Honored Contributor
Yossi_Gutin
Posts: 209
Registered: ‎04-04-2013
Message 1 of 4 (630 Views)
Accepted Solution

How to perform LDAP configuration sanity?

The procedure of moving the HPA user repository from the default (DB) to LDAP is explained in detail in the HPA Installation and Configuration Guide. Is there a way to perform a sanity for the HPA LDAP configuration before actually moving the HPA to work with LDAP?

--------------------------------------------------------------------------------------
If some answer solves your problem, please mark it as a solution.
Honored Contributor
Yossi_Gutin
Posts: 209
Registered: ‎04-04-2013
Message 2 of 4 (625 Views)

Re: How to perform LDAP configuration sanity?

Use the hpa-ldap-sanity (attached) utility in order to test LDAP connectivity and configuration (external-ldap.properties) before actually moving HPA to work with LDAP. It’s advised to run the utility before moving HPA to LDAP, since if you misconfigure external-ldap.properties, you can’t log in to HPA and need to either re-install it or change HPA settings via DB (change user repository from LDAP back to DB).

  1. Download the hpa-ldap-sanity utility (attached)
  2. Extract the ZIP into some folder
  3. Edit external-ldap.properties and provide all the connectivity and filters data
  4. Run sanity-ldap.bat giving it the unique user ID you would like to find in LDAP
    Example: 
    sanity-ldap.bat joseph.gutin@hp.com
  5. In case the LDAP configuration you provided is valid and the user is found, you'll see the output like:
    C:\SVN\trunk\uum\uum\target\sanity-ldap>sanity-ldap.bat idan@hp.com
    0 [main] DEBUG com.hp.sw.bto.security.uum.UserManagementLDAP  - <<< Entering findUser with the following parameters: uid = idan@hp.com
    13 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - <<< Entering createConnectionAndConnect with the following parameters: com.hp.sw.bto.security.uum.UserManagementLDAPConfiguration$ConnectionConfiguration@bd4e3c
    732 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - >>> Exiting createConnectionAndConnect with the connection
    733 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - Calling LDAP search with the following parameters: base = ou=People,o=hp.com, scope2, filter = (&(&(uid=*)(objectclass=hpPerson))(&(objectClass = hpPerson)(uid = idan@hp.com))), searchAttributes = [notused, uid, uid, uid, objectclass], attrsOnly = false searchConstraints\+ null
    910 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - Received the LDAP result set of the size = 2
    910 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - LDAP entry from result set (will be ignored if not of user type): LDAPEntry: uid=idan@hp.com,ou=People,o=hp.com; LDAPAttributeSet: LDAPAttribute {type='objectClass', values='top,person,organizationalPerson,inetOrgPerson,hpPerson,hpEmployee,ntUser'} LDAPAttribute {type='uid', values='idan@hp.com'}
    915 [main] DEBUG com.hp.sw.bto.security.uum.UserManagementLDAP  - >>> Exiting findUser with the following result: PrincipalImpl{uniqueId='idan@hp.com', attributes={usersUniqueIDAttribute=[], objectClass=[top, person, organizationalPerson, inetOrgPerson, hpPerson, hpEmployee, ntUser], usersDisplayNameAttribute=[], usersLoginNameAttribute=[]}}
    Function findUser tested with the parameters uid = idan@hp.com, userAttributeNames = [notused]
    Result: PrincipalImpl{uniqueId='idan@hp.com', attributes={usersUniqueIDAttribute=[], objectClass=[top, person, organizationalPerson, inetOrgPerson, hpPerson, hpEmployee, ntUser], usersDisplayNameAttribute=[], usersLoginNameAttribute=[]}}
  6. In case there is some problem, either in the configuration or in the uid you provided and nothing is found in LDAP, you'll see the output like:
    C:\SVN\trunk\uum\uum\target>sanity-ldap.bat idan@hp.comaaa
    1 [main] DEBUG com.hp.sw.bto.security.uum.UserManagementLDAP  - <<< Entering findUser with the following parameters: uid = idan@hp.comaaa
    11 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - <<< Entering createConnectionAndConnect with the following parameters: com.hp.sw.bto.security.uum.UserManagementLDAPConfiguration$ConnectionConfiguration@5b78cf
    789 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - >>> Exiting createConnectionAndConnect with the connection
    790 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - Calling LDAP search with the following parameters: base = ou=People,o=hp.com, scope2, filter = (&(&(uid=*)(objectclass=hpPerson))(&(objectClass = hpPerson)(uid = idan@hp.comaaa))), searchAttributes = [notused, uid, uid, uid, objectclass], attrsOnly = false searchConstraints\+ null
    986 [main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - Received the LDAP result set of the size = 0
    com.hp.sw.bto.security.BSFNotFoundException: User was not found in LDAP. Search was performed with the following parameters, uid = idan@hp.comaaa, configuration parameters: com.hp.sw.bto.security.uum.UserManagementLDAPConfiguration@3508c0,userAttributeNames = [notused]
       at com.hp.sw.bto.security.uum.UserManagementLDAP.findUser(UserManagementLDAP.java:112)
       at com.hp.sw.bto.security.uum.UUMTest.main(UUMTest.java:116)
    Caused by: com.hp.sw.bto.security.BSFNotFoundException: UserID idan@hp.comaaa not found in LDAP
       at com.hp.sw.bto.security.uum.LDAPTools.searchUserByName(LDAPTools.java:701)
       at com.hp.sw.bto.security.uum.UserManagementLDAP.findUser(UserManagementLDAP.java:110)
       ... 1 more
  7. In case there is a problem retrieving a profile from LDAP, check and fix your external-ldap.properties and repeat the sanity. After the sanity works, you can proceed with moving HPA to LDAP, while using the external-ldap.properties file you created for the sanity.

P.S. In case you changed the HP Anywhere user repository to LDAP without performing the sanity explained above, made a mistake in the external-ldap.configuration and are now stuck, you need to change the user repository from LDAP back to DB. For this, in the table SETTINGS_MANAGEMENT, change the value of entry "diamond/fnd.uum.type" to be "DB".

--------------------------------------------------------------------------------------
If some answer solves your problem, please mark it as a solution.
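
Added example, not part of the original post and not HP code: a small parser that turns the sanity-ldap.bat output shown above into a pass/fail verdict, so the run can gate the switch to LDAP. The names `SanityReport` and `parse_sanity_output` are hypothetical, the patterns assume the DEBUG wording quoted in the post, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns follow the DEBUG lines quoted in the post; other versions of the
# utility may word them differently (assumption).
CONNECTED = re.compile(r"Exiting createConnectionAndConnect with the connection")
SEARCH = re.compile(r"base = (?P<base>.+?), scope.*?filter = (?P<filter>\(.*\)), searchAttributes")
SIZE = re.compile(r"result set of the size = (?P<n>\d+)")
FOUND = re.compile(r"^\s*Result: PrincipalImpl\{uniqueId='(?P<uid>[^']*)'")
ERROR = re.compile(r"(?P<exc>[\w.]+Exception): (?P<msg>.*)")

@dataclass
class SanityReport:
    connected: bool = False
    base: Optional[str] = None
    ldap_filter: Optional[str] = None
    result_size: Optional[int] = None
    found_uid: Optional[str] = None
    error: Optional[str] = None

    def ok(self, expected_uid: str) -> bool:
        # Pass only if we connected, saw no exception, and got the uid we asked for.
        return self.connected and self.error is None and self.found_uid == expected_uid

def parse_sanity_output(text: str) -> SanityReport:
    report = SanityReport()
    for line in text.splitlines():
        if CONNECTED.search(line):
            report.connected = True
        if m := SEARCH.search(line):
            report.base, report.ldap_filter = m["base"], m["filter"]
        if m := SIZE.search(line):
            report.result_size = int(m["n"])
        if m := FOUND.search(line):
            report.found_uid = m["uid"]
        # The first exception is the outer one; the log may fuse it onto the size line.
        if report.error is None and (m := ERROR.search(line)):
            report.error = f"{m['exc']}: {m['msg']}"
    return report

# Constructed sample output in the format shown above (not captured from a real run).
P = "[main] DEBUG com.hp.sw.bto.security.uum.LDAPTools  - "
HEAD = (f"732 {P}>>> Exiting createConnectionAndConnect with the connection\n"
        f"733 {P}Calling LDAP search with the following parameters: base = ou=People,o=example.com, "
        "scope2, filter = (&(objectClass=person)(uid=alice@example.com)), searchAttributes = [uid]\n")
SAMPLE_OK = (HEAD + f"910 {P}Received the LDAP result set of the size = 1\n"
             "Result: PrincipalImpl{uniqueId='alice@example.com', attributes={}}\n")
SAMPLE_MISSING = (HEAD + f"986 {P}Received the LDAP result set of the size = 0 "
                  "com.hp.sw.bto.security.BSFNotFoundException: User was not found in LDAP.\n")
```

A failed report still carries the search base and filter the utility actually sent, which is the first thing to compare against external-ldap.properties.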
Occasional Contributor
Alex Ryals
Posts: 4
Registered: ‎04-09-2010
Message 3 of 4 (593 Views)

Re: How to perform LDAP configuration sanity?

I hope I'm not missing it, but I don't see the file attachment with the sanity check tool.  However, it sounds like exactly what I need.

Honored Contributor
Yossi_Gutin
Posts: 209
Registered: ‎04-04-2013
Message 4 of 4 (587 Views)

Re: How to perform LDAP configuration sanity?

Thanks - now it is successfully uploaded. You can use the utility to fix the configuration and then try to use it from HPA. If the problem is in the configuration, this solution will work and you don't need to re-install the server.

Please update us about the result.
--------------------------------------------------------------------------------------
If some answer solves your problem, please mark it as a solution.