Technical Blog Post
APM V8 Dashboard RBAC Failed to load user groups for LDAP registry
IBM Application Performance Management V8.x relies on the security provided by the Liberty profile server to authenticate users to the APM Dashboard. If an LDAP registry is configured to authenticate users for APM, ldapRegistry.xml contains the filters that limit the users and user groups retrieved from LDAP. When the Role Based Access Control (RBAC) page is accessed from the APM dashboard, the number of LDAP users received by the APM server may exceed the default limit of the Liberty profile server.
This article discusses the symptoms and troubleshooting of this problem.
IBM Performance Monitoring at version 8.1.x or lower which has LDAP user registry configured for the dashboard.
Application Performance Management (APM V8.1.x)
This product is also known by following names:
IBM Cloud Application Performance Management, Private
IBM Performance Management
You have the IBM Performance Management product and have set up an LDAP user registry for authenticating to the dashboard.
On the APM Dashboard, you access System Configuration->Role Based Access Control and select User Groups. In some cases, you may get the error "Failed to load User Groups".
LDAP is configured correctly, because the user is able to log in to the APM Dashboard. The problem occurs when the user tries to access User Groups in the Role Based Access Control (RBAC) widget.
System Configuration -> Role Based Access Control -> User Groups
This produces the following error:
"Failed to load User Groups. RequestError: Unable to load /1.0/monitoring/authzn/usergroups?dogo.preventCache=1469040765417 status: 500"
The LDAP server is returning more users to APM than the apmui Liberty server is configured to handle. The ldapRegistry.xml settings need to be modified to process all of the rows returned by the LDAP server.
Note that even if you have specified userFilter and groupFilter to return a small subset of the total LDAP users, the following APAR (defect) in Liberty bypasses the user filters and causes all users to be processed, resulting in the problem.
The Liberty APAR link is below; the APAR is resolved in Liberty version 22.214.171.124 or higher:
NOTE: APM Server 8.1.3 Interim Fix 11 (or higher, when available) and the APM 8.1.4 release upgrade the Liberty server to 126.96.36.199, which includes this fix. This reduces the chance of encountering this problem if the baseDN, userFilter and groupFilter are set to return few enough LDAP users to be handled by the Liberty default setting.
Diagnosing the problem
Check messages.log of the apmui server (default location /opt/ibm/wlp/usr/servers/apmui/logs) for the following message:
[7/20/16 14:03:08:569 EDT] 0000051d
CWIML1018E: The user registry operation could not be completed. 5000 search results exceeds the specified maximum search limit 4500. No search results will be returned. Increase the maximum search limit or change the search expression to retrieve lesser number of records.
If you see this message, apply the steps in the resolution section below.
1) Reduce the number of users returned to the APM server by setting the baseDN to the most specific value that still retrieves all users who need access. This reduces the total number of users and also prevents slow responses when accessing RBAC on the APM dashboard. When a very large number of users is returned by the LDAP server, the RBAC dashboard widget may respond slowly.
For example, use baseDN="OU=hawaii,DC=abc,DC=ibm,DC=com" instead of baseDN="DC=abc,DC=ibm,DC=com"; this will fetch fewer users.
2) Edit the ldapRegistry.xml file (default location /opt/ibm/wlp/usr/shared/config) to add the following entries:
searchTimeout="3m" - this entry may already be there and set to 1m.
This is illustrated in the example below. In place of 50000, you can use a number which applies to the users in LDAP server in your environment.
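<!-- Other ldapRegistry attributes and nested elements from your existing file are omitted here -->
<ldapRegistry id="ldap" realm="LDAPIBM"
    host="-----------------------" port="389" ignoreCase="true"
    ldapType="Microsoft Active Directory">
</ldapRegistry>
<!-- Raises the search limit from the 4500 reported in CWIML1018E -->
<federatedRepository maxSearchResults="50000" />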
3) Restart server1 and apmui servers.
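The diagnosis and resolution steps above can be checked together with a short script. This is an added example, not IBM-provided tooling: it reads the result count reported by CWIML1018E in messages.log and compares it with the maxSearchResults value in ldapRegistry.xml. The function names, the sample files and the fallback of 4500 (the limit shown in the log message above) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not IBM-provided): compare the result count reported by
# CWIML1018E with the maxSearchResults configured in ldapRegistry.xml.

# Largest "N search results exceeds ..." count in the log; empty if none.
observed_results() {
    sed -n 's/.*CWIML1018E:.* \([0-9][0-9]*\) search results exceeds the specified maximum search limit [0-9][0-9]*.*/\1/p' "$1" |
        sort -n | tail -n 1
}

# maxSearchResults on <federatedRepository>; falls back to 4500 (the limit
# shown in the page's log message) when the attribute is not set.
configured_limit() {
    limit=$(sed -n 's/.*<federatedRepository[^>]*maxSearchResults="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1)
    echo "${limit:-4500}"
}

# Prints one verdict line: NOT_SEEN, TOO_LOW or OK.
check_search_limit() {
    seen=$(observed_results "$1")
    limit=$(configured_limit "$2")
    if [ -z "$seen" ]; then
        echo "NOT_SEEN limit=$limit"
    elif [ "$seen" -gt "$limit" ]; then
        echo "TOO_LOW seen=$seen limit=$limit"
    else
        echo "OK seen=$seen limit=$limit"
    fi
}

# Constructed sample inputs so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/messages.log" <<'EOF'
[7/20/16 14:03:08:569 EDT] 0000051d CWIML1018E: The user registry operation could not be completed. 5000 search results exceeds the specified maximum search limit 4500. No search results will be returned.
EOF
cat > "$demo_dir/before.xml" <<'EOF'
<server><ldapRegistry id="ldap" realm="LDAPIBM" port="389"/></server>
EOF
cat > "$demo_dir/after.xml" <<'EOF'
<server><federatedRepository maxSearchResults="50000" /></server>
EOF

check_search_limit "$demo_dir/messages.log" "$demo_dir/before.xml"
check_search_limit "$demo_dir/messages.log" "$demo_dir/after.xml"
```

Old CWIML1018E entries stay in messages.log after the restart, so read the verdict as "would the current setting cover the largest count seen so far", not as proof that the error has stopped.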