Problem
Multiple issues were encountered:
1) A certificate file was supplied in a .cer file format.
2) The "Verify Server" button in the wizard failed while configuring broker.
3) The "Group Lookup" button in the wizard failed.
Error Message
1) VOM requires an X509 certificate (.pem file) for SSL connection to an LDAP server
2) GUI error when verifying connection to LDAP server
(in this case, it was safely ignored)
3) GUI error when performing group lookup while configuring permissions
ERROR SEEN AT UNIX PROMPT DURING TROUBLESHOOTING
# export EAT_HOME_DIR=/opt/VRTSsfmcs/sec
# export EAT_DATA_DIR=/var/opt/VRTSsfmcs/sec
# cd /opt/VRTSsfmcs/sec/bin
## This command lists the configured LDAP domains and their attributes
# ./vssat listldapdomains
(output abbreviated)
...
Domain Name : ldap_1389_defbase
Server URL : ldap://xxxxx:1389
SSL Enabled : No
User Base DN : ou=users,ou=test,dc=corp,DC=XXXXXXX,DC=COM
User Object Class : person
User Attribute : uid
User GID Attribute : gidNumber
Group Base DN : DC=XXXXXXX,DC=COM
Group Object Class : groupOfNames
Group Attribute : cn
Group GID Attribute : member
Group GID Attribute Type:
Auth Type : BOB
Admin User : uid=_ldap_VOM,ou=users,ou=test,dc=corp,DC=XXXXXXX,DC=COM
Admin User Password :
Search Scope : SUB
NOTE: the value of the "Domain Name" field above (ldap_1389_defbase in this example) is used in the commands below as "<ldap_server>".
## authenticate affected user
./vssat authenticate -b localhost:14545 -d ldap:<ldap_server> -p <user_name>
<prompt for password>
where <user_name> is the LDAP user name (the configured User Attribute, uid, in this domain) that is entered at the VOM login
## after authenticating user, look at credential
./vssat showcred -d ldap:<ldap_server> -p <user_name>
showcred
----------------------
----------------------
Found: 1
*************************************
User Name: uvwt
Domain Name: ldap_1389_defbase
Domain Type: ldap
Issued By: /CN=broker/OU=root@SMCVOMPRD00.corp.xxxxxxx.com/O=vx
Issued To: /CN=uvwt/OU=ldap_1389_defbase/O=ldap
Friendly Name:
Serial Number: 0x19
Root Credential: 0
Trusted Credential: 0
Expiry Interval: Mar 19 15:02:46 2014 GMT
Group Information:
Group Count: 0
Certificate Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UUID: {bf3c358c-787b-11e3-955b-d91cbc13734b}
----------------------
NOTE: the "User Name" field displayed in the example above is used in these commands as <user_name>.
NOTE: a Group Count of 0 means the credential carries no group membership, so VOM cannot authorize the user against permissions granted to LDAP groups, even though authentication itself succeeded.
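When checking several users after a change, it is easier to script the inspection than to read the showcred output by eye. The following is an added example, not part of this technote or of the VOM product: it parses the `vssat showcred` output format reproduced above and lists the users in a domain whose cached credential has a Group Count of 0. The first sample is the page's own output; the second sample (Group Count 2) is constructed to show what a healthy credential looks like after the fix.

```python
"""Parse `vssat showcred` output and flag credentials with no group membership.

Added example (not part of the original technote or the VOM product). The field
names are those printed in the showcred output above; the post-fix sample is
constructed, not captured from a system.
"""
import re
from typing import Dict, List

# Output reproduced from the technote's showcred example (hash/UUID as printed).
SHOWCRED_BEFORE_FIX = """\
showcred
----------------------
----------------------
Found: 1
*************************************
User Name: uvwt
Domain Name: ldap_1389_defbase
Domain Type: ldap
Issued By: /CN=broker/OU=root@SMCVOMPRD00.corp.xxxxxxx.com/O=vx
Issued To: /CN=uvwt/OU=ldap_1389_defbase/O=ldap
Friendly Name:
Serial Number: 0x19
Root Credential: 0
Trusted Credential: 0
Expiry Interval: Mar 19 15:02:46 2014 GMT
Group Information:
Group Count: 0
Certificate Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
UUID: {bf3c358c-787b-11e3-955b-d91cbc13734b}
----------------------
"""

# Constructed sample: the same user once the group lookup works (only the
# Group Count differs; nothing else about the real output is assumed).
SHOWCRED_AFTER_FIX = """\
showcred
----------------------
Found: 1
*************************************
User Name: uvwt
Domain Name: ldap_1389_defbase
Domain Type: ldap
Group Information:
Group Count: 2
Certificate Hash: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
----------------------
"""

# "Key: value" lines; the key is letters and spaces only, so a value that
# itself contains ':' (e.g. the expiry timestamp) is kept whole.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_showcred(text: str) -> List[Dict[str, str]]:
    """Split showcred output into one dict per credential.

    Credentials start at the '****' banner; dash separators and the header
    before the first banner are skipped; empty values are kept as ''.
    """
    creds: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    in_cred = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("****"):
            current = {}
            creds.append(current)
            in_cred = True
            continue
        if not in_cred or not line or line.startswith("---"):
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return creds


def group_count(cred: Dict[str, str]) -> int:
    """Group Count of a parsed credential; 0 if the field is missing or odd."""
    try:
        return int(cred.get("Group Count", "0"))
    except ValueError:
        return 0


def credentials_without_groups(text: str, domain: str) -> List[str]:
    """User names in `domain` whose cached credential carries no groups.

    These users authenticate but cannot be authorized against permissions
    granted to LDAP groups, which is the symptom described in the technote.
    """
    return [
        c.get("User Name", "?")
        for c in parse_showcred(text)
        if c.get("Domain Name") == domain and group_count(c) == 0
    ]


if __name__ == "__main__":
    for label, out in (("before", SHOWCRED_BEFORE_FIX), ("after", SHOWCRED_AFTER_FIX)):
        print(label, credentials_without_groups(out, "ldap_1389_defbase"))
```

In practice you would pipe `vssat showcred -d ldap:<ldap_server>` into `parse_showcred` instead of the embedded samples; an empty result from `credentials_without_groups` is the pass condition for the validation procedure in the workaround below.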
Cause
IBM Tivoli Directory Server user template not configured as posix compliant
(see unconfirmed solution below for detail)
Some external references:
Lightweight Directory Access Protocol
http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
Solution
1) The customer generated another certificate in the .pem file format.
2) The "Verify Server" button error was safely ignored.
3) Attributes in the underlying AT configuration file were edited to make the "Group Lookup" button work as designed.
WORKAROUND
# export EAT_HOME_DIR=/opt/VRTSsfmcs/sec
# export EAT_DATA_DIR=/var/opt/VRTSsfmcs/sec
# /opt/VRTSsfmcs/sec/bin/sfmsecdctrl stop
- edit /var/opt/VRTSsfmcs/sec/root/.VRTSat/profile/VRTSatlocal.conf and set the following (the configured group object class, groupOfNames, holds full DNs in its member attribute, not bare user names):
"GroupGIDAttrType"="DN"
"UserGIDAttr"="uid"
# /opt/VRTSsfmcs/sec/bin/sfmsecdctrl start
Procedure to validate (substitute the Domain Name shown by listldapdomains for <ldap_server> and the VOM login name for <user_name>):
# /opt/VRTSsfmcs/sec/bin/vssat showcred -d ldap:<ldap_server>
(Group Count stays 0 until the cached credential is deleted and recreated)
# /opt/VRTSsfmcs/sec/bin/vssat deletecred -p <user_name> -d ldap:<ldap_server>
# /opt/VRTSsfmcs/sec/bin/vssat authenticate -p <user_name> -d ldap:<ldap_server> -b localhost:14545
# /opt/VRTSsfmcs/sec/bin/vssat showcred -p <user_name>
Group Count will now be non-zero, matching the user's group membership in the LDAP schema.
The user template on the IBM Tivoli Directory Server was not configured with posix-compliant attributes; for a non-posix-compliant template this workaround is necessary.
SOLUTION (unconfirmed but logical)
When creating user template in the IBM Tivoli Directory Server, choose the object class attribute of posixAccount
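To make the cause concrete: the group lookup compares something taken from the user entry against the group's membership attribute, and with groupOfNames that attribute holds DNs, while a non-posix user has no gidNumber to match in the first place. The following is an added example and not VOM/AT code: a small model of the domain settings shown by `vssat listldapdomains`, run against constructed directory entries that follow the DNs on this page (the group names and the second user object classes are invented). How AT really resolves membership is an assumption of the model; it covers the configuration as found, the DN-type workaround above, and the posixAccount/posixGroup alternative in the unconfirmed solution.

```python
"""Model of the three group-lookup configurations discussed in the technote.

Added example, not the product's code. The matching semantics of
GroupGIDAttrType are an assumption: "DN" compares the user's DN with the
group's membership attribute, anything else compares the value of UserGIDAttr.
"""
from typing import Dict, List

# Constructed directory (DN -> attributes) following the technote's DNs.
# Group names and extra object classes are invented for illustration.
USER_DN = "uid=uvwt,ou=users,ou=test,dc=corp,dc=xxxxxxx,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {
        "objectClass": ["person", "inetOrgPerson"],  # no posixAccount, so no gidNumber
        "uid": ["uvwt"],
    },
    "cn=vom_admins,ou=groups,dc=corp,dc=xxxxxxx,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["vom_admins"],
        "member": [USER_DN],  # groupOfNames: member values are DNs
    },
    "cn=storage_ops,ou=groups,dc=corp,dc=xxxxxxx,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["storage_ops"],
        "memberUid": ["uvwt"],  # posixGroup: memberUid values are bare uids
    },
}


def lookup_groups(user_dn: str, cfg: Dict[str, str]) -> List[str]:
    """Return the cn of every group whose GroupGIDAttr contains the user's key.

    cfg keys mirror the listldapdomains fields:
      GroupObjectClass / GroupGIDAttr  where membership is stored
      UserGIDAttr                      user attribute whose value is matched
      GroupGIDAttrType                 "DN": match the user's DN instead
    Comparison is case-insensitive, as DN and uid matching normally are.
    """
    user = DIRECTORY[user_dn]
    if cfg.get("GroupGIDAttrType", "").upper() == "DN":
        keys = {user_dn.lower()}
    else:
        # A non-posix user has no gidNumber, so this set is empty as configured.
        keys = {v.lower() for v in user.get(cfg["UserGIDAttr"], [])}
    found: List[str] = []
    for attrs in DIRECTORY.values():
        if cfg["GroupObjectClass"] not in attrs.get("objectClass", []):
            continue
        members = {m.lower() for m in attrs.get(cfg["GroupGIDAttr"], [])}
        if keys & members:
            found.extend(attrs["cn"])
    return sorted(found)


# 1) As found on the page: groupOfNames/member, UserGIDAttr gidNumber, no type.
AS_CONFIGURED = {"GroupObjectClass": "groupOfNames", "GroupGIDAttr": "member",
                 "UserGIDAttr": "gidNumber", "GroupGIDAttrType": ""}
# 2) Only switching the user attribute to uid still fails: "uvwt" is never
#    equal to a DN-valued member entry.
UID_VALUE_ONLY = dict(AS_CONFIGURED, UserGIDAttr="uid")
# 3) The technote's workaround: compare the user's DN against member.
WORKAROUND = dict(AS_CONFIGURED, GroupGIDAttrType="DN", UserGIDAttr="uid")
# 4) The unconfirmed solution: a posix-compliant template, where posixGroup's
#    memberUid holds bare uids and plain value matching works.
POSIX_TEMPLATE = {"GroupObjectClass": "posixGroup", "GroupGIDAttr": "memberUid",
                  "UserGIDAttr": "uid", "GroupGIDAttrType": ""}

if __name__ == "__main__":
    for name, cfg in (("as configured", AS_CONFIGURED), ("uid value only", UID_VALUE_ONLY),
                      ("workaround", WORKAROUND), ("posix template", POSIX_TEMPLATE)):
        groups = lookup_groups(USER_DN, cfg)
        print(f"{name:15s} Group Count: {len(groups)} {groups}")
```

The point the model makes is that the Group Count of 0 is a matching problem, not an authentication one: either the user entry must carry a value the group attribute actually stores (the posix case), or the lookup must be told to compare DNs (the workaround).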
Applies To
VOM ver 6.0
VRTSsfmh-6.0.0.0-0.x86_64
VRTSsfmcs-6.0.0.0-0.x86_64
Linux RedHat 6.3
IBM Tivoli Directory Server 6.3
(The issue was seen in this environment, but it stems from a user template that is not posix compliant and may appear in other VOM versions, OS platforms and/or LDAP servers.)