need to specify additional arealdap.dll's on additional AREA-Hub-Plugin: lines, ala: AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap_1.dll Is it just as simple as copying the existing arealdap.dll and renaming it to something like arealdap_1.dll and adding it on another AREA-Hub-Plugin line? I've tried that and it doesn't seem to work -- the authentication attempt doesn't progress it to the second LDAP server... Thanks, JDHood -Original Message- On Fri, Dec 23, 2011 at 8:59 AM, JD Hood wrote: That did it and it's logging much more info now! I can *now* see from logging that the failure to auth is likely simple-bind being rejected on the LDAP server (I didn't realize LDP uses SASL by default). When I changed LDP to a simple, non ssl bind, the known-good login failed there as well. This would be a clue. Thank you ARSList! -JDHood On Thu, Dec 22, 2011 at 8:12 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREA Plug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look
AREA LDAP logging question
JD Set the Plugin-Log-Level to 100 in ar.cfg. That should give you much more logging. John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
I appreciate the offer, but the client might frown on posting their info on the list. So, I've opened an issue with BMC instead. But I think you might be on to something. I see a ton of logging for ARDBC, but just a few lines for AREA on startup. And I just realized I've omitted that we are setting it up for multiple domain logins (Knowledge Article: KA288124 -- Configuring AREA LDAP in a Multi-Domain Environment); however, we just have the one LDAP server defined in AREA at this time. MS's LDP.exe confirms we can reach the target LDAP server *and* bind using our test user *and* authenticate with that test user outside of Remedy. But within Remedy, we get Authentication Failed. We know we have the user pass correct, so the possibilities are: Remedy isn't actually connecting to LDAP *or* it is connecting, but can't find the user. Until I can validate the plugin is starting up and get logging to spit out more info, I'm stuck using the braille method to troubleshoot. Full circle now -- time to engage BMC support. Thanks again, JDHood On Thu, Dec 22, 2011 at 2:44 AM, Walters, Mark mark_walt...@bmc.com wrote: ** I suspect that either the AREA LDAP plugin is not being loaded for some reason or there is a configuration issue. ** ** Are you able to post the ar.conf and the plugin log, from startup, so that I can see what you have set up? ** ** Mark ** ** I work for BMC, I don’t speak for them. ** ** *From:* Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] *On Behalf Of *JD Hood *Sent:* 21 December 2011 23:50 *To:* arslist@ARSLIST.ORG *Subject:* AREA LDAP logging question ** ** ** 7.6.04 ITSM on Windows SQL Server ** ** I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails.* *** ** ** I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. ** ** At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. ** ** With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. ** ** Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: ** ** PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL ** ** ** ** This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? ** ** I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. ** ** Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? ** ** Thanks in advance! JDHood _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
JD Your log snippet is not an example of the plugin log level set to 100. So do you have that line duplicated in you AR.cfg by accident? The BMC plugin is very good at letting you know what is wrong when set to 100. Have you restarted since setting log level to 100? Regards Danny On 22 Dec 2011, at 18:53, JD Hood hood...@gmail.com wrote: ** I appreciate the offer, but the client might frown on posting their info on the list. So, I've opened an issue with BMC instead. But I think you might be on to something. I see a ton of logging for ARDBC, but just a few lines for AREA on startup. And I just realized I've omitted that we are setting it up for multiple domain logins (Knowledge Article: KA288124 -- Configuring AREA LDAP in a Multi-Domain Environment); however, we just have the one LDAP server defined in AREA at this time. MS's LDP.exe confirms we can reach the target LDAP server *and* bind using our test user *and* authenticate with that test user outside of Remedy. But within Remedy, we get Authentication Failed. We know we have the user pass correct, so the possibilities are: Remedy isn't actually connecting to LDAP *or* it is connecting, but can't find the user. Until I can validate the plugin is starting up and get logging to spit out more info, I'm stuck using the braille method to troubleshoot. Full circle now -- time to engage BMC support. Thanks again, JDHood On Thu, Dec 22, 2011 at 2:44 AM, Walters, Mark mark_walt...@bmc.com wrote: ** I suspect that either the AREA LDAP plugin is not being loaded for some reason or there is a configuration issue. Are you able to post the ar.conf and the plugin log, from startup, so that I can see what you have set up? Mark I work for BMC, I don’t speak for them. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 21 December 2011 23:50 To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VL AREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
Yep, it stumped BMC support during the webex too. It's there, plain as day (Plugin-Log-Level: 100)*and* everything else is logging like a champ (or appears to be). Just not AREA. No idea why or how to make it behave. Thanks JDHood On Thu, Dec 22, 2011 at 2:14 PM, Danny Kellett danny.kell...@strategicworkflow.com wrote: ** JD Your log snippet is not an example of the plugin log level set to 100. So do you have that line duplicated in you AR.cfg by accident? The BMC plugin is very good at letting you know what is wrong when set to 100. Have you restarted since setting log level to 100? Regards Danny On 22 Dec 2011, at 18:53, JD Hood hood...@gmail.com wrote: ** I appreciate the offer, but the client might frown on posting their info on the list. So, I've opened an issue with BMC instead. But I think you might be on to something. I see a ton of logging for ARDBC, but just a few lines for AREA on startup. And I just realized I've omitted that we are setting it up for multiple domain logins (Knowledge Article: KA288124 -- Configuring AREA LDAP in a Multi-Domain Environment); however, we just have the one LDAP server defined in AREA at this time. MS's LDP.exe confirms we can reach the target LDAP server *and* bind using our test user *and* authenticate with that test user outside of Remedy. But within Remedy, we get Authentication Failed. We know we have the user pass correct, so the possibilities are: Remedy isn't actually connecting to LDAP *or* it is connecting, but can't find the user. Until I can validate the plugin is starting up and get logging to spit out more info, I'm stuck using the braille method to troubleshoot. Full circle now -- time to engage BMC support. Thanks again, JDHood On Thu, Dec 22, 2011 at 2:44 AM, Walters, Mark mark_walt...@bmc.comwrote: ** I suspect that either the AREA LDAP plugin is not being loaded for some reason or there is a configuration issue. ** ** Are you able to post the ar.conf and the plugin log, from startup, so that I can see what you have set up? ** ** Mark ** ** I work for BMC, I don’t speak for them. ** ** *From:* Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] *On Behalf Of *JD Hood *Sent:* 21 December 2011 23:50 *To:* arslist@ARSLIST.ORG *Subject:* AREA LDAP logging question ** ** ** 7.6.04 ITSM on Windows SQL Server ** ** I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. ** ** I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. ** ** At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. ** ** With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. ** ** Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: ** ** PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VL AREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL ** ** ** ** This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? ** ** I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. ** ** Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? ** ** Thanks in advance! JDHood _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREAPlug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett danny.kell...@strategicworkflow.com wrote: ** JD, ** ** When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? ** ** Plug-In Loaded: ARSYS.AREA.LDAP version 2 ** ** In fact I would search for ARSYS.AREA.LDAP. If you don’t have any in there, then the plugin isn’t loading. ** ** If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. ** ** I don’t think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? ** ** If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) ** ** Kind regards Danny ** ** ** ** *From:* Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] *On Behalf Of *JD Hood *Sent:* 22 December 2011 23:39 *To:* arslist@ARSLIST.ORG *Subject:* Re: AREA LDAP logging question ** ** ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. ** ** When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. ** ** We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. ** ** So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. ** ** After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... ** ** Thanks, JDHood ** ** ** ** ** ** ** ** ** ** ** ** On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W frederick.w.gro...@xo.com wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't
Re: AREA LDAP logging question
Ah ... It should be something like: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\arealdap.dll So the hub will load the arealdap plugin. Without it the arealdap plugin is not loaded. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Thursday, December 22, 2011 6:37 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** Ok, I just tried that with logging on and I see: PLGN TID: 005276 RPC ID: 00 Queue: Dispatcher Client-RPC: 00 /* Thu Dec 22 2011 19:16:06.3790 */AREA Plug-In Loaded: ARSYS.AREA.HUB version 2 Next, I commented out the plugin server in the armonitor and cranked it up manually and I got the following: D:\Program Files\BMC Software\ARSystemarplugin.exe --unicode -i D:\Program Files\BMC Software\ARSystem -m Action Request System(R) Plug-In Server Version 7.6.04 SP2 201110080614 (c) Copyright 2001-2011 BMC Software, Inc. Action Request System(R) Approval Server Version 7.6.04 SP2 201110080614 (c) Copyright 1999-2011 BMC Software, Inc. Next item, checking the ar.cfg, I have the following lines that reference AREA and Plugin: Plugin-Path: D:\Program Files\BMC Software\ARSystem\arealdap Plugin: D:\Program Files\BMC Software\ARSystem\arealdap\areahub.dll AREA-Hub-Plugin: Should I add the path to areahub.dll on the AREA-Hub-Plugin line? Or something else? Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 6:49 PM, Danny Kellett wrote: ** JD, When you start the AR Server (or kill -9 arplugin) and it creates a new arplugin log file, do you see this anywhere? Plug-In Loaded: ARSYS.AREA.LDAP version 2 In fact I would search for ARSYS.AREA.LDAP. If you don't have any in there, then the plugin isn't loading. If this is the case, comment out the arplugin line in the armonitor.conf and restart. Then you can start the arplugin manually from the commandline. Then if something is up, it will echo it to the console. I don't think your arealdap plugin is loading. In your ar.conf, have you got the arealdap.so (or dll) on a line beginning with Plugin: or AREA-Hub-Plugin:? If its the second one, then make sure you have Plugin: someDir/areahub.so (or dll) Kind regards Danny -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 22 December 2011 23:39 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP logging question ** The plugin log only will show a single +VL and -VL per each login attempt. I don't see anything that indicates it's loading the AREA plugin in the plugin log. When support saw that, they went straight to the ar.cfg, but the AREA config entries in there look fine. We do know that the bind user, login pass are good because we can use those values with LDP to browse/search LDAP. So, something is wonky with the Remedy AREA plugin, they just don't know what yet. Bundled up the config files and logs (java stuff too) and they are going to have a look, presumably with engineering. After all this, I wouldn't be surprised to find it's a network issue or something outside of Remedy. If only we could get logging to wake up, we could have better visibility into what it's doing. But the logging side is just not cooperating... Thanks, JDHood -Original Message- On Thu, Dec 22, 2011 at 3:14 PM, Grooms, Frederick W wrote: Do you see the lines in the log where it is loading the AREA plugin? If not how is the arealdap plugin listed in the ar.cfg file? An additional thought... On Windows 7.6.04 is AREA now a Java plugin? If so it should be debugged thru the pluginsvr_config.xml and log4j_pluginsvr.xml files in the pluginsvr directory. Fred -Original Message- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: Wednesday, December 21, 2011 5:50 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VL AREAVerifyLoginCallback -- user TRAIN19
AREA LDAP logging question
7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
Thanks Jesus, I'm OK with the set-up and with an ldap browser, I just need to get more verbose logging on the Remedy side so I can see what the Remedy plugin is doing to troubleshoot it. Thanks again, JDHood On Wed, Dec 21, 2011 at 7:14 PM, VARGAS, JESUS EMILIO (JESUS EMILIO) jesus_emilio.var...@alcatel-lucent.com wrote: ** ** ** The second mail part1 with the guide..! ** ** Best Regards. ** ** ** ** *J. Emilio Vargas* ALCATEL-LUCENT Av. Ciencia #13 Zona Industrial. Cuautitlan Izcalli - México T: +52 55 5870 9000 M: +52 1 55 5509 5590 jesus_emilio.var...@alcatel-lucent.com -- *From:* VARGAS, JESUS EMILIO (JESUS EMILIO) *Sent:* Miércoles, 21 de Diciembre de 2011 06:12 p.m. *To:* 'arslist@ARSLIST.ORG' *Subject:* FW: AREA LDAP logging question ** ** Hi JD Hood ** ** My recommendation is first check if you AR Server is able to connect to AREA Server (Active Directory), as attach I send you a small software than can help you to do the test. Ldp.exe (.zip file) ** ** And in a second mail w2guides “how to configure AREA…!” Is for old version, but the process is the same ** ** Best Regards. *J. Emilio Vargas* ALCATEL-LUCENT Av. Ciencia #13 Zona Industrial. Cuautitlan Izcalli - México T: +52 55 5870 9000 M: +52 1 55 5509 5590 jesus_emilio.var...@alcatel-lucent.com -- *From:* Action Request System discussion list(ARSList) [mailto: arslist@ARSLIST.ORG] *On Behalf Of *JD Hood *Sent:* Miércoles, 21 de Diciembre de 2011 05:50 p.m. *To:* arslist@ARSLIST.ORG *Subject:* AREA LDAP logging question ** ** ** 7.6.04 ITSM on Windows SQL Server ** ** I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails.* *** ** ** I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. ** ** At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. ** ** With plugin logging on and set to **ALL**, I get about 730 lines of logging when I attempt to login with a test user. ** ** Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: ** ** PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed **Dec 21 2011** 18:14:13.9300 */+VL AREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed **Dec 21 2011** 18:14:13.9300 */-VL FAIL ** ** ** ** This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? ** ** I've checked ARSList archives and the **BMC** KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. ** ** Any suggestions on how to get AREA logging much more verbose on the *REMEDY **SIDE***? ** ** Thanks in advance! JDHood _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG12 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
Re: AREA LDAP logging question
I suspect that either the AREA LDAP plugin is not being loaded for some reason or there is a configuration issue. Are you able to post the ar.conf and the plugin log, from startup, so that I can see what you have set up? Mark I work for BMC, I don't speak for them. From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of JD Hood Sent: 21 December 2011 23:50 To: arslist@ARSLIST.ORG Subject: AREA LDAP logging question ** 7.6.04 ITSM on Windows SQL Server I'm trying to configure AREA authentication. I have everything configured enough to make an authentication attempt and the attempt naturally fails. I do not have a POC at the LDAP server to check my test user's account or to check logging on the LDAP end. At this point, I'm not even sure I'm reaching LDAP, successfully binding and/or hitting the test user's LDAP account. With plugin logging on and set to ALL, I get about 730 lines of logging when I attempt to login with a test user. Out of those 730 lines of logging, I only get the following two lines that mention AREA or my user: PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */+VLAREAVerifyLoginCallback -- user TRAIN19 PLGN TID: 005436 RPC ID: 86 Queue: AREA Client-RPC: 390695 /* Wed Dec 21 2011 18:14:13.9300 */-VL FAIL This is like troubleshooting via braille method. Is there another AREA/LDAP log or some way to log the bind and auth attempt on the REMEDY side? I've checked ARSList archives and the BMC KB's and can't find anything that I haven't already tried. I do see some really nice log examples (Knowledge Article ID: KA334262) that I *WISH* I could capture on the Remedy Side. I think they would tell me what I need to know to get this working. For now, all I can find is those two measly log lines above. Any suggestions on how to get AREA logging much more verbose on the *REMEDY SIDE*? Thanks in advance! JDHood _attend WWRUG12 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are
AREA LDAP Chase Referrals
Hi all, Firts of all, I'm going to explain the situation of the REMEDY system I have: Server: SO: HP-UX 11.23 BD: Oracle 10g (remote server) Version: ARSystem 7.5 patch 3 (no ITSM) LDAP: Active Directory The client I'm working for has a system like that, with ARDBC and AREA LDAP plugins enabled. Both authentication and data retrieval from LDAP into Vendor forms work correctly. The fact is that AREA LDAP plugin seems to be chasing referrals, despite of the parameter AREA-LDAP-Chase-Referral is 'F', because there are opened connections into the server to another LDAPs of the organization.¿Is there any way to prevent AREA LDAP plugin to follow referrals into REMEDY?. Below I attached a portion of the aplugin log, and the AREA-LDAP parameters into the ar.conf file: PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2221 */+VL AREAVerifyLoginCallback -- user x PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2224 */ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2226 */ARSYS.AREA.LDAP FINER ldap_init(x, 389) PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2229 */ARSYS.AREA.LDAP FINER connect timeout previously: -1 PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2231 */ARSYS.AREA.LDAP FINER connect timeout used: 35000 PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2233 */ARSYS.AREA.LDAP FINER ldap_simple_bind(x, hidden) PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2285 */ARSYS.AREA.LDAP FINEST After the bind PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2290 */ARSYS.AREA.LDAP FINER ldap_search_ext(DC=x,DC=x, 2, sAMAccountName=x) *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2451 */ARSYS.AREA.LDAP FINER Following referral - rebinding* *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2545 */ARSYS.AREA.LDAP FINER Following referral - rebinding* *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2622 */ARSYS.AREA.LDAP FINER Following referral - rebinding* *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2658 */ARSYS.AREA.LDAP FINER Following referral - rebinding* *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2661 */ARSYS.AREA.LDAP FINER Following referral - rebinding* *PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2665 */ARSYS.AREA.LDAP FINER Following referral - rebinding* PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.2775 */ARSYS.AREA.LDAP FINER ldap_simple_bind(CN=x,OU=INFR,OU=Usuarios,OU=x,OU=x,DC=x,DC=x, hidden) ... ... PLGN TID: 05 RPC ID: 001233 Queue: AREA Client-RPC: 390695 /* Mon Jul 18 2011 10:56:45.3123 */-VL OK AREA-LDAP-Bind-Password: AREA-LDAP-Bind-User: \x AREA-LDAP-Port: 389 AREA-LDAP-Hostname: x AREA-LDAP-Use-Groups: 0 AREA-LDAP-User-Base: DC=x,DC=x AREA-LDAP-User-Filter: sAMAccountName=$\USER$ AREA-LDAP-UseSSL: F AREA-LDAP-Chase-Referral: F Thanks in advance, Miguel ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
AREA LDAP
Hello, Sorry, this is a bit of an advert, but also an interesting addition to this thread. At JSS, we've just completed a solution to reduce the complexity of AR System authentication after a customer asked us why they still needed the BMC AREA LDAP plugin if they had SSO enabled their AR System. It was a good question, because BMC are dropping support for the Windows User Tool and hence all front end user access will be via the Midtier. The AREA Plugin is not quick to configure, and a separate plugin can be required for each Active Directory, providing multiple levels of effort/configuration. In contrast, you can configure SSO Plugin with four pieces of information - two of which are the service account username/password and the other two are available from opening a Windows command prompt. Once configured, the plugin can authenticate users against all Domain Controllers on a typical corporate network. Only yesterday did we put together a video on this topic, so if you're interested in seeing the functionality, click on the features and functions video on this page (http://www.javasystemsolutions.com/jss/ssoplugin) and step through to 3min 50sec. Credit for this superb suggestion goes to Sascha, a Remedy Admin at a large German BMC client :-) John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
Re: AREA LDAP
Would this work if people are using the browser from a non-windows platform? Susan Bisanti HPC and National Operations Chief Information Officer Branch Environment Canada 2121 Trans-Canada Highway, Dorval (Quebec) H9P 1J3 susan.bisa...@ec.gc.ca Telephone 514-421-4666 Facsimile 514-421-4703 Government of Canada Website www.ec.gc.ca Susan Bisanti CHP et opérations nationales Direction générale du dirigeant principal de Iinformation Environnement Canada 2121 route Transcanadienne, Dorval (Québec) H9P 1J3 susan.bisa...@ec.gc.ca Téléphone 514-421-4666 Télécopieur 514-421-4703 Gouvernement du Canada Site Web www.ec.gc.ca -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of John Baker Sent: 30 November, 2010 03:57 To: arslist@ARSLIST.ORG Subject: AREA LDAP Hello, Sorry, this is a bit of an advert, but also an interesting addition to this thread. At JSS, we've just completed a solution to reduce the complexity of AR System authentication after a customer asked us why they still needed the BMC AREA LDAP plugin if they had SSO enabled their AR System. It was a good question, because BMC are dropping support for the Windows User Tool and hence all front end user access will be via the Midtier. The AREA Plugin is not quick to configure, and a separate plugin can be required for each Active Directory, providing multiple levels of effort/configuration. In contrast, you can configure SSO Plugin with four pieces of information - two of which are the service account username/password and the other two are available from opening a Windows command prompt. Once configured, the plugin can authenticate users against all Domain Controllers on a typical corporate network. Only yesterday did we put together a video on this topic, so if you're interested in seeing the functionality, click on the features and functions video on this page (http://www.javasystemsolutions.com/jss/ssoplugin) and step through to 3min 50sec. Credit for this superb suggestion goes to Sascha, a Remedy Admin at a large German BMC client :-) John ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
Re: AREA LDAP
In our system, it does not prompt them for the login again--but the application re-authenticates them as they do things, so they end up locking their login accounts. We tell our people to close Remedy before changing their password. Anne Ramey -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of John Baker Sent: Friday, November 26, 2010 3:37 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Hello, They will not be prompted to login again until they login again, at which point they will need to use the new password. John -- Single Sign On for AR System http://www.javasystemsolutions.com/jss/ssoplugin ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
Re: AREA LDAP
Folks, What actually happens is that there is a configuration setting for the server that indicates at what interval a user should be reauthenticated. When you first login, we go and authenticate the user. Then, we have this user as a valid user in the system and subsequent API calls check this user instance. If that instance is ever lost, we simply go an authenticate the user and the user. The instance is rarely lost (only when something like the server is recycled) so generally that instance record is present for a long time. The configuration setting allows you to indicate how long since the last time you did an authentication you want to repeat the authentication check even if there is an active instance record. I am not sure what the default setting is but I think the ar.conf line that controls the value is External-Authentication-Sync-Timeout: I suspect the value specified is in seconds, but it could be minutes. OK, since I was coming up with a bunch of I am not sure, I did the unheard of and just checked the documentation -- what a concept. This is indeed the setting. The value is in seconds. The default is 300 seconds. (older version of server so this may have changed) Setting the value to 0 causes it to never recheck. What this means is the following: On a change to the password (or rights or any other characteristic being returned by AREA), there is no immediate affect, the user remains logged in and active. However, when the sync timeout comes around -- this may be immediate if the last sync was over the interval or may be up to the full interval -- the user is rechecked. If their password was changed, they are no longer a valid user and will get an authentication error and the error should be returned to the user. Now, the issue reported by Anne can occur if the re-check tries with a bad password and gets an error and the user tries some other things, well, more bad password tries occur and that can cross the threshold of maximum bad password attempts. If the user cleanly relogins in on the authentication error, they will likely not have an issue -- but remember they already have a strike or two from the bad attempts so they have to get things right quickly. Best is to have the user log out of all systems -- because other systems may have a similar recheck to the AR System so now you potentially have multiple systems re-checking with bad passwords and it doesn't take long to hit that bad password limit. The recheck is to accomplish several things: 1) Pick up new data -- like new rights or email address or other information you are getting from the AREA source 2) Make sure that a user cannot just stay in with an old session forever and to force them to supply the new password within a configured time if the change was a password change. I hope this helps address the question and gives a bit of background on why things are working the way they are. Doug Mueller -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ramey, Anne Sent: Monday, November 29, 2010 8:40 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP In our system, it does not prompt them for the login again--but the application re-authenticates them as they do things, so they end up locking their login accounts. We tell our people to close Remedy before changing their password. Anne Ramey -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of John Baker Sent: Friday, November 26, 2010 3:37 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Hello, They will not be prompted to login again until they login again, at which point they will need to use the new password. John -- Single Sign On for AR System http://www.javasystemsolutions.com/jss/ssoplugin ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties by an authorized state official. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
AREA LDAP
Hi, I've got the question about an authentication. I'm going to configurate the Remedy 7.1 server for AREA LDAP using. All users in User form will have the blank password. The users will be prompted for login once only. The question is what happens if the password will be changed within LDAP? Does it mean that this user will be prompted for login once more? Best regards, Irina ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
AREA LDAP
Hello, They will not be prompted to login again until they login again, at which point they will need to use the new password. John -- Single Sign On for AR System http://www.javasystemsolutions.com/jss/ssoplugin ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
AW: AREA LDAP
Hi Irina, you are talking about Cross Ref Blank Password, which means that only the password will be authenticated against the LDAP directory. 1. The user has to login to his Windows PC with his DomainName+ DomainPassword 2. He starts the Usertool and has to give DomainName + DomainPassword again (except you disabled the Flag prompt for login) If the Password in the LDAP Directory changes, then of course this will be invalid on your next login to ARS and Autologin via disabled flag prompt for login will fail. Best regards Andreas Von: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] Im Auftrag von irina solarcuka Gesendet: Freitag, 26. November 2010 09:08 An: arslist@ARSLIST.ORG Betreff: AREA LDAP ** Hi, I've got the question about an authentication. I'm going to configurate the Remedy 7.1 server for AREA LDAP using. All users in User form will have the blank password. The users will be prompted for login once only. The question is what happens if the password will be changed within LDAP? Does it mean that this user will be prompted for login once more? Best regards, Irina _attend WWRUG11 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: Where the Answers Are
AREA LDAP Integration - please help me to start it
Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Best place to start would be the Integration Guide for AR System. LDAP plug-ins are documented in Chapter 8. -David J. Easter Sr. Product Manager, Enterprise Service Management BMC Software, Inc. The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 10:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
This information is going to need to come from your AD guys. It depends entirely upon your domain structure. Yours might be OU=Users,DC= GSSAMERICA,DC=com But in all honesty I don't know where your domain admins keep their user records..don't know if they store them in the Users, or some other folder..don't know what your structure is.so you will need to check with them From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 12:08 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Thanks LJ as of now, My Base User configuration done by your guidance now am doing from there onwards. your help is really appreciated in this regard. Thanks a ton Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Thursday, April 29, 2010 12:06 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** This information is going to need to come from your AD guys. It depends entirely upon your domain structure. Yours might be OU=Users,DC= GSSAMERICA,DC=com But in all honesty I don't know where your domain admins keep their user records..don't know if they store them in the Users, or some other folder..don't know what your structure is.so you will need to check with them From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 12:08 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Thanks for the reply, In a configuration of LDAP with ARSystem To map LDAP groups to AR System groups - May I know what I have to mention in 'LDAP Group name' and 'ARSystem Group' field under 'EA' tab in Server information form. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Thursday, April 29, 2010 12:06 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** This information is going to need to come from your AD guys. It depends entirely upon your domain structure. Yours might be OU=Users,DC= GSSAMERICA,DC=com But in all honesty I don't know where your domain admins keep their user records..don't know if they store them in the Users, or some other folder..don't know what your structure is.so you will need to check with them From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 12:08 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
I've never used the LDAP-ARS mapping feature, sorry..I have no experience that can help you there. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 2:12 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks for the reply, In a configuration of LDAP with ARSystem To map LDAP groups to AR System groups - May I know what I have to mention in 'LDAP Group name' and 'ARSystem Group' field under 'EA' tab in Server information form. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Thursday, April 29, 2010 12:06 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** This information is going to need to come from your AD guys. It depends entirely upon your domain structure. Yours might be OU=Users,DC= GSSAMERICA,DC=com But in all honesty I don't know where your domain admins keep their user records..don't know if they store them in the Users, or some other folder..don't know what your structure is.so you will need to check with them From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 12:08 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP Integration - please help me to start it
Hi, You can use ldap browser ( http://www.ldapbrowser.com www.ldapbrowser.com) to navigate on the ldap tree. This tool will help you configure arealdap plugin. Cheers Konrad TopPositions Really only one secure Plugin SSO for BM Remedy AR System. Http://www.remedy-sso.com From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:00 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** I've never used the LDAP-ARS mapping feature, sorry..I have no experience that can help you there. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 2:12 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks for the reply, In a configuration of LDAP with ARSystem To map LDAP groups to AR System groups - May I know what I have to mention in 'LDAP Group name' and 'ARSystem Group' field under 'EA' tab in Server information form. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Thursday, April 29, 2010 12:06 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** This information is going to need to come from your AD guys. It depends entirely upon your domain structure. Yours might be OU=Users,DC= GSSAMERICA,DC=com But in all honesty I don't know where your domain admins keep their user records..don't know if they store them in the Users, or some other folder..don't know what your structure is.so you will need to check with them From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 12:08 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Thanks and Appreciated the Response, May I know the information about Base DN for Discovery Field from 'ARDBC LDAP Configuration' form. What can I give an input there for my Microsoft AD Server to improve the discovery performance. Thanks Regards, Rambabu Rudra System Administrator From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of LJ LongWing Sent: Wednesday, April 28, 2010 11:14 PM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP Integration - please help me to start it ** Start by reading the 'Integrating with Plug-ins and Third-Party Products' document starting on 102. Then read the 'Configuring' starting on 172. These are for 7.1 versions of the docs..reading those should give you most if not all the information you need to configure it..if you have any specific questions, please feel free to come back and ask. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Ram Rudra Sent: Wednesday, April 28, 2010 11:04 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP Integration - please help me to start it ** Hi All, We would like to have our AD integration with our remedy tool. How can I start it. Any guidance would be appreciated. Thanks Regards, Ram Rudra _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
I have set the log level to Finest for plugin logs and I only see the following entries... I don't see any failures in the log. PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */+CTARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */-CT OK PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0009 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0010 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0027 */+CTARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0028 */-CT OK I do see the following in aruser.log: LOGIN FAILED loginid (password) I also see the following in arapi.log during log-in time: API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid/* Wed Apr 21 2010 07:15:11.5996 */+GSIARGetServerInfo -- as user 436557 from Remedy User (protocol 13) at IP address ipaddress API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid/* Wed Apr 21 2010 07:15:11.6036 */-GSI FAIL But nothing in any of the logs indicate what could be causing the authentication failure. Any other configurations to check? Thanks, -- Shyam From: Joe D'Souza jdso...@shyle.net To: arslist@ARSLIST.ORG Sent: Tue, April 20, 2010 6:31:17 PM Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Shyam, Enable the plugin log and set it to Fine and see what you get when you are trying to authenticate using the plugin.. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Shyam Attavar Sent: Tuesday, April 20, 2010 7:49 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam_attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Are there any entries from the AREA plugin at all? Are you sure it's being loaded? Mark From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Shyam Attavar Sent: 21 April 2010 15:19 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** I have set the log level to Finest for plugin logs and I only see the following entries... I don't see any failures in the log. PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */+CTARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */-CT OK PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0009 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0010 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0027 */+CTARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0028 */-CT OK I do see the following in aruser.log: LOGIN FAILED loginid (password) I also see the following in arapi.log during log-in time: API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid/* Wed Apr 21 2010 07:15:11.5996 */+GSIARGetServerInfo -- as user 436557 from Remedy User (protocol 13) at IP address ipaddress API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid/* Wed Apr 21 2010 07:15:11.6036 */-GSI FAIL But nothing in any of the logs indicate what could be causing the authentication failure. Any other configurations to check? Thanks, -- Shyam From: Joe D'Souza jdso...@shyle.net To: arslist@ARSLIST.ORG Sent: Tue, April 20, 2010 6:31:17 PM Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Shyam, Enable the plugin log and set it to Fine and see what you get when you are trying to authenticate using the plugin.. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Shyam Attavar Sent: Tuesday, April 20, 2010 7:49 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam _attend WWRUG10 www.wwrug.comhttp://www.wwrug.com ARSlist: Where the Answers Are_ _attend WWRUG10 www.wwrug.com ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: {Remedy ARS} AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
I had an ldap issue with an update to 7.1 patch 3 long ago. It was a little different. I could authenticate with the first ldap in the config but the rest wouldn't work. So not sure if this will help. = Found out a little bit of information, well confirmed it actually, concerning the information on page 174 of the Integration Guide. What this means is that you can only have one plugin dll in the ar.cfg file. What I see in your ar.cfg file is this: Plugin: arealdap.dll and Plugin: areahub.dll Since the arealdap.dll is listed first in the ar.cfg file, that is the plugin being used. Please comment out or remove the Plugin: arealdap.dll line that exists at the top of the ar.cfg file, then restart ARServer and test. What I also confirmed was that when using the AREA Hub dll, if a user authentication call fails for any reason, it should still failover to the next LDAP server in the AREALDAP Configuration form list, until it authenticates the user or exhausts the list of directory servers. Let me know if this information helps to resolve the issue. On Apr 20, 7:48 pm, Shyam Attavar atta...@sbcglobal.net wrote: Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam ___ UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org attend wwrug10www.wwrug.comARSlist: Where the Answers Are -- You received this message because you are subscribed to the Google Groups Remedy ARS group. To post to this group, send email to arsl...@googlegroups.com. To unsubscribe from this group, send email to arslist+unsubscr...@googlegroups.com. For more options, visit this group athttp://groups.google.com/group/arslist?hl=en. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: {Remedy ARS} AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Shyam, Go to your armonitor.cfg file (assuming windows) and make sure your entries for arplugin.exe are correct. When I upgraded from 7.1P2 -- 7.1P7, 2 of my plugin entries were chopped off. You should be able to compare your Dev and your Prod environments. I use 3 plugins because I have 3 directories I authenticate users to.. -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of remedy lee Sent: Wednesday, April 21, 2010 9:24 AM To: arslist@ARSLIST.ORG Subject: Re: {Remedy ARS} AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade I had an ldap issue with an update to 7.1 patch 3 long ago. It was a little different. I could authenticate with the first ldap in the config but the rest wouldn't work. So not sure if this will help. = Found out a little bit of information, well confirmed it actually, concerning the information on page 174 of the Integration Guide. What this means is that you can only have one plugin dll in the ar.cfg file. What I see in your ar.cfg file is this: Plugin: arealdap.dll and Plugin: areahub.dll Since the arealdap.dll is listed first in the ar.cfg file, that is the plugin being used. Please comment out or remove the Plugin: arealdap.dll line that exists at the top of the ar.cfg file, then restart ARServer and test. What I also confirmed was that when using the AREA Hub dll, if a user authentication call fails for any reason, it should still failover to the next LDAP server in the AREALDAP Configuration form list, until it authenticates the user or exhausts the list of directory servers. Let me know if this information helps to resolve the issue. On Apr 20, 7:48 pm, Shyam Attavar atta...@sbcglobal.net wrote: Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam ___ UNSUBSCRIBE or access ARSlist Archives atwww.arslist.org attend wwrug10www.wwrug.comARSlist: Where the Answers Are -- You received this message because you are subscribed to the Google Groups Remedy ARS group. To post to this group, send email to arsl...@googlegroups.com. To unsubscribe from this group, send email to arslist+unsubscr...@googlegroups.com. For more options, visit this group athttp://groups.google.com/group/arslist?hl=en. ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Shyam, That's the same thing I would ask that Mark did. It appears as though the AREA plugin is not being called at all in the logs if that is all you see in your plugin log file. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Walters, Mark Sent: Wednesday, April 21, 2010 10:21 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Are there any entries from the AREA plugin at all? Are you sure it's being loaded? Mark From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Shyam Attavar Sent: 21 April 2010 15:19 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** I have set the log level to Finest for plugin logs and I only see the following entries... I don't see any failures in the log. PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */+CT ARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */-CT OK PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0009 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0010 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0027 */+CT ARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0028 */-CT OK I do see the following in aruser.log: LOGIN FAILED loginid (password) I also see the following in arapi.log during log-in time: API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid /* Wed Apr 21 2010 07:15:11.5996 */+GSIARGetServerInfo -- as user 436557 from Remedy User (protocol 13) at IP address ipaddress API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid /* Wed Apr 21 2010 07:15:11.6036 */-GSI FAIL But nothing in any of the logs indicate what could be causing the authentication failure. Any other configurations to check? Thanks, -- Shyam -- From: Joe D'Souza jdso...@shyle.net To: arslist@ARSLIST.ORG Sent: Tue, April 20, 2010 6:31:17 PM Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Shyam, Enable the plugin log and set it to Fine and see what you get when you are trying to authenticate using the plugin.. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Shyam Attavar Sent: Tuesday, April 20, 2010 7:49 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Joe, Mark, et al Thanks for your input. I'll confirm the AREA plugin is being loaded and see if there are indicators for errors. -- Shyam From: Joe D'Souza jdso...@shyle.net To: arslist@ARSLIST.ORG Sent: Wed, April 21, 2010 10:02:18 AM Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Shyam, That's the same thing I would ask that Mark did. It appears as though the AREA plugin is not being called at all in the logs if that is all you see in your plugin log file. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Walters, Mark Sent: Wednesday, April 21, 2010 10:21 AM To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Are there any entries from the AREA plugin at all? Are you sure it’s being loaded? Mark From:Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Shyam Attavar Sent: 21 April 2010 15:19 To: arslist@ARSLIST.ORG Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** I have set the log level to Finest for plugin logs and I only see the following entries... I don't see any failures in the log. PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000110 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9027 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */+CT ARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000111 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:12.9030 */-CT OK PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0009 */+GLEWF ARDBCGetListEntryWithFields -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION table Server Info Plugin Setttings PLGN TID: 56671136 RPC ID: 000112 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0010 */-GLEWF OK PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0027 */+CT ARDBCCommitTransaction -- vendor REMEDY.ARDBC.SERVER.ADMINISTRATION PLGN TID: 56671136 RPC ID: 000113 Queue: ARDBC Client-RPC: 390695 /* Wed Apr 21 2010 06:59:13.0028 */-CT OK I do see the following in aruser.log: LOGIN FAILED loginid (password) I also see the following in arapi.log during log-in time: API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620 USER: loginid /* Wed Apr 21 2010 07:15:11.5996 */+GSIARGetServerInfo -- as user 436557 from Remedy User (protocol 13) at IP address ipaddress API TID: 0089148320 RPC ID: 015023 Queue: Fast Client-RPC: 390620USER: loginid /* Wed Apr 21 2010 07:15:11.6036 */-GSI FAIL But nothing in any of the logs indicate what could be causing the authentication failure. Any other configurations to check? Thanks, -- Shyam From:Joe D'Souza jdso...@shyle.net To: arslist@ARSLIST.ORG Sent: Tue, April 20, 2010 6:31:17 PM Subject: Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Shyam, Enable the plugin log and set it to Fine and see what you get when you are trying to authenticate using the plugin.. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Shyam Attavar Sent: Tuesday, April 20, 2010 7:49 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4
AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade
Shyam, Enable the plugin log and set it to Fine and see what you get when you are trying to authenticate using the plugin.. Joe -Original Message- From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org]on Behalf Of Shyam Attavar Sent: Tuesday, April 20, 2010 7:49 PM To: arslist@ARSLIST.ORG Subject: AREA LDAP issue after upgrading to AR Server 7.1.0 Patch 9 upgrade ** Dear Listers, We upgraded our test environment from AR Server 7.1.0 Patch 006 to Patch 009. As part of the upgrade we upgraded the AREA LDAP plugin as well. After the upgrade, we are unable to authenticate against LDAP. We can login to the system by setting a local password in the user form. I have reconfigured the AREA LDAP entries from the AR System Administration Console, but unable to resolve the issue. Anyone else seen this issue after upgrading to AR Server 7.1.0 Patch 009? if so, how were you able to resolve the issue? Environment: AR Server on RHEL Oracle 10gR4 on RHEL Thanks in advance, -- Shyam ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
Re: AREA LDAP plug-in
We have the same setup and using a single hostname eventually came back to bite us when someone decommissioned the server without telling us. I don't think there is a way to run multiple plugins, but what we did was use a load-balanced virtual IP in place of a host name. This way the DCs can change at will as long the new ones are added to the load balancer. It also eliminated us from having to maintain a list of active DCs. From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Philip, Saji L Sent: Thursday, November 05, 2009 8:52 AM To: arslist@ARSLIST.ORG Subject: AREA LDAP plug-in ** This is probably an old question. But I am running ARS 6.3 with Help Desk 6.0. We are in the process of authenticating logins using the AREA LDAP plug-in. We have multiple Domain Controllers in our AD environment, and I would like to know if I can create more then one plug-in with different ' Host Names '? And if I can create multiple Group bases. Thanks _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another SOLVED
My mistake. I exported the ARDBC LDAP Configuration form our test server and imported it into the live server. But I just exported the form. I needed to check Add All Related. Thank you, Pawan of BMC support for figuring it out! (And thanks again, Axton, for your input.) Dwayne From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Axton Sent: Friday, August 28, 2009 3:14 PM To: arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** Then all you should need is this in the ar.conf: Plugin: /path/to/remedy/plugin/ardbcldap.so Then restart the plugin server. Enable the plugin logs and make sure the plugin is loaded properly. Axton Grams On Fri, Aug 28, 2009 at 1:24 PM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** Just - ARDBC LDAP to handle reading data from an LDAP store via a Vendor form. Dwayne From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of Axton Sent: Friday, August 28, 2009 2:09 PM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** What all plugin(s) are you trying to move over? - AREA LDAP for authentication - AREA HUB to handle multiple authentication sources - ARDBC LDAP to handle reading data from an LDAP store via a Vendor form - ARDBC CONF to handle the configuration of the pre-built AREA plugin If you are trying to do the AREA authentication using the pre-built plugins, you need both the AREA LDAP plugin and the ARDBC CONF plugin. In addition to this, you will need to move the AREA LDAP Configuration and Configuration ARDBC forms for the AREA configuration form to work properly. Axton Grams On Fri, Aug 28, 2009 at 11:27 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** I should also add that ardbcldap.so is in /opt/remedy/bin in both servers, and both ar.conf files have Plugin: /opt/remedy/bin/ardbcldap.so lines Dwayne From: Robert D Martin Sent: Friday, August 28, 2009 12:19 PM To: 'arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG' Subject: RE: Copying AREA LDAP Plugin from one server to another Thanks, Axton. I should have included that in my email. The ar.conf files are identical, at least all the lines that start with AREA-LDAP. Dwayne From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of Axton Sent: Friday, August 28, 2009 10:46 AM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn't think we needed the AREA LDAP Plugin. But now we do, and we don't want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We've copied over arealdap.so and ardbcconf.so, but when we try to create a new Vendor form, ARSYS.ARDBC.LDAP isn't on the list of Available Vendor Names. (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Copying AREA LDAP Plugin from one server to another
Dear List, We installed ARS 7.1 on our live system, and at the time we didn't think we needed the AREA LDAP Plugin. But now we do, and we don't want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We've copied over arealdap.so and ardbcconf.so, but when we try to create a new Vendor form, ARSYS.ARDBC.LDAP isn't on the list of Available Vendor Names. (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another
You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn’t think we needed the AREA LDAP Plugin. But now we do, and we don’t want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We’ve copied over “arealdap.so” and “ardbcconf.so”, but when we try to create a new Vendor form, “ARSYS.ARDBC.LDAP” isn’t on the list of “Available Vendor Names.” (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another
Thanks, Axton. I should have included that in my email. The ar.conf files are identical, at least all the lines that start with AREA-LDAP. Dwayne From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Axton Sent: Friday, August 28, 2009 10:46 AM To: arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn't think we needed the AREA LDAP Plugin. But now we do, and we don't want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We've copied over arealdap.so and ardbcconf.so, but when we try to create a new Vendor form, ARSYS.ARDBC.LDAP isn't on the list of Available Vendor Names. (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another
I should also add that ardbcldap.so is in /opt/remedy/bin in both servers, and both ar.conf files have Plugin: /opt/remedy/bin/ardbcldap.so lines Dwayne From: Robert D Martin Sent: Friday, August 28, 2009 12:19 PM To: 'arslist@ARSLIST.ORG' Subject: RE: Copying AREA LDAP Plugin from one server to another Thanks, Axton. I should have included that in my email. The ar.conf files are identical, at least all the lines that start with AREA-LDAP. Dwayne From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Axton Sent: Friday, August 28, 2009 10:46 AM To: arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn't think we needed the AREA LDAP Plugin. But now we do, and we don't want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We've copied over arealdap.so and ardbcconf.so, but when we try to create a new Vendor form, ARSYS.ARDBC.LDAP isn't on the list of Available Vendor Names. (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another
What all plugin(s) are you trying to move over? - AREA LDAP for authentication - AREA HUB to handle multiple authentication sources - ARDBC LDAP to handle reading data from an LDAP store via a Vendor form - ARDBC CONF to handle the configuration of the pre-built AREA plugin If you are trying to do the AREA authentication using the pre-built plugins, you need both the AREA LDAP plugin and the ARDBC CONF plugin. In addition to this, you will need to move the AREA LDAP Configuration and Configuration ARDBC forms for the AREA configuration form to work properly. Axton Grams On Fri, Aug 28, 2009 at 11:27 AM, Robert D Martin marti...@jmu.edu wrote: ** I should also add that “ardbcldap.so” is in “ /opt/remedy/bin” in both servers, and both ar.conf files have “Plugin: /opt/remedy/bin/ardbcldap.so” lines Dwayne *From:* Robert D Martin *Sent:* Friday, August 28, 2009 12:19 PM *To:* 'arslist@ARSLIST.ORG' *Subject:* RE: Copying AREA LDAP Plugin from one server to another Thanks, Axton. I should have included that in my email. The ar.conf files are identical, at least all the lines that start with “AREA-LDAP.” Dwayne *From:* Action Request System discussion list(ARSList) [mailto: arsl...@arslist.org] *On Behalf Of *Axton *Sent:* Friday, August 28, 2009 10:46 AM *To:* arslist@ARSLIST.ORG *Subject:* Re: Copying AREA LDAP Plugin from one server to another ** You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn’t think we needed the AREA LDAP Plugin. But now we do, and we don’t want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We’ve copied over “arealdap.so” and “ardbcconf.so”, but when we try to create a new Vendor form, “ARSYS.ARDBC.LDAP” isn’t on the list of “Available Vendor Names.” (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are
Re: Copying AREA LDAP Plugin from one server to another
Just - ARDBC LDAP to handle reading data from an LDAP store via a Vendor form. Dwayne From: Action Request System discussion list(ARSList) [mailto:arsl...@arslist.org] On Behalf Of Axton Sent: Friday, August 28, 2009 2:09 PM To: arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** What all plugin(s) are you trying to move over? - AREA LDAP for authentication - AREA HUB to handle multiple authentication sources - ARDBC LDAP to handle reading data from an LDAP store via a Vendor form - ARDBC CONF to handle the configuration of the pre-built AREA plugin If you are trying to do the AREA authentication using the pre-built plugins, you need both the AREA LDAP plugin and the ARDBC CONF plugin. In addition to this, you will need to move the AREA LDAP Configuration and Configuration ARDBC forms for the AREA configuration form to work properly. Axton Grams On Fri, Aug 28, 2009 at 11:27 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** I should also add that ardbcldap.so is in /opt/remedy/bin in both servers, and both ar.conf files have Plugin: /opt/remedy/bin/ardbcldap.so lines Dwayne From: Robert D Martin Sent: Friday, August 28, 2009 12:19 PM To: 'arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG' Subject: RE: Copying AREA LDAP Plugin from one server to another Thanks, Axton. I should have included that in my email. The ar.conf files are identical, at least all the lines that start with AREA-LDAP. Dwayne From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG] On Behalf Of Axton Sent: Friday, August 28, 2009 10:46 AM To: arslist@ARSLIST.ORGmailto:arslist@ARSLIST.ORG Subject: Re: Copying AREA LDAP Plugin from one server to another ** You have to register the plugin in ar.conf. Take a look at your source server and target server to identify the lines that are missing. Axton Grams On Fri, Aug 28, 2009 at 9:39 AM, Robert D Martin marti...@jmu.edumailto:marti...@jmu.edu wrote: ** Dear List, We installed ARS 7.1 on our live system, and at the time we didn't think we needed the AREA LDAP Plugin. But now we do, and we don't want to do a re-install because of the risk that something will go wrong. But we do have the Plugin installed on our test arsystem. Is it possible to copy objects and data from the test system over to the live system? If so, what all needs to be moved and configured? We've copied over arealdap.so and ardbcconf.so, but when we try to create a new Vendor form, ARSYS.ARDBC.LDAP isn't on the list of Available Vendor Names. (In fact, the choices that were there are gone, which means that we have messed something up.) Any advice? (ARS 7.1, RH Linux server, Oracle 10.2 db) _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.netmailto:rmisoluti...@verizon.net ARSlist: Where the Answers Are_ _Platinum Sponsor: rmisoluti...@verizon.net ARSlist: Where the Answers Are_ ___ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org Platinum Sponsor:rmisoluti...@verizon.net ARSlist: Where the Answers Are