Question
Accenture Pte Ltd
SG
Last activity: 4 Jan 2018 5:41 EST
Pega AD authentication using LDAP error
Hi,
I faced an issue while setting up LDAP in Pega 7.2. The configuration was fine. When I tested connectivity on the LDAP configuration page it was successful with no error, but when I tested login using an AD credential on the PRWebLdap page I faced an authentication error. Below is the log generated. Need assistance urgently.
2017-11-22 09:49:32,079 [ WebContainer : 1] [ STANDARD] [ ] [ PegaRULES:07.10] (edentials.Code_Security.Action) ERROR localhost| Proprietary information hidden - External authentication failed:
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, best match of:
''
]; remaining name ''
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3173)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3094)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2900)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1858)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1781)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:404)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:370)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:353)
at org.apache.aries.jndi.DelegateContext.search(DelegateContext.java:365)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:278)
at com.pegarules.generated.activity.ra_action_authenticationldapwebverifycredentials_292bd2682e2aa72f2cde118452a56d53.step2_circum0(ra_action_authenticationldapwebverifycredentials_292bd2682e2aa72f2cde118452a56d53.java:641)
at com.pegarules.generated.activity.ra_action_authenticationldapwebverifycredentials_292bd2682e2aa72f2cde118452a56d53.perform(ra_action_authenticationldapwebverifycredentials_292bd2682e2aa72f2cde118452a56d53.java:87)
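The Active Directory diagnostic string in the log above can be decoded field by field; result code 32 is a naming failure on the DN being searched, which is a different class of problem from a code 49 bind (credential) failure. The following is an added example, not part of the original thread or of Pega's code. It goes beyond the logged case by also decoding code 49 sub-codes, and the `PARTIAL_MATCH` and `BIND_FAILURE` samples are constructed.

```python
import re

# LDAP result codes (RFC 4511) that matter when triaging a failed login.
RESULT_CODES = {32: "noSuchObject", 49: "invalidCredentials"}
# Active Directory sub-codes reported as "data <hex>" on code 49 bind failures.
AD_BIND_DATA = {"525": "user not found", "52e": "wrong user name or password",
                "532": "password expired", "533": "account disabled",
                "775": "account locked out"}

AD_ERROR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"(?P<dsid>DSID-[0-9A-Fa-f]+)(?:, problem \d+ \((?P<problem>\w+)\))?"
    r".*?data (?P<data>[0-9A-Fa-f]+)"
    r"(?:.*?best match of:\s*'(?P<best_match>[^']*)')?", re.DOTALL)

# Taken from the log in the original post.
PAGE_ERROR = ("javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: "
              "NameErr: DSID-0310021B, problem 2001 (NO_OBJECT), data 0, "
              "best match of:\n''\n]; remaining name ''")
# Constructed samples (not from the thread).
PARTIAL_MATCH = ("[LDAP: error code 32 - 0000208D: NameErr: DSID-0310021B, problem 2001 "
                 "(NO_OBJECT), data 0, best match of:\n'DC=example,DC=com'\n]")
BIND_FAILURE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
                "AcceptSecurityContext error, data 52e, v1db1]")

def triage(message):
    """Return the decoded fields of an AD LDAP error plus a hint, or None."""
    m = AD_ERROR.search(message)
    if m is None:
        return None
    info = m.groupdict()
    info["code"] = int(info["code"])
    info["result"] = RESULT_CODES.get(info["code"], "other (see RFC 4511)")
    if info["code"] == 49:      # credentials problem: the sub-code says which one
        info["hint"] = AD_BIND_DATA.get(info["data"].lower(), "unlisted bind sub-code")
    elif info["code"] == 32:    # naming problem: the targeted DN does not exist
        if info["best_match"]:
            info["hint"] = "DN exists only up to '%s'" % info["best_match"]
        else:
            info["hint"] = "no existing ancestor reported; check the full search base DN"
    else:
        info["hint"] = "not a naming or bind failure"
    return info

if __name__ == "__main__":
    for sample in (PAGE_ERROR, PARTIAL_MATCH, BIND_FAILURE):
        print(triage(sample))
```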
JPMorgan Chase & Company
US
Hi,
Try to reset the user password in LDAP and re-authenticate. I hope this will resolve the issue.
Accenture Pte Ltd
SG
Hi SudhakarReddy, I have done that. The same error happens to all users in AD.
Pegasystems Inc.
IN
Have you created a model user? And have you enabled the Use ExternalAuthentication check box on the model user operator ID?
Attach the configuration doc to find the exact issue.
Updated: 22 Nov 2017 4:45 EST
Accenture Pte Ltd
SG
Hi Narasimha, do you mean creating operators? I have done that. I have created operators in the Organization Unit matching the attributes which I mapped in the LDAP configuration. The organizational chart was created by me manually though. Attached is the guide I followed, but not using OpenLDAP. I used Windows AD instead. Anything I missed out?
JPMorgan Chase & Company
US
Hi,
Have you followed the organisation structure in Windows AD while creating the operators? Please find below a screenshot of OpenLDAP.
My organisation structure in Pega is Org -> Demo, Division -> Div, Unit -> Unit
LDAP configuration screenshot:
Accenture Pte Ltd
SG
Hi SudhakarReddy, thanks for your reply. I have done that. Please see the screenshot below for reference.
In AD Attributes, I have manually input the o, l and ou attributes to match the mapping in Pega.
In Pega WebLDAP2 properties
Pega Organizational Chart
Any other thing which I missed out, or did any of the steps go wrong? Appreciate your kind assistance.
Accenture Pte Ltd
SG
The images don't seem to have uploaded successfully, please see attached for reference.
JPMorgan Chase & Company
US
Hi,
You are adding organisation attributes and unit attributes in AD manually; I hope this is causing the issue. I haven't configured this in AD but I am familiar with OpenLDAP. Please check whether there is any option to add organisation and organisation unit as below.
JPMorgan Chase & Company
US
And also please refer to the article below related to this issue.
https://confluence.atlassian.com/stashkb/ldap-error-code-32-659785640.html
JPMorgan Chase & Company
US
Hi,
I hope the issue is resolved. If you still need help, please find the attached document for your reference.
Virgin Media
GB
Hi All,
I'm experiencing an issue with this also. I have the LDAP authentication service configured and the test works just fine. When I attempt to log on with a Windows user that's been configured to be the same in Pega I get an error in the log:
External authentication will fail: Couldn't retrieve the Data-Admin-AuthService instance: WebStandardLDAP1
java.lang.Exception: Unable to open AuthService definition
So I did some digging and found SA-21646 https://pdn.pega.com/support-articles/exception-couldnt-retrieve-data-admin-authservice-instance
But having changed the AccessGroup associated with the Requestor Type:BROWSER which was PRPC:Unauthenticated I am still getting this error.
Can I also ask, what's the significance of the Custom Authentication Activity? It makes no difference if populated or not at this point.
Also, is there a more up-to-date document than this one: https://pdn.pega.com/documents/authentication-pegarules-process-commander-prpcv52 ? We are running 7.2 and that document is rather old and not quite relevant.
Thanks
Craig
Virgin Media
GB
Hi All,
I've now managed to get this working, needed to use an Access Group that was associated with a ruleset.
Anyways, I'm now trying to get this to work using a different attribute for the User Name than what is used in the search filter, whereby the search filter takes the user input on the login form (sAMAccountName=%V) and finds the username specified, but I want to use a different AD attribute for the Pega login name (pyUserIdentifier), so I specified employeeID in the "User name attribute" field. However it doesn't work and keeps returning the entered user name from the form.
How do I get it to recognise the employeeID returned attribute as the pyUserIdentifier field?
Thanks
Craig
Virgin Media
GB
UPDATE
Seems the activity AuthenticationLDAPWebVerifyCredentials doesn't even use the property pyUserNameAttribute and is therefore ignored.
Funny considering it has a description of "User Name attribute name from directory server." and the title when you hover over it says "This is the attribute name used to specify the user ID."
Seems this is a bug if you ask me.
Cheers
Craig
Pegasystems Inc.
US
Hi Greg,
I believe that is set in the Authentication Service Mappings tab; you can map the attribute to the property there. That is then iterated in the activity in the Java step 2 to get it on the clipboard....
Virgin Media
GB
Hi Jim,
Sorry but my name is Craig not Greg.
Anyways I have already tried this; .pyUserIdentifier is overwritten with param.UserIdentifier in step 3 and again in step 9. So no matter what is in the Service mapping for .pyUserIdentifier it is always getting overwritten with the form's user input.
The only way I can see to get this to work is to change the activity, which I am less inclined to do.
Cheers
Craig