Authentication issues - some users intermittently cannot log in even though their AD (Windows Active Directory) group has been added to VOM (Veritas Operations Manager) as a Security Group.

Article:TECH157395  |  Created: 2011-04-04  |  Updated: 2011-05-20  |  Article URL http://www.symantec.com/docs/TECH157395
Article Type
Technical Solution


Issue



When the search scope (userbaseDN) is set to the top level of the AD hierarchy, the subtree search done by the LDAP plugin causes AD to return referrals for the other naming contexts in the forest. The plugin currently chases these referrals by default and there is no way to turn chasing OFF.


Environment



VOM 3.1 Central Management Server (CMS)

Linux RHEL 5 U3


Cause



Chasing referrals is only needed when the forest has sub-domains and the users to be authenticated live in those sub-domains.
Most production AD (Active Directory) deployments at customer sites are not set up this way.
While a referral is being chased, any problem with DNS name resolution for the referred-to server causes the original search to fail, even though the entry had already been found.

Currently referrals are chased even when the user to be authenticated is present in the current domain context and LDAP has already found the entry. This is unnecessary and adds latency to every login.

Referral chasing should be OFF by default. It should be turned ON only when there is a case for it, that is, when the user to be authenticated is located in a sub-domain.
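To see the referrals for yourself before touching the plugin, run the same subtree search from the forest-root base DN with the OpenLDAP client and look at what comes back. The script below is an added example, not part of the technote or of VOM: it parses ldapsearch output, counts the referrals AD returned next to the entry that was already found, and lists the hosts the plugin would have to resolve if chasing stays on. The LDIF embedded in it is a constructed sample of such output; the hostnames, DNs, user and group are assumed.

```shell
#!/bin/sh
# Added example, not part of the technote or of VOM: reproduce the referral
# problem outside the product and see what a chased referral would have to resolve.
#
# On a live CMS the LDIF would come from OpenLDAP's client, e.g.
#   ldapsearch -LLL -x -H ldap://dc.parent.Domain.com -D "$BIND_DN" -W \
#     -b "DC=parent,DC=Domain,DC=com" -s sub "(sAMAccountName=jdoe)" > search.ldif
# ldapsearch does not chase referrals unless -C is given, and it prints each
# search reference as a "# refldap://host/DN" comment line.
#
# Constructed sample of such output (hostnames, DNs and the user are assumed):
# one matching entry from the parent domain plus the referrals AD returns for
# the other naming contexts when the base DN is the forest root.
sample_ldif='dn: CN=jdoe,OU=Users,DC=parent,DC=Domain,DC=com
sAMAccountName: jdoe
memberOf: CN=VOM-Admins,OU=Groups,DC=parent,DC=Domain,DC=com

# refldap://child.parent.Domain.com/DC=child,DC=parent,DC=Domain,DC=com
# refldap://ForestDnsZones.parent.Domain.com/DC=ForestDnsZones,DC=parent,DC=Domain,DC=com
# refldap://DomainDnsZones.parent.Domain.com/DC=DomainDnsZones,DC=parent,DC=Domain,DC=com
'

# Entries the search actually matched (one "dn:" line each). Reads LDIF on stdin.
count_entries() { grep -c '^dn: '; }

# Referrals returned alongside the entries. The user was already found, so every
# one of these is a round trip the plugin does not need.
count_referrals() { grep -c '^# refldap://'; }

# Hostnames the client must resolve and connect to if referral chasing is on.
referral_hosts() {
    sed -n 's|^# refldap://\([^/]*\)/.*|\1|p' | LC_ALL=C sort -u
}

# Given hostnames on stdin, print those this machine cannot resolve. One
# unresolvable host is enough to stall the chased search and so the whole login.
unresolvable_hosts() {
    while read -r host; do
        [ -n "$host" ] || continue
        getent hosts "$host" >/dev/null 2>&1 || echo "$host"
    done
}

# Summary for the constructed sample.
printf 'entries matched:    %s\n' "$(printf '%s' "$sample_ldif" | count_entries)"
printf 'referrals returned: %s\n' "$(printf '%s' "$sample_ldif" | count_referrals)"
printf 'referral hosts to resolve if chasing is on:\n'
printf '%s' "$sample_ldif" | referral_hosts
```

Run on the CMS itself (`referral_hosts < search.ldif | unresolvable_hosts`), the last function shows exactly which referral target the DNS configuration on that host cannot resolve; that is the host whose lookup turns a successful search into a timeout. If the list is non-empty and the users in question are in the parent domain, chasing is pure overhead.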


Solution



A modified build of the shared object library disables referral chasing in the LDAP plugin.

To replace the libauthldap.so binary on the CMS and disable referral chasing for the LDAP lookup, download and extract the attached file <libauthldap.tar.gz>, then follow the steps below:

Linux RHEL 5 U3:
1. On the server, stop the sfmsecd daemon. Find its process identifier (PID):
#   ps -ef | grep sfmsecd

note: grab the Process identifier (PID) of the sfmsecd process, then kill it. A plain kill (SIGTERM) lets the daemon shut down cleanly; use -9 only if it does not exit:

#   kill -9 <PID>
2. Replace libauthldap.so
Back up the existing file /opt/VRTSsfmcs/sec/plugins/libauthldap.so (for example to libauthldap.so.orig in the same directory) so it can be restored if needed.
Replace it with the new binary and make sure the file permissions and ownership (-rwxr-xr-x root/root) are set on the new file; confirm with ls -l before starting the daemon.
3. Start sfmsecd by running sfmsecd.sh
# /opt/VRTSsfmcs/sec/bin/sfmsecd.sh
4. Now authenticate against the parent domain, with userbaseDN set to the top level (DC=parent,DC=Domain,DC=com),
by logging into the console as a valid user that has been properly assigned to a VOM Security Group.

It is expected that the login will not time out and the user will be allowed into the VOM console.

If the user fails to authenticate or authorization is refused, see the associated technote below to validate your user security.
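The four steps above, collected into a script with the checks a practitioner would want: the daemon is stopped gently before SIGKILL, the old library is kept as a timestamped backup, the new file is swapped in atomically, and the 0755 root/root requirement is verified rather than assumed. This is an added example, not a script shipped with VOM; the paths are the ones the article gives, the process name sfmsecd is taken from step 1, and the new library is assumed to be the libauthldap.so extracted from the attachment into the current directory. Nothing is changed unless the script is invoked with --apply, so it can be sourced or tested against scratch files first.

```shell
#!/bin/sh
# Added example (not from the technote or VOM): the replacement procedure as a
# script. PLUGIN_DIR and SFMSECD_SH are the paths the article gives; NEW_SO
# defaults to the extracted attachment in the current directory (assumed).
set -u

PLUGIN_DIR=${PLUGIN_DIR:-/opt/VRTSsfmcs/sec/plugins}
SFMSECD_SH=${SFMSECD_SH:-/opt/VRTSsfmcs/sec/bin/sfmsecd.sh}
LIB=libauthldap.so

# Step 1: stop sfmsecd (process name assumed from the article). Try SIGTERM
# first so the daemon can shut down cleanly; fall back to -9 only if it stays up.
stop_sfmsecd() {
    pids=$(pgrep -x sfmsecd 2>/dev/null || true)
    [ -n "$pids" ] || { echo "sfmsecd is not running"; return 0; }
    kill $pids 2>/dev/null || true
    sleep 2
    pids=$(pgrep -x sfmsecd 2>/dev/null || true)
    [ -z "$pids" ] || kill -9 $pids
}

# Step 2: back up the current plugin, then install the new one with the
# required mode and owner. Arguments: plugin directory, path to the new .so.
# Prints the backup file name on success; returns non-zero on any failure.
replace_plugin() {
    dir=$1; new_so=$2
    cur="$dir/$LIB"
    [ -f "$new_so" ] || { echo "new library $new_so not found" >&2; return 1; }
    [ -f "$cur" ]    || { echo "current plugin $cur not found" >&2; return 1; }
    backup="$cur.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$cur" "$backup" || return 1
    # Copy beside the target and rename so the daemon never sees a half-written file.
    cp "$new_so" "$cur.new" && mv "$cur.new" "$cur" || return 1
    chmod 0755 "$cur" || return 1
    # chown requires root; on the real CMS this runs as root, in a dry run it is skipped.
    [ "$(id -u)" -ne 0 ] || chown root:root "$cur" || return 1
    echo "$backup"
}

# Check that a file has exactly mode 0755 (the -rwxr-xr-x the article asks for).
plugin_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0755 2>/dev/null)" ]
}

# Step 3: start the daemon again.
start_sfmsecd() { "$SFMSECD_SH"; }

# Step 4 is manual: log in to the console as a user in a VOM Security Group with
# userbaseDN set to the top level, DC=parent,DC=Domain,DC=com.

if [ "${1:-}" = "--apply" ]; then
    stop_sfmsecd
    replace_plugin "$PLUGIN_DIR" "${NEW_SO:-./libauthldap.so}" || exit 1
    plugin_mode_ok "$PLUGIN_DIR/$LIB" || { echo "mode check on $PLUGIN_DIR/$LIB failed" >&2; exit 1; }
    start_sfmsecd
fi
```

To roll back, stop the daemon the same way, move the printed .bak file back over libauthldap.so, and start sfmsecd.sh again.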


Attachments

The shared object library compressed
libauthldap.tar.gz (876 kBytes)

Supplemental Materials

Source: ETrack
Value: 2330664
Description: The LDAP authentication request from the VOM Console, sent through a load balancer to one of 5 LDAP servers, times out because AD returns referrals when the parent scope is selected.



