Page 1: Technical white paper HPDM LDAP Troubleshooting Guide

Technical white paper

HPDM LDAP Troubleshooting Guide HP Device Manager 4.7 SP3

Table of contents

Introduction
HPDM LDAP-related context and background
LDAP in HPDM
Full-domain-name login
Single-domain configuration
  Multiple-trusted-domains scenario
    Environment
  Multiple-trusted-domains support
    User authentication with hpdm.com
    Support for HPDM login to test.hpdm.com
    Support for HPDM login to Universal Group
  LDAP subgroup support
Multiple-untrusted-domains configuration
Troubleshooting steps
  General configuration
For more information


Introduction

This document explains how HP Device Manager (HPDM) uses the Lightweight Directory Access Protocol (LDAP), describes some common scenarios, and shows how to troubleshoot issues that might occur when you use user authentication with Active Directory or other LDAP servers.

HPDM LDAP-related context and background

Users and groups in Active Directory, or in a different LDAP server, can be used to log in to HPDM. This allows the reuse of existing login accounts and simplifies the management of administrative privileges in HPDM. For more background information, see the Administrator Guide for HP Device Manager.

LDAP in HPDM

Figure 1. HPDM network with an LDAP server (diagram: HPDM Consoles reach the HPDM Server through routers; the HPDM Server reaches one or more LDAP Servers, which are linked by a trust relationship)

• HPDM Server stores the LDAP Server configuration and the imported user/group information.

• LDAP Server is responsible for authenticating LDAP users on behalf of HPDM Server.

The LDAP server configuration information, including User Authentication, needs to be set in HPDM (see Full-domain-name login). HPDM uses the configuration information to connect to the specified LDAP server. The LDAP users and groups need to be imported into HPDM before you log in to HPDM (see Importing a user or group from LDAP).

LDAP server configuration and imported user and group basic information will be stored in the database of HPDM. HPDM does not store the LDAP user’s password. (It is only transported to the LDAP server when the user logs in to HPDM.)

HPDM supports both a multiple-domains configuration and a single-domain configuration. After the import is complete, you can log in to HPDM as an LDAP user or as a member of an imported LDAP group. For each configured single domain, HPDM supports the following:

• Multiple trusted domains

• Universal group

• Subgroup

• Full domain account name login such as “domain\account”


HPDM authenticates its own inner users itself. When you log in to HPDM with an LDAP account, the LDAP server performs the authentication and returns the result to HPDM (see Logging in as an LDAP user). The following chart shows the basic flow of logging in to HPDM as an LDAP user.

Figure 2. Logging in to HPDM as an LDAP user flow chart (the diagram shows the exchange between HPDM Console, HPDM Server, LDAP Server 1 and LDAP Server 2; its steps are listed below)

1. The user logs in to HPDM Console with a domain account, for example HPDM\Administrator.

2. HPDM Server checks whether the HPDM\Administrator account has been imported (that is, whether it exists in the database).

3. If the account is imported, HPDM Server gets the account DN from the database (cn=administrator,cn=users,dc=hpdm,dc=com) together with the domain configuration of this account.

4. If the account is not imported, HPDM Server gets all imported LDAP groups and their related domain configurations from the database and loops through each LDAP group to check whether it contains the login account. (The loop runs in asynchronous threads, which avoids performance problems.)

– If one of the LDAP groups contains the login account, the loop stops and the login account DN and password are authenticated against that group's domain configuration.

– If no group contains the login account, the login fails and the user is notified.

5. HPDM Server connects to the LDAP server of the selected domain configuration (LDAP Server 1 or LDAP Server 2) and authenticates the login account DN and password.

6. If the DN and password are correct, HPDM Console opens with that account; otherwise the login fails and the user is notified.


Full-domain-name login

HPDM supports full-domain-name login, which distinguishes accounts that have the same name in different domains (or an inner HPDM user with the same name).

1. To log in to HPDM with a domain account, enter the username in the domain\account format (for example, HPDM\Administrator). When your pointer rolls over the username box, a tooltip shows the expected format.

2. In HPDM Console, the title of the dialog box displays the full username of the domain account.

In the User Management dialog box, the domain accounts are shown in the new name format.


Single-domain configuration

Multiple-trusted-domains scenario

This scenario covers a parent domain with multiple trusted child domains: only the parent domain is configured for user authentication in HPDM, and users from the child domains need to log in to HPDM with their own domain accounts.

Environment

Parent domain

• Domain: hpdm.com

• Host: 192.168.231.150

• User Authentication Account: CN=Administrator,CN=Users,DC=hpdm,DC=com

Child domain

• Domain: test.hpdm.com

• Host: 192.168.231.152

• User Authentication Account: CN=Administrator,CN=Users,DC=test,DC=hpdm,DC=com

• Imported user: CN=tester,CN=Users,DC=test,DC=hpdm,DC=com


HPDM Server

• Host: 192.168.231.138

DNS Server

You must configure the DNS Server strategy so that the HPDM Server can communicate with both the parent and the child domain servers using their domain names.

For example:

• If the parent and child domains use the same DNS Server, the DNS setting of the HPDM Server needs to point to that DNS Server.

• If the parent and child domains use different DNS Servers, be sure that the parent and child domain DNS Servers point to each other on the Forwarders tab of the Properties dialog box. Then, be sure that the DNS setting of the HPDM Server points to the DNS Server of the parent domain.

Figure 3. Child domain DNS Server IP address in Forwarders tab


Figure 4. Parent domain DNS Server IP address in Forwarders tab

You can run ping against both domain names from the HPDM Server to verify the configuration.

Multiple-trusted-domains support

User authentication with hpdm.com

To log in to HPDM with a child domain account using the parent domain's user authentication:

1. Go to HPDM Console.

2. Select the Tools menu, select Configurations, and then select LDAP Settings.


3. Enter the Username and Password for hpdm.com.

Note: If you use SSL encryption for LDAP authentication, be sure to get the key (the LDAP server's certificate) for the parent domain and for every other trusted domain, that is, for the domains of all accounts you use to log in to HPDM. If you do not use encryption there is nothing to fetch, but be aware that a plain LDAP bind then sends the user-authentication password, and every LDAP user's login password, across the network in clear text.

To get the key for a domain:

A. In the Host box, enter the IP address or hostname of the domain's LDAP server.

B. Select Get Key From Host.

Repeat this procedure for each domain.

Support for HPDM login to test.hpdm.com

1. In HPDM Console, select the Tools menu, select User Management, and then select Import from LDAP.

2. On the Search tab, select DC=test,DC=hpdm,DC=com for the Base DN.

3. Under Query, select cn = t1.

4. Select Search to find this user under DC=test,DC=hpdm,DC=com.


5. Select Add, and then select Import to add this user to HPDM.

6. Log into HPDM using the Test\t1 account.


The account logs into HPDM successfully.

Support for HPDM login to Universal Group

A Universal Group is a group that can contain accounts from the current domain and from other trusted domains. The advantage of using it is that you do not have to import accounts from each domain into HPDM separately: add the accounts from the different domains to the Universal Group and import that one group.

For example, you have created Universal Group in domain hpdm.com. This group contains two users:

• jasons is from hpdm.com

• t2 is from test.hpdm.com

1. In HPDM Console, select the Tools menu, select User Management, and then select Import from LDAP.

2. Select the Universal Group and then select Import.


3. Verify that you can log into HPDM using both the jasons (from hpdm.com) and t2 (from test.hpdm.com) accounts.

Note: If your configuration supports multiple domains, be sure that the following conditions are met:

• The DNS server of each domain can reach the HPDM Server (and vice versa) using the domain name.

• All domains should trust each other; that is, all domains have the right to communicate with each other.

LDAP subgroup support

HPDM supports logging in to HPDM with accounts that are members of an LDAP subgroup.

For example, an LDAP server has the following subgroups:

• Group: G1

– It contains group G2.

– It contains user account t1.

• Group: G2

– It contains user account t2.

If you import G1 into HPDM, both user accounts t1 and t2 can log into HPDM.

To import an LDAP subgroup:


1. In HPDM Console, select the Tools menu, select User Management, select Import from LDAP, select the group that contains the subgroup (G1 in the example), and then select Import.

2. View the group properties to verify that all usernames are listed.

3. Log into HPDM with any user in the subgroup.
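The login flow in Figure 2, the Universal Group and subgroup cases above, and the separate LDAP settings entry an untrusted domain needs can be seen working together in the following model. It is an added example written for this guide, not HPDM code: the in-memory tables stand in for the HPDM database and for the LDAP servers, the trust check in `bind` is a simplification of what domain controllers do with a cross-domain bind, and while the domains hpdm.com, test.hpdm.com and hpdm2.com, the users jasons, t1, t2, tester and Administrator and the groups G1 and G2 come from this guide, the user bob, the group Admins and all passwords are constructed.

```python
"""Model of the HPDM LDAP login flow (Figure 2) with nested-group resolution. Added
example for this guide, not HPDM code; every domain, account and password is constructed."""
from dataclasses import dataclass, field


@dataclass
class Domain:
    netbios: str
    dns_name: str
    base_dn: str
    trusts: set = field(default_factory=set)       # DNS names this domain trusts
    accounts: dict = field(default_factory=dict)   # sAMAccountName (lower-case) -> DN (LDAP side)
    passwords: dict = field(default_factory=dict)  # DN -> password (LDAP side only, never in HPDM)
    members: dict = field(default_factory=dict)    # group DN -> [member DNs] (LDAP side)


class Forest:
    def __init__(self, domains):
        self.domains, self.by_netbios = list(domains), {d.netbios.lower(): d for d in domains}

    def owner_of(self, dn):
        """Domain holding a DN: longest matching base-DN suffix (child before parent)."""
        hits = [d for d in self.domains if dn.lower().endswith(d.base_dn.lower())]
        return max(hits, key=lambda d: len(d.base_dn)) if hits else None

    def bind(self, via, dn, password):
        """Simple bind to `via`'s server; a foreign DN works only if `via` trusts its domain."""
        owner = self.owner_of(dn)
        if owner is None or (owner is not via and owner.dns_name not in via.trusts):
            return False
        return owner.passwords.get(dn) == password

    def group_contains(self, group_dn, user_dn, seen=None):
        """Recursive membership test: a user in subgroup G2 of G1 counts as a member of G1."""
        seen = set() if seen is None else seen
        if group_dn in seen:                       # guard against group cycles
            return False
        seen.add(group_dn)
        for member in self.owner_of(group_dn).members.get(group_dn, []):
            if member.lower() == user_dn.lower():
                return True
            owner = self.owner_of(member)
            if owner and member in owner.members and self.group_contains(member, user_dn, seen):
                return True
        return False


class HPDM:
    """The HPDM database: imported users and groups with the domain configuration each was imported under."""
    def __init__(self, forest):
        self.forest = forest
        self.imported_users = {}   # (netbios, account) -> (DN, domain configuration)
        self.imported_groups = []  # [(group DN, domain configuration)]

    def login(self, username, password):
        """Return how the login was satisfied ('user' or 'group') or None on failure."""
        if "\\" not in username:   # not the domain\account format: inner users are HPDM's own business
            return None
        netbios, account = username.split("\\", 1)
        hit = self.imported_users.get((netbios.lower(), account.lower()))
        if hit:                    # imported user: DN and domain configuration come from the database
            return "user" if self.forest.bind(hit[1], hit[0], password) else None
        domain = self.forest.by_netbios.get(netbios.lower())
        user_dn = domain.accounts.get(account.lower()) if domain else None
        # Not imported: loop the imported groups (HPDM uses asynchronous threads) and bind via the first match
        for group_dn, cfg in (self.imported_groups if user_dn else []):
            if self.forest.group_contains(group_dn, user_dn):
                return "group" if self.forest.bind(cfg, user_dn, password) else None
        return None


def build_example():
    """Constructed forest: parent hpdm.com, trusted child test.hpdm.com (G1 contains G2), untrusted hpdm2.com."""
    hpdm = Domain("HPDM", "hpdm.com", "DC=hpdm,DC=com", trusts={"test.hpdm.com"})
    test = Domain("TEST", "test.hpdm.com", "DC=test,DC=hpdm,DC=com", trusts={"hpdm.com"})
    hpdm2 = Domain("HPDM2", "hpdm2.com", "DC=hpdm2,DC=com")
    for dom, names in ((hpdm, "Administrator jasons"), (test, "tester t1 t2"), (hpdm2, "bob")):
        for name in names.split():
            dom.accounts[name.lower()] = dn = f"CN={name},CN=Users,{dom.base_dn}"
            dom.passwords[dn] = f"pw-{name}"       # constructed; lives on the LDAP side only
    ug, g1, g2, adm = (f"CN={g},CN=Users,{d.base_dn}" for g, d in
                       (("Universal Group", hpdm), ("G1", test), ("G2", test), ("Admins", hpdm2)))
    hpdm.members[ug] = [hpdm.accounts["jasons"], test.accounts["t2"]]   # spans both trusted domains
    test.members[g1], test.members[g2] = [g2, test.accounts["t1"]], [test.accounts["t2"]]
    hpdm2.members[adm] = [hpdm2.accounts["bob"]]
    server = HPDM(Forest([hpdm, test, hpdm2]))
    server.imported_users[("test", "tester")] = (test.accounts["tester"], hpdm)  # via the parent's settings
    server.imported_groups += [(ug, hpdm), (g1, hpdm), (adm, hpdm2)]              # hpdm2 has its own entry
    return server


def demo():
    s = build_example()
    hpdm, bob = s.forest.by_netbios["hpdm"], s.forest.by_netbios["hpdm2"].accounts["bob"]
    return {"child_user_via_parent": s.login("TEST\\tester", "pw-tester"),
            "universal_group_parent_member": s.login("HPDM\\jasons", "pw-jasons"),
            "universal_group_child_member": s.login("TEST\\t2", "pw-t2"),
            "subgroup_member": s.login("TEST\\t1", "pw-t1"),
            "untrusted_domain_own_settings": s.login("HPDM2\\bob", "pw-bob"),
            "wrong_password": s.login("TEST\\t1", "nope"),
            "not_imported_anywhere": s.login("HPDM\\Administrator", "pw-Administrator"),
            "untrusted_dn_via_parent_settings": s.forest.bind(hpdm, bob, "pw-bob")}
```

`demo()` returns the outcome of each scenario in this guide. The recursive `group_contains` is what lets both t1 (a direct member of G1) and t2 (a member only of subgroup G2) log in after G1 alone is imported, the Universal Group case works for t2 because hpdm.com trusts test.hpdm.com, and the last entry shows why a DN from the untrusted hpdm2.com cannot be authenticated through the hpdm.com settings entry and needs its own.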


Multiple-untrusted-domains configuration

In a single-domain configuration, HPDM supports authentication across multiple trusted domains. In addition, HPDM supports a multiple-untrusted-domains configuration, in which each untrusted domain gets its own LDAP settings entry and performs its own authentication.

For example, there are two untrusted domains:

• DC=hpdm,DC=com

• DC=hpdm2,DC=com

1. In HPDM Console, select the Tools menu, select Configurations, and then select LDAP Settings.

2. Select Add, and configure the LDAP settings as necessary.


3. Import the domain accounts or groups.

Troubleshooting steps

General configuration

• Make sure that the network between the HPDM Server and the LDAP server is working and that the HPDM Server can access the LDAP server.

– Verify using the ping command. The following example uses 192.168.58.134 as the LDAP server address.


• Make sure that the LDAP server firewall does not block the port.

– Verify using the telnet command. The following example uses the default port, 389 (use 636 if the LDAP server is configured for SSL).

• Make sure that the LDAP User Authentication is configured correctly from the HPDM Console before importing users and groups. See Configuring User Authentication.

– To configure the User Authentication using the FQDN, you must enter the full name in both the Domain and the Username fields, such as dc=magic,dc=com for the domain and cn=Administrator,cn=Users,dc=magic,dc=com for the user named Administrator in the Users folder.

– Verify that the LDAP server works by clicking the Test button during the User Authentication configuration.

• If an HPDM inner user and an imported LDAP user have the same username, HPDM defaults to the inner user.

• If a user or group is modified on the LDAP server, the change is not reflected in HPDM Console until the next login.

– For example, if the imported LDAP user Administrator changes their password on the LDAP server side, the new password is simply used the next time they log in to HPDM Console; nothing has to be updated in HPDM, because HPDM does not store the LDAP password.
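The ping and telnet checks above, the DNS requirement from the Environment section and the Test button can all be reproduced from the HPDM Server with one script. The following is an added example written for this guide, not HPDM code or an HP tool: it resolves the domain name, checks that the LDAP port accepts connections, and performs an LDAP v3 simple bind with the user-authentication account, encoding the request itself (RFC 4511 BER) so it needs no third-party LDAP library. The host and DN in the `__main__` section are this guide's lab values with a placeholder password, and the `AD_BIND_DATA` table is the set of Active Directory sub-codes that a failed bind's diagnostic message carries (`data 52e` and so on), which is assumed to be what your domain controllers return.

```python
"""Pre-flight checks for an HPDM LDAP settings entry: DNS resolution, TCP reachability
and an LDAP v3 simple bind with the user-authentication account, using only the standard
library (raw BER per RFC 4511). Added example, not HPDM code; hosts and DNs are assumptions."""
import re
import socket
import ssl

# Active Directory sub-codes that appear as "data NNN" in a failed bind's diagnosticMessage.
AD_BIND_DATA = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time", "531": "logon not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def build_simple_bind(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    assert 0 < msg_id < 128, "a single-octet messageID is enough for this check"
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)


def read_tlv(buf, pos=0):
    """Decode one TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)                 # skip messageID
    op, result, _ = read_tlv(body, pos)
    if op != 0x61:
        raise ValueError(f"unexpected protocolOp 0x{op:02x}")
    _, code, pos = read_tlv(result)            # resultCode ENUMERATED: 0 success, 49 invalidCredentials
    _, _, pos = read_tlv(result, pos)          # matchedDN
    _, diag, _ = read_tlv(result, pos)         # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")


def explain_ad_failure(diag):
    """Turn AD's 'data 52e'-style sub-code into a reason; other LDAP servers carry none."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)", diag)
    return AD_BIND_DATA.get(m.group(1).lower(), f"unknown sub-code {m.group(1)}") if m else "no AD sub-code"


def resolve(name):
    """Addresses the HPDM Server gets for a name (empty list = DNS or forwarders problem)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def port_open(host, port, timeout=3):
    """The telnet test from the troubleshooting steps: does the LDAP port accept a connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def bind_check(host, dn, password, port=389, use_tls=False, cafile=None):
    """The Test button, by hand. On 389 the password crosses the wire in clear text;
    use port 636 with use_tls=True (and the DC's issuing CA in cafile) outside a lab."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, dn, password))
        reply = sock.recv(4096)                # a BindResponse fits in one read
    code, diag = parse_bind_response(reply)
    return code, explain_ad_failure(diag) if code == 49 else diag


if __name__ == "__main__":
    # Values from this guide's environment; the password is a placeholder, not a real one.
    host, dn = "192.168.231.150", "CN=Administrator,CN=Users,DC=hpdm,DC=com"
    print("hpdm.com resolves to", resolve("hpdm.com"), "- port 389 open:", port_open(host, 389))
    print("bind:", bind_check(host, dn, "change-me"))
```

A result of `(0, '')` means the user-authentication account works. A 49 with "invalid credentials" points at the DN or password, while "account locked out", "password expired" or "account disabled" point at the account itself, which ping and telnet can never reveal. With `use_tls=True` on port 636 and the certificate chain of the domain controller in `cafile` (the counterpart of HPDM's Get Key From Host) the bind password no longer crosses the network in clear text.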


© Copyright 2015, 2016 Hewlett-Packard Development Company, L.P.

ARM is a registered trademark of ARM Limited. Java is a registered trademark of Oracle and/or its affiliates. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Pentium is a trademark of Intel Corporation in the U.S. and other countries.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Second Edition: August 2016

First Edition: October 2015

For more information

To read more about LDAP, go to http://en.wikipedia.org/wiki/LDAP.
