IBM Support

APM V8 Dashboard RBAC Failed to load user groups for LDAP registry

Technical Blog Post


Abstract

APM V8 Dashboard RBAC Failed to load user groups for LDAP registry

Body

IBM Application Performance Management V8.x uses the security provided by the Liberty profile server to authenticate users to the APM Dashboard. If an LDAP registry is configured to authenticate APM users, ldapRegistry.xml contains the filters that limit which LDAP users and user groups are retrieved. When the Role Based Access Control (RBAC) page is accessed from the APM dashboard, the number of LDAP users returned to the APM server may exceed the default limit of the Liberty profile server.
This article discusses the symptoms and troubleshooting of this problem.

Environment:

IBM Performance Monitoring at version 8.1.x or lower, with an LDAP user registry configured for the dashboard.

Application Performance Management (APM V8.1.x)

This product is also known by the following names:

IBM Cloud Application Performance Management, Private

IBM Performance Management

Problem

You have the IBM Performance Management product and have configured an LDAP user registry for authenticating to the dashboard.

On the APM Dashboard, you open System Configuration -> Role Based Access Control and select User Groups. In some cases, you get the error "Failed to load User Groups".

Symptom

LDAP is configured correctly, because the user is able to log in to the APM Dashboard. The problem occurs when the user tries to access User Groups in the Role Based Access Control (RBAC) widget:
System Configuration -> Role Based Access Control -> User Groups

This produces the following error:
"Failed to load User Groups. RequestError: Unable to load /1.0/monitoring/authzn/usergroups?dogo.preventCache=1469040765417 status: 500"

Cause

The LDAP server returns more users to APM than the apmui Liberty server is configured to handle. The ldapRegistry.xml settings need to be modified so that all of the entries returned by the LDAP server can be processed.

Note that even if you have specified userFilter and groupFilter to return a small subset of the total LDAP users, the following APAR (defect) in Liberty bypasses the user filters and causes all users to be processed, resulting in the problem.
The Liberty APAR is linked below; it is resolved in Liberty version 8.5.5.7 or higher:
http://www-01.ibm.com/support/docview.wss?uid=swg1PI46454

NOTE: APM Server 8.1.3 Interim Fix 11 (or higher when available) and the APM 8.1.4 release upgrade the Liberty server to 17.0.0.2, which includes this fix. This reduces the chance of encountering the problem, provided the baseDN, userFilter and groupFilter are set to return few enough LDAP users for the Liberty default setting to handle.

Diagnosing the problem

Check messages.log of the apmui server (default location /opt/ibm/wlp/usr/servers/apmui/logs) for the following message:

[7/20/16 14:03:08:569 EDT] 0000051d com.ibm.ws.security.wim.registry.util.SearchBridge E CWIML1018E: The user registry operation could not be completed. 5000 search results exceeds the specified maximum search limit 4500. No search results will be returned. Increase the maximum search limit or change the search expression to retrieve lesser number of records.

If you see this message, apply the steps in the Resolution section below.

Resolution

1) Reduce the number of users returned to the APM server by setting the baseDN to the most specific value that still retrieves all users who need access. This reduces the total number of users and also prevents slow responses when accessing RBAC on the APM dashboard: when a very large number of users is returned by the LDAP server, the RBAC dashboard widget may respond slowly.
For example, use baseDN="OU=hawaii,DC=abc,DC=ibm,DC=com" instead of baseDN="DC=abc,DC=ibm,DC=com"; the more specific baseDN fetches fewer users.


2) Edit the ldapRegistry.xml file (default location /opt/ibm/wlp/usr/shared/config) to add the following entries:

searchTimeout="3m" - this attribute may already be present and set to 1m.
and
<federatedRepository maxSearchResults="50000" />

This is illustrated in the example below. In place of 50000, use a number that covers the users in the LDAP server in your environment.

<server>
  <ldapRegistry id="ldap" realm="LDAPIBM"
                host="-----------------------" port="389" ignoreCase="true"
                baseDN="DC=abc,DC=ibm,DC=com"
                bindDN="-----------------------"
                bindPassword="-----------------------"
                ldapType="Microsoft Active Directory"
                searchTimeout="3m">  <!-- raised from 1m -->
    <activedFilters
        userFilter="(&amp;(cn=%v)(objectClass=user)(|(memberof=CN=...,OU=Groups,OU=hawaii,DC=...)))"
        groupFilter="(&amp;(cn=%v)(objectClass=group)(|(CN=...)))"
        userIdMap="user:..."
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member">
    </activedFilters>
  </ldapRegistry>
  <!-- must exceed the number of entries the LDAP search returns (see CWIML1018E) -->
  <federatedRepository maxSearchResults="50000" />
</server>

3) Restart the server1 and apmui servers.
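As an added example (not part of the IBM article or the APM product), the following Python script automates the Diagnosing and Resolution checks above: it pulls the returned count and configured limit out of CWIML1018E lines in messages.log, derives a maxSearchResults value with headroom, and then verifies that ldapRegistry.xml has a searchTimeout of at least 3m and a federatedRepository maxSearchResults that is large enough. The log lines, the host name and the minimal ldapRegistry.xml are constructed samples; the 1.5 headroom factor and single-unit duration parsing are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the apmui messages.log lines this article describes (not a real log).
SAMPLE_LOG = """\
[7/20/16 14:03:08:569 EDT] 0000051d com.ibm.ws.security.wim.registry.util.SearchBridge E CWIML1018E: The user registry operation could not be completed. 5000 search results exceeds the specified maximum search limit 4500. No search results will be returned. Increase the maximum search limit or change the search expression to retrieve lesser number of records.
[7/20/16 14:03:09:001 EDT] 0000051d com.ibm.ws.example.Placeholder I Unrelated informational line (constructed).
"""

# Pull the returned count and the configured limit out of a CWIML1018E message.
CWIML1018E_RE = re.compile(
    r"CWIML1018E:.*?(\d+) search results exceeds the specified maximum search limit (\d+)")

def find_search_limit_errors(log_text):
    """Return (results_returned, configured_limit) for every CWIML1018E line."""
    return [(int(m.group(1)), int(m.group(2))) for m in CWIML1018E_RE.finditer(log_text)]

def suggested_max_search_results(log_text, headroom=1.5):
    """maxSearchResults large enough for the biggest result set seen, plus headroom (assumed factor)."""
    hits = find_search_limit_errors(log_text)
    return int(max(r for r, _ in hits) * headroom) if hits else None

def _seconds(duration):
    """Convert a single-unit Liberty duration such as '1m' or '90s' to seconds (assumption: one unit)."""
    units = {"s": 1, "m": 60, "h": 3600}
    return int(duration[:-1]) * units[duration[-1]] if duration and duration[-1] in units else 0

# Constructed ldapRegistry.xml before the fix: searchTimeout still 1m, no federatedRepository.
SAMPLE_CONFIG = """\
<server>
  <ldapRegistry id="ldap" realm="LDAPIBM" host="ldap.example.invalid" port="389"
                baseDN="DC=abc,DC=ibm,DC=com" searchTimeout="1m"/>
</server>"""

def check_ldap_registry(xml_text, min_results):
    """List which of the article's two settings are missing or too low in ldapRegistry.xml."""
    root = ET.fromstring(xml_text)
    problems = []
    for reg in root.iter("ldapRegistry"):
        timeout = reg.get("searchTimeout", "")
        if _seconds(timeout) < 180:
            problems.append("ldapRegistry %s: searchTimeout=%r, expected at least 3m" % (reg.get("id"), timeout))
    fed = root.find("federatedRepository")
    limit = int(fed.get("maxSearchResults", "0")) if fed is not None else 0
    if limit < min_results:
        problems.append("federatedRepository maxSearchResults=%d is below the needed %d" % (limit, min_results))
    return problems
```

Run suggested_max_search_results over the real messages.log text and pass the result to check_ldap_registry with the contents of ldapRegistry.xml; an empty list means both settings are in place.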


UID

ibm11082877