IBM Support

Will LDAP Sync work when using native authentication ?

Technical Blog Post


Abstract

Will LDAP Sync work when using native authentication ?

Body

Will LDAP Sync  work  when using native authentication ?

Re this question, you may be curious if it will work or not.  Also,  you may have a requirement to sync users from a central repository ( such as MS Active Directory ) as a way to setup users even if your Maximo is using native authentication.

As you know, if you are using native authentication,  mxe.useAppServerSecurity = 0 and If you are using LDAP Application Server authentication, mxe.useAppServerSecurity = 1.

Basically, LDAPSync Crontask is working when mxe.useAppServerSecurity = 1.

But,  I'm gonna share a workaround to synchronize users from LDAP(MS Active Directory) when mxe.useAppServerSecurity = 0.

 

- Go to the Crontask Application
- Find 'LDAPSYNC'
- Add a Crontask instance having 2 mins interval.
- In Paramter Tab, need to configure LDAP Server information.-

  Host : max75ad.au.ibm.com

  Port : 389
  Principal : cn=maxadmin,ou=MaxTemp,ou=Service Accounts,ou=Application,ou=Resources,dc=au,dc=ibm,dc=com
  Credential : xxx

- In default UserMapping, need to set basedn accorrdingly.
 <basedn>ou=Users,ou=Service Accounts,ou=Application,ou=Resources,dc=au,dc=ibm,dc=com</basedn>

- save

- Activate LDAPSYNC crontask instance

Then, you can realize that there is error in systemout.log.

[9/18/15 10:01:24:031 KST] 00000057 SystemOut     O 18 Sep 2015 10:01:24:031 [ERROR] [MXServer] [CID-CRON-566] BMXAA6746E - The user synchronization could not be completed because of the following error BMXAA6756E - The user data could not be imported from the LDAP directory into the database. See the associated message. userid = USERF BMXAA3878E - Password is required.. The error count was 2.
psdi.security.ldap.LdapSyncException: BMXAA6756E - The user data could not be imported from the LDAP directory into the database. See the associated message. userid = USERF BMXAA3878E - Password is required.
    at psdi.security.ldap.DefaultLdapSyncAdapter.syncUser(DefaultLdapSyncAdapter.java:201)
    at psdi.security.ldap.AbstractLdapSynchronizer.syncUsers(AbstractLdapSynchronizer.java:755)
    at psdi.security.ldap.AbstractLdapSynchronizer.performSync(AbstractLdapSynchronizer.java:317)
    at psdi.security.ldap.LdapSyncTask.performTask(LdapSyncTask.java:391)
    at psdi.security.ldap.LdapSyncCronTask.cronAction(LdapSyncCronTask.java:259)
    at psdi.server.CronTaskManager.callCronMethod(CronTaskManager.java:1590)
    at psdi.server.CronTaskManager.access$400(CronTaskManager.java:87)
    at psdi.server.CronTaskManager$CronThread.run(CronTaskManager.java:2160)
Caused by: psdi.util.MXApplicationException: BMXAA3878E - Password is required.
    at psdi.app.signature.MaxUser.appValidate(MaxUser.java:785)
    at psdi.mbo.Mbo.validate(Mbo.java:4118)
    at psdi.mbo.MboSet.validate(MboSet.java:5033)
    at psdi.mbo.MboSet.validateTransaction(MboSet.java:7444)
    at psdi.txn.MXTransactionImpl.validateTransaction(MXTransactionImpl.java:375)
    at psdi.txn.MXTransactionImpl.saveTransaction(MXTransactionImpl.java:207)
    at psdi.txn.MXTransactionImpl.save(MXTransactionImpl.java:156)
    at psdi.mbo.MboSet.save(MboSet.java:7119)
    at psdi.mbo.MboSet.save(MboSet.java:7059)
    at psdi.security.ldap.DefaultLdapSyncAdapter.syncUser(DefaultLdapSyncAdapter.java:179)
    ... 7 more

The reason you got this error is because password is required when mxe.useAppServerSecurity = 0 and new user is added.

 

So, in order to avoid this error, need to change usermapping xml.
-Go to the Crontask Application
-Find 'LDAPSYNC'
-Stop LDAPSYNC crontask instance.
-In Paramter Tab, find UserMapping xml.
 need to add below columns into MAXUSER table.
 cf. set password with the value 'ABC' as default and  set forceexpiration as 1. Then, users need to change password at the first login.
 
<column name="emailpswd" type="YORN">{0}</column><column name="forceexpiration" type="YORN">{1}</column><column name="PASSWORD" type="ALN" >{ABC}</column><column name="passwordinput" type="ALN" >{ABC}</column><column name="PASSWORDCHECK" type="ALN">{ABC}</column>

- save

- Activate LDAPSYNC crontask instance.

 

All users (belongging to  ou=Users,ou=Service Accounts,ou=Application,ou=Resources,dc=au,dc=ibm,dc=com ) would be synchronized from LDAP .

Now,  System admin can assign users to adequate security groups.

When users try to log into Maximo,  they need to change password at the first time.

 

[{"Business Unit":{"code":"BU005","label":"IoT"}, "Product":{"code":"SSLKT6","label":"Maximo Asset Management"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]

UID

ibm11131693