Description
Testing LDAP/LDAPS Configuration to be used in eDP Clearwell
Note: All images in this document are from a Veritas lab. All user names are fictitious. Server names are Veritas eDP Clearwell lab names.
First, check that the minimum requirements are configured. If any of the following properties is missing, LDAP/LDAPS will not work as expected.
List of Required LDAP Configuration Properties
- esa.ldap.connectionName
- esa.ldap.connectionPassword
- esa.ldap.connectionURL
- esa.ldap.enabled
- esa.ldap.userBase
- esa.ldap.userSubtree
- esa.ldap.userSearch
- esa.ldap.referrals
The above properties and their values can be reviewed within eDP Clearwell at System->Support Features->Property Browser, using esa.ldap* as the Pattern to match:
Take note of esa.ldap.userBase and esa.ldap.userSubtree. dc=edp,dc=lab is the root of the LDAP/Active Directory tree, and with esa.ldap.userSubtree=true every object beneath it is searched, including sublevels such as ou=TestUsers. In large environments this can be slow, so a more precise userBase is recommended where possible. All user accounts in the Veritas lab belong to an organizational unit called TestUsers, so the following configuration would be preferred:
esa.ldap.userBase=ou=TestUsers,dc=edp,dc=lab
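As an added illustration of the checks above (this is example code written for this article, not part of eDP Clearwell), the following script verifies offline that every required esa.ldap.* property is present, flags an ldap:// URL (a simple bind over plain LDAP sends the service-account password in cleartext), warns when a subtree search starts at the domain root, and shows how the {0} placeholder in esa.ldap.userSearch should be filled with an RFC 4515-escaped user name so that a typed name cannot alter the filter. The sample property values are the lab values shown on this page; the password is a placeholder and the function names are the example's own.

```python
from urllib.parse import urlsplit

# Constructed sample: the lab esa.ldap.* values from this page (password is a placeholder).
SAMPLE_PROPS = {
    "esa.ldap.enabled": "true",
    "esa.ldap.connectionName": r"edp\edpadmin1",
    "esa.ldap.connectionPassword": "<placeholder, not the real encrypted value>",
    "esa.ldap.connectionURL": "ldap://edp-ad.edp.lab:389",
    "esa.ldap.userBase": "ou=TestUsers,dc=edp,dc=lab",
    "esa.ldap.userSubtree": "true",
    "esa.ldap.userSearch": "(&(objectClass=user) (sAMAccountName={0}))",
    "esa.ldap.referrals": "follow",
}

# The minimum property set listed in this article.
REQUIRED = (
    "esa.ldap.connectionName", "esa.ldap.connectionPassword",
    "esa.ldap.connectionURL", "esa.ldap.enabled", "esa.ldap.userBase",
    "esa.ldap.userSubtree", "esa.ldap.userSearch", "esa.ldap.referrals",
)


def missing_required(props):
    """Names of required properties that are absent or blank."""
    return [k for k in REQUIRED if not props.get(k, "").strip()]


def check_connection_url(url):
    """Findings about the directory URL: scheme, host and port."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "ldap":
        findings.append("ldap:// sends the simple bind password in cleartext; prefer ldaps://")
    elif parts.scheme != "ldaps":
        findings.append("unexpected URL scheme: %r" % parts.scheme)
    if not parts.hostname:
        findings.append("URL has no host name")
    if parts.port is None:
        findings.append("no explicit port in URL")
    return findings


def check_search_scope(user_base, user_subtree):
    """Warn when a subtree search starts at the domain root (slow on large directories)."""
    rdns = [rdn.strip().lower() for rdn in user_base.split(",") if rdn.strip()]
    if rdns and user_subtree.lower() == "true" and all(r.startswith("dc=") for r in rdns):
        return ["userBase is the domain root with userSubtree=true; "
                "narrow it to the users' OU, e.g. ou=TestUsers,dc=edp,dc=lab"]
    return []


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into an LDAP search filter."""
    special = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def render_user_search(template, username):
    """Fill the {0} placeholder of esa.ldap.userSearch with an escaped user name."""
    return template.replace("{0}", escape_filter_value(username))


def validate(props):
    """All findings for a property set; an empty list means nothing to report."""
    findings = ["missing required property: " + k for k in missing_required(props)]
    url = props.get("esa.ldap.connectionURL", "")
    if url:
        findings += check_connection_url(url)
    findings += check_search_scope(props.get("esa.ldap.userBase", ""),
                                   props.get("esa.ldap.userSubtree", "false"))
    if props.get("esa.ldap.enabled", "").lower() != "true":
        findings.append("esa.ldap.enabled is not true; LDAP logins are off")
    return findings


if __name__ == "__main__":
    for finding in validate(SAMPLE_PROPS):
        print("-", finding)
    print(render_user_search(SAMPLE_PROPS["esa.ldap.userSearch"], "Jordan.Evans"))
```

Run against the lab values, the only finding is the cleartext ldap:// scheme; changing userBase to dc=edp,dc=lab adds the broad-scope warning. The escaping step is the part worth copying: any code that builds a filter from a user-supplied name should encode *, (, ), \ and NUL before substitution.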
Go to System->Support Features->LDAP Configuration Tester:
Note: This tool outputs the LDAP configuration and then tests every aspect of the LDAP configuration as set within Clearwell: the user credentials, creation of the account in eDP, role assignment, and case assignment. The Active Directory accounts Adam.Coleman and Jordan.Evans are used in the following steps; Adam.Coleman already has an account in Clearwell and Jordan.Evans does not.
In the LDAP Configuration Tool, supply the user name and password of an account that already has an eDiscovery Clearwell account configured, then select the Submit button:
Notice the warning at the bottom. esa.ldap.createUnknownUsers is not a minimum requirement for LDAP to work; however, for this tool to test the user account, the property must be set to either true or false. Go back to System->Support Features->Property Browser and set property esa.ldap.createUnknownUsers to false. Now repeat the last LDAP Configuration Tool test to reveal these results:
Now repeat the last LDAP Configuration Tool test for Jordan.Evans who does not have an eDiscovery Clearwell account to reveal these results:
------------------------------
--- All LDAP Config Values ---
------------------------------
esa.ldap.connectionName: edp\edpadmin1
esa.ldap.connectionPassword: CWG32di7vjZuog0wvO9J7NPWqB7yGBUsAod+lvfOLepxM1Psw7BYsW3svu/6zg==
esa.ldap.connectionURL: ldap://edp-ad.edp.lab:389
esa.ldap.createUnknownUsers: false
esa.ldap.enabled: true
esa.ldap.newUserCaseList:
esa.ldap.referrals: follow
esa.ldap.user.distinguishedName: distinguishedName
esa.ldap.user.email: mail
esa.ldap.user.fullName: displayName
esa.ldap.user.username: sAMAccountName
esa.ldap.userBase: ou=TestUsers,dc=edp,dc=lab
esa.ldap.userPrefixSearch: (&(objectClass=user)(|(sAMAccountName={0}*)(displayName={0}*)(mail={0}*)))
esa.ldap.userSearch: (&(objectClass=user) (sAMAccountName={0}))
esa.ldap.userSubtree: true
-----------------------------------
--- Validation of Config Values ---
-----------------------------------
LDAP config params OK!
----------------------------------
--- Results of test connection ---
----------------------------------
Failed to authenticate via LDAP: [#320006] null
com.teneo.esa.common.exception.TeneoException: [#320006] null
at com.teneo.esa.ui.auth.LDAP.authenticate(LDAP.java:337)
at com.teneo.esa.system.support.ldap.LdapConfig.runFeature(LdapConfig.java:149)
at com.teneo.esa.system.support.ProviderSupport._runFeature(ProviderSupport.java:274)
at com.teneo.esa.system.support.ProviderSupport.runFeature(ProviderSupport.java:218)
at com.teneo.esa.system.support.Support.runService(Support.java:322)
at com.teneo.esa.admin.service.AbstractService.doRun(AbstractService.java:1178)
at com.teneo.esa.admin.service.AbstractService.run(AbstractService.java:1098)
at java.lang.Thread.run(Thread.java:750)
-----------------------------
--- Troubleshooting tips: ---
-----------------------------
The ldp.exe tool can help troubleshoot LDAP connection problems.
This tool can be found on the appliance in the C:\Program Files\Support Tools directory.
For information on the ldp.exe tool, please see:
http://technet.microsoft.com/en-us/library/cc772839%28WS.10%29.aspx
Steps:
* From the "Connection" menu, choose "Connect".
* Enter the server name click OK (e.g. myserver.teneo-test.local).
* For the config values above, you would enter: "edp-ad.edp.lab"
* Enter the port number (e.g. 389).
* For the config values above, you would enter: "389"
* From the "Connection" menu, choose "Bind".
* Enter the username
* For the built-in user, you could enter: "edp\edpadmin1"
* Enter the password
* For the built-in user, you could enter: "password"
* From the "View" menu, choose "Tree".
* Enter the base DN. If you have "esa.ldap.userBase" set, you can specify that value.
* For the config values above, you would enter: ou=TestUsers,dc=edp,dc=lab
* If you have "esa.ldap.userPattern" set, you can specify the OU and DC values.
--------------------------
--- Common Error Codes ---
--------------------------
If you have issues authenticating, you will find "Realm" API errors in the catalina log.
It's common to see an error code 49, which has several sub-codes that aid in debugging:
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
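The error-49 sub-code table in the troubleshooting tips above is what you match against when reading the catalina log. As an added example (written for this article, not Clearwell code), the script below scans log lines for the Active Directory diagnostic text that the Realm exception carries, maps each sub-code to the meaning in the table, and counts them so repeated failures such as locked accounts stand out. The log lines are constructed in the shape of Tomcat JNDI Realm output and are not from the page or a real appliance.

```python
import re
from collections import Counter

# Sub-codes of LDAP error 49 as listed in the tool's troubleshooting tips.
SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Active Directory reports the sub-code as "AcceptSecurityContext error, data <hex>"
# inside the "error code 49" text that the Realm writes to the log.
ERROR49 = re.compile(
    r"error code 49\b.*?AcceptSecurityContext error, data (?P<sub>[0-9a-fA-F]{3})")

# Constructed sample catalina log lines (not real data from the page).
SAMPLE_LOG = [
    "WARNING: Exception performing authentication javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v2580]",
    "INFO: LDAP search base ou=TestUsers,dc=edp,dc=lab",
    "WARNING: Exception performing authentication javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 775, v2580]",
    "WARNING: Exception performing authentication javax.naming.AuthenticationException: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: "
    "AcceptSecurityContext error, data 52e, v2580]",
]


def classify(line):
    """Return (sub-code, meaning) for an error-49 line, or None for any other line."""
    m = ERROR49.search(line)
    if not m:
        return None
    sub = m.group("sub").lower()
    return sub, SUBCODES.get(sub, "unknown sub-code")


def triage(lines):
    """Count each (sub-code, meaning) pair across a log excerpt."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


def summary(lines):
    """One line per sub-code, most frequent first."""
    return ["%s %s: %d" % (sub, meaning, n)
            for (sub, meaning), n in triage(lines).most_common()]


if __name__ == "__main__":
    for row in summary(SAMPLE_LOG):
        print(row)
```

A run of 52e for the bind account named in esa.ldap.connectionName points at the stored service-account password rather than at end users, while 775 after a burst of 52e is the lockout that those failed binds produce; checking the count before changing configuration avoids locking the account further.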
The test above fails because the account being tested, Jordan.Evans, does not have an account in eDiscovery Clearwell.
Go back to System->Support Features->Property Browser and set property esa.ldap.createUnknownUsers to true. Now repeat the last LDAP Configuration Tool test for the Jordan.Evans account to reveal these results:
------------------------------
--- All LDAP Config Values ---
------------------------------
esa.ldap.connectionName: edp\edpadmin1
esa.ldap.connectionPassword: CWG32di7vjZuog0wvO9J7NPWqB7yGBUsAod+lvfOLepxM1Psw7BYsW3svu/6zg==
esa.ldap.connectionURL: ldap://edp-ad.edp.lab:389
esa.ldap.createUnknownUsers: true
esa.ldap.enabled: true
esa.ldap.newUserCaseList:
esa.ldap.referrals: follow
esa.ldap.user.distinguishedName: distinguishedName
esa.ldap.user.email: mail
esa.ldap.user.fullName: displayName
esa.ldap.user.username: sAMAccountName
esa.ldap.userBase: ou=TestUsers,dc=edp,dc=lab
esa.ldap.userPrefixSearch: (&(objectClass=user)(|(sAMAccountName={0}*)(displayName={0}*)(mail={0}*)))
esa.ldap.userSearch: (&(objectClass=user) (sAMAccountName={0}))
esa.ldap.userSubtree: true
-----------------------------------
--- Validation of Config Values ---
-----------------------------------
LDAP config params OK!
Note: new users will be created without access to any cases.
----------------------------------
--- Results of test connection ---
----------------------------------
Failed to authenticate via LDAP: [#320003] No assigned role.
com.teneo.esa.common.exception.TeneoException: [#320003] No assigned role.
at com.teneo.esa.ui.auth.LDAP.authenticate(LDAP.java:332)
at com.teneo.esa.system.support.ldap.LdapConfig.runFeature(LdapConfig.java:149)
at com.teneo.esa.system.support.ProviderSupport._runFeature(ProviderSupport.java:274)
at com.teneo.esa.system.support.ProviderSupport.runFeature(ProviderSupport.java:218)
at com.teneo.esa.system.support.Support.runService(Support.java:322)
at com.teneo.esa.admin.service.AbstractService.doRun(AbstractService.java:1178)
at com.teneo.esa.admin.service.AbstractService.run(AbstractService.java:1098)
at java.lang.Thread.run(Thread.java:750)
-----------------------------
--- Troubleshooting tips: ---
-----------------------------
The ldp.exe tool can help troubleshoot LDAP connection problems.
This tool can be found on the appliance in the C:\Program Files\Support Tools directory.
For information on the ldp.exe tool, please see:
http://technet.microsoft.com/en-us/library/cc772839%28WS.10%29.aspx
Steps:
* From the "Connection" menu, choose "Connect".
* Enter the server name click OK (e.g. myserver.teneo-test.local).
* For the config values above, you would enter: "edp-ad.edp.lab"
* Enter the port number (e.g. 389).
* For the config values above, you would enter: "389"
* From the "Connection" menu, choose "Bind".
* Enter the username
* For the built-in user, you could enter: "edp\edpadmin1"
* Enter the password
* For the built-in user, you could enter: "password"
* From the "View" menu, choose "Tree".
* Enter the base DN. If you have "esa.ldap.userBase" set, you can specify that value.
* For the config values above, you would enter: ou=TestUsers,dc=edp,dc=lab
* If you have "esa.ldap.userPattern" set, you can specify the OU and DC values.
--------------------------
--- Common Error Codes ---
--------------------------
If you have issues authenticating, you will find "Realm" API errors in the catalina log.
It's common to see an error code 49, which has several sub-codes that aid in debugging:
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
Notice the difference in the error this time: "No assigned role". Automatically creating user accounts in eDiscovery Clearwell requires at least a default role, defined using the property esa.ldap.defaultRole. Go back to System->Support Features->Property Browser and set property esa.ldap.defaultRole to Case User. Now repeat the last LDAP Configuration Tool test for the Jordan.Evans account to reveal these results:
------------------------------
--- All LDAP Config Values ---
------------------------------
esa.ldap.connectionName: edp\edpadmin1
esa.ldap.connectionPassword: CWG32di7vjZuog0wvO9J7NPWqB7yGBUsAod+lvfOLepxM1Psw7BYsW3svu/6zg==
esa.ldap.connectionURL: ldap://edp-ad.edp.lab:389
esa.ldap.createUnknownUsers: true
esa.ldap.defaultRole: Case User
esa.ldap.enabled: true
esa.ldap.newUserCaseList:
esa.ldap.referrals: follow
esa.ldap.user.distinguishedName: distinguishedName
esa.ldap.user.email: mail
esa.ldap.user.fullName: displayName
esa.ldap.user.username: sAMAccountName
esa.ldap.userBase: ou=TestUsers,dc=edp,dc=lab
esa.ldap.userPrefixSearch: (&(objectClass=user)(|(sAMAccountName={0}*)(displayName={0}*)(mail={0}*)))
esa.ldap.userSearch: (&(objectClass=user) (sAMAccountName={0}))
esa.ldap.userSubtree: true
-----------------------------------
--- Validation of Config Values ---
-----------------------------------
LDAP config params OK!
Note: new users will be created without access to any cases.
----------------------------------
--- Results of test connection ---
----------------------------------
Authentication successful
If automatic role assignment is required, see KB article 100059394 (Users in an OU) or 100059510 (Users in a group).