Skip to Content

Troubleshooting issues with LDAP user synchronization

While synchronizing LDAP users with TrueSight Server Automation RBAC roles, the synchronization process either fails or or the output is not as expected. For instance, users are not created, deleted, or mapped to RBAC roles as expected.

This topic helps you locate and review to determine why the LDAP user synchronization is not working as expected and either help you identify and resolve the issue or create a BMC Customer Support case.

Related topic

Synchronizing-users-with-LDAP-servers

Issue symptoms

The following symptoms might be observed: 

  • LDAP users are not created in TrueSight Server Automation RBAC.
  • LDAP users are not removed from TrueSight Server Automation RBAC.
  • LDAP users are not being marked as disabled in TrueSight Server Automation RBAC.
  • The users in TrueSight Server Automation RBAC are not mapped to the expected roles.

Issue scope

The issue might affect all or specific LDAP users.

Diagnosing and reporting an issue

Task

Action

Steps

Reference

1

Understand problem scope

  • Check the behavior that is causing this issue. For example:
    • The LDAP user synchronization is failing with an error message.
    • The LDAP user synchronization appears to succeed but without the expected results, such as:
      • LDAP users are not created in TrueSight Server Automation RBAC.
      • LDAP users are not removed from TrueSight Server Automation RBAC.
      • LDAP users are not being marked as disabled in TrueSight Server Automation RBAC.
  • Check whether an error occurs while performing the LDAP user synchronization either from the GUI or using the BLCLI commands.


2

Identify recent changes

Is this the initial setup of LDAP User Synchronization or was it previously working successfully?

If LDAP authentication was previously working in this environment, are there any known changes since the last time it worked? For instance:

  • TrueSight Server Automation upgrade
  • Addition or replacement of the Application Server
  • Modification of LDAP Servers (upgrade, patching, migration, server replacement, and so no)
  • Certificate changes


3

Review the configuration details.

Review the configuration details:


    1. Navigate to RBAC Manager - LDAP Synchronization.
    2. Open the LDAP connection.
    3. Check the host name, port, and certificate information.

LDAPConnection.png

4

Review the configuration details.

Review the details of each LDAP query (role and user):


    1. Navigate to RBAC Manager - LDAP Queries
    2. Open the LDAP query.
    3. Check the values for the Base Distinguished Name, Filter, and Attribute fields.

GroupQuery.png


GroupQuery.png


5

Identify and locate the Application Server log files.

The following Application Server log files can be used to troubleshoot LDAP Authentication issues. These log files are located in the installDirectory/br/ directory on the Application Server: 

  • appserver.log*    
  • console.log*

*If you have multiple Application Server deployments, the specified log file names are the log files of the default Application Server deployment. The names of the log files for other Application Server deployments are prefixed with the name of the deployment, connected with an underscore. For example, jobservera_appserver.log, jobserverb_console.log, and so on.

Collect these Application Server logs from each Application Server host.

Note the exact time of a recent failed LDAP authentication attempt so this time can be cross-referenced with the collected logs.


6

Creating a BMC Support Case

Provide the following information and log files when creating a case with BMC Customer Support:

  • Scope of the issue. Steps 1-3 above
  • Any recent changes to the environment. Step 4 above
  • Configuration Details. Step 5-7 above
  • Appserver Logs. Step 7 above
  • Export of Application Server Details (see link in reference section on right)

Resolutions for common issues

Symptom

Action

Reference

RBAC user synchronization is completed without errors. However, no new users (or fewer than expected) are created in TrueSight Server Automation RBAC.

Follow the steps in the referenced KA to further troubleshoot and resolve.

RBAC user synchronization completes without errors.

The correct number of new users are created in TrueSight Server Automation RBAC, but with an unexpected username format.

Follow the steps in the referenced KA to further troubleshoot and resolve.

RBAC user synchronization is completed without errors.

The correct number of new users are created in TrueSight Server Automation RBAC, but the list of "Selected Roles" assigned to the RBAC users (newly created or existing) is not as expected.

Follow the steps in the referenced KA to further troubleshoot and resolve.

RBAC user synchronization is completed without errors. However, users are not removed from TrueSight Server Automation RBAC roles as expected.

Follow the steps in the referenced KA to further troubleshoot and resolve.

RBAC user synchronization fails with the following error:

"Cannot establish a TLS connection with ldap://myldapserver1.mycompany.com:port."

Check the Application Server log for a more detailed error message which accompanies the "Cannot establish a TLS connection" error.

Depending on the error message details, consult the following Knowledge Articles:

  • KA 000290029
    The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers. javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

  • KA 000290029
    The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.

    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ldapserver1 found.
  • KA 000273284
    The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers. javax.naming.ServiceUnavailableException: lab-domain.lab.com:636; socket closed
  • KA 000370809
    The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers. javax.net    .ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found

  • KA 000329030
    The ldap://ldapserver1:389 LDAP server does not support the StartTLS protocol extension. Please use LDAPv3 servers.

    Cannot establish a TLS connection with ldap://<host_name>:xxxx. Most likely cause is failed certificate validation.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Server Automation 25.4