Topic
  • 11 replies
  • Latest Post - ‏2013-07-26T14:39:29Z by Pati_Gall
Federico.Vietti
21 Posts

Pinned topic TRC Authentication LDAP

‏2013-07-18T15:54:39Z |

Dear All,

 

I'm trying to use LDAP to authenticate users in the TRC server of TEM.

I've configured LDAP through the web console and it works correctly and gets users from LDAP. After the LDAP sync I can see all the users in the user list, but if I try to authenticate to the web console with a domain user I cannot do it.

I receive a "Nome utente non valido/password errata. Accesso non riuscito." error, which in English is "Invalid username/wrong password. Access denied".

 

The problem is that in the log I cannot see any help.

Any idea?

How can I debug this error?

 

regards

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T09:25:12Z  

    Hi Federico,

    I am assuming you have already verified that the password you are using is correct; here are a couple of things to look for:

    - Make sure that the authentication.LDAP property is set to true in common.properties. If it was not, set it to true, click on submit, and then Admin/reset application.
    - Make sure that the id you are using to authenticate matches the value imported into RC as "userid". You can check by going to users/all users and checking the userid value in that table. If you were using a different value to log in, try with the userid value to verify the password is OK and you are able to authenticate. Once you have confirmed this, if you want to use a different value as userid (sAMAccountName, userPrincipalName, etc.) than the one that is currently in use, you can change it by modifying the ldap.userid value in ldap.properties. However, whichever value you choose as userid must also be used in the ldap.userSearch query (i.e. (&(objectClass=user)(sAMAccountName={0}))).

    Regards,
    Pati

  • Federico.Vietti
    21 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T12:43:16Z  
    • Pati_Gall
    • ‏2013-07-19T09:25:12Z


    First of all, thank you Pati.

    - authentication.LDAP is set to true

    - the user ID is the same (in all users under "userid" I see 05401AA, which is the sAMAccountName on LDAP)

    Is there any log where I can verify what is happening?

     

    thank you again

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T13:32:53Z  


    Hi Federico,

    You are welcome!

    Yes, you should be able to get more information from the server log (trc.log). You can look at it from the web interface (Admin/View log), but I would advise you to increase the logging level (admin/edit properties/log4j.properties and change the value from INFO to DEBUG). The server needs to be restarted for the debug level to change.

    You should be able to search for the userid that you are trying and see the error generated in more detail.

    If you want, paste the error here, and I'll have a look.


    Regards,
    Pati

  • Federico.Vietti
    21 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T14:01:59Z  
    • Pati_Gall
    • ‏2013-07-19T13:32:53Z


    In admin/edit properties/log4j.properties I don't have a logging level property, but only log4j.rootLogger and log4j.logger.com.ibm.

    I've set it to the DEBUG level and restarted the server. The log file is /opt/IBM/Tivoli/TRC/server/trc.log and I'm tailing it.

    I cannot find the username or any info about the login, even while tailing it and performing the login action.

     

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T14:24:53Z  


    Hi,

    You should be able to find something like: - LogonAction: User [admin] ... but instead of admin, whatever user you are trying to log on with. This is always logged, regardless of the debug level.

  • Federico.Vietti
    21 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-19T15:43:15Z  


    There is some problem with the logging.

    The log file is only up to date to 11 July.

    I've taken a look at log4j.properties and I have 3 of these files on my server:

    /opt/IBM/Tivoli/TRC/server/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties
    /opt/IBM/Tivoli/TRC/server/wlp/usr/servers/trcserver/apps/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties
    /opt/IBM/Tivoli/TRC/server/trcserver.bak/apps/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties

     

    This is the configuration of the 3 files:

    /opt/IBM/Tivoli/TRC/server/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties:

    log4j.rootLogger=WARN, A1,Rolling
    log4j.logger.com.ibm=INFO
    log4j.appender.A1=org.apache.log4j.ConsoleAppender
    log4j.appender.A1.layout=org.apache.log4j.PatternLayout
    log4j.appender.A1.encoding=UTF-8
    log4j.appender.A1.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n
    log4j.appender.Rolling=org.apache.log4j.RollingFileAppender
    log4j.appender.Rolling.File=trc.log
    log4j.appender.Rolling.encoding=UTF-8
    log4j.appender.Rolling.MaxFileSize=2MB
    log4j.appender.Rolling.MaxBackupIndex=7
    log4j.appender.Rolling.layout=org.apache.log4j.PatternLayout
    log4j.appender.Rolling.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n

    /opt/IBM/Tivoli/TRC/server/wlp/usr/servers/trcserver/apps/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties:

    log4j.rootLogger=INFO
    log4j.logger.com.ibm=INFO
    log4j.appender.A1=org.apache.log4j.ConsoleAppender
    log4j.appender.A1.layout=org.apache.log4j.PatternLayout
    log4j.appender.A1.encoding=UTF-8
    log4j.appender.A1.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n
    log4j.appender.Rolling=org.apache.log4j.RollingFileAppender
    log4j.appender.Rolling.File=/opt/IBM/Tivoli/TRC/server/trc.log
    log4j.appender.Rolling.encoding=UTF-8
    log4j.appender.Rolling.MaxFileSize=2MB
    log4j.appender.Rolling.MaxBackupIndex=7
    log4j.appender.Rolling.layout=org.apache.log4j.PatternLayout
    log4j.appender.Rolling.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n
     
    /opt/IBM/Tivoli/TRC/server/trcserver.bak/apps/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties:
    log4j.rootLogger=WARN, A1,Rolling
    log4j.logger.com.ibm=INFO
    log4j.appender.A1=org.apache.log4j.ConsoleAppender
    log4j.appender.A1.layout=org.apache.log4j.PatternLayout
    log4j.appender.A1.encoding=UTF-8
    log4j.appender.A1.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n
    log4j.appender.Rolling=org.apache.log4j.RollingFileAppender
    log4j.appender.Rolling.File=/opt/IBM/Tivoli/TRC/server/trc.log
    log4j.appender.Rolling.encoding=UTF-8
    log4j.appender.Rolling.MaxFileSize=2MB
    log4j.appender.Rolling.MaxBackupIndex=7
    log4j.appender.Rolling.layout=org.apache.log4j.PatternLayout
    log4j.appender.Rolling.layout.ConversionPattern=%d{dd-MMM-yyyy,HH:mm:ss} [%t] [%-5p] - %m%n
     
    What is missing?

    Which file is used by TRC?

     

    thank you

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-22T08:41:50Z  


    Hi,
    That's normal. The one you want to edit is /opt/IBM/Tivoli/TRC/server/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties. And the property to change to increase the debug level is log4j.logger.com.ibm; as mentioned in a previous post, change it from INFO to DEBUG. Remember that the server needs to be restarted.

    Regards,
    Pati

  • Federico.Vietti
    21 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-24T12:25:11Z  
    • Pati_Gall
    • ‏2013-07-22T08:41:50Z


    Ok, I've restored the logging information.

     

    In the trc.log now I have:

     

    24-Jul-2013,14:21:30 [Default Executor-thread-251] [INFO ] - Authenticating with LDAP server
    24-Jul-2013,14:21:31 [Default Executor-thread-251] [ERROR] - LDAP: Authentication Failure : 05401AA
    24-Jul-2013,14:21:31 [Default Executor-thread-251] [INFO ] - Invalid username/wrong password.  Login failed.
     

    05401AA is the right value in the userid of the user search.

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-24T15:23:39Z  


    Hi Federico,
    We still don't have the correct debug level in the server. My mistake: I think I pointed to the wrong log4j.properties; the correct one is this:
    /opt/IBM/Tivoli/TRC/server/wlp/usr/servers/trcserver/apps/TRCAPP.ear/trc.war/WEB-INF/classes/log4j.properties

    However, if you use the web interface (Admin/Edit properties) you will be certain that you have used the correct one. Remember that you need to restart the server for it to take effect.

    I would also like to mention that the only way I can get this error in my system is by entering an incorrect password. If I enter the wrong userid, I specifically get this message:

    24-Jul-2013,16:03:47 [Default Executor-thread-494] [INFO ] - Authenticating with LDAP server
    24-Jul-2013,16:03:47 [Default Executor-thread-494] [ERROR] - LDAP: No Entry found for pati
    24-Jul-2013,16:03:47 [Default Executor-thread-494] [INFO ] - Invalid username/wrong password.  Login failed.

    Regards,
    Pati

  • Federico.Vietti
    21 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-24T15:28:51Z  
    • Pati_Gall
    • ‏2013-07-24T15:23:39Z


    Hi Pati,

     

    Thank you for everything. I've resolved the problem.

    I've set the log level to ALL and I've seen that the problem was in the filter used to find the user.

    I had put only (objectClass=person), instead of (&(objectClass=person)(sAMAccountName={0})).

     

    Now it works!

    thanks for all the answers!

    regards
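    Why the ldap.userSearch filter needs the {0} placeholder, as an added illustration that is not code from TRC or from anyone in this thread: the snippet below is a constructed, equality-only evaluator for filters of the shape discussed above, run against a made-up two-entry directory, and it also RFC 4515-escapes the substituted userid, a hardening step the thread itself does not cover. The names DIRECTORY, user_search and bind_candidate are my own; TRC's real search and bind logic is not on this page.

```python
import re

# Constructed sample directory (made-up DNs and values) in server return order.
DIRECTORY = [
    ("CN=svc-trc,OU=Service,DC=example,DC=com",
     {"objectclass": ["top", "person", "user"], "samaccountname": ["svc-trc"]}),
    ("CN=Federico,OU=Users,DC=example,DC=com",
     {"objectclass": ["top", "person", "user"], "samaccountname": ["05401AA"]}),
]
FULL_FILTER = "(&(objectClass=person)(sAMAccountName={0}))"   # filter from the thread
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """RFC 4515 escaping for the text substituted into {0}, so a typed userid
    cannot alter the structure of the search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here (& and attr=value); return (node, rest)."""
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    body = text[1:]
    if body[:1] == "&":
        body, children = body[1:], []
        while body.startswith("("):
            node, body = parse_filter(body)
            children.append(node)
        if not body.startswith(")"):
            raise ValueError("unbalanced parentheses in filter")
        return ("&", children), body[1:]
    end = body.index(")")            # escaped parens are \28 / \29, so this is safe
    attr, _, value = body[:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), body[end + 1:]

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (equality only)."""
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))

def user_search(filter_template, userid, directory=DIRECTORY):
    """Apply ldap.userSearch with {0} replaced by the userid; return the matching DNs."""
    node, rest = parse_filter(filter_template.replace("{0}", escape_filter_value(userid)))
    if rest:
        raise ValueError("trailing text after filter")
    return [dn for dn, attrs in directory if matches(node, attrs)]

def bind_candidate(filter_template, userid):
    """DN the server would bind with the typed password, or the trc.log text when nothing matches."""
    hits = user_search(filter_template, userid)
    return hits[0] if hits else f"LDAP: No Entry found for {userid}"
```

    With (objectClass=person) alone the first entry returned is the service account, so the bind is attempted as the wrong DN and fails with "Authentication Failure" even though 05401AA's password is correct; with the full filter the right DN is found, and an unknown userid yields the "No Entry found" line.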

  • Pati_Gall
    9 Posts

    Re: TRC Authentication LDAP

    ‏2013-07-26T14:39:29Z  


    Excellent!
    Thank you for letting me know.

    Regards,
    Pati