Authentication issues - some users cannot login sometimes and their AD (Windows Active Directory) group has been added to VOM (Veritas Operations Manager) as a Security Group.
| Article:TECH157395 | | | Created: 2011-04-04 | | | Updated: 2011-05-20 | | | Article URL http://www.symantec.com/docs/TECH157395 |
Problem
When the search scope is set to the top level in the AD hierarchy, a subtree search done by the LDAP plugin resulting in referrals being generated. Currently they are chased by default and there is no way to turn them OFF.
Environment
VOM 3.1 Central Management Server (CMS)
Linux RHEL 5 U3
Cause
This is often unnecessary unless there are sub domains where the users intends to authenticate a user in subdomains.
Most of the production AD (Active Directory) at customer sites do not have such configuration.
While checking a referral, if there is problem with DNS settings for name resolution, it results in failure of the original search.
Currently referrals are chased even if the user to be authenticated is present under the current domain context and LDAP is able to find it. This is unnecessary and has performance overhead.
Referral chasing should be OFF by default. It should be turned ON only if there is a case for it, when the user to be authenticated is present in a sub-domain.
Solution
Changes to the shared object library worked to disable referral chasing.
To replace the libauthldap.so binary on the server to disable referral chasing on the LDAP lookup download and extract the attached file <libauthldap.tar.gz> then follow the steps below:
Linux RHEL 5 U3:
1. On the server stop the daemon sfmsecd
# ps –ef | grep sfmsecd
note: grab the Process identifier (PID) for the process
# kill -9 <PID>
2. Replace libauthldap.so
Backup the existing file /opt/VRTSsfmcs/sec/plugins/libauthldap.so
Replace with the new binary, make sure relevant file permissions (-rwxr-xr-x root/root) are set for the binary
3. Start sfmsecd, run sfmsecd.sh
# /opt/VRTSsfmcs/sec/bin/sfmsecd.sh
4. Now authenticate with domain parent which has userbaseDN set to top level, DC=parent,DC=Domain,DC=com by logging into the console with a valid user which has been properly assigned to a VOM Security Group.
It is expected the time out will not be reached and the user will be allowed into the VOM console.
If the user fails to authenticate or authorization is refused please see the associated technote below to validate your user security.
Attachments
|
|
| Source | ETrack |
| Value | 2330664 |
| Description | The LDAP authentication request from the VOM Console through a load balancer to one of 5 LDAP servers times out returning referrals from AD when the parent scope is selected |
Article URL http://www.symantec.com/docs/TECH157395
Terms of use for this information are found in Legal Notices
Thank you.