APM V8 Dashboard RBAC Failed to load user groups for LDAP registry
sushk
IBM Application Performance Management V8.x uses the security provided by the Liberty profile server to authenticate users to the APM Dashboard. If an LDAP registry is configured to authenticate users for APM, ldapRegistry.xml contains the filters that limit the users and user groups retrieved from LDAP. When the Role Based Access Control (RBAC) page is accessed from the APM dashboard, the number of LDAP users received by the APM server may exceed the default limit of the Liberty profile server.
IBM Performance Monitoring at version 8.1.x or lower with an LDAP user registry configured for the dashboard.
Application Performance Management (APM V8.1.x)
This product is also known by the following names:
IBM Cloud Application Performance Management, Private
IBM Performance Management
You have the IBM Performance Management product and have set up an LDAP user registry for authenticating to the dashboard.
On the APM Dashboard, you access System Configuration->Role Based Access Control and select User Groups. In some cases, you may get the error "Failed to load User Groups".
LDAP is configured correctly, because the user is able to log in to the APM Dashboard. The problem occurs when the user tries to access User Groups in the Role Based Access Control (RBAC) widget.
More users are being returned by the LDAP server to APM than the apmui Liberty server is configured to handle. The ldapRegistry.xml settings need to be modified to process all of the rows returned by the LDAP server.
Note that even if you have specified userFilter and groupFilter to return a small subset of the total LDAP users, the following APAR (defect) in Liberty will bypass the user filters and cause all users to be processed, resulting in the problem.
NOTE: APM Server 8.1.3 Interim Fix 11 (or higher, when available) and the APM 8.1.4 release upgrade the Liberty server to 126.96.36.199, which includes this fix. This reduces the chance of encountering the problem if the baseDN, userFilter and groupFilter are set to return few enough LDAP users to be handled by the Liberty default setting.
Diagnosing the problem
Check messages.log of apmui server (default location /opt
[7/20/16 14:03:08:569 EDT] 0000
If you see this message, apply the steps in the resolution section below.
1) Reduce the number of users returned to the APM server by setting the baseDN to the most specific value that still retrieves all users who need access. This reduces the total number of users and also prevents slow response when accessing RBAC on the APM dashboard. When a very large number of users is returned by the LDAP server, the response of the RBAC dashboard widget may be slow.
2) Edit ldapRegistry.xml file (default location /opt
This is illustrated in the example below. In place of 50000, you can use a number which applies to the users in the LDAP server in your environment.
3) Restart server1 and apmui servers.
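A sketch of steps 1 and 2 as an ldapRegistry.xml fragment, added here as an illustration and not taken from the original page or from the product's shipped configuration. It assumes the limit being raised is the `maxSearchResults` attribute of Liberty's `federatedRepository` element; the host, realm name, DNs, filters and password value are constructed placeholders.

```xml
<server>
  <!-- Constructed example: host, realm, DNs and filters are placeholders. -->

  <!-- Step 1: keep baseDN as specific as possible so that only the
       subtree holding APM users and groups is searched. -->
  <ldapRegistry id="ldap" realm="ExampleLdapRealm"
                host="ldap.example.com" port="636" sslEnabled="true"
                ldapType="Custom"
                baseDN="ou=apm,dc=example,dc=com"
                bindDN="cn=apm-bind,ou=service,dc=example,dc=com"
                bindPassword="{aes}REPLACE_WITH_ENCODED_PASSWORD">
    <!-- userFilter / groupFilter narrow which entries count as users and groups. -->
    <customFilters
        userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>

  <!-- Step 2 (assumed setting): raise the search result limit so that every
       row returned under baseDN can be processed. Replace 50000 with a value
       sized to the users in your LDAP server. -->
  <federatedRepository maxSearchResults="50000">
    <primaryRealm name="ExampleLdapRealm">
      <!-- Must match the baseDN of the ldapRegistry above. -->
      <participatingBaseEntry name="ou=apm,dc=example,dc=com"/>
    </primaryRealm>
  </federatedRepository>
</server>
```

A narrow baseDN and a bind account with read-only access to that subtree keep the raised limit from exposing more directory entries to the dashboard than RBAC needs.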