Authentication issues - some users cannot log in sometimes, although their AD (Windows Active Directory) group has been added to VOM (Veritas Operations Manager) as a Security Group.

Problem

When the search scope is set to the top level of the AD hierarchy, the subtree search done by the LDAP plugin results in referrals being generated. These referrals are currently chased by default and there is no way to turn this off.

Cause

Chasing referrals is usually unnecessary unless there are sub-domains in which users are meant to be authenticated.
Most production AD (Active Directory) deployments at customer sites do not have such a configuration.
While a referral is being chased, a problem with the DNS settings for name resolution causes the original search to fail.

Currently referrals are chased even when the user to be authenticated is present under the current domain context and LDAP is able to find it there. This is unnecessary and adds performance overhead.

Referral chasing should be off by default. It should be turned on only when there is a case for it, namely when the user to be authenticated is present in a sub-domain.

Solution

A modified shared object library disables referral chasing.

To disable referral chasing on the LDAP lookup, replace the libauthldap.so binary on the server: download and extract the attached file <libauthldap.tar.gz>, then follow the steps below.

Linux RHEL 5 U3:

1. On the server, stop the sfmsecd daemon:
# ps -ef | grep sfmsecd

Note: take the process identifier (PID) of the sfmsecd process from the output.

# kill -9 <PID>

2. Replace libauthldap.so:
Back up the existing file /opt/VRTSsfmcs/sec/plugins/libauthldap.so.
Replace it with the new binary and make sure the relevant file permissions (-rwxr-xr-x root/root) are set on the binary.

3. Start sfmsecd by running sfmsecd.sh:
# /opt/VRTSsfmcs/sec/bin/sfmsecd.sh

4. Authenticate against the parent domain, which has userbaseDN set to the top level (DC=parent,DC=Domain,DC=com), by logging into the console with a valid user that has been properly assigned to a VOM Security Group.

It is expected that the timeout will not be reached and the user will be allowed into the VOM console.

If the user fails to authenticate or authorization is refused, see the associated technote below to validate your user security.
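The replacement procedure above as a single script, added here as an example and not part of the Veritas technote: it stops sfmsecd with TERM before falling back to the KILL the technote uses, keeps a timestamped backup of the old plugin, and checks the -rwxr-xr-x mode before restarting. The paths are the technote's; the function names and the "run" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Veritas technote: the replacement procedure
# above as a script. Defaults are the technote's paths; override via environment.
set -u

PLUGIN="${PLUGIN:-/opt/VRTSsfmcs/sec/plugins/libauthldap.so}"
SFMSECD_SH="${SFMSECD_SH:-/opt/VRTSsfmcs/sec/bin/sfmsecd.sh}"

# Step 1: stop sfmsecd. Try a clean TERM first; fall back to KILL as the
# technote does only if the daemon is still alive after two seconds.
stop_sfmsecd() {
    pids=$(pgrep -x sfmsecd 2>/dev/null) || return 0   # not running
    kill $pids 2>/dev/null
    sleep 2
    pgrep -x sfmsecd >/dev/null 2>&1 && kill -9 $pids
    return 0
}

# Step 2: keep a timestamped copy of the current plugin (so a re-run never
# clobbers the original) and install the new binary as -rwxr-xr-x root/root.
# Prints the backup path. chown only runs when we are root.
replace_plugin() {
    new_so="$1"; target="${2:-$PLUGIN}"
    [ -f "$new_so" ] || { echo "new binary not found: $new_so" >&2; return 1; }
    backup="${target}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || return 1
    cp "$new_so" "$target" || return 1
    chmod 0755 "$target" || return 1
    [ "$(id -u)" -eq 0 ] && chown root:root "$target"
    echo "$backup"
}

# Step 2 check: the installed plugin must be mode 755 (GNU stat, as on RHEL).
check_plugin_mode() {
    [ "$(stat -c '%a' "${1:-$PLUGIN}")" = "755" ]
}

# Steps 1-3 end to end: sh replace_libauthldap.sh run /path/to/new/libauthldap.so
# Step 4 (logging into the VOM console) is still done by hand afterwards.
case "${1:-}" in
    run)
        stop_sfmsecd
        replace_plugin "${2:?path to the extracted libauthldap.so}"
        check_plugin_mode || exit 1
        "$SFMSECD_SH"
        ;;
esac
```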


Applies To

VOM 3.1 Central Management Server (CMS)

Linux RHEL 5 U3
