Re: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?

2018-03-05 Thread LJ LongWing
If you are able to get onto the 9.1 platform, you can open a defect with
BMC regarding it and they will fix

I would recommend checking it against 9.1.04 if possible because that's the
latest currently available...

On Mon, Mar 5, 2018 at 12:45 AM, Narayanan, Radhika <
radhika.naraya...@cgi.com> wrote:

> Hi,
>
>
>
> Thank you. I’m trying to reproduce this error on non-unicode ARS 9.1.03.
> If it gives the same error there due to AREA Plugin defect, perhaps it will
> be fixed on 9.1.03 ?
>
>
>
> *Thanks,*
>
> *Radhika Narayanan*
>
>
>
> *From:* ARSList [mailto:arslist-boun...@arslist.org] *On Behalf Of *LJ
> LongWing
> *Sent:* Sunday, March 04, 2018 9:51 PM
> *To:* ARSList
> *Subject:* Re: How does Non-Unicode AR Server handle AREA LDAP
> authentication having unicode characters in CN ?
>
>
>
> Radhika,
>
> Ultimately the only thing that matters is the login name, so the CN in AD
> shouldn't matter, but apparently, everyone else is working but the unicode
> ones aren't?...if that's the case you may be dealing with a defect in the
> AREA plugin...unfortunately for you, the version that you are on is no
> longer supported from a 'code fix' perspective...so I'm not sure you are
> going to be able to get this working without doing either data cleanup to
> remove all of the unicode characters, or potentially converting to unicode
> yourself...unfortunately, if the problem is in the area plugin in relation
> to unicode, converting to unicode for Remedy might not help you out...
>
>
>
> On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika <
> radhika.naraya...@cgi.com> wrote:
>
> Hi,
>
>
>
> We’ve a non-unicode AR Server. Remedy Login Ids are in English only both
> on AD and AR Server.
>
> Where the Active Directory had First or Last Name with Unicode character
> such as Vytautas Morkūnas, the corresponding name will be held in ITSM
> CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character
> ū as it is currently installed as non-unicode). When this user logs in with
> correct AD password,  he/she gets Authentication failed.
>
>
>
> In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the
> AREA Plugin Log, we see that bind is successful for login id = abc1234 and
> AD returns the following : *CN=Morkūnas\, Vytautas
> (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. *
>
> Even though bind is successful, AR still throws authentication failed
> error. Is it because AREA Plugin or ARS is unable to read the Unicode
> character in CN ?*CN=Morkūnas\, Vytautas (abc1234). *Please suggest how
> to get authenticated successfully.
>
>
>
> Environment: ARS & ITSM 8.1.02
>
> Non-Unicode Setup.
>
>
>
> *Thanks,*
>
> *Radhika Narayanan*
>
>
> --
> ARSList mailing list
> ARSList@arslist.org
> https://mailman.rrr.se/cgi/listinfo/arslist


RE: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?

2018-03-04 Thread Narayanan, Radhika
Hi,

Thank you. I’m trying to reproduce this error on non-unicode ARS 9.1.03. If it 
gives the same error there due to AREA Plugin defect, perhaps it will be fixed 
on 9.1.03 ?

Thanks,
Radhika Narayanan

From: ARSList [mailto:arslist-boun...@arslist.org] On Behalf Of LJ LongWing
Sent: Sunday, March 04, 2018 9:51 PM
To: ARSList
Subject: Re: How does Non-Unicode AR Server handle AREA LDAP authentication 
having unicode characters in CN ?

Radhika,
Ultimately the only thing that matters is the login name, so the CN in AD 
shouldn't matter, but apparently, everyone else is working but the unicode ones 
aren't?...if that's the case you may be dealing with a defect in the AREA 
plugin...unfortunately for you, the version that you are on is no longer 
supported from a 'code fix' perspective...so I'm not sure you are going to be 
able to get this working without doing either data cleanup to remove all of the 
unicode characters, or potentially converting to unicode 
yourself...unfortunately, if the problem is in the area plugin in relation to 
unicode, converting to unicode for Remedy might not help you out...

On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika 
<radhika.naraya...@cgi.com> wrote:
Hi,

We’ve a non-unicode AR Server. Remedy Login Ids are in English only both on AD 
and AR Server.
Where the Active Directory had First or Last Name with Unicode character such 
as Vytautas Morkūnas, the corresponding name will be held in ITSM CTM:People 
form as Vytautas Morknas (ARS can’t store the Unicode character ū as it is 
currently installed as non-unicode). When this user logs in with correct AD 
password,  he/she gets Authentication failed.

In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the AREA 
Plugin Log, we see that bind is successful for login id = abc1234 and AD 
returns the following : CN=Morkūnas\, Vytautas 
(abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz.
Even though bind is successful, AR still throws authentication failed error. Is 
it because AREA Plugin or ARS is unable to read the Unicode character in CN 
?CN=Morkūnas\, Vytautas (abc1234). Please suggest how to get authenticated 
successfully.

Environment: ARS & ITSM 8.1.02
Non-Unicode Setup.

Thanks,
Radhika Narayanan



Re: How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?

2018-03-04 Thread LJ LongWing
Radhika,
Ultimately the only thing that matters is the login name, so the CN in AD
shouldn't matter, but apparently, everyone else is working but the unicode
ones aren't?...if that's the case you may be dealing with a defect in the
AREA plugin...unfortunately for you, the version that you are on is no
longer supported from a 'code fix' perspective...so I'm not sure you are
going to be able to get this working without doing either data cleanup to
remove all of the unicode characters, or potentially converting to unicode
yourself...unfortunately, if the problem is in the area plugin in relation
to unicode, converting to unicode for Remedy might not help you out...

On Thu, Feb 22, 2018 at 7:34 AM, Narayanan, Radhika <
radhika.naraya...@cgi.com> wrote:

> Hi,
>
>
>
> We’ve a non-unicode AR Server. Remedy Login Ids are in English only both
> on AD and AR Server.
>
> Where the Active Directory had First or Last Name with Unicode character
> such as Vytautas Morkūnas, the corresponding name will be held in ITSM
> CTM:People form as Vytautas Morknas (ARS can’t store the Unicode character
> ū as it is currently installed as non-unicode). When this user logs in with
> correct AD password,  he/she gets Authentication failed.
>
>
>
> In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the
> AREA Plugin Log, we see that bind is successful for login id = abc1234 and
> AD returns the following : *CN=Morkūnas\, Vytautas
> (abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz. *
>
> Even though bind is successful, AR still throws authentication failed
> error. Is it because AREA Plugin or ARS is unable to read the Unicode
> character in CN ?*CN=Morkūnas\, Vytautas (abc1234). *Please suggest how
> to get authenticated successfully.
>
>
>
> Environment: ARS & ITSM 8.1.02
>
> Non-Unicode Setup.
>
>
>
> *Thanks,*
>
> *Radhika Narayanan*
>


How does Non-Unicode AR Server handle AREA LDAP authentication having unicode characters in CN ?

2018-02-22 Thread Narayanan, Radhika
Hi,

We’ve a non-unicode AR Server. Remedy Login Ids are in English only both on AD 
and AR Server.
Where the Active Directory had First or Last Name with Unicode character such 
as Vytautas Morkūnas, the corresponding name will be held in ITSM CTM:People 
form as Vytautas Morknas (ARS can’t store the Unicode character ū as it is 
currently installed as non-unicode). When this user logs in with correct AD 
password,  he/she gets Authentication failed.

In AREA Configuration, User Search Filter = sAMAccountName=$\USER$. In the AREA 
Plugin Log, we see that bind is successful for login id = abc1234 and AD 
returns the following : CN=Morkūnas\, Vytautas 
(abc1234),OU=Users,OU=xx,OU=yy,OU=zz,DC=xyz.
Even though bind is successful, AR still throws authentication failed error. Is 
it because AREA Plugin or ARS is unable to read the Unicode character in CN 
?CN=Morkūnas\, Vytautas (abc1234). Please suggest how to get authenticated 
successfully.

Environment: ARS & ITSM 8.1.02
Non-Unicode Setup.

Thanks,
Radhika Narayanan


Re: SSL for LDAP

2016-11-28 Thread Axton
The error means that the JVM doesn't trust the issuing CA on the remote
side (ldap server).  You can get the CA path from the remote server using
openssl:
openssl s_client -connect ldap.server.com:636

That will give you the certs in pem format as well as the chain up to the
root.

Add the root CA and any intermediate CA certs into the cacerts used by
Remedy.  You need to know which cacerts to update.  Most Java software uses
the cacerts bundled with the JRE under jre/lib/security/cacerts by
default.  You can optionally tell the JRE to use a different cacert using a
command line argument: -Djavax.net.ssl.trustStore=/path/to/cacerts

Axton

On Wed, Nov 9, 2016 at 6:19 PM, Fawver, Dustin <faw...@mail.etsu.edu> wrote:

>
> Greetings!
>
>
> I have been trying to get AREA to use LDAP over SSL now.  I followed the
> instructions over at
> https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.
> The systems administrator instructed me some time ago to go to one of our
> servers and export the security certificate from within Firefox.  I did
> that and used keytool to create the store.  I am getting the error message
> below.
>
>
> > <
>  ARPluginContext.java:176   > /* Wed Nov 09 2016 07:12:12.805 */
>  Ldap Authentication failed!javax.naming.CommunicationException:
> simple bind failed: jcdc1.etsu.edu:636 [Root exception is 
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]
>
>
> Looking at the certificate chain, I saw that there was a GeoTrust CA cert
> and a GeoTrust SHA cert.  I exported those from the same server and added
> those to the trust store.  While searching for a solution, I found some
> people would add the certs to the primary Java cacerts store located in
> /jre/lib/security/.  I did that as well and specified the path for the
> primary cacerts store in the AREA LDAP configuration screen.  I am still
> receiving the error message.
>
>
> Is there something else that I'm missing?  If I need to ask something else
> from the systems administrator, please let me know what to ask for.
>
>
> Thanks in advance for your help!
>
>
> --Dustin Fawver
>
>
> HelpDesk Technician
>
> East Tennessee State University
> _ARSlist: "Where the Answers Are" and have been for 20 years_

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
"Where the Answers Are, and have been for 20 years"
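
The trust-store update Axton describes above, as an added shell example that is not part of the original thread: it splits the chain printed by `openssl s_client -showcerts` into one file per certificate and imports the CA certificates with `keytool`. The `-showcerts` flag, the function names, the `ldap-ca-...` aliases and the constructed sample output are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Usage against a live server:
#   ./ldap-trust.sh ldap.server.com:636 /path/to/cacerts STOREPASS
# Run without arguments it only parses the constructed sample below.

# split_chain OUTDIR
# Reads `openssl s_client -showcerts` output on stdin, writes each certificate
# of the "Certificate chain" section to OUTDIR/cert-N.pem and prints the count.
# Parsing stops at "Server certificate", where s_client prints the leaf a
# second time; importing that copy would only add a duplicate entry.
split_chain() {
    sc_dir=$1
    mkdir -p "$sc_dir" || return 1
    awk -v dir="$sc_dir" '
        /^Server certificate/         { exit }
        /-----BEGIN CERTIFICATE-----/ { n++; file = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > file }
        /-----END CERTIFICATE-----/   { inside = 0; close(file) }
        END                           { print n + 0 }
    '
}

# ca_files OUTDIR: list every certificate after cert-1.pem (the server's own
# leaf certificate), i.e. the intermediates and, if the server sent it, the root.
ca_files() {
    cf_i=2
    while [ -f "$1/cert-$cf_i.pem" ]; do
        echo "$1/cert-$cf_i.pem"
        cf_i=$((cf_i + 1))
    done
}

# import_cas OUTDIR TRUSTSTORE STOREPASS: add each CA certificate as a trusted
# entry. TRUSTSTORE must be the file the plug-in JVM reads: the JRE's
# jre/lib/security/cacerts, or the one named by -Djavax.net.ssl.trustStore.
import_cas() {
    ca_files "$1" | while IFS= read -r ic_pem; do
        ic_alias="ldap-ca-$(basename "$ic_pem" .pem)"   # hypothetical alias scheme
        echo "importing: $(openssl x509 -noout -subject -in "$ic_pem")"
        keytool -importcert -noprompt -trustcacerts -alias "$ic_alias" \
            -file "$ic_pem" -keystore "$2" -storepass "$3" </dev/null || exit 1
    done
}

# Constructed sample of s_client -showcerts output; the PEM bodies are
# placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED+LEAF+PLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
CONSTRUCTED+INTERMEDIATE+PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
CONSTRUCTED+LEAF+PLACEHOLDER
-----END CERTIFICATE-----
subject=CN = ldap.example.test
issuer=CN = Example Intermediate CA
---
EOF
}

if [ "$#" -ge 3 ]; then
    # Live run: fetch the chain, import the CA certificates, list the store.
    work=$(mktemp -d)
    count=$(openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null \
        | split_chain "$work")
    echo "server sent $count certificate(s)"
    import_cas "$work" "$2" "$3" && keytool -list -keystore "$2" -storepass "$3"
else
    # Offline run on the constructed sample.
    demo=$(mktemp -d)
    echo "certificates in constructed sample: $(sample_output | split_chain "$demo")"
    ca_files "$demo"
    rm -rf "$demo"
fi
```

Many servers do not send the root CA in the handshake; when the last file's issuer differs from its subject, obtain that root from the CA and import it the same way.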


Re: SSL for LDAP

2016-11-10 Thread Carl Wilson
Hi,

If you are using a Java Keystore, they are very explicit about what the key
chain is and where the certificates are stored.  

Generally you import the Root and Intermediate certs into the common Java
Keystore (cacerts) that the system is referencing, then you add the Server
certificate to your custom Keystore - however if you have multiple versions
of Java installed you need to identify the system default Java and Keystore
(which may end up in trial and error).  

Windows is more "forgiving" on certificates than Java is and only has one
store (with multiple sections), where Java can have multiple stores which
will be based on what Java runtime your actual application is using e.g.
could be a JVM or a JDK (and you may have multiple versions of each
installed).

 

For the Certificate:

 

I would recommend that you have an Administrator for the Active Directory
Server export the certificate using Cert Manager and for them to include all
certificates in the Chain (checkbox option in export) to a "*.p7b" file
(certificate zip file containing all certs in the chain i.e. Root,
Intermediate and Server certificates).  

Example:

 

Open the Certificate file (Server Certificate) and export to p7b by
selecting Details > Copy to File.. > Cryptographic Message .. (.P7B) - Check
"Include all certificates in the certification path if possible" > Filename

 

You will end up with a "*.p7b" file that when opened look like a file
structure inside which includes all 3 certificates (Root, Intermediate and
Server).

 

For the import to your custom Keystore:

 

Then import this "chained certificate" p7b file into your custom Keystore.

 

That way you end up with all 3 required certificates in the keystore - these
will be "linked" as you have exported them in a "chain" and not
individually.

 

When you reference this Keystore, you will not need to worry about any other
"system" based Java cacerts stores as all certificates are in the one place
an available.

 

--

 

Kind Regards,

 

Carl Wilson

 

 

From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Fawver, Dustin
Sent: 10 November 2016 00:19
To: arslist@ARSLIST.ORG
Subject: SSL for LDAP

 


Greetings!

 

I have been trying to get AREA to use LDAP over SSL now.  I followed the
instructions over at
https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.
The systems administrator instructed me
some time ago to go to one of our servers and export the security
certificate from within Firefox.  I did that and used keytool to create the
store.  I am getting the error message below.

 

<      ARPluginContext.java:176   > /* Wed Nov
09 2016 07:12:12.805 */  Ldap Authentication
failed!javax.naming.CommunicationException: simple bind failed:
jcdc1.etsu.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target]

 

Looking at the certificate chain, I saw that there was a GeoTrust CA cert
and a GeoTrust SHA cert.  I exported those from the same server and added
those to the trust store.  While searching for a solution, I found some
people would add the certs to the primary Java cacerts store located in
/jre/lib/security/.  I did that as well and specified the path for the
primary cacerts store in the AREA LDAP configuration screen.  I am still
receiving the error message.

 

Is there something else that I'm missing?  If I need to ask something else
from the systems administrator, please let me know what to ask for.

 

Thanks in advance for your help!

 

--Dustin Fawver

 

HelpDesk Technician

East Tennessee State University



SSL for LDAP

2016-11-09 Thread Fawver, Dustin
Greetings!


I have been trying to get AREA to use LDAP over SSL now.  I followed the 
instructions over at 
https://docs.bmc.com/docs/display/public/brid91/Enabling+LDAP+plug-ins+for+SSL+connections+post-installation.
  The systems administrator instructed me some time ago to go to one of our 
servers and export the security certificate from within Firefox.  I did that 
and used keytool to create the store.  I am getting the error message below.


<  
ARPluginContext.java:176   > /* Wed Nov 09 2016 07:12:12.805 */  
Ldap Authentication failed!javax.naming.CommunicationException: 
simple bind failed: jcdc1.etsu.edu:636 [Root exception is 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target]


Looking at the certificate chain, I saw that there was a GeoTrust CA cert and a 
GeoTrust SHA cert.  I exported those from the same server and added those to 
the trust store.  While searching for a solution, I found some people would add 
the certs to the primary Java cacerts store located in /jre/lib/security/.  I 
did that as well and specified the path for the primary cacerts store in the 
AREA LDAP configuration screen.  I am still receiving the error message.


Is there something else that I'm missing?  If I need to ask something else from 
the systems administrator, please let me know what to ask for.


Thanks in advance for your help!


--Dustin Fawver


HelpDesk Technician

East Tennessee State University



Re: AREA LDAP password in 9x

2016-08-30 Thread Brian Gillock
It's in the DB now, AR_System_Configuration_Settin is the name of the
view/table.  In arschema as, AR System Configuration Setting.

On Thu, Aug 4, 2016 at 12:52 PM, William Rentfrow <
wrentf...@stratacominc.com> wrote:

>
> So you update the password in the centralized config - which is
> fine...but where is it actually stored now?
>
>
>
> It's not in ar.conf or anywhere obvious...
>
>
>
> William Rentfrow
>
> wrentf...@stratacominc.com
>
> Office: 715-204-3061 or 701-232-5697x25
>
> Cell: 715-498-5056
>
>




-- 
Brian Gillock



AREA LDAP password in 9x

2016-08-04 Thread William Rentfrow
So you update the password in the centralized config - which is fine...but 
where is it actually stored now?

It's not in ar.conf or anywhere obvious...

William Rentfrow
wrentf...@stratacominc.com
Office: 715-204-3061 or 701-232-5697x25
Cell: 715-498-5056




Re: Turn off AREA LDAP Polling?

2016-03-19 Thread Sinclair, Keith
Never mind. I found it.

For those of you who are wondering -

On the EA tab in the Server Information Configuration form, you'll see a box 
called "Need To Sync". If this is set to 0, Remedy won't periodically make AD 
checks.

From: Sinclair, Keith
Sent: Wednesday, March 16, 2016 8:58 AM
To: arslist@ARSLIST.ORG
Subject: Turn off AREA LDAP Polling?

If I recall correctly, there is a way to tell Remedy to not make periodic AD 
checks every so often with a user's account that signed into Remedy using AREA 
LDAP but for the life of me, I cannot remember how or where it's done.

Anyone know where the setting is at?

Keith Sinclair
Remedy Development
ShopperTrak Chicago, USA
O 312.676.8289
ksincl...@shoppertrak.com | shoppertrak.com
Retail Profitability, Improved.




Re: Turn off AREA LDAP Polling?

2016-03-19 Thread Grooms, Frederick W
And if you are looking for the AR.CONF (ar.CFG for Windows) value it is  
External-Authentication-Sync-Timeout


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Sinclair, Keith
Sent: Wednesday, March 16, 2016 9:05 AM
To: arslist@ARSLIST.ORG
Subject: Re: Turn off AREA LDAP Polling?

Never mind. I found it.

For those of you who are wondering -

On the EA tab in the Server Information Configuration form, you'll see a box 
called "Need To Sync". If this is set to 0, Remedy won't periodically make AD 
checks.

From: Sinclair, Keith
Sent: Wednesday, March 16, 2016 8:58 AM
To: arslist@ARSLIST.ORG
Subject: Turn off AREA LDAP Polling?

If I recall correctly, there is a way to tell Remedy to not make periodic AD 
checks every so often with a user's account that signed into Remedy using AREA 
LDAP but for the life of me, I cannot remember how or where it's done.

Anyone know where the setting is at?

Keith Sinclair
Remedy Development
ShopperTrak Chicago, USA
O 312.676.8289
ksincl...@shoppertrak.com | shoppertrak.com
Retail Profitability, Improved.



Re: Turn off AREA LDAP Polling?

2016-03-19 Thread Danny Kellett
I think it's AR system Administration Console > General > Server info >
EA Tab > Need to Sync. Set this to 0
 
-- 
Danny Kellett
dkell...@javasystemsolutions.com
 
 
 
On Wed, Mar 16, 2016, at 01:57 PM, Sinclair, Keith wrote:
>
> If I recall correctly, there is a way to tell Remedy to not make
> periodic AD checks every so often with a user’s account that signed
> into Remedy using AREA LDAP but for the life of me, I cannot remember
> how or where it’s done.
>
> Anyone know where the setting is at?
>
> *Keith Sinclair*
> Remedy Development
> ShopperTrak Chicago, USA
> *O* 312.676.8289
> ksincl...@shoppertrak.com | shoppertrak.com
> *Retail Profitability, Improved.*
>


Turn off AREA LDAP Polling?

2016-03-19 Thread Sinclair, Keith
If I recall correctly, there is a way to tell Remedy to not make periodic AD 
checks every so often with a user's account that signed into Remedy using AREA 
LDAP but for the life of me, I cannot remember how or where it's done.

Anyone know where the setting is at?

Keith Sinclair
Remedy Development
ShopperTrak Chicago, USA
O 312.676.8289
ksincl...@shoppertrak.com | shoppertrak.com
Retail Profitability, Improved.




Does the LDAP authentication service for remedy 7.1, running on SunOS 5.9 support SHA2 encryption?

2015-01-20 Thread MalviyaSaurabh
Hi All,
 
This is a query related to AREA LDAP authentication for ARS 7.1. Would like
to know experts' opinions. Our LDAP servers are currently using SHA1 and
soon they are going to be using SHA2, hence want to know if it is possible
in remedy to have AREA LDAP configuration supporting SHA2.
 
Need some expert advice urgently on this please. Does the LDAP
authentication service for remedy 7.1, running on SunOS 5.9 support SHA2
encryption? If yes how can we configure it or it has to do something from
LDAP and not from remedy.
 
Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Does-the-LDAP-authentication-service-for-remedy-7-1-running-on-SunOS-5-9-support-SHA2-encryption-tp120382.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Integrating AR with Sun Microsystems LDAP Exchange server

2015-01-05 Thread onkar shinde
Hello Experts,

I am using AR/ITSM 8.1 SP1.
And I am trying to integrate this with Sun Microsystem LDAP exchange server.


I am not able to get this done due to LDAP Error Code-12
(LDAP: error code 12 - Unavailable Critical Extension)

Has anyone tried this earlier specific to Sun Microsystems LDAP servers.
I am suspecting there must be some configuration setting related to
maxPageSize on Exchange server side. But not sure.

Any ideas or opinions are welcome.

Thanks in advance.


-- 
Regards,
Onkar Shinde
Senior Software Engineer
Vyom Labs Pvt. Ltd.
BSM Solutions  Services || ITIL Consulting  Training

Telephone: +91-20-6632-1000
Mobile: +91-7709008719
Email: onkar.shi...@vyomlabs.com
Web: www.vyomlabs.com



Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-22 Thread onkar shinde
Hi Kelvin,

Yes, I have also configured the AREA LDAP configuration, but in my case
AREA is also not working. During AREA logging in by LDAP user, I get
following error
05:19:47,492 ERROR [pool-4-thread-14]
com.bmc.arsys.pluginsvr.plugins.ARPluginContext (?:?) - AREA.LDAPLdap
Authentication failed!javax.naming.InvalidNameException: [LDAP: error code
34 - Invalid DN]

Also through Pentaho client I am able to pull all People data without any
issues, by providing the same LDAP user inputs.

Is there any settings or pre-requirement to configure these 2 plugins from
Remedy side.

Because I choose simple method to connect to LDAP server through LDP exe
utility. Otherwise it couldn't connect.
I need to also provide whole DN, as username like
uid=userid,ou=,dc=clients name of domain,dc=com


Anyone has faced this issue please advise.

Thanks.


On Tue, Dec 16, 2014 at 9:24 PM, Kevin Eldridge 
kevin.eldri...@itsmuniversity.net wrote:


 Hello Oscar,



 I forgot to mention that we had to enable the AREA LDAP Configuration to
 get this to work properly. I was unable to access the ARDBC from Dev Studio
 until after I did this. I copied most of the settings from the ARDBC
 configuration information to set this up. Once I did this, saved the
 settings in AR Server, and restarted AR Services, I was able to access the
 ARSYS.ARDBC.LDAP from the New Vendor Form.



 Hopefully, this helps you,



 Kevin Eldridge




-- 
Regards,
Onkar Shinde
Senior Software Engineer
Vyom Labs Pvt. Ltd.
BSM Solutions  Services || ITIL Consulting  Training

Telephone: +91-20-6632-1000
Mobile: +91-7709008719
Email: onkar.shi...@vyomlabs.com
Web: www.vyomlabs.com



Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-22 Thread Kevin Eldridge
Hello Onkar,

If you are able to make the connection using port 389, then making the 
modifications to your connection should not be that difficult.

I never had much luck using the LDP LDAP browser. We had the most success using 
Softerra LDAP Browser 4.5 (http://www.ldapadministrator.com/download.htm if you 
want to try that and click on LDAP Browser 4.5 as LDAP Administrator 2014.1 is 
a paid software). It is a much more robust LDAP browser. LDP kept telling me it 
had authentication failures. However, when I configured Softerra LDAP Browser, 
it was able to connect to the SSL connection without issues. You might try that 
instead to make your connection and ensure you can connect properly.

Prior to configuring anything inside Remedy, I would ensure you have proper 
connection to the LDAP server first. Then, you can move from there.

You might need to use the fully qualified DN, such as cn=username,ou=my 
group,dc=mycomany,dc=com, for the username parameter.

I hope this helps you in some way,

Kevin Eldridge

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of onkar shinde
Sent: Monday, December 22, 2014 6:54 AM
To: arslist@ARSLIST.ORG
Subject: Re: Getting plugin LDAP error 12 while integrating a LDAP server

Hi Kelvin,
Yes, I have also configured the AREA LDAP configuration, but in my case AREA is 
also not working. During AREA logging in by LDAP user, I get following error
05:19:47,492 ERROR [pool-4-thread-14] 
com.bmc.arsys.pluginsvr.plugins.ARPluginContext (?:?) - AREA.LDAPLdap 
Authentication failed!javax.naming.InvalidNameException: [LDAP: error code 34 - 
Invalid DN]
Also through Pentaho client I am able to pull all People data without any 
issues, by providing the same LDAP user inputs.
Is there any settings or pre-requirement to configure these 2 plugins from 
Remedy side.
Because I choose simple method to connect to LDAP server through LDP exe 
utility. Otherwise it couldn't connect.
I need to also provide whole DN, as username like 
uid=userid,ou=,dc=clients name of domain,dc=com

Anyone has faced this issue please advise.
Thanks.

On Tue, Dec 16, 2014 at 9:24 PM, Kevin Eldridge 
kevin.eldri...@itsmuniversity.net wrote:
Hello Oscar,

I forgot to mention that we had to enable the AREA LDAP Configuration to get 
this to work properly. I was unable to access the ARDBC from Dev Studio until 
after I did this. I copied most of the settings from the ARDBC configuration 
information to set this up. Once I did this, saved the settings in AR Server, 
and restarted AR Services, I was able to access the ARSYS.ARDBC.LDAP from the 
New Vendor Form.

Hopefully, this helps you,

Kevin Eldridge



--
Regards,
Onkar Shinde
Senior Software Engineer
Vyom Labs Pvt. Ltd.
BSM Solutions  Services || ITIL Consulting  Training

Telephone: +91-20-6632-1000
Mobile: +91-7709008719
Email: onkar.shi...@vyomlabs.com
Web: www.vyomlabs.com


Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-16 Thread Kevin Eldridge
Hello Oscar,

I forgot to mention that we had to enable the AREA LDAP Configuration to get 
this to work properly. I was unable to access the ARDBC from Dev Studio until 
after I did this. I copied most of the settings from the ARDBC configuration 
information to set this up. Once I did this, saved the settings in AR Server, 
and restarted AR Services, I was able to access the ARSYS.ARDBC.LDAP from the 
New Vendor Form.

Hopefully, this helps you,

Kevin Eldridge



Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-15 Thread onkar shinde
Hi Kelvin,

I have reconfigured the settings and mentioned the base DN for discovery
like you suggested.
Still I am not able to get the plugin configured. I have restarted the AR
server.

Below is the exact excerpt of the arjavaplugin.log (I have replaced actual
clients values with tags):

2014-12-15 03:41:26,846 ERROR [pool-4-thread-22] com.bmc.arsys.pluginsvr.plugins.a (?:?) - getListForms() FAILs in plugin: ARSYS.ARDBC.LDAP
ERROR (3377): The LDAP operation has failed; javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name 'ou=ou of bindaccounts,dc=clietns DOmain group,dc=com'
    at com.bmc.arsys.plugins.ardbcldap.ARDBCLDAPPlugin.getListForms(Unknown Source)
    at com.bmc.arsys.pluginsvr.plugins.a.ArdbcGetListForms(Unknown Source)
    at com.bmc.arsys.pluginsvr.a.ArEsArdbcGetListForms_5(Unknown Source)
    at com.bmc.arsys.pluginsvr.a.ArEsArdbcGetListForms_4(Unknown Source)
    at com.bmc.arsys.arrpc.ARPluginServerDispatcher.dispatchOncRpcCall(Unknown Source)
    at com.bmc.arsys.arrpc.nio.ArRpcCallHandler.dispatchCall(Unknown Source)
    at com.bmc.arsys.arrpc.nio.ArRpcCallHandler.if(Unknown Source)
    at com.bmc.arsys.arrpc.nio.ArRpcCallHandler.processRpcCall(Unknown Source)
    at com.bmc.arsys.arrpc.nio.ArRpcCallHandler$Processor.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)



Kindly suggest.
Thanks in advance.


Onkar.

On Sun, Dec 14, 2014 at 8:47 AM, onkar shinde onkarbshi...@gmail.com
wrote:

 Hey kevin,
 Many Thanks for your quick reply.

 Yes i am actually going to use SSL, i have already created cert.db files
 using certutil... But i thought 1st to give a shot without SSL, as the
 given Ldap server is a test server, enabled on both 389 and 636.

 So coming back to configuration, below is what i have configured on ARDBC
 LDAP form:

 Host name: clients LDAP server hostname
 Port: 389 for time being
 Bind user: uid=test,ou=bindaccounts,dc=clients LDAP hostname,dc=com
 Bind password: given password
 No SSL.
 LDAP Server generalised timing.
 Failover timeout:5
 Directory page size:1000
 Base DN for discovery: dc=clients hostname,dc=com

 So i guess only information which is not configured correctly is Base DN
 for discovery, here I am not specifying ou.. but only mere Base DN.

 I will give this a try and let you know.
 Thanks again.

 Onkar.
 On Dec 14, 2014 4:10 AM, Kevin Eldridge 
 kevin.eldri...@itsmuniversity.net wrote:


 Hello Onkar,



 I ran into a similar issue when connecting to a Red Hat LDAP server,
 using UID, and not a MS Exchange server, since that is what the
 sAMAccountName is used for. I used the following settings to make the ARDBC
 LDAP connection:



 Host Name: ldap.host.com

 Port Number: 636

 Bind User: uid=ldapuser,ou=service,dc=host,dc=com

 Bind Password: password

 Use Secure Socket Layer: Yes

 Certificate Database: Path to java keystore; e.x. C:\LDAP\ldaptrust.jks

 LDAP Date-Time Format: Generalized Time

 Failover Timeout: 3000

 Directory Page Size: 1000

 Base DN for Discovery: ou=people,dc=host,dc=com



 If you are not using SSL, this will make things much, much easier. Your
 default port for non-SSL is 389. If you are using SSL, ensure you have
 created your Java Keystore using the following command:



 Create the Cert Database:

 certutil -N -d certDir

 Import the certs into the

 keytool -import -noprompt -trustcacerts -keystore <PATH TO JavaKeyStore; i.e. C:\JKS\javakeystore.jks> -storepass <Password for JKS file> -alias <Provide an alias> -file <PATH TO Certificate file; i.e. C:\CERT\certificate.crt>



 There is a good bit of information on the Java Keystore in the AR System
 8.1 documentation



 I hope this helps.



 Kevin Eldridge



-- 
Regards,
Onkar Shinde
Senior Software Engineer
Vyom Labs Pvt. Ltd.
BSM Solutions  Services || ITIL Consulting  Training

Telephone: +91-20-6632-1000
Mobile: +91-7709008719
Email: onkar.shi...@vyomlabs.com
Web: www.vyomlabs.com



Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-13 Thread onkar shinde
Hello list,

I have been trying to integrate ar server 8.1sp1 with one customers Ldap
server.

I have tested connectivity with LDP.exe first with the provided LDAP
hostname and bind username/password.
With this all information i am able to connect and bind successfully.
One thing about to mention here that i am not using conventional
sAMAccountName to bind user, but using username like below
uid=,ou=,dc=,dc=com with simple method to connect.

When i entered the same in ARDBC LDAP Configuration form, the plugin
ARSYS.ARDBC.LDAP is not showing up in list of plugin menus while creating
vendor forms.
In java log i see something like below:
Ldap error code 12. Exceptional dc=''

Will post the exact error text as soon as I get the log file.

Can anyone let me know, what exact cause it could be, or anyone has already
faced this kind of issue/error.
Thanks in advance.

Onkar.



Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-13 Thread Kevin Eldridge
Hello Onkar,

I ran into a similar issue when connecting to a Red Hat LDAP server, using UID, 
and not a MS Exchange server, since that is what the sAMAccountName is used 
for. I used the following settings to make the ARDBC LDAP connection:

Host Name: ldap.host.com
Port Number: 636
Bind User: uid=ldapuser,ou=service,dc=host,dc=com
Bind Password: password
Use Secure Socket Layer: Yes
Certificate Database: Path to java keystore; e.x. C:\LDAP\ldaptrust.jks
LDAP Date-Time Format: Generalized Time
Failover Timeout: 3000
Directory Page Size: 1000
Base DN for Discovery: ou=people,dc=host,dc=com

If you are not using SSL, this will make things much, much easier. Your default 
port for non-SSL is 389. If you are using SSL, ensure you have created your 
Java Keystore using the following command:

Create the Cert Database:
certutil -N -d certDir
Import the certs into the
keytool -import -noprompt -trustcacerts -keystore <PATH TO JavaKeyStore; i.e. C:\JKS\javakeystore.jks> -storepass <Password for JKS file> -alias <Provide an alias> -file <PATH TO Certificate file; i.e. C:\CERT\certificate.crt>

There is a good bit of information on the Java Keystore in the AR System 8.1 
documentation

I hope this helps.

Kevin Eldridge



Re: Getting plugin LDAP error 12 while integrating a LDAP server

2014-12-13 Thread onkar shinde
Hey kevin,
Many Thanks for your quick reply.

Yes i am actually going to use SSL, i have already created cert.db files
using certutil... But i thought 1st to give a shot without SSL, as the
given Ldap server is a test server, enabled on both 389 and 636.

So coming back to configuration, below is what i have configured on ARDBC
LDAP form:

Host name: clients LDAP server hostname
Port: 389 for time being
Bind user: uid=test,ou=bindaccounts,dc=clients LDAP hostname,dc=com
Bind password: given password
No SSL.
LDAP Server generalised timing.
Failover timeout:5
Directory page size:1000
Base DN for discovery: dc=clients hostname,dc=com

So i guess only information which is not configured correctly is Base DN
for discovery, here I am not specifying ou.. but only mere Base DN.

I will give this a try and let you know.
Thanks again.

Onkar.
On Dec 14, 2014 4:10 AM, Kevin Eldridge kevin.eldri...@itsmuniversity.net
wrote:


 Hello Onkar,



 I ran into a similar issue when connecting to a Red Hat LDAP server, using
 UID, and not a MS Exchange server, since that is what the sAMAccountName is
 used for. I used the following settings to make the ARDBC LDAP connection:



 Host Name: ldap.host.com

 Port Number: 636

 Bind User: uid=ldapuser,ou=service,dc=host,dc=com

 Bind Password: password

 Use Secure Socket Layer: Yes

 Certificate Database: Path to java keystore; e.x. C:\LDAP\ldaptrust.jks

 LDAP Date-Time Format: Generalized Time

 Failover Timeout: 3000

 Directory Page Size: 1000

 Base DN for Discovery: ou=people,dc=host,dc=com



 If you are not using SSL, this will make things much, much easier. Your
 default port for non-SSL is 389. If you are using SSL, ensure you have
 created your Java Keystore using the following command:



 Create the Cert Database:

 certutil -N -d certDir

 Import the certs into the

 keytool -import -noprompt -trustcacerts -keystore <PATH TO JavaKeyStore; i.e. C:\JKS\javakeystore.jks> -storepass <Password for JKS file> -alias <Provide an alias> -file <PATH TO Certificate file; i.e. C:\CERT\certificate.crt>



 There is a good bit of information on the Java Keystore in the AR System
 8.1 documentation



 I hope this helps.



 Kevin Eldridge


Re: AREA LDAP and SSL3.0/POODLE

2014-10-27 Thread Brian Gillock
Slightly OT, AREA LDAP on 8.1 it's now a Java plugin so for SSL you'll need
a Java Keystore versus a Certificate Store.

On Thu, Oct 23, 2014 at 12:57 PM, Sinclair, Keith ksincl...@shoppertrak.com
 wrote:


 Apologies if this has been answered and/or brought up before.



 Does ARS 8.1 AREA LDAP use SSL3.0 when making calls to Active Directory? I
 ask because the infrastructure guys are rolling out a series of POODLE
 fixes and I need to know if this will break anything.



 Thanks,



 *Keith Sinclair*

 *Remedy Development*

 *ShopperTrak  Chicago USA*

 O:  312.676.8289 |  M:  630.946.4744

 *ksincl...@shoppertrak.com* | @shoppertrak

 www.shoppertrak.com






-- 
Brian Gillock
Principal Consultant, BGBS, Inc
brian.gill...@pbs-consulting.com



AREA LDAP and SSL3.0/POODLE

2014-10-23 Thread Sinclair, Keith
Apologies if this has been answered and/or brought up before.

Does ARS 8.1 AREA LDAP use SSL3.0 when making calls to Active Directory? I ask 
because the infrastructure guys are rolling out a series of POODLE fixes and I 
need to know if this will break anything.

Thanks,

Keith Sinclair
Remedy Development
ShopperTrak  Chicago USA
O:  312.676.8289 |  M:  630.946.4744
ksincl...@shoppertrak.com | @shoppertrak
www.shoppertrak.com




ARDBC LDAP Vendor Form Question

2014-09-26 Thread Arner, Todd
We are configuring the ARDBC LDAP to pull information from Active Directory.  
We are trying to setup a vendor form to access the data and for the most part 
this seems to be working.  We are running into one issue that I need some help 
figuring out.  We create the vendor form by selecting the ARSYS.ARDBC.LDAP 
vendor, and then select the appropriate table to see the information we want.  
In this case we are selecting the entry associated with the 
(objectclass=person).  The issue is when trying to select the attributes from 
the available columns, we only see some of the attributes.  Our question is why 
aren't all the attributes included?

This is all new to me so hopefully I'm making sense.   I appreciate any 
assistance you can provide.

Thanks,
Todd Arner



Re: ARDBC LDAP Vendor Form Question

2014-09-26 Thread LJ LongWing
Todd,
I have experienced the same, however, I have found that as long as I know
the attribute name I want, I can create the appropriate field, and in the
vendor field properties for that field, I just plug in the correct
'attribute', and the values come across properly...

On Fri, Sep 26, 2014 at 7:55 AM, Arner, Todd tar...@glhec.org wrote:


 We are configuring the ARDBC LDAP to pull information from Active
 Directory.  We are trying to setup a vendor form to access the data and for
 the most part this seems to be working.  We are running into one issue that
 I need some help figuring out.  We create the vendor form by selecting the
 ARSYS.ARDBC.LDAP vendor, and then select the appropriate table to see the
 information we want.  In this case we are selecting the entry associated
 with the (objectclass=person).  The issue is when trying to select the
 attributes from the available columns, we only see some of the attributes.
 Our question is why aren’t all the attributes included?



 This is all new to me so hopefully I’m making sense.   I appreciate any
 assistance you can provide.



 Thanks,

 Todd Arner




Re: ARDBC LDAP Vendor Form Question

2014-09-26 Thread Arner, Todd
Thanks LJ!  That worked.  I also have a request open with support.  I’ll let 
you know if they have any solution to show all.

Todd

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of LJ LongWing
Sent: Friday, September 26, 2014 9:10 AM
To: arslist@ARSLIST.ORG
Subject: Re: ARDBC LDAP Vendor Form Question

Todd,
I have experienced the same, however, I have found that as long as I know the 
attribute name I want, I can create the appropriate field, and in the vendor 
field properties for that field, I just plug in the correct 'attribute', and 
the values come across properly...

On Fri, Sep 26, 2014 at 7:55 AM, Arner, Todd tar...@glhec.org wrote:
We are configuring the ARDBC LDAP to pull information from Active Directory.  
We are trying to setup a vendor form to access the data and for the most part 
this seems to be working.  We are running into one issue that I need some help 
figuring out.  We create the vendor form by selecting the ARSYS.ARDBC.LDAP 
vendor, and then select the appropriate table to see the information we want.  
In this case we are selecting the entry associated with the 
(objectclass=person).  The issue is when trying to select the attributes from 
the available columns, we only see some of the attributes.  Our question is why 
aren’t all the attributes included?

This is all new to me so hopefully I’m making sense.   I appreciate any 
assistance you can provide.

Thanks,
Todd Arner




Re: ARDBC LDAP Vendor Form Question

2014-09-26 Thread Jason Miller
It will be interesting to see what you find out from Support.

This is one reason it is handy to have an LDAP browser
http://www.ldapbrowser.com/info_softerra-ldap-browser.htm.

Jason

On Fri, Sep 26, 2014 at 7:21 AM, Arner, Todd tar...@glhec.org wrote:


 Thanks LJ!  That worked.  I also have a request open with support.  I’ll
 let you know if they have any solution to show all.



 Todd



 *From:* Action Request System discussion list(ARSList) [mailto:
 arslist@ARSLIST.ORG] *On Behalf Of *LJ LongWing
 *Sent:* Friday, September 26, 2014 9:10 AM
 *To:* arslist@ARSLIST.ORG
 *Subject:* Re: ARDBC LDAP Vendor Form Question




 Todd,

 I have experienced the same, however, I have found that as long as I know
 the attribute name I want, I can create the appropriate field, and in the
 vendor field properties for that field, I just plug in the correct
 'attribute', and the values come across properly...



 On Fri, Sep 26, 2014 at 7:55 AM, Arner, Todd tar...@glhec.org wrote:


 We are configuring the ARDBC LDAP to pull information from Active
 Directory.  We are trying to setup a vendor form to access the data and for
 the most part this seems to be working.  We are running into one issue that
 I need some help figuring out.  We create the vendor form by selecting the
 ARSYS.ARDBC.LDAP vendor, and then select the appropriate table to see the
 information we want.  In this case we are selecting the entry associated
 with the (objectclass=person).  The issue is when trying to select the
 attributes from the available columns, we only see some of the attributes.
 Our question is why aren’t all the attributes included?



 This is all new to me so hopefully I’m making sense.   I appreciate any
 assistance you can provide.



 Thanks,

 Todd Arner




Re: Issue with LDAP

2014-09-19 Thread MalviyaSaurabh
Hi All,

Sorry for coming back to this thread after a long time. Resolved the issue
by doing below.

I employed the JXplorer utility for checking the connectivity to LDAP AD.
Once the connection was made over JXplorer, I used the same credentials and
setting and updated ARDBC and AREA config forms (ar.conf) and restarted the
services.

Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574p119011.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Issue with LDAP

2014-06-25 Thread MalviyaSaurabh
Hi All,
 
My environment is or ARS 7.1 on Solaris with DB on Sybase.
Currently our system is using both AREA LDAP (for authenticating users) and
ARDBC LDAP (for fetching user details).
Our LDAP host is soon to be decommissioned and replaced with a new one.
I have modified ARDBC Configuration form and AREA Configuration form with
the new server details, but still when I see in the plugin logs it shows
older host name. I have checked ar.conf file and verified it points to the
new LDAP.
 
Can someone tell me where else I have to modify existing LDAP server name
with the new one.
 
Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Re: Issue with LDAP

2014-06-25 Thread Walters, Mark
If it's ARDBC related check the Vendor Information tab under Form Properties in 
the Admin tool for the vendor form.  The LDAP connect string is in there and 
needs to be changed.

Mark

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of MalviyaSaurabh
Sent: 25 June 2014 08:16
To: arslist@ARSLIST.ORG
Subject: Issue with LDAP

Hi All,
 
My environment is or ARS 7.1 on Solaris with DB on Sybase.
Currently our system is using both AREA LDAP (for authenticating users) and
ARDBC LDAP (for fetching user details).
Our LDAP host is soon to be decommissioned and replaced with a new one.
I have modified ARDBC Configuration form and AREA Configuration form with the 
new server details, but still when I see in the plugin logs it shows older host 
name. I have checked ar.conf file and verified it points to the new LDAP.
 
Can someone tell me where else I have to modify existing LDAP server name with 
the new one.
 
Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Re: Issue with LDAP

2014-06-25 Thread Karthik
did you restart ARS after making the updates?


On 25 June 2014 12:52, Walters, Mark mark_walt...@bmc.com wrote:

 If it's ARDBC related check the Vendor Information tab under Form
 Properties in the Admin tool for the vendor form.  The LDAP connect string
 is in there and needs to be changed.

 Mark

 -Original Message-
 From: Action Request System discussion list(ARSList) [mailto:
 arslist@ARSLIST.ORG] On Behalf Of MalviyaSaurabh
 Sent: 25 June 2014 08:16
 To: arslist@ARSLIST.ORG
 Subject: Issue with LDAP

 Hi All,

 My environment is or ARS 7.1 on Solaris with DB on Sybase.
 Currently our system is using both AREA LDAP (for authenticating users) and
 ARDBC LDAP (for fetching user details).
 Our LDAP host is soon to be decommissioned and replaced with a new one.
 I have modified ARDBC Configuration form and AREA Configuration form with
 the new server details, but still when I see in the plugin logs it shows
 older host name. I have checked ar.conf file and verified it points to the
 new LDAP.

 Can someone tell me where else I have to modify existing LDAP server name
 with the new one.

 Regards,
 Saurabh



 --
 View this message in context:
 http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574.html
 Sent from the ARS (Action Request System) mailing list archive at
 Nabble.com.






-- 
- Karthik



Re: Issue with LDAP

2014-06-25 Thread MalviyaSaurabh
Thanks Mark for your response.

Yes i did create a test vendor form with the new vendor name and table name
(i had to manually key in the details as it was not coming as part of the
drop down).

When I tried opening this test form i am getting the error as shown below:
390695 /* Fri Jun 20 2014 07:08:19.2693 */ARSYS.ARDBC.LDAP SEVERE
Invalid credentials (LDAPERR 49)80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 52e, v2580

The above error refers to invalid username/password. While modifying ARDBC
config from user tool, I gave the unencrypted password (which probably got
auto-encrypted and I could see the encrypted password in ar.conf). Is this
the correct way of modifying ARDBC config or should I provide the
unencrypted in ar.conf?

I would like to know even after modifying the ARDBC configuration with the
new LDAP server details, why I am seeing the old LDAP server name in
arplugin.log

Any pointers would surely help.

Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574p117577.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.
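
Added example, not part of the original posts and not BMC code: a small triage script for the two plugin log formats quoted in these threads, the arjavaplugin.log line carrying `[LDAP: error code 12 - ...]` and the arplugin.log line carrying `(LDAPERR 49) ... data 52e`. The function names, hint texts and sample lines are constructed for illustration; the result-code names follow RFC 4511 and the `data` values are the commonly documented Active Directory bind sub-codes.

```python
import re
from collections import Counter

# LDAP result codes from RFC 4511 (subset relevant to bind/search failures).
RESULT_CODES = {
    12: "unavailableCriticalExtension",
    32: "noSuchObject",
    34: "invalidDNSyntax",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Sub-codes Active Directory appends to result 49 as "data <hex>".
AD_BIND_DATA = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Illustrative next steps (assumptions of this example, not vendor guidance).
HINTS = {
    12: "server refused a request control flagged critical; compare the "
        "client's controls with supportedControl in the server's root DSE",
    49: "bind rejected; verify the bind DN and the password stored for the plugin",
}

JNDI_RE = re.compile(r"\[LDAP: error code (\d+)")          # Java plugin (JNDI) format
ARPLUGIN_RE = re.compile(r"\(LDAPERR (\d+)\)")              # arplugin.log format
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-f]+)", re.I)
REMAINING_RE = re.compile(r"remaining name '([^']*)'")


def triage_line(line):
    """Return a finding dict for one log line, or None if it has no LDAP error."""
    m = JNDI_RE.search(line) or ARPLUGIN_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    finding = {
        "code": code,
        "name": RESULT_CODES.get(code, "unknown"),
        "ad_reason": None,
        "remaining_name": None,
        "hint": HINTS.get(code, ""),
    }
    data = AD_DATA_RE.search(line)
    if data:
        sub = data.group(1).lower()
        finding["ad_reason"] = AD_BIND_DATA.get(sub, "unmapped sub-code " + sub)
    remaining = REMAINING_RE.search(line)
    if remaining:
        finding["remaining_name"] = remaining.group(1)
    return finding


def triage(lines):
    """Triage many lines; also count failures per (code, AD reason)."""
    findings = [f for f in map(triage_line, lines) if f]
    counts = Counter((f["code"], f["ad_reason"]) for f in findings)
    return findings, counts


# Constructed sample lines modelled on the excerpts in the threads
# (DNs and the second DSID are placeholders).
SAMPLE_LOG = [
    "2014-12-15 03:41:26,846 ERROR [pool-4-thread-22] ERROR (3377): The LDAP "
    "operation has failed; javax.naming.OperationNotSupportedException: "
    "[LDAP: error code 12 - Unavailable Critical Extension]; "
    "remaining name 'ou=people,dc=example,dc=com'",
    "390695 /* Fri Jun 20 2014 07:08:19.2693 */ARSYS.ARDBC.LDAP SEVERE Invalid "
    "credentials (LDAPERR 49)80090308: LdapErr: DSID-0C0903C5, comment: "
    "AcceptSecurityContext error, data 52e, v2580",
    "390696 /* Fri Jun 20 2014 07:09:02.1100 */ARSYS.ARDBC.LDAP SEVERE Invalid "
    "credentials (LDAPERR 49)80090308: LdapErr: DSID-XXXXXXXX, comment: "
    "AcceptSecurityContext error, data 775, v2580",
    "390697 /* Fri Jun 20 2014 07:09:05.0000 */ARSYS.ARDBC.LDAP INFO plugin loaded",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)[0]:
        print(f["code"], f["name"], f["ad_reason"], "|", f["hint"])
```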



Re: Issue with LDAP

2014-06-25 Thread MalviyaSaurabh
Yes i did restart the services.

Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1.n7.nabble.com/Issue-with-LDAP-tp117574p117578.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Re: Issue with LDAP

2014-06-25 Thread MalviyaSaurabh
hi All,

Would really appreciate any help in this regards.

Regards,
Saurabh



--
View this message in context: 
http://ars-action-request-system.1093659.n2.nabble.com/Issue-with-LDAP-tp7597202p7597221.html
Sent from the ARS (Action Request System) mailing list archive at Nabble.com.



Re: LDAP

2014-06-13 Thread rajesh singh
Hi Fred,

We don't have any server set up with local password.

Regards,
Rajesh


On Fri, Jun 13, 2014 at 3:58 AM, Grooms, Frederick W 
frederick.w.gro...@xo.com wrote:

 Do you have any servers set up with a local password?

 Fred

 -Original Message-
 From: Action Request System discussion list(ARSList) [mailto:
 arslist@ARSLIST.ORG] On Behalf Of Rajesh Singh
 Sent: Thursday, June 12, 2014 1:45 PM
 To: arslist@ARSLIST.ORG
 Subject: LDAP

 Hi Team,

 I am new to the remedy , i want to know something about LDAP configuration.

 most of the time when I already logged in to the system , meanwhile when I
 am trying to log in
 to any other server my account get locked.

 I have to unlock my account after that only i can able to login to that
 server.

 Could you please let me know if there is any LDAP related issue what is my
 first approach to check.

 Please give me your valuable input here.

 Regards,
 Rajesh Singh







LDAP

2014-06-12 Thread Rajesh Singh
Hi Team,

I am new to the remedy , i want to know something about LDAP configuration.

most of the time when I already logged in to the system , meanwhile when I am 
trying to log in 
to any other server my account get locked. 

I have to unlock my account after that only i can able to login to that server.

Could you please let me know if there is any LDAP related issue what is my 
first approach to check. 

Please give me your valuable input here.

Regards,
Rajesh Singh



Re: LDAP

2014-06-12 Thread Grooms, Frederick W
Do you have any servers set up with a local password?

Fred

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Rajesh Singh
Sent: Thursday, June 12, 2014 1:45 PM
To: arslist@ARSLIST.ORG
Subject: LDAP

Hi Team,

I am new to the remedy , i want to know something about LDAP configuration.

most of the time when I already logged in to the system , meanwhile when I am 
trying to log in 
to any other server my account get locked. 

I have to unlock my account after that only i can able to login to that server.

Could you please let me know if there is any LDAP related issue what is my 
first approach to check. 

Please give me your valuable input here.

Regards,
Rajesh Singh






Re: LDAP integration - ARDBC Configuration

2014-03-19 Thread Joe D'Souza
You are right in your PS notes. The available list of Vendor Tables you
see there is just a subset of the actual list of tables you would see
in an LDAP browser. I am not sure how the plugin populates that subset, but
it is not the complete list - not even close, according to advice an LDAP
administrator gave me in the past. I am not an LDAP
administrator, so I wasn't in the position to find out why the ARS AREA
plugin cannot see the full list.

However, when you manually type in the correct search path, it does display
the field or column list of that table.

Cheers

Joe

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Grooms, Frederick W
Sent: Tuesday, March 18, 2014 6:21 PM
To: arslist@ARSLIST.ORG
Subject: Re: LDAP integration - ARDBC Configuration

Added here from BMC Communities cross post
https://communities.bmc.com/thread/103006

For Outlook groups in AD I don't think I have seen No Children.  What I
see is a list of records in the member attribute.

Also Groups should be ??sub?(objectclass=group)
objectclass=inetorgperson is individual people records not groups
i.e. ldap://mail.mydomain.com/DC=mail,DC=mydomain,DC=com??sub?(objectclass=group)


Fred

P.S.  I always thought the Available Vendor Tables showed the ones that
have been used in other Vendor forms not a list of all possible choices for
LDAP.


-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Karthick S
Sent: Monday, March 17, 2014 11:01 PM
To: arslist@ARSLIST.ORG
Subject: LDAP integration - ARDBC Configuration

Hi All,

I have successfully implemented AREA and it works fine.
 
Requirement:
Now I am planning to use ARDBC for retrieving AD information for the
employee(s) into Remedy application. Our client requirement is 'Whenever an
employee(s) is added to Remedy group in active directory remedy profile need
to created automatically', for automatic profile creation I can write using
workflows.

Issue:
The issue here is I am unable to see the employee is listed in the group
when I tried connecting to ARDBC 'ARSYS.ARDBC.LDAP' and I am unable to see
the syntax like
'ldap://orangina/o=remedy.com??sub?(objectclass=inetorgperson)'. 
 
Please find the attached screen shot.

I have tried using the ldap.exe utility to find the dn and verified the
group it show 'No Children', but When I verified the group in Outlook users
were present in that group, 

Is there any other way to implement this, please help me on this.

Regards,
Karthick S




Re: LDAP integration - ARDBC Configuration

2014-03-18 Thread Joe D'Souza
Can you browse the Remedy group using ldap.exe?

This should be pretty straightforward. Once you get the search path using
any standard ldap browser and are able to browse the Remedy group, copy that
search path to create your LDAP Vendor table.

Joe


From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Karthick S
Sent: Tuesday, March 18, 2014 12:01 AM
To: arslist@ARSLIST.ORG
Subject: LDAP integration - ARDBC Configuration

 

Hi All,

I have successfully implemented AREA and it works fine.

Requirement:
Now I am planning to use ARDBC for retrieving AD information for the
employee(s) into Remedy application. Our client requirement is 'Whenever an
employee(s) is added to Remedy group in active directory remedy profile need
to created automatically', for automatic profile creation I can write using
workflows.

Issue:
The issue here is I am unable to see the employee is listed in the group
when I tried connecting to ARDBC 'ARSYS.ARDBC.LDAP' and I am unable to see
the syntax like
'ldap://orangina/o=remedy.com??sub?(objectclass=inetorgperson)'.

Please find the attached screen shot.

I have tried using the ldap.exe utility to find the dn and verified the
group it show 'No Children', but When I verified the group in Outlook users
were present in that group,

Is there any other way to implement this, please help me on this.

Regards,
Karthick S




Re: LDAP integration - ARDBC Configuration

2014-03-18 Thread Grooms, Frederick W
Added here from BMC Communities cross post  
https://communities.bmc.com/thread/103006

For Outlook groups in AD I don't think I have seen No Children.  What I see 
is a list of records in the member attribute.

Also Groups should be  ??sub?(objectclass=group)   
objectclass=inetorgperson is individual people records not groups   
   i.e.   
ldap://mail.mydomain.com/DC=mail,DC=mydomain,DC=com??sub?(objectclass=group)   

Fred

P.S.  I always thought the Available Vendor Tables showed the ones that have 
been used in other Vendor forms not a list of all possible choices for LDAP.


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Karthick S
Sent: Monday, March 17, 2014 11:01 PM
To: arslist@ARSLIST.ORG
Subject: LDAP integration - ARDBC Configuration

Hi All,

I have successfully implemented AREA and it works fine.
 
Requirement:
Now I am planning to use ARDBC for retrieving AD information for the 
employee(s) into Remedy application. Our client requirement is 'Whenever an 
employee(s) is added to Remedy group in active directory remedy profile need to 
created automatically', for automatic profile creation I can write using 
workflows.

Issue:
The issue here is I am unable to see the employee is listed in the group when I 
tried connecting to ARDBC 'ARSYS.ARDBC.LDAP' and I am unable to see the syntax 
like 'ldap://orangina/o=remedy.com??sub?(objectclass=inetorgperson)'. 
 
Please find the attached screen shot.

I have tried using the ldap.exe utility to find the dn and verified the group 
it show 'No Children', but When I verified the group in Outlook users were 
present in that group, 

Is there any other way to implement this, please help me on this.

Regards,
Karthick S

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years
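
The search-path advice in the reply above, as an added example that is not part of the original thread: a small parser for the `ldap://host/baseDN?attributes?scope?filter` form the posts use, with a check that a path meant to return groups actually filters on `objectclass=group`. The function names are hypothetical, and the defaults for empty fields follow RFC 4516.

```python
import re
from urllib.parse import unquote

# RFC 4516 defaults for fields left empty in an LDAP URL.
DEFAULT_SCOPE = "base"
DEFAULT_FILTER = "(objectClass=*)"
VALID_SCOPES = ("base", "one", "sub")

# Matches simple equality tests on objectclass inside a filter string.
OBJECTCLASS_TEST = re.compile(r"\(\s*objectclass\s*=\s*([^()\s]+)\s*\)", re.IGNORECASE)

# The two search paths quoted in the thread.
GROUP_URL = "ldap://mail.mydomain.com/DC=mail,DC=mydomain,DC=com??sub?(objectclass=group)"
PERSON_URL = "ldap://orangina/o=remedy.com??sub?(objectclass=inetorgperson)"


def parse_ldap_url(url):
    """Split ldap://host/dn?attributes?scope?filter into its parts."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    # '?' separates dn, attributes, scope, filter and optional extensions.
    fields = tail.split("?", 4)
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, flt = (unquote(f) for f in fields[:4])
    scope = scope.lower() or DEFAULT_SCOPE
    if scope not in VALID_SCOPES:
        raise ValueError("unknown scope %r" % scope)
    flt = flt or DEFAULT_FILTER
    return {
        "scheme": scheme.lower(),
        "hostport": hostport,
        "base_dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": flt,
        "object_classes": [c.lower() for c in OBJECTCLASS_TEST.findall(flt)],
    }


def review_group_search(url):
    """Return findings for a search path that is meant to return groups."""
    parsed = parse_ldap_url(url)
    findings = []
    if "group" not in parsed["object_classes"]:
        selected = ", ".join(parsed["object_classes"]) or "no objectclass test"
        findings.append(
            "filter selects %s; group entries need (objectclass=group)" % selected
        )
    if parsed["scope"] != "sub":
        findings.append(
            "scope is %r, not the subtree search ('sub') used in the thread"
            % parsed["scope"]
        )
    wanted = [a.lower() for a in parsed["attributes"]]
    if wanted and "member" not in wanted:
        findings.append("attribute list omits 'member', which lists the group's users")
    return findings


if __name__ == "__main__":
    for candidate in (GROUP_URL, PERSON_URL):
        print(candidate)
        for finding in review_group_search(candidate) or ["ok"]:
            print("   ", finding)
```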


Re: Company Access issue for User through LDAP

2014-03-08 Thread Sumit Vasudev
Thanx Roney,

I missed that only. Now the issue is resolved. :)

Regards,
Sumit Vasudev


On Fri, Mar 7, 2014 at 7:07 PM, Roney Samuel Varghese.
ronzr...@gmail.com wrote:

 Is your push field appending Unrestricted Access to the user form as
 well? You need to push to the CTM:People Permission group form as well
 which will take care of the user form.

 Regards,
 Roney Samuel Varghese.

 Sent from my iPhone

  On Mar 6, 2014, at 11:36 PM, Sumit Vasudev mssumitvasu...@gmail.com
 wrote:
 
  Hi Experts,
 
  I am facing one issue with People records. Records are created in People
 form through LDAP.
  All the people have Unrestricted Access selected through the filter
 which is sending records from Staging Form to People Form.
 
  But when logged in through that people profile, User didn't have access
 to any company.
 
  When I deselect the Unrestricted Access check box from People form and
 save the record and again select Unrestricted Access through People form
 and save the record, then issue get resolve and people will get access to
 all the companies.
 
  Can anyone please explain me, why this uneven behavior when
 Unrestricted Access is set from filter Push field action,
  User didn't get access to the Company but when same thing did from people
 form User will get access for the Company.
 
  Regards,
  Sumit Vasudev
 
 


Re: Company Access issue for User through LDAP

2014-03-07 Thread Roney Samuel Varghese.
Is your push field appending Unrestricted Access to the user form as well? 
You need to push to the CTM:People Permission group form as well which will 
take care of the user form.

Regards,
Roney Samuel Varghese. 

Sent from my iPhone

 On Mar 6, 2014, at 11:36 PM, Sumit Vasudev mssumitvasu...@gmail.com wrote:
 
 Hi Experts,
 
 I am facing one issue with People records. Records are created in People form 
 through LDAP.
 All the people have Unrestricted Access selected through the filter which 
 is sending records from Staging Form to People Form.
 
 But when logged in through that people profile, User didn't have access to 
 any company.
 
 When I deselect the Unrestricted Access check box from People form and save 
 the record and again select Unrestricted Access through People form and 
 save the record, then issue get resolve and people will get access to all the 
 companies.
 
 Can anyone please explain me, why this uneven behavior when Unrestricted 
 Access is set from filter Push field action,
 User didn't get access to the Company but when same thing did from people form 
 User will get access for the Company.
 
 Regards,
 Sumit Vasudev
 


Company Access issue for User through LDAP

2014-03-06 Thread Sumit Vasudev
Hi Experts,

I am facing one issue with People records. Records are created in People form 
through LDAP.
All the people have Unrestricted Access selected through the filter which is 
sending records from Staging Form to People Form.

But when logged in through that people profile, User didn't have access to any 
company.

When I deselect the Unrestricted Access check box from People form and save 
the record and again select Unrestricted Access through People form and save 
the record, then issue get resolve and people will get access to all the 
companies.

Can anyone please explain me, why this uneven behavior when Unrestricted 
Access is set from filter Push field action,
User didn't get access to the Company but when same thing did from people form 
User will get access for the Company.

Regards,
Sumit Vasudev



Re: Remedy AR Server and LDAP

2014-02-28 Thread Blairing
Chris,

The LDAP authentication runs as a C-plugin, at least up through 7.6.x, so the 
error messages will be found in the arplugin.log file, assuming you have 
enabled it. What you get back from LDAP depends on the LDAP implementation. 
Sometimes it is a plain text message such as bad password and sometimes it 
can be an obscure 8 hex digit number, but I have found that entering such a 
number in the Google search to bar usually leads to something helpful.

I don't think that you can divert the arplugin.log to log to a form.

There's no easy way to capture that log file through workflow associated with 
the attempt to log in and authenticate via LDAP ( for starters, you can't run 
workflow unless you're already logged in ). You could run a command line 
process periodically to look or grep for known error texts and send a 
notification based on that...

Hope this helps...

Doug

--
Doug Blair
+1 224-558-5462

Sent from my iPad Air
Auto-corrected typos, misspellings and non-sequiturs are gratefully attributed 
to Steve Jobs :-)

 On Feb 27, 2014, at 9:10 AM, Pruitt, Christopher (Bank of America Account)  
  christopher.pru...@hp.com wrote:
 
 Hello All,
 
 Has anyone ever heard of a way to capture specific LDAP error code/return codes to 
 display different messages?
 
 I don't think the different LDAP errors are controlled by any specific code 
 we have control over and as far as I understand it the BMC Remedy engine uses 
 a Java plugin that communicates to LDAP via a jar file. Meaning there is no 
 source code. However, I found the following couple error messages in BMC 
 documentation and it looks like the lockout message isn't coming from LDAP 
 but from Remedy AR System Server itself...
 
 623 Error
 Authentication failed.
 Make sure that your user name and password were entered correctly.
 
 624 Error
 User account locked out due to too many bad password attempts.
 Consecutive login attempts failed because of invalid passwords. The AR System 
 server administrator can configure the number of attempts to allow. To unlock 
 your account, reset your password or contact your administrator.
 
 So we are trying to determine if there is a way to capture specific LDAP 
 error code/return codes to display different messages.
 
 Any Feedback on this would be appreciated.
 
 Christopher Pruitt
 Business Consulting III
 
 HP Enterprises Services
 christopher.pru...@hp.com
 www.hp.com

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years
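
The periodic log check suggested in the reply above, as an added example that is not part of the original thread. It assumes the directory is Active Directory, whose bind failures carry a `data` sub-code after the 8-hex-digit error; the sample lines are constructed, the real arplugin.log layout may differ, and the function names are hypothetical.

```python
import re
from collections import Counter

# Active Directory bind failures: the "data" value is a Win32 error number
# in hex and carries the actual reason for the failed bind.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Sub-codes worth a notification on first sight; the rest use a threshold.
ALWAYS_NOTIFY = {"532", "533", "701", "773", "775"}

AD_BIND_ERROR = re.compile(
    r"\b([0-9A-Fa-f]{8}): LdapErr: .*?\bdata ([0-9A-Fa-f]+)\b"
)

# Constructed sample lines (assumption: only the AD error text matters,
# everything before it is an invented prefix).
SAMPLE_LOG = """\
09:01:12 AREA bind failed user=alice: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
09:01:20 AREA bind failed user=alice: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
09:01:31 AREA bind failed user=alice: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
09:01:40 AREA bind failed user=alice: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1
09:05:02 AREA plugin loaded, waiting for requests
09:07:45 AREA bind failed user=bob: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1
"""


def classify_line(line):
    """Return (error_code, sub_code, meaning) for an AD bind error, else None."""
    match = AD_BIND_ERROR.search(line)
    if not match:
        return None
    sub = match.group(2).lower()
    return match.group(1).upper(), sub, AD_SUBCODES.get(sub, "unrecognised sub-code")


def summarize(log_text):
    """Count AD bind-failure sub-codes across all lines of a log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            counts[hit[1]] += 1
    return counts


def alerts(counts, failed_bind_threshold=3):
    """Pick the sub-codes that should trigger a notification."""
    out = []
    for sub, seen in sorted(counts.items()):
        if sub in ALWAYS_NOTIFY or seen >= failed_bind_threshold:
            out.append((sub, seen, AD_SUBCODES.get(sub, "unrecognised sub-code")))
    return out


if __name__ == "__main__":
    for sub, seen, meaning in alerts(summarize(SAMPLE_LOG)):
        print("data %s x%d: %s" % (sub, seen, meaning))
```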


Remedy AR Server and LDAP

2014-02-27 Thread Pruitt, Christopher (Bank of America Account)
Hello All,

Has anyone ever heard of a way to capture specific LDAP error code/return codes to 
display different messages?

I don't think the different LDAP errors are controlled by any specific code we 
have control over and as far as I understand it the BMC Remedy engine uses a 
Java plugin that communicates to LDAP via a jar file. Meaning there is no source 
code. However, I found the following couple error messages in BMC documentation 
and it looks like the lockout message isn't coming from LDAP but from Remedy AR 
System Server itself...

623 Error
Authentication failed.
Make sure that your user name and password were entered correctly.

624 Error
User account locked out due to too many bad password attempts.
Consecutive login attempts failed because of invalid passwords. The AR System 
server administrator can configure the number of attempts to allow. To unlock 
your account, reset your password or contact your administrator.

So we are trying to determine if there is a way to capture specific LDAP error 
code/return codes to display different messages.

Any Feedback on this would be appreciated.

Christopher Pruitt
Business Consulting III

HP Enterprises Services
christopher.pru...@hp.com
www.hp.com


Re: Remedy AR Server and LDAP

2014-02-27 Thread Walters, Mark
If you enable plugin logging for the appropriate plugin server that is hosting 
your LDAP plugin you should see the error codes but I don't think they're 
passed back to the server.  The only codes returned are login successful, 
failed and unknown user.  The 623 can result from both internal and AREA 
authentication failures, I think 624 only comes from internal failures.  

Mark

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Pruitt, Christopher (Bank of America 
Account)
Sent: 27 February 2014 15:10
To: arslist@ARSLIST.ORG
Subject: Remedy AR Server and LDAP

Hello All,

Has anyone ever heard of a way to capture specific LDAP error code/return codes to 
display different messages?

I don't think the different LDAP errors are controlled by any specific code we 
have control over and as far as I understand it the BMC Remedy engine uses a 
Java plugin that communicates to LDAP via a jar file. Meaning there is no source 
code. However, I found the following couple error messages in BMC documentation 
and it looks like the lockout message isn't coming from LDAP but from Remedy AR 
System Server itself...

623 Error
Authentication failed.
Make sure that your user name and password were entered correctly.

624 Error
User account locked out due to too many bad password attempts.
Consecutive login attempts failed because of invalid passwords. The AR System 
server administrator can configure the number of attempts to allow. To unlock 
your account, reset your password or contact your administrator.

So we are trying to determine if there is a way to capture specific LDAP error 
code/return codes to display different messages.

Any Feedback on this would be appreciated.

Christopher Pruitt
Business Consulting III

HP Enterprises Services
christopher.pru...@hp.com
www.hp.com


Re: Remedy AR Server and LDAP

2014-02-27 Thread Sandeep Pandey
Hi,

Looks like the LDAP user credential configured in AREA LDAP configuration
form has been locked. Check the user configured in AREA LDAP form in AD and
unlock. After that, the changed password needs to be changed in AREA LDAP form as
well. Hope this will help!

Regards,
Sandeep Pandey


On Thu, Feb 27, 2014 at 8:40 PM, Pruitt, Christopher (Bank of America
Account) christopher.pru...@hp.com wrote:

 Hello All,

 Has anyone ever heard of a way to capture specific LDAP error code/return codes
 to display different messages?

 I don't think the different LDAP errors are controlled by any specific
 code we have control over and as far as I understand it the BMC Remedy
 engine uses a Java plugin that communicates to LDAP via a jar file. Meaning
 there is no source code. However, I found the following couple error
 messages in BMC documentation and it looks like the lockout message isn't
 coming from LDAP but from Remedy AR System Server itself...

 623 Error
 Authentication failed.
 Make sure that your user name and password were entered correctly.

 624 Error
 User account locked out due to too many bad password attempts.
 Consecutive login attempts failed because of invalid passwords. The AR
 System server administrator can configure the number of attempts to allow.
 To unlock your account, reset your password or contact your administrator.

 So we are trying to determine if there is a way to capture specific LDAP
 error code/return codes to display different messages.

 Any Feedback on this would be appreciated.

 Christopher Pruitt
 Business Consulting III

 HP Enterprises Services
 christopher.pru...@hp.com
 www.hp.com


AREA LDAP SSL

2014-02-10 Thread Daniel Pritchard
We are running ARS 7.6.04 SP2 on a Windows 2008 Server.

Our LDAP servers were changed to require SSL connections to LDAP yesterday, 
without any warning.  Our remedy servers will no longer let users in.  I need 
to enable SSL in LDAP but am having trouble finding out how to create the 
certificate database.  We are running on a Secure system so I am unable to 
download any additional software to do this.  

Is there a way to create the cert7.db file using software from the windows 2008 
server or remedy?


Dan



Re: AREA LDAP SSL

2014-02-10 Thread Karthik
Dan,

check this link

https://kb.bmc.com/infocenter/index?page=contentid=S%3AKA319087

- Karthik


-- Forwarded message --
From: Daniel Pritchard daniel.b.pritch...@gmail.com
Date: 10 February 2014 15:05
Subject: AREA LDAP SSL
To: arslist@arslist.org


We are running ARS 7.6.04 SP2 on a Windows 2008 Server.

Our LDAP servers were changed to require SSL connections to LDAP yesterday,
without any warning.  Our remedy servers will no longer let users in.  I
need to enable SSL in LDAP but am having trouble finding out how to create
the certificate database.  We are running on a Secure system so I am unable
to download any additional software to do this.

Is there a way to create the cert7.db file using software from the windows
2008 server or remedy?


Dan




-- 
- Karthik



Re: AREA LDAP SSL

2014-02-10 Thread munesh konda
Hello Dan,

Please refer BMC 7.6.04 Integration document page 402,

About certificate databases:

AR System uses the Mozilla C-LDAP libraries to support LDAP plug-ins and
remote authentication. These libraries enable LDAP plug-ins to use NSS to
establish Secure Sockets Layer (SSL) connections with LDAP servers. To do
this, NSS requires the LDAP server's certification authority (CA)
certificate to be in a certificate database (cert8.db file).


To perform the procedures in this appendix, use the command-line certutil
utility, which is included in the Mozilla NSS security tools set (see
http://www.mozilla.org/projects/security/pki/nss/tools/).

So I don't think you have any option from Windows or Remedy to create the
cert db file.

Thanks.

Regards
Munesh


On Mon, Feb 10, 2014 at 3:05 PM, Daniel Pritchard 
daniel.b.pritch...@gmail.com wrote:

 We are running ARS 7.6.04 SP2 on a Windows 2008 Server.

 Our LDAP servers were changed to require SSL connections to LDAP
 yesterday, without any warning.  Our remedy servers will no longer let
 users in.  I need to enable SSL in LDAP but am having trouble finding out
 how to create the certificate database.  We are running on a Secure system
 so I am unable to download any additional software to do this.

 Is there a way to create the cert7.db file using software from the windows
 2008 server or remedy?


 Dan




Re: AREA LDAP SSL

2014-02-10 Thread Daniel Pritchard
Thanks for the help.  I finally got the Mozilla tools downloaded and installed 
and created the cert8.db file and it works



Re: AREA LDAP SSL

2014-02-10 Thread Miller, Karl
This may be of some help.  The NSS Tools were installed as a Linux package, but 
since these are used only to create the .DB files (which you can move to the 
correct locations on your Windows systems), they may help.

https://communities.bmc.com/community/bmcdn/bmc_it_service_support/blog/2013/03/13/remedy-8--digital-certificates




Karl Miller |  Principal Product Manager - Remedy Platform | BMC Software  
W  678-779-4998  |  C  678-779-4998 


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Daniel Pritchard
Sent: Monday, February 10, 2014 4:36 AM
To: arslist@ARSLIST.ORG
Subject: AREA LDAP SSL

We are running ARS 7.6.04 SP2 on a Windows 2008 Server.

Our LDAP servers were changed to require SSL connections to LDAP yesterday, 
without any warning.  Our remedy servers will no longer let users in.  I need 
to enable SSL in LDAP but am having trouble finding out how to create the 
certificate database.  We are running on a Secure system so I am unable to 
download any additional software to do this.  

Is there a way to create the cert7.db file using software from the windows 2008 
server or remedy?


Dan



Re: BMC Mobility and LDAP Authentication

2013-12-17 Thread Pratik Nahata
Shawn
How is LDAP integrated with the AR System - AREA or SSO?
If you are using AREA it is supported.



Re: BMC Mobility and LDAP Authentication

2013-12-17 Thread Pierson, Shawn
Pratik,

Thank you for the response.  We have both (although the SSO we are using is 
Java Systems Solution SSO, not BMC's fake SSO) but using SSO doesn't prevent 
AREA from working either via the Mid Tier or the User Tool so I wouldn't have 
expected it to cause an issue for Mobility since authentication should be 
happening on the server side.  Is there an undocumented config file that I may 
need to set up on the mobility server or something?

Thanks,

Shawn Pierson 
Remedy Developer | Energy Transfer


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Pratik Nahata
Sent: Tuesday, December 17, 2013 2:46 AM
To: arslist@ARSLIST.ORG
Subject: Re: BMC Mobility and LDAP Authentication

Shawn
How is LDAP integrated with the AR System - AREA or SSO?
If you are using AREA it is supported.



BMC Mobility and LDAP Authentication

2013-12-16 Thread Pierson, Shawn
Good afternoon,

I can't find any information on BMC's (extremely slow today) site, whether in 
their knowledge base, product documentation, or on developer network concerning 
how authentication works with BMC Mobility for Incidents.  We've gotten it to 
work with our test users that have hardcoded passwords, but it doesn't seem to 
authenticate via LDAP against Active Directory.

We're going to open a ticket with BMC, but I wanted to check here as well.  Do 
any of you know what would be required to get Mobility working with LDAP 
enabled accounts?

Thanks,

Shawn Pierson
Remedy Developer | Energy Transfer



Copy AREA LDAP entries

2013-12-05 Thread Chad Wilhelm
Hello,

Wondering if anyone has successfully copied AREA LDAP entries from one ARS to 
another.  We have several entries so exporting would save time, but I was told 
this had to be done manually through AREA LDAP Configuration.  I was able to 
export entries in arx format from Configuration ARDBC and import them but not 
sure if this is all that is needed.  Any assistance would be welcomed.

Thank You,
Chad Wilhelm
CareTech Solutions


Re: Copy AREA LDAP entries

2013-12-05 Thread LJ LongWing
Chad,
If by 'entries', you are referring to the configuration in the AREALDAP
form, those values are stored in the ar.cfg file.  I routinely copy/paste
those entries from an existing environment to a new environment when
building it out...so I would say yes...it's possible, but not in the
export/arx method you are describing.


On Thu, Dec 5, 2013 at 6:40 AM, Chad Wilhelm chad.wilh...@caretech.com wrote:


 Hello,



 Wondering if anyone has successfully copied AREA LDAP entries from one ARS
 to another.  We have several entries so exporting would save time, but I
 was told this had to be done manually through AREA LDAP Configuration.  I
 was able to export entries in arx format from Configuration ARDBC and
 import them but not sure if this is all that is needed.  Any assistance
 would be welcomed.



 Thank You,

 Chad Wilhelm
 CareTech Solutions



Re: Copy AREA LDAP entries

2013-12-05 Thread Chad Wilhelm
I noticed when I imported the LDAP entries they created in ar.cfg 
automatically.  I will give your method a try.

Thanks LJ.


Chad Wilhelm
CareTech Solutions






From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of LJ LongWing
Sent: Thursday, December 05, 2013 9:04 AM
To: arslist@ARSLIST.ORG
Subject: Re: Copy AREA LDAP entries

Chad,
If by 'entries', you are referring to the configuration in the AREALDAP form, 
those values are stored in the ar.cfg file.  I routinely copy/paste those 
entries from an existing environment to a new environment when building it 
out...so I would say yes...it's possible, but not in the export/arx method you 
are describing.

On Thu, Dec 5, 2013 at 6:40 AM, Chad Wilhelm 
chad.wilh...@caretech.com wrote:
Hello,

Wondering if anyone has successfully copied AREA LDAP entries from one ARS to 
another.  We have several entries so exporting would save time, but I was told 
this had to be done manually through AREA LDAP Configuration.  I was able to 
export entries in arx format from Configuration ARDBC and import them but not 
sure if this is all that is needed.  Any assistance would be welcomed.

Thank You,
Chad Wilhelm
CareTech Solutions



Remedy Upgrade to 8 - LDAP Integration - sAMAccountName

2013-11-08 Thread BradRemedy
Howdy all

Hope everyone is well

We are in the process of testing an upgrade from 7.5 patch 003 to version 8
patch 002. On the old version of Remedy, we had a simple vendor form that
connected to our AD server and returned the AD details of our users.

On our test server, we have setup version 8 and configured the LDAP
integration exactly the same way as our current live server.

However, when we do a search on our live system (running 7.5 patch 003) on
the vendor form, we get a result in the 'Request ID' field of 'johns'.

The same search on the version 8 system however, we are getting back
 DC=abcops,DC=ne|t:-:johns

This is affecting our SSO solution and for the life of me I cannot figure
out why we are getting a different format back.

Has anyone experienced this or have any idea on where I can start looking?

I have also checked the source code in the AD system and the sAMAccountName
is correctly stored as johns.

Any advice or assistance is appreciated.

Thanks
Brad



Re: Remedy Upgrade to 8 - LDAP Integration - sAMAccountName

2013-11-08 Thread LJ LongWing
Brad,
One thing you may be experiencing is with the change from C LDAP plugin to
Java LDAP Plugin, one thing you could try is to disable the Java one,
re-implement the C one, and see if the problem goes away...if it does,
obviously log a bug on the Java version with BMC.  If the problem remains,
you may have a mapping difference on your Vendor form, check what attribute
the Request ID field is mapped to on both systems to verify where the
problem may be coming from.


On Fri, Nov 8, 2013 at 6:27 AM, BradRemedy <bradrem...@gmail.com> wrote:

 Howdy all

 Hope everyone is well

 We are in the process of testing an upgrade from 7.5 patch 003 to version 8
 patch 002. On the old version of Remedy, we had a simple vendor form that
 connected to our AD server and returned the AD details of our users.

 On our test server, we have setup version 8 and configured the LDAP
 integration exactly the same way as our current live server.

 However, when we do a search on our live system (running 7.5 patch 003) on
 the vendor form, we get a result in the 'Request ID' field of 'johns'.

 The same search on the version 8 system however, we are getting back
  DC=abcops,DC=ne|t:-:johns

 This is affecting our SSO solution and for the life of me I cannot figure
 out why we are getting a different format back.

 Has anyone experienced this or have any idea on where I can start looking?

 I have also checked the source code in the AD system and
 the sAMAccountName is correctly stored as johns.

 Any advice or assistance is appreciated.

 Thanks
 Brad


Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Longwing, Lj
Frank,
I have personally found that while Remedy is user id case sensitive, active
directory isn't...so really, the only thing that matters is that you match
the case of the user id in your remedy user table...the password is of
course case sensitive...but the user name should not be, not in AD at least.


On Thu, Sep 5, 2013 at 11:16 AM, Frank Caruso <caruso.fr...@gmail.com> wrote:

 ITSM 764 sp2; RHEL, Oracle, Weblogic

 Using AREALdap for authentication. From the web the user types in their
 network ID and we match against the sAMAccountName in LDAP. The ID is
 stored in AD in all upper case letters; at least that is what I thought.
 Come to find out the ID is stored in mixed case; sometimes all upper,
 sometimes all lower and sometimes mixed. So, unless the user knows how
 their ID is stored in LDAP the login to Remedy will fail. I was forcing all
 logins to upper case when the login button was clicked but am now realizing
 that will not work for all IDs.

 Is this something I can handle in AREALDAP?

 Thank you

 Frank Caruso




LDAP Authentication Case Sensitivity

2013-09-05 Thread Frank Caruso
ITSM 764 sp2; RHEL, Oracle, Weblogic

Using AREALdap for authentication. From the web the user types in their network 
ID and we match against the sAMAccountName in LDAP. The ID is stored in AD in 
all upper case letters; at least that is what I thought. Come to find out the 
ID is stored in mixed case; sometimes all upper, sometimes all lower and 
sometimes mixed. So, unless the user knows how their ID is stored in LDAP the 
login to Remedy will fail. I was forcing all logins to upper case when the 
login button was clicked but am now realizing that will not work for all IDs.

Is this something I can handle in AREALDAP?

Thank you

Frank Caruso



Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Frank Caruso
Arg!!! I asked the user several times if their account was locked and 
then said no, but it was!
That was the issue. Once unlocked they could login and AD authenticate.

Thank you all for your help!

Frank Caruso



Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Grooms, Frederick W
What most people do is to force the Remedy login into a known case (either all 
upper or all lower) in the User form and on the Mid-Tier login.jsp add the 
onChange action to the username field.

onChange="javascript:this.value = this.value.toLowerCase();"

or

onChange="javascript:this.value = this.value.toUpperCase();"

Fred


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Rjust
Sent: Thursday, September 05, 2013 2:43 PM
To: arslist@ARSLIST.ORG
Subject: Re: LDAP Authentication Case Sensitivity

The issue is the login on the User form must be the same as the login that the 
user typed into the login screen.

Sent from my iPhone

On Sep 5, 2013, at 3:40 PM, Frank Caruso  wrote:

 So if I can do an ldapsearch and find the ID using any format, then the issue 
 is probably not the ID being in mixed case letters.



Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Pierson, Shawn
I've had similar issues.  What I did was 1) change my LDAP ARDBC integration to 
do a lower() function on the AD attributes (such as cn) that stored the login 
name when I pulled it in to Remedy, and 2) customized the login.jsp page to 
automatically set the values in the Login Name field to be lower case I believe 
when it lost focus.  However, since then we've been using an SSO tool so it 
hasn't been an issue for a few years.

Thanks,

Shawn Pierson 
Remedy Developer | Energy Transfer

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Frank Caruso
Sent: Thursday, September 05, 2013 12:16 PM
To: arslist@ARSLIST.ORG
Subject: LDAP Authentication Case Sensitivity

ITSM 764 sp2; RHEL, Oracle, Weblogic

Using AREALdap for authentication. From the web the user types in their network 
ID and we match against the sAMAccountName in LDAP. The ID is stored in AD in 
all upper case letters; at least that is what I thought. Come to find out the 
ID is stored in mixed case; sometimes all upper, sometimes all lower and 
sometimes mixed. So, unless the user knows how their ID is stored in LDAP the 
login to Remedy will fail. I was forcing all logins to upper case when the 
login button was clicked but am now realizing that will not work for all IDs.

Is this something I can handle in AREALDAP?

Thank you

Frank Caruso



Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Rjust
The issue is the login on the User form must be the same as the login that the 
user typed into the login screen.

Sent from my iPhone

On Sep 5, 2013, at 3:40 PM, Frank Caruso <caruso.fr...@gmail.com> wrote:

 So if I can do an ldapsearch and find the ID using any format, then the issue 
 is probably not the ID being in mixed case letters.
 


Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Longwing, Lj
their fault for not saying yes, or your fault for believing them? :D


On Thu, Sep 5, 2013 at 2:00 PM, Frank Caruso <caruso.fr...@gmail.com> wrote:

 Arg!!! I asked the user several times if their account was locked
 and then said no, but it was!
 That was the issue. Once unlocked they could login and AD authenticate.

 Thank you all for your help!

 Frank Caruso




Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Frank Caruso
So if I can do an ldapsearch and find the ID using any format, then the issue 
is probably not the ID being in mixed case letters.



Re: LDAP Authentication Case Sensitivity

2013-09-05 Thread Longwing, Lj
that's my thought.


On Thu, Sep 5, 2013 at 1:40 PM, Frank Caruso <caruso.fr...@gmail.com> wrote:

 So if I can do an ldapsearch and find the ID using any format, then the
 issue is probably not the ID being in mixed case letters.




Re: AREA LDAP 8.0 Configuration Issue

2013-04-04 Thread L G Robinson
I had this problem... I had to set Authentication Chaining Mode to: AREA -
ARS.

Hope this is helpful.
Larry


On Thu, Mar 28, 2013 at 5:50 PM, Kapil Banwari <kapil.banw...@gmail.com> wrote:

 If you are using CRBP(Cross Ref Blank password)= True, and you have mainly
 AR groups (not specific AD groups) which you need to use, make sure in AREA
 LDAP configuration form, in the License Mask and in the Write license
 (under
 Defaults and Mapping attributes to user information), you don't have any
 value mentioned over there.

 If it is blank, it is going to pick the licenses from User form, and you
 should get token as per mentioned in user form.

 If there is no specific reason to use chaining mode, it can be set to off,
 as by default it is set to first go to ARS and then to AREA. If you are
 using any sso plugin, then in those cases chaining is usually helpful and
 enabled.

 By default, the way it works with chaining disabled is, first it goes to user
 form, it will check if that user exists in user form, and if that user has
 blank password in user form (with CRBP=true) and then it will authenticate
 via the password of AD.

 Hope this helps.

 Regards
 Kapil B.




 -Original Message-
 From: Action Request System discussion list(ARSList)
 [mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops
 Sent: Friday, March 29, 2013 2:28 AM
 To: arslist@ARSLIST.ORG
 Subject: Re: AREA LDAP 8.0 Configuration Issue

 We have the following:

 1. No check box in the Allow Guest Users
 2. No check box in the Authenticate Unregistered Users
 3. Authentication has AREA - ARS


 V/R
 Abdul Baytops

 
 From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG]
 on behalf of Andrew Belis [andrew.be...@lmco.com]
 Sent: Thursday, March 28, 2013 4:33 PM
 To: arslist@ARSLIST.ORG
 Subject: Re: AREA LDAP 8.0 Configuration Issue

 Under Configuration tab do you have Allow Guest Users enabled by chance?
 What are your settings for Authenticate Unregistered Users under EA tab
 as
 well as the Authentication Chaining Mode set to?


 


AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Abdullah Baytops
Could anyone provide any assistance with a problem that we are having in which 
we have successfully configured our AR users to login using their LDAP password 
but when they go into Remedy to work a ticket it tells them they have no right 
license.  The users are in the right groups if I turn off LDAP they can access 
the groups with no problem but once I turn it back on they receive the error.

Thanks in Advance


V/R
Abdul Baytops




Re: AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Smerz, Christian
Could it be case sensitivity?  How are they logging in?  What is the case they 
log in with vs. how they are configured?

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops
Sent: Thursday, March 28, 2013 12:55 PM
To: arslist@ARSLIST.ORG
Subject: AREA LDAP 8.0 Configuration Issue

Could anyone provide any assistance with a problem that we are having in which 
we have successfully configured our AR users to login using their LDAP password 
but when they go into Remedy to work a ticket it tells them they have no right 
license.  The users are in the right groups if I turn off LDAP they can access 
the groups with no problem but once I turn it back on they receive the error.

Thanks in Advance

V/R
Abdul Baytops


Re: AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Abdullah Baytops
The case is all lowercase on both the AR System and LDAP server.  I was 
wondering could it be the form that has the Write License area on the LDAP 
form?  Are there specific values that should be included in that area.

V/R
Abdul Baytops


From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on 
behalf of Smerz, Christian [cesm...@eprod.com]
Sent: Thursday, March 28, 2013 2:37 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA LDAP 8.0 Configuration Issue

Could it be case sensitivity?  How are they logging in?  What is the case they 
log in with vs. how they are configured?

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops
Sent: Thursday, March 28, 2013 12:55 PM
To: arslist@ARSLIST.ORG
Subject: AREA LDAP 8.0 Configuration Issue

Could anyone provide any assistance with a problem that we are having in which 
we have successfully configured our AR users to login using their LDAP password 
but when they go into Remedy to work a ticket it tells them they have no right 
license.  The users are in the right groups if I turn off LDAP they can access 
the groups with no problem but once I turn it back on they receive the error.

Thanks in Advance

V/R
Abdul Baytops


Re: AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Andrew Belis
Under Configuration tab do you have Allow Guest Users enabled by chance? What 
are your settings for Authenticate Unregistered Users under EA tab as well as 
the Authentication Chaining Mode set to?



Re: AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Abdullah Baytops
We have the following:

1. No check box in the Allow Guest Users
2. No check box in the Authenticate Unregistered Users
3. Authentication has AREA - ARS


V/R
Abdul Baytops


From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG] on 
behalf of Andrew Belis [andrew.be...@lmco.com]
Sent: Thursday, March 28, 2013 4:33 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA LDAP 8.0 Configuration Issue

Under Configuration tab do you have Allow Guest Users enabled by chance? What 
are your settings for Authenticate Unregistered Users under EA tab as well as 
the Authentication Chaining Mode set to?



Re: AREA LDAP 8.0 Configuration Issue

2013-03-28 Thread Kapil Banwari
If you are using CRBP(Cross Ref Blank password)= True, and you have mainly
AR groups (not specific AD groups) which you need to use, make sure in AREA
LDAP configuration form, in the License Mask and in the Write license (under
Defaults and Mapping attributes to user information), you don't have any
value mentioned over there. 

If it is blank, it is going to pick the licenses from User form, and you
should get token as per mentioned in user form.

If there is no specific reason to use chaining mode, it can be set to off,
as by default it is set to first go to ARS and then to AREA. If you are
using any sso plugin, then in those cases chaining is usually helpful and
enabled. 

By default, the way it works with chaining disabled is, first it goes to user
form, it will check if that user exists in user form, and if that user has
blank password in user form (with CRBP=true) and then it will authenticate
via the password of AD.

Hope this helps. 

Regards
Kapil B.




-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Abdullah Baytops
Sent: Friday, March 29, 2013 2:28 AM
To: arslist@ARSLIST.ORG
Subject: Re: AREA LDAP 8.0 Configuration Issue

We have the following:

1. No check box in the Allow Guest Users
2. No check box in the Authenticate Unregistered Users
3. Authentication has AREA - ARS


V/R
Abdul Baytops


From: Action Request System discussion list(ARSList) [arslist@ARSLIST.ORG]
on behalf of Andrew Belis [andrew.be...@lmco.com]
Sent: Thursday, March 28, 2013 4:33 PM
To: arslist@ARSLIST.ORG
Subject: Re: AREA LDAP 8.0 Configuration Issue

Under Configuration tab do you have Allow Guest Users enabled by chance?
What are your settings for Authenticate Unregistered Users under EA tab as
well as the Authentication Chaining Mode set to?




Re: Error while getting records from LDAP

2013-03-27 Thread rajkiran Alle
We are using 7.6.04 on Windows. When I am trying to retrieve a specific 
folder (table) in an Active Directory tree I am getting records, but when I 
changed the Table name in the Vendor form to the top of the tree it's throwing 
the following error.

So I am guessing a vendor form can only access one table at a time, not a 
bunch of tables?



Error while getting records from LDAP

2013-03-26 Thread rajkiran Alle
Hi

I am working on a task to sync LDAP records with the People form. So in that 
process I created a Vendor form to retrieve records from an LDAP table and it's 
throwing the following error while doing a search for records, but when I 
search for a single record it's retrieving. I have gone through the Error 
document but it didn't help me.

Can you please give me your valuable suggestion to overcome this problem.

8760
Error
Cannot establish a network connection to the AR System Plug-In server.



Re: Error while getting records from LDAP

2013-03-26 Thread vaibhav wadekar
Hello Raj,

Can you confirm the below

ARSystem Version?

OS?

If it is 7.6.04, it appears that the C-based ardbcldap.so did not get loaded at
the start of the C Plugin server?
If it is 8.0 or a later version, the Java plugin server did not start?


Also check the Server-Plugin-Alias entry for ARDBC to confirm whether
correct server is configured for the plugin to use.

Hope this helps.

Regards/Vaibhav





On Tue, Mar 26, 2013 at 1:49 PM, rajkiran Alle <rajkiran...@yahoo.com> wrote:

 Hi

 I am working on a task to sync LDAP records with the People form. So in that
 process I created a Vendor form to retrieve records from an LDAP table and it's
 throwing the following error while doing a search for records, but when I
 search for a single record it's retrieving. I have gone through the Error
 document but it didn't help me.

 Can you please give me your valuable suggestion to overcome this problem.

 8760
 Error
 Cannot establish a network connection to the AR System Plug-In server.




AR System 8.1: Why is the BMC AREA LDAP plugin not working?

2013-03-15 Thread John Baker

Hello

When installing AR System 8.1, you may expect to be able to carry on 
using the BMC AREA LDAP plugin. It appears BMC have switched on the 
AtriumSSO AREA plugin by default, and would prefer you ran this product 
to achieve what the AREA LDAP plugin does without the overhead of extra 
hardware, load balancers, configuration nightmares, etc.


If you're wondering why the BMC AREA LDAP or BMC AREA Hub plugins aren't 
working (ie why authentication events aren't going to the arplugin log 
file) search for this line in ar.cfg:


Server-Plugin-Alias: AREA 

and comment it out, ie.

#Server-Plugin-Alias: AREA 

This will send authentication events back to the C plugin server to 
which you're accustomed.



John



Re: AR System 8.1: Why is the BMC AREA LDAP plugin not working?

2013-03-15 Thread Curtis Gallant
Hi John,

In 8.1 the default LDAP plugins are based on Java plugins but they are not
the AtriumSSO ones.  What you are basically doing here is disabling the
newer Java plugin for AREA so that it falls back to the C plugin.

The java plugin is actually arealdapplugin81_build001.jar which is supposed
to be a like for like re-write of the C plugin and have nothing to do with
the AtriumSSO ones (at least that I can see).  Once you install/integrate
in AtriumSSO this may change though but I don't have it installed so I
can't confirm if installing/integrating AtriumSSO actually changes anything
about this specific plugin but doubt it as I assume it's no longer used
since instead you configure everything in AtriumSSO which is a different
story altogether and I still like your plugin better :)

See here for more info:

https://docs.bmc.com/docs/display/public/ars81/Troubleshooting+AREA+LDAP+plug-in+issues

Because this is now a Java plugin, you won't see anything in the arplugin
log files, you need to check the javaplugin logs (and potentially enable
the logging itself).

Cheers,




On Fri, Mar 15, 2013 at 9:59 AM, John Baker
<jba...@javasystemsolutions.com> wrote:

 Hello

 When installing AR System 8.1, you may expect to be able to carry on using
 the BMC AREA LDAP plugin. It appears BMC have switched on the AtriumSSO
 AREA plugin by default, and would prefer you ran this product to achieve
 what the AREA LDAP plugin does without the overhead of extra hardware, load
 balancers, configuration nightmares, etc.

 If you're wondering why the BMC AREA LDAP or BMC AREA Hub plugins aren't
 working (ie why authentication events aren't going to the arplugin log
 file) search for this line in ar.cfg:

 Server-Plugin-Alias: AREA 

 and comment it out, ie.

 #Server-Plugin-Alias: AREA 

 This will send authentication events back to the C plugin server to which
 you're accustomed.


 John





-- 
:wq cuga
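
An added example (not from the posts above and not BMC code): a small Python audit of ar.cfg that lists every `Server-Plugin-Alias` line, active or commented out, and reports whether a plug-in name such as AREA or ARSYS.ARDBC.LDAP is routed to an aliased plug-in server. Per the messages above, an active AREA alias sends authentication events to the plug-in server named in the alias (the Java one on 8.1, so look in the javaplugin logs), and commenting it out returns them to the C plug-in server and the arplugin log. It assumes the three-field line shape `alias realName host[:port]`; the host name and port in the sample are constructed placeholders.

```python
import re

# Assumed line shape:
#   Server-Plugin-Alias: <alias> <real plug-in name> <host>[:<port>]
ALIAS_LINE = re.compile(r"^(?P<off>#+\s*)?Server-Plugin-Alias:\s*(?P<fields>.*)$")

# Constructed ar.cfg fragments; host name and port are placeholders.
CFG_ALIASED = """\
Server-Name: arserver.example.test
Server-Plugin-Alias: AREA AREA arserver.example.test:9999
Server-Plugin-Alias: ARSYS.ARDBC.LDAP ARSYS.ARDBC.LDAP arserver.example.test:9999
"""
CFG_COMMENTED = CFG_ALIASED.replace(
    "Server-Plugin-Alias: AREA", "#Server-Plugin-Alias: AREA"
)


def plugin_aliases(cfg_text):
    """Return every Server-Plugin-Alias line, active or commented out."""
    found = []
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        m = ALIAS_LINE.match(raw.strip())
        if not m:
            continue
        fields = m["fields"].split()
        if not fields:
            continue
        found.append({
            "line": line_no,
            "active": m["off"] is None,
            "alias": fields[0],
            "real_name": fields[1] if len(fields) > 1 else None,
            "target": fields[2] if len(fields) > 2 else None,
        })
    return found


def routing(cfg_text, alias):
    """Summarise where calls for one plug-in name are routed."""
    entries = [e for e in plugin_aliases(cfg_text) if e["alias"] == alias]
    active = [e for e in entries if e["active"]]
    return {
        "alias": alias,
        # True: an active alias redirects this plug-in name to "targets".
        "aliased": bool(active),
        "targets": [e["target"] for e in active],
        # Line numbers of aliases someone has commented out.
        "disabled_lines": [e["line"] for e in entries if not e["active"]],
        # More than one distinct active alias for the same name needs review.
        "ambiguous": len({(e["real_name"], e["target"]) for e in active}) > 1,
    }


if __name__ == "__main__":
    for label, cfg in (("aliased", CFG_ALIASED), ("commented", CFG_COMMENTED)):
        for name in ("AREA", "ARSYS.ARDBC.LDAP"):
            print(label, routing(cfg, name))
```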



AR System 8.1: Why is the BMC AREA LDAP plugin not working?

2013-03-15 Thread John Baker

Curt

Yes, it makes perfect sense to move everything over to Java plugins on 
the Java plugin server. But I guess if one has been staring at the 
arplugin log for a decade, and has become accustomed to the C plugin, it 
could be confusing to look elsewhere. I also agree that it's better to 
look in one place for plugin logging than two.


Good of you to correct my understanding though :)


John



Re: SSO / AREA LDAP question

2013-03-14 Thread Yogesh Ketkar
Hello David,

 

 As it was explained to me and through reading the SSO integration white
paper capturing the user ID should be all that is needed to get the user
logged in at that point.

I think there is some confusion here. For SSO to work in general with
Midtier, there has to be some work done on 2 ends, the Midtier end and the
ARServer end. AR Server (either form based or AREA LDAP based) needs
username/password combination for authentication by default. You can have
some chaining setups where some users will get authenticated against Form
and other using LDAP which people typically do when they have AREA LDAP
setup and they setup user password as BLANK in user form for users which
need to be authenticated against LDAP. But AR Server, by default, will not
authenticate a user unless password is supplied. BMC whitepaper says that
once you have overridden DefaultAuthenticator on Midtier side, you can
bypass login page and as you said, you are getting username somehow. Now
this username and some TOKEN has to be passed back to AR Server and you need
to write a custom AREA plug-in which will validate username/TOKEN
combination, maybe talking to some SSO server or in some way. Point is,
unless you write a custom AREA plug-in SSO will not work. Also in your case,
it sounds like, you are satisfied by just having extracted username from the
browser (IE) and you want AR Server to authenticate the user just based on
that. 

 

Regards, Yogesh

 

From: Action Request System discussion list(ARSList)
[mailto:arslist@ARSLIST.ORG] On Behalf Of Lotz, David
Sent: Thursday, March 14, 2013 12:37 AM
To: arslist@ARSLIST.ORG
Subject: SSO / AREA LDAP question

 


Hello list,

 

Remedy 7.5

Oracle 10g

Mid-Tier is patch 3

3 app servers

3 mid tier servers

 

I am having a peculiar problem and thought I would ask the list if anyone
had seen a similar issue.  We are attempting to implement SSO with the BMC
supplied plugin and appear to be successful but (yes there is probably
always a but) users are randomly being locked out of the Domain when in the
mid-tier.

 

We have only implemented SSO for the mid-tier and I have a portion of a
mid-tier log that I have specific question about.

 

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST
AREAVerifyLoginCallback

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
Connecting via SSL(host=FQDN for our ldap server port=636,
certPath=c:\ldap_certs)

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect
timeout previously: -1

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect
timeout used: 35000

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(cn=ldap user name, hidden)

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST After
the bind

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
ldap_search_ext(search path, 2, cn=me in this case)

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(CN=again my correctly formatted credentials, hidden)

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind:
Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 775, v1db1

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINE Found
user but password is bad

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER
LicenseMask=0 LicenseWrite=0 LicenseFTS=0 LicenseReserved1=0 Notification=3
Email=NULL LoginStatus=2 ModificationTime=0

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER
Groups=NULL

 

I know that when LDAP is used for authentication a bind happens for the user
defined in the AREA LDAP Configuration form, and when that is successful
another bind is done for the actual user logging into the system.  As you
can see in the log excerpt it does this when using the SSO Plugin as well.
We are only using SSO when logging in through the web. As it was explained
to me and through reading the SSO integration white paper capturing the user
ID should be all that is needed to get the user logged in at that point. We
are pulling the user ID from
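
An added example (not part of the original posts and not BMC code): a Python parser for AREA LDAP plug-in log entries shaped like the excerpt above. It rejoins mail-wrapped entries, pairs each failed bind with the DN that was tried, and decodes the Active Directory `data` sub-status carried on LDAP error 49; `data 775` is "account locked out", even though the plug-in's own message reads "Found user but password is bad". The sample log is constructed and its DNs are placeholders.

```python
import re

# Active Directory sub-status in the "data NNN" field of an LDAP error 49
# bind failure (hex Win32 error codes).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ENTRY_START = re.compile(r"^PLGN\s+TID:")
ENTRY = re.compile(
    r"TID:\s*(?P<tid>\d+)\s+RPC ID:\s*(?P<rpc>\d+)\s+Queue:\s*(?P<queue>\S+)"
    r".*?/\*\s*(?P<ts>.*?)\s*\*/\s*(?P<logger>\S+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
BIND = re.compile(r"ldap_simple_bind\((?P<dn>.*),\s*[^,)]*\)")
BIND_ERROR = re.compile(
    r"\(LDAPERR Code (?P<code>\d+)\)(?:.*?\bdata (?P<sub>[0-9a-fA-F]+)\b)?"
)

# Constructed sample modelled on the excerpt; DNs are placeholders.
SAMPLE_LOG = """\
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(cn=svc-remedy,ou=Service,dc=example,dc=test, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(CN=Jane Doe,OU=Users,DC=example,DC=test, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind:
Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 775, v1db1
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINE Found
user but password is bad
PLGN TID: 004913 RPC ID: 000562 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:25:02.1000 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(CN=John Roe,OU=Users,DC=example,DC=test, hidden)
PLGN TID: 004913 RPC ID: 000562 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:25:02.2000 */ARSYS.AREA.LDAP SEVERE Bind:
Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 52e, v1db1
"""


def join_wrapped(text):
    """Rebuild one string per log entry from lines a mailer has wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def bind_failures(text):
    """Return one record per failed bind, keyed to the DN that was tried."""
    last_bind = {}     # (tid, rpc) -> DN of the most recent bind attempt
    open_failure = {}  # (tid, rpc) -> failure awaiting the plug-in's verdict
    failures = []
    for line in join_wrapped(text):
        m = ENTRY.search(line)
        if not m:
            continue
        key = (m["tid"], m["rpc"])
        msg = m["msg"].strip()
        bind = BIND.search(msg)
        err = BIND_ERROR.search(msg)
        if bind:
            last_bind[key] = bind["dn"]
        elif err:
            sub = err["sub"].lower() if err["sub"] else None
            failure = {
                "timestamp": m["ts"],
                "rpc_id": m["rpc"],
                "bind_dn": last_bind.get(key),
                "ldap_code": err["code"],
                "sub_code": sub,
                "meaning": AD_BIND_SUBCODES.get(sub, "unknown"),
                "plugin_msg": None,
            }
            failures.append(failure)
            open_failure[key] = failure
        elif m["level"] == "FINE" and key in open_failure:
            # The plug-in's own summary of the failure it just logged.
            open_failure.pop(key)["plugin_msg"] = msg
    return failures


if __name__ == "__main__":
    for f in bind_failures(SAMPLE_LOG):
        print(f["timestamp"], f["bind_dn"], f["sub_code"], f["meaning"])
```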

Re: SSO / AREA LDAP question

2013-03-14 Thread Lotz, David
Yes, we have the plugin and we can get sso to function. The issue is that we 
get random lockouts for the users when they are coming in through the mid-tier. 
It doesn't happen to everyone at the same time. There have been times where it 
does not affect a given user for several days. Then they log in and they get 
locked out, like I said it seems pretty random. For instance, I log in and 
usually don't see the lockout issue whereas my co-developer logs in and almost 
instantly gets locked out. Then after resetting his domain id he is fine for 
several hours and then we both start getting locked out. We are troubleshooting 
with our AD team but it isn't looking promising. I was hoping that someone who 
is using the BMC supplied SSO code experienced this and was able to solve the 
issue.


Thanks
Dave

From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Yogesh Ketkar
Sent: Thursday, March 14, 2013 12:43 PM
To: arslist@ARSLIST.ORG
Subject: Re: SSO / AREA LDAP question

Hello David,

 As it was explained to me and through reading the SSO integration white 
 paper capturing the user ID should be all that is needed to get the user 
 logged in at that point.
I think there is some confusion here. For SSO to work in general with Midtier, 
there has to be some work done on 2 ends, the Midtier end and the ARServer end. 
AR Server (either form based or AREA LDAP based) needs username/password 
combination for authentication by default. You can have some chaining setups 
where some users will get authenticated against Form and other using LDAP which 
people typically do when they have AREA LDAP setup and they setup user password 
as BLANK in user form for users which need to be authenticated against LDAP. 
But AR Server, by default, will not authenticate a user unless password is 
supplied. BMC whitepaper says that once you have overridden 
DefaultAuthenticator on Midtier side, you can bypass login page and as you 
said, you are getting username somehow. Now this username and some TOKEN has to 
be passed back to AR Server and you need to write a custom AREA plug-in which 
will validate username/TOKEN combination, maybe talking to some SSO server or 
in some way. Point is, unless you write a custom AREA plug-in SSO will not 
work. Also in your case, it sounds like, you are satisfied by just having 
extracted username from the browser (IE) and you want AR Server to authenticate 
the user just based on that.

Regards, Yogesh


Re: SSO / AREA LDAP question

2013-03-14 Thread Roney Samuel Varghese.
The BMC OOTB SSO Plugin is very easy to break since it only depends on HTTP 
header authentication. It has nothing to do with LDAP or AD. The scenario 
changes if you use the basic SSO with SiteMinder or an external authentication 
plugin with a hub. 

The best way you can start troubleshooting the issue is to turn ON debug 
logging on the plugin and turn ON your plugin logs on the server and identify 
the API calls when the account gets locked. 

We use JSS SSO plugin and cannot be happier with the support and the security 
features of the product. 

Regards,
Roney Samuel Varghese



SSO / AREA LDAP question

2013-03-13 Thread Lotz, David
Hello list,

Remedy 7.5
Oracle 10g
Mid-Tier is patch 3
3 app servers
3 mid tier servers

I am having a peculiar problem and thought I would ask the list if anyone had 
seen a similar issue.  We are attempting to implement SSO with the BMC supplied 
plugin and appear to be successful but (yes there is probably always a but) 
users are randomly being locked out of the Domain when in the mid-tier.

We have only implemented SSO for the mid-tier and I have a portion of a 
mid-tier log that I have specific question about.

PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST 
AREAVerifyLoginCallback
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER Connecting 
via SSL(host=FQDN for our ldap server port=636, certPath=c:\ldap_certs)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect 
timeout previously: -1
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER connect 
timeout used: 35000
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER 
ldap_simple_bind(cn=ldap user name, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINEST After the 
bind
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER 
ldap_search_ext(search path, 2, cn=me in this case)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER 
ldap_simple_bind(CN=again my correctly formatted credentials, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind: 
Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9, 
comment: AcceptSecurityContext error, data 775, v1db1
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINE Found user 
but password is bad
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER 
LicenseMask=0 LicenseWrite=0 LicenseFTS=0 LicenseReserved1=0 Notification=3 
Email=NULL LoginStatus=2 ModificationTime=0
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC: 
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP FINER 
Groups=NULL

I know that when LDAP is used for authentication a bind happens for the user 
defined in the AREA LDAP Configuration form, and when that is successful 
another bind is done for the actual user logging into the system.  As you can 
see in the log excerpt it does this when using the SSO Plugin as well. We are 
only using SSO when logging in through the web. As it was explained to me and 
through reading the SSO integration white paper capturing the user ID should be 
all that is needed to get the user logged in at that point. We are pulling the 
user ID from the header of the IE page and using it after removing the domain 
information. My question is if that is all true and we accept that if the user 
is logged into the network and able to access it through the web page why is 
AREA LDAP trying to do the bind with the user information instead of just a 
search and acknowledgement that the user exists on the network? Is there a way 
to turn off the second bind for Mid-Tier only? Also, has anyone run into a 
problem like this before? I can be logged into the tool for hours and not be 
locked out. Then one of my co-workers attempts to login and gets locked out 
repeatedly.


Any help would be greatly appreciated.

We use a load balancer before the mid-tier and then again before the 
application server. The problem doesn't appear to be linked to any server in 
the pool. I have repeatedly gone through the SSO setup for each server and they 
are identical and appear to be correct. I have used SSL and non SSL connections 
and there doesn't appear to be a problem with any of the certificates.



David Lotz
Fifth Third Bank
Enterprise Solutions-Enterprise Applications
Remedy Application Team
email: david.l...@53.com
P:513.534.3371
F:513.534.3421
MD:1090W2


AREA LDAP Configuration (Multiple AD Servers)

2013-03-05 Thread Nathan Brandt
If we specify multiple AD Servers in AREA LDAP configuration how does
authentication work? Does ARS try authenticating the user in the order
they appear in the UI? Also is authentication tried out till at least one
AD server authenticates the user successfully?

~Nathan

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Where the Answers Are, and have been for 20 years


Re: AREA LDAP Configuration (Multiple AD Servers)

2013-03-05 Thread Carl Wilson
Hi,

you could take a look at this in-depth webinar:

https://communities.bmc.com/communities/docs/DOC-10142

Kind Regards,

Carl Wilson

http://www.missingpiecessoftware.com/



AREA LDAP Configuration (Multiple AD Servers)

2013-03-05 Thread John Baker
The standard deployment of multiple AREA LDAP plugins is fine if the
LDAPs all sit within one organisation.

It's not a secure solution for a multi-service provider who may
configure an instance of AREA LDAP for multiple customers, because it
means username/passwords for organisation X are being sent to
organisation Y, and so on.


John



AREA LDAP

2013-01-28 Thread John Baker
Well, it's ultimately stored in the ar.cfg file but you need to alter it 
through the AREA LDAP and ARDBC configuration forms, as the password is 
encrypted before it's written to the ar.cfg.




Re: AREA LDAP

2013-01-28 Thread vaibhav wadekar
You just need to make changes in ldap config form and it will update
ar.cfg/ar.conf respectively.

Regards/Vaibhav

On Monday, January 28, 2013, rajkiran Alle wrote:

 Hi,

 I need to modify the existing Bind User and Bind password for LDAP
 authentication. Is it enough if I just modify user and password in AREA
 LDAP Plugin, or in addition to this do I need to modify somewhere else?

 Thanks




Re: AREA LDAP configuration

2012-10-30 Thread SUBSCRIBE ARSLIST theReel
Hi Guys, 

This is what I eventually did.

Looking at the plugin logs I could see it is only searching using the first 
configuration and when the user is not found using that search it fails.  I 
couldn't get a fix to make it do multiple searches so we rearranged the AD tree 
structure and raised the level of the BaseDN so both OUs were included in the 
single Search. 

Not ideal but it will fill the gap until Remedy is upgraded.

Thanks
Tony

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug12 www.wwrug12.com ARSList: Where the Answers Are


Re: AREA LDAP configuration

2012-10-30 Thread andres tamayo
If you have multiple LDAP configurations you have to change your plugin
to areahub instead of AREA, then it will check for all your entries in
the ldap configuration form.



AREA LDAP configuration

2012-10-29 Thread Tony Reel
Hi Guys,

I have inherited support of a 7.0.01 install of Remedy (AR system & ITSM on 
Windows) which has some LDAP configurations setup.  I do not have much 
experience with the LDAP configuration, it seems pretty straightforward but it 
is not working and I think I am missing something simple.

Currently there are 4 Configurations set in the AREA LDAP Configuration.  3 of 
these seem to be old and reference 3 OU structures in the same AD which no 
longer exist; I have left them there but decreased their order.
1 of the current configurations searches the correct OU and users successfully 
authenticate.

I want to add a new configuration for a different OU group in the same AD, so I 
will have two groups of users in the same AD structure being used for 
authentication.  I have copied the entire configuration Detail from the working 
example and changed only the ‘User Base’ field to the new OU group path.  I 
restarted the AR services and I have looked in the ar.conf file and I can see 
the new settings.

I then moved a user from the original OU to the new OU group but they cannot 
login.

Questions I have:
Do you have to restart services after you make changes to the AREA LDAP 
configurations?
Can you authenticate to multiple OU groups in the same AD?
Is it ok to have multiple Configurations using the same Port number, username, 
password etc?
Do I need to configure Failover Timeout or Chase Referral?

Any advice on what I am doing wrong or how I can troubleshoot this one would be 
greatly appreciated.

Thanks
Tony



AREA LDAP configuration

2012-10-29 Thread John Baker
Tony,

 Do you have to restart services after you make changes to the AREA LDAP 
 configurations?

Yes, although you can kill the arplugin process and armonitor should
restart the plugin server. Given some ITSM installations take 30 minutes
to restart, this is the best choice if in doubt.

 Can you authenticate to multiple OU groups in the same AD?

OU groups? Do you mean different sub-trees? I believe you can use a
parent base DN and search down. 

 Is it ok to have multiple Configurations using the same Port number, 
 username, password etc?

I don't see why not. Multiple configurations is the same plugin loaded X
times on the BMC AREA Hub, I think.

One of my colleagues wrote the following document that may be of use:

http://www.javasystemsolutions.com/documentation/jss-configuring-BMC-AREA-LDAP.pdf


John



Re: AREA LDAP configuration

2012-10-29 Thread SUBSCRIBE ARSLIST theReel
Thanks for the reply John,

I have to wait until I am outside core hours before I can restart anything 
again but I will try restarting only the arplugin this time, thanks.

By OU I mean Organizational Units so yes different sub-trees.  Unfortunately I 
can’t use the parent as the base DN and search down as that would allow access 
to some groups that should be restricted.  Example of what I mean below:

Parent
  - old group
      - old restricted Users
      - old Remedy Users
  - new group
      - new restricted Users
      - new Remedy Users

Currently we search 'Old Remedy Users' for authentication of the users. Over 
the next few weeks users are being moved from 'Old Remedy Users' to 'New Remedy 
Users' in stages.  So I need Remedy to be able to authenticate both those 
groups without including the Restricted users.

The document is very good but the only thing that I can see that I can use is 
to try setting a timeout and Chase referral settings.  I will have another go 
this evening.

Thanks
Tony



AREA LDAP Configuration

2012-10-12 Thread Cecil, Ken
I am having an issue with AREA LDAP authentication on our development system. 
Everything is working great on production and their configuration looks 
identical to me.


- When logging into dev with AD password, authentication passes and the 
  support user only has access to the minimum stuff (Just approval, Request 
  Console, etc).
- If the support person logs into dev with the password from the user 
  form, they get everything properly (overview, Incident, etc).
- If they log in with a bad password they get an authentication failed 
  message.

Like I said in prod using the AD password works and they get access to the 
objects they should.

I have compared the Server Information settings and the AREA LDAP configuration 
and all looks the same.

Any advice? It was all working at one time. I just can't figure out what is 
different.

Thanks,

Ken.
ARS 7.5 ITSM 7.6


From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Abhay Somani
Sent: Wednesday, May 23, 2012 3:38 AM
To: arslist@ARSLIST.ORG
Subject: Re: I need a help in some scenario

Version is 7.6.03
On Wed, May 23, 2012 at 1:02 PM, Jose Huerta jose.hue...@sm2baleares.es wrote:
Version, OS?
What diagnostic have you made?

Jose M. Huerta
Project Manager


On Wed, May 23, 2012 at 8:00 AM, Abhay Somani remedy.ab...@gmail.com wrote:

-- Forwarded message --
From: Abhay Somani remedy.ab...@gmail.com
Date: Fri, May 18, 2012 at 8:55 PM
Subject: I need a help in some scenario
To: arslist@arslist.org


Hello All,


I need help with some scenarios (listed below). I want to know what we should 
take as the 1st step to find the root cause, and what are the major 
causes/reasons for these issues in general. Please help me out!!

Issues are as follows:

1) Midtier is slow or performance issue

2) Remedy Performance Issue, and later users could not login

3) is getting an error as AR System Plug-In server: ARERR 8760

4) Emails were not processed.

5) Users could not login via SSO.


Thanks in Advance

Abhay Somani


Re: LDAP authentication issue

2012-10-04 Thread Remedy Maniac

Hi Fred,

that was the issue. Using

sAMAccountName=$\USER$

helped to solve my problem.
Many thanks




On 10/2/2012 3:35 PM, Grooms, Frederick W wrote:

Serouche,

The Login Name on an Active Directory LDAP search is usually sAMAccountName, so in the 
configuration form AREA LDAP Configuration the User Search Filter would be 
sAMAccountName=$\USER$

Make sure in your setup that you should be querying for the login in a field 
called uid.  What Danny said about using Microsoft's LDP tool (as part of the 
Windows Support Tools) or another LDAP tool like the Softerra LDAP Browser 
(http://www.softerra.com/download.htm) is a great suggestion.

Fred

-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Danny Kellett
Sent: Tuesday, October 02, 2012 5:58 AM
To: arslist@ARSLIST.ORG
Subject: Re: LDAP authentication issue

Hi,

It's this line that is the issue:

*/ARSYS.AREA.LDAP FINER ldap_search_ext(dc=ads,dc=domain,dc=org,
2, uid=testman)

So under that baseDn, the query uid=testman could not be found.

Ask your domain admin to check the baseDn and use something like ldp.exe
to search for uid=testman.

Kind regards
Danny


-Original Message-
From: Action Request System discussion list(ARSList) 
[mailto:arslist@ARSLIST.ORG] On Behalf Of Remedy Maniac
Sent: Tuesday, October 02, 2012 3:50 AM
To: arslist@ARSLIST.ORG
Subject: LDAP authentication issue

hi list,

could not find any previous post with the following issue.
Here is what is in my arplugin.log file
...
1 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7404 */+VL
AREAVerifyLoginCallback  -- user testman
2 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7407
*/ARSYS.AREA.LDAP FINEST AREAVerifyLoginCallback
3 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7409
*/ARSYS.AREA.LDAP FINER ldap_init(hqdcc1.domain.org, 389)
4 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7411
*/ARSYS.AREA.LDAP FINER connect timeout previously: -1
5 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7413
*/ARSYS.AREA.LDAP FINER connect timeout used: 4
6 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7415
*/ARSYS.AREA.LDAP FINER ldap_simple_bind(CN=xsldapro,OU=Service
Accounts,OU=Location,OU=New Structure,DC=ads,DC=domain,DC=org, hidden)
7 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7445
*/ARSYS.AREA.LDAP FINEST After the bind
8 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7447
*/ARSYS.AREA.LDAP FINER ldap_search_ext(dc=ads,dc=domain,dc=org,
2, uid=testman)
9 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:43.4920
*/ARSYS.AREA.LDAP FINE We do not know the user
10 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:43.4923
*/ARSYS.AREA.LDAP FINER LicenseMask=1 LicenseWrite=2 LicenseFTS=0
LicenseReserved1=0 Notification=3 Email=NULL LoginStatus=1
ModificationTime=0
11 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:43.4925
*/ARSYS.AREA.LDAP FINER Groups=NULL
12 PLGN TID: 05 RPC ID: 000299 Queue: AREA  
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:43.4927
*/-VLFAIL
END OF LOG FILE^@
...

who is this We at line 9?
My config settings are based on what the doc says ('authentication chain
= 'AREA - ARS', cross ref pass is checked also authenticate unregistered
users, RPC port set to 390695)
The logs show the bind being done (line 7) but then something does not
know the user ...
any help/tips on what could be wrong is very much appreciated.
Regards
Serouche
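
Both plugin log excerpts on this page (the SSO lockout log in the "SSO / AREA LDAP question" thread and the one above) can be triaged mechanically. The following is an added example, not code from any poster or from BMC: it rejoins the wrapped entries, groups them by TID and RPC ID, and reports which bind DN was rejected and why. The sub-code table is Microsoft's meaning for the `data` value, and the DNs and filter in the first sample attempt are constructed.

```python
import re
from collections import OrderedDict

# Meaning of the hex value after "data" in an Active Directory result-49
# message. Taken from Microsoft's Win32 error codes, not from this page.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

# An entry starts with "PLGN TID:", optionally preceded by a line number.
ENTRY_START = re.compile(r"^\s*(?:\d+\s+)?PLGN\s+TID:")
ENTRY = re.compile(
    r"^(?:\d+\s+)?PLGN\s+TID:\s*(?P<tid>\d+)\s+RPC ID:\s*(?P<rpc>\d+)\s+"
    r"Queue:\s*\S+\s+Client-RPC:\s*\d+\s*/\*\s*(?P<ts>.+?)\s*\*/\s*(?P<body>.*)$"
)
BIND = re.compile(r"ldap_simple_bind\((?P<dn>.*),\s*hidden\)")
SEARCH = re.compile(r"ldap_search_ext\((?P<base>.*),\s*\d+,\s*(?P<filter>.*)\)")
RESULT = re.compile(r"\(LDAPERR Code (?P<code>\d+)\).*?\bdata (?P<sub>[0-9a-fA-F]+)")


def unwrap(text):
    """Rejoin entries that the mail archive wrapped across several lines."""
    entries, current = [], None
    for line in text.splitlines():
        if ENTRY_START.match(line):
            if current is not None:
                entries.append(current)
            current = [line]
        elif current is not None and line.strip():
            current.append(line)
    if current is not None:
        entries.append(current)
    # Collapse the runs of whitespace left over from the wrapping.
    return [" ".join(" ".join(parts).split()) for parts in entries]


def triage(text):
    """Return one summary dict per login attempt, keyed by (TID, RPC ID)."""
    attempts = OrderedDict()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        a = attempts.setdefault((m["tid"], m["rpc"]), {
            "rpc_id": m["rpc"], "binds": [], "search_base": None,
            "filter": None, "ldap_code": None, "ad_subcode": None,
            "failed_bind": None, "verdict": "no failure logged",
        })
        body = m["body"]
        if (b := BIND.search(body)):
            a["binds"].append(b["dn"])
        elif (s := SEARCH.search(body)):
            a["search_base"], a["filter"] = s["base"], s["filter"]
        elif (r := RESULT.search(body)):
            sub = r["sub"].lower()
            a["ldap_code"], a["ad_subcode"] = int(r["code"]), sub
            # The error belongs to the most recent bind in this attempt.
            a["failed_bind"] = a["binds"][-1] if a["binds"] else None
            a["verdict"] = "bind rejected: " + AD_SUBCODES.get(sub, "unknown sub-code")
        elif "We do not know the user" in body:
            a["verdict"] = "search matched no entry: check base DN and user search filter"
    return list(attempts.values())


# Constructed sample in the page's format. Timestamps, IDs and messages follow
# the two excerpts; the DNs and filter of the first attempt are made up.
SAMPLE = """\
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(cn=svc-remedy,ou=Service Accounts,dc=example,dc=org, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.1950 */ARSYS.AREA.LDAP FINER
ldap_search_ext(dc=example,dc=org, 2, cn=jdoe)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.2110 */ARSYS.AREA.LDAP FINER
ldap_simple_bind(CN=jdoe,OU=Users,DC=example,DC=org, hidden)
PLGN TID: 004912 RPC ID: 000561 Queue: AREA   Client-RPC:
390695 /* Wed Mar 13 2013 09:22:41.3200 */ARSYS.AREA.LDAP SEVERE Bind:
Invalid credentials (LDAPERR Code 49) 80090308: LdapErr: DSID-0C0903A9,
comment: AcceptSecurityContext error, data 775, v1db1
8 PLGN TID: 05 RPC ID: 000299 Queue: AREA
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:38.7447
*/ARSYS.AREA.LDAP FINER ldap_search_ext(dc=ads,dc=domain,dc=org,
2, uid=testman)
9 PLGN TID: 05 RPC ID: 000299 Queue: AREA
Client-RPC: 390695 /* Tue Oct 02 2012 10:40:43.4920
*/ARSYS.AREA.LDAP FINE We do not know the user
"""

if __name__ == "__main__":
    for attempt in triage(SAMPLE):
        print(attempt["rpc_id"], "->", attempt["verdict"], attempt["failed_bind"] or "")
```

Counting `bind rejected` results per `failed_bind` DN over a full arplugin.log shows which accounts are accumulating failed binds from the plugin.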





Support of multiple LDAP domains for Analytics Dashboards

2012-10-03 Thread Jamie
Hello all,

We are in the process of installing Analytics and Dashboards in our environment 
and integrating it in with Remedy ITSM.  Currently, in our Remedy ARS system we 
support 4 different domains through LDAP by having 4 different entries within 
the AREA LDAP Configuration and having a failover timeout.  What we are looking 
to do is to set this same logic up within Analytics and Dashboards by having 
all 4 domains configured to use LDAP to authenticate in.  Does Analytics and 
Dashboards support this functionality or have others implemented this or a 
similar solution?  Looking at the Admin guides, there isn't much help regarding 
multiple domains.

Thanks for your help!
