DX NetOps


LDAP Configuration

  • 1.  LDAP Configuration

    Posted Mar 06, 2018 10:33 AM

    Hi,

     

    I am trying to configure LDAP in CA Spectrum. I have a doubt about one thing: what is "Login Name Pattern" in the User name lookup option on the Spectrum administration page?

     

    Thanks,

    Geetika



  • 2.  Re: LDAP Configuration

    Broadcom Employee
    Posted Mar 06, 2018 01:37 PM

    Hi Geetika,

     

    The "Login Name Pattern" field is where you set the expression to use when searching for a user's directory entry, with {0} marking where the actual login user name should be inserted.

    - Specify the search expression pattern

    - Insert the login user name at {0}

     

    The example shown is used by Active Directory:

     

    Thanks,

    Silvio



  • 3.  Re: LDAP Configuration

    Posted Mar 07, 2018 05:22 AM

    Hi,

    Whenever I try to test the connection to the LDAP server, it gives an error like:

    "SPC-OCA-10494: Could not connect with the specified connection name/password: SPC-OCA-10488: Either the user name does not exist in the external authentication database or the entered password is Invalid."  

    In the LDAP server settings I gave the server IP, port and timeout period of the LDAP server.

    In the user name lookup option I chose the "user by search" radio button.

    Here geetika is the login user name, that's why I put that name.

    Here I gave the connection name and password for the LDAP server.

     

    Here geetika is the login user name and its password.

     

    Please tell me what is wrong? Any help is accepted.

     

    Thanks,

    Geetika



  • 4.  Re: LDAP Configuration

    Broadcom Employee
    Posted Mar 07, 2018 08:14 AM

    Hi Geetika,

     

    Complete the fields as follows:

     

    Login Name Pattern: sAMAccountName={0}
    Base User Directory: OU=SPEC,OU=SPTEST,DC=xxxxx1,DC=com
    Connection Name: CN=Administrator,OU=SPEC,OU=SPTEST,DC=xxxxx1,DC=com
    Connection Password: **********

     

    Thanks,

    Silvio



  • 5.  Re: LDAP Configuration

    Posted Mar 07, 2018 10:04 AM

    Hi Silvio,

     

    I followed the above details and tried many times to connect to the LDAP server, but the same error occurred each time.

    What could be wrong?

     

    Thanks,

    Geetika



  • 6.  Re: LDAP Configuration
    Best Answer

    Broadcom Employee
    Posted Mar 07, 2018 12:31 PM

    Hi Geetika,

     

    Both Administrator and geetika accounts must be in the OU=SPEC,OU=SPTEST,DC=xxxxx1,DC=com "container".

     

    The sAMAccountName attribute is a single-valued attribute that is the logon name used to support clients and servers.

     

    If this is Microsoft's LDAP-based Active Directory, you can use ADSI Edit to validate the value of the sAMAccountName attribute for the Administrator account.

     

    The Administrator account is in the  CN=Users,DC=xxxx03,DC=com "container".

     

    So I will fill in as follows:

    Login Name Pattern: sAMAccountName={0}
    Base User Directory: CN=Users,DC=xxxx03,DC=com
    Connection Name: CN=Administrator,CN=Users,DC=xxxx03,DC=com
    Connection Password: **********

    Test user: Administrator

    Test password: **********

     

    Thanks,

    Silvio



  • 7.  Re: LDAP Configuration

    Posted Mar 09, 2018 05:10 AM

    Hi Silvio,

     

    Thanks and it is working now.

     

    Thanks,

    Geetika



  • 8.  Re: LDAP Configuration

    Posted Mar 13, 2018 06:30 AM

    Hi,

     

    After LDAP configuration I am able to log in with the Administrator user only; it doesn't show the users which are built in LDAP, and the LDAP server couldn't log in with other users in the LDAP server.

    Is there any further step for CA Spectrum to sync up with LDAP users?

    Any help is acceptable.

     

    Thanks,

    Geetika



  • 9.  Re: LDAP Configuration

    Posted Mar 13, 2018 06:32 AM

    Hi,

     

    After LDAP configuration I am able to log in with the Administrator user only; it doesn't show the users which are built in LDAP, and the Spectrum server couldn't log in with other users in the LDAP server.

    Is there any further step for CA Spectrum to sync up with LDAP users?

    Any help is acceptable.

     

    Thanks,

    Geetika



  • 10.  Re: LDAP Configuration

    Broadcom Employee
    Posted Mar 13, 2018 07:34 AM

    Hi Geetika,

     

    • Are the other accounts in the same user container as the Administrator account? All accounts (including the Administrator account) should be in OU=SPEC,OU=SPTEST,DC=xxxxx1,DC=com.
    • Did you also create all LDAP accounts in the CA Spectrum database? If the users are not modeled in CA Spectrum, they cannot log in, regardless of LDAP accounts.
    • In case the accounts were created in CA Spectrum, but not yet created in LDAP, you can use this workaround.

             

     

    • If the problem was not yet identified, you can enable the SSORB module in debug mode on the OneClick web server machine, bounce the Tomcat service, reproduce the issue and review the Tomcat log file.

     

    Add the following entry (in yellow) in the $SPECROOT/tomcat/webapps/spectrum/WEB-INF/web.xml file (in the spectrum.debug.modules section):


    <init-param>
    <param-name>com.aprisma.spectrum.debug.modules</param-name>
    <param-value>

    SecuritySpSSORB@SecuritySP@SSORB Security SP@on; 

    </param-value>
    </init-param>

     

    Thanks,

    Silvio



  • 11.  Re: LDAP Configuration

    Broadcom Employee
    Posted Apr 26, 2018 08:42 AM

    I understand that the user should be in the same OU with which the integration is done. We have integrated CA Spectrum 10.2.2 with Microsoft AD.

     

    Can CA Spectrum search for multiple OUs and lock the user? For example, integration is done using the ca_nms user, which is part of OU=Common Accounts; however, employees are part of OU=Employee Accounts. We need to give access to an employee who is part of OU=Employee Accounts.



  • 12.  Re: LDAP Configuration

    Broadcom Employee
    Posted Apr 27, 2018 01:56 AM

    Resolved this issue by giving access to users by setting OU in Base Directory and used different OU for Connection.



  • 13.  RE: Re: LDAP Configuration

    Posted Sep 24, 2019 01:14 PM
    I also face the same issue, but after following the above-mentioned steps the LDAP connects successfully but user sync failed. I see no User in SpectroServer List and not even a single user of Active Directory was able to log in on OC.



    ------------------------------
    [Resident Engineer]
    [PTCL]
    [Islamabad]
    ------------------------------



  • 14.  RE: Re: LDAP Configuration

    Posted Sep 25, 2019 10:11 AM
    There's no user sync.

    The users must be created manually in Spectrum --- then with this configured, Spectrum will use AD for password.


    As others have stated --- if your Base User Directory is 'high' enough in the hierarchy and you select Search Subdirectories your users and your connection user do not have to be in the same container.
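
Added example (not part of any post above, and not CA Spectrum's own code): a Python sketch of how a Login Name Pattern such as sAMAccountName={0} and a Base User Directory combine into an LDAP search, and why an account outside the base is never found. The function names, the parentheses around the filter, the one-level behaviour when Search Subdirectories is off, and the jdoe/example DN are assumptions made for illustration.

```python
# Added illustration (not CA Spectrum code): how a "{0}" login-name pattern and a
# base directory combine into an LDAP search, using the values quoted in the thread.

def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a login name stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(pattern, login):
    """Substitute the login name at {0}; the wrapping parentheses are an assumption."""
    if "{0}" not in pattern:
        raise ValueError("pattern needs a {0} placeholder")
    return "(" + pattern.replace("{0}", escape_filter_value(login)) + ")"

def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs, honouring '\\,' escapes."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc or ch == "\\":
            cur.append(ch)
            esc = not esc
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [tuple(s.strip().lower() for s in p.partition("=")[::2]) for p in parts]

def in_scope(entry_dn, base_dn, subtree):
    """True if entry_dn lies below base_dn; without subtree, only one level below
    (assumed meaning of leaving Search Subdirectories unchecked)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 1 or entry[depth:] != base:
        return False
    return subtree or depth == 1

if __name__ == "__main__":
    admin = "CN=Administrator,CN=Users,DC=xxxx03,DC=com"
    print(build_filter("sAMAccountName={0}", "geetika"))
    # Base from post 4 does not contain the Administrator entry; base from post 6 does.
    print(in_scope(admin, "OU=SPEC,OU=SPTEST,DC=xxxxx1,DC=com", True))
    print(in_scope(admin, "CN=Users,DC=xxxx03,DC=com", False))
    # Constructed DN: a base high in the tree only reaches it with a subtree search.
    user = "CN=jdoe,OU=Employee Accounts,DC=example,DC=com"
    print(in_scope(user, "DC=example,DC=com", False), in_scope(user, "DC=example,DC=com", True))
```

A bind or test-login failure with a correct password is consistent with the second case: the search simply returns no entry for that name under the configured base.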