When a WebStudio user attempts to log in to RMS from a web browser, the RMS server connects to the company LDAP server and performs two searches, in order:
1. First, RMS searches the LDAP directory for the requesting WebStudio username and retrieves the user's full Distinguished Name (DN). Each placeholder in angle brackets is the corresponding RMS.cdd LDAP setting:
ldapsearch -vvv -x \
  -h <be.auth.ldap.host> \
  -p <be.auth.ldap.port> \
  -D "<be.auth.ldap.adminDN>" \
  -w <be.auth.ldap.adminPassword> \
  -b "<be.auth.ldap.baseDN>" \
  "(&(objectclass=<be.auth.ldap.objectClass>)(<be.auth.ldap.uidattr>=<username to search>))"
2. The DN returned by the first search is then used in a second search to determine which LDAP groups the requesting user is a member of:
ldapsearch -vvv -x \
  -h <be.auth.ldap.host> \
  -p <be.auth.ldap.port> \
  -D "<be.auth.ldap.adminDN>" \
  -w <be.auth.ldap.adminPassword> \
  -b "<be.auth.ldap.baseDN>" \
  "(&(<be.auth.ldap.roleAttr>=<LDAP user's DN returned by the first ldapsearch>)(objectclass=<be.auth.ldap.objectClass>))"
These searches are built from the values you have set in the RMS.cdd LDAP settings, as shown above. They can be run manually with the ldapsearch command-line tool to help troubleshoot RMS LDAP configuration issues. When running them by hand, prefer -W (prompt for the bind password) over -w <password>, so the admin password does not end up in your shell history or in the process list.
For example, the following search...
ldapsearch -vvv -x \
  -h ldapserver \
  -p 389 \
  -D "CN=MyAdminUser,OU=Users,DC=region,DC=yourdomain,DC=com" \
  -w MyPassword \
  -b "DC=region,DC=yourdomain,DC=com" \
  "(&(objectclass=*)(CN=WebStudioUsername))"
...returns WebStudioUsername's full Distinguished Name in the LDAP directory:
CN=WebStudioUsername,OU=Users,DC=region,DC=yourdomain,DC=com
This value is then used in the second search...
ldapsearch -vvv -x \
  -h ldapserver \
  -p 389 \
  -D "CN=MyAdminUser,OU=Users,DC=region,DC=yourdomain,DC=com" \
  -w MyPassword \
  -b "DC=region,DC=yourdomain,DC=com" \
  "(&(member=CN=WebStudioUsername,OU=Users,DC=region,DC=yourdomain,DC=com)(objectclass=*))"
...which returns the list of groups that WebStudioUsername is a member of:
- CN=Group1,OU=Groups,DC=region,DC=yourdomain,DC=com
- CN=Group2,OU=Groups,DC=region,DC=yourdomain,DC=com
These group DNs may be used in the RMS Access Control files (*.ac) to assign specific RMS roles to users.
To confirm the LDAP search filters RMS actually issues, stop the RMS server if it is currently running and edit the configuration file $BE_HOME/rms/bin/RMS.cdd to enable DEBUG level logging for all roles (*:debug); only the relevant elements are shown here:
<log-configs>
  <log-config id="logConfig1">
    <enabled>true</enabled>
    <roles>*:debug</roles>
    <!-- remaining elements unchanged -->
  </log-config>
</log-configs>
Then restart the RMS server and search the resulting RMS logs (under $BE_HOME/rms/bin/logs/*.log) for [security.dataprovider] entries. There you can see the LDAP search filter that RMS uses to locate the user in the LDAP directory (note that the logged filter lists the AND terms in the opposite order to the ldapsearch examples above; the two are equivalent):
<time_stamp> <engine_name> DEBUG [$default.be.mt$.Worker.5] - [security.dataprovider]
[WS-Inference-class] Search Filter is (&(CN=WebStudioUsername)(objectclass=*))
These messages, along with the ldapsearch commands shown above, should help lead you to the correct set of LDAP configuration options.
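As an added illustration (not RMS code and not part of the original page): a small Python helper that builds the two search filters from the RMS.cdd values, escapes the interpolated username and DN per RFC 4515 so that a value containing (, ), * or \ cannot alter the filter's structure, extracts the "Search Filter is" lines from a DEBUG log, and compares a logged filter with the one the settings should produce while ignoring operand order. SAMPLE_SETTINGS and the log lines are constructed from the placeholders used above.

```python
import re

# Constructed sample of the RMS.cdd LDAP settings used in the examples above
# (placeholder values, not a real directory).
SAMPLE_SETTINGS = {
    "be.auth.ldap.objectClass": "*",  # the wildcard here is deliberate config
    "be.auth.ldap.uidattr": "CN",
    "be.auth.ldap.roleAttr": "member",
}

# RFC 4515 escapes for values interpolated into a filter (username, DN).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(settings, username):
    """Search 1: locate the WebStudio user to obtain its DN."""
    return "(&(objectclass=%s)(%s=%s))" % (
        settings["be.auth.ldap.objectClass"],
        settings["be.auth.ldap.uidattr"], escape_filter_value(username))

def group_filter(settings, user_dn):
    """Search 2: entries whose roleAttr holds the DN returned by search 1."""
    return "(&(%s=%s)(objectclass=%s))" % (
        settings["be.auth.ldap.roleAttr"], escape_filter_value(user_dn),
        settings["be.auth.ldap.objectClass"])

_LOG_FILTER = re.compile(r"Search Filter is (\(.*\))\s*$")

def logged_filters(log_lines):
    """Filters RMS writes to its DEBUG log under [security.dataprovider]."""
    return [m.group(1) for m in map(_LOG_FILTER.search, log_lines) if m]

def and_operands(search_filter):
    """Top-level operands of an (&...) filter, sorted so their order is ignored."""
    if not (search_filter.startswith("(&") and search_filter.endswith(")")):
        return [search_filter]
    body, parts, depth, start = search_filter[2:-1], [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(body[start:i + 1])
    return sorted(parts)
```

Comparing and_operands(logged) with and_operands(user_filter(...)) tells you whether the uidattr and objectClass settings RMS loaded are the ones you expect.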