Av 6.1 - LDAP maps configured but user gets 'login failed'

Hi all,

I have Avamar 6.1.0-333 installed and have configured LDAP maps to allow me to add administrators via AD groups rather than directly to Avamar (great improvement EMC!!)

Prior to the 6.1 upgrade my grid was configured with LDAP authentication and this worked without issue. I have since removed my 'custom defined' user from the Avamar system and am trying to authenticate via the LDAP map.

This is not working too well and I think I just need to understand the limitations of the Avamar LDAP system, for example:

     Can it work with both 'domain local' and 'global' security groups?

     Is there a limit to the number of groups it can enumerate from the user account (like a 'token size')?

     Are there any characters that are allowed in Windows group names that Avamar / Unix LDAP does not understand (e.g. '&')?

     Are there any shell commands I can use to troubleshoot this further, e.g. to see a list of the groups it 'is' enumerating?

If I can't get any luck on here I will raise an SR for official support.

Thanks all

0 Kudos
7 Replies
ionthegeek
4 Beryllium

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

I've brought your questions to the attention of the developers but we'd like to make sure standard process is followed so we get the answers documented appropriately along the way. Could you please open a service request for this and send me the SR# in a private message? You can send me a PM from my profile.

Thanks!

0 Kudos
hkniep
1 Copper

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

I am having the same issue.  Any update with this?

0 Kudos

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

Hi

To close the loop on this one, after much assistance from support and the dev team, the issue that causes this is being a member of 1 or more groups that do not have a certain attribute set in AD (I think 'SAMAccountName'), one example of this possibly being the 'Administrators' group.

To resolve, there is an official hotfix - 38439 which can be installed by the Avamar support team.

By all accounts this may be wrapped up in the SP1 software update as well but if you just want the fix, ask for the number above.

Also if you do update to a future version and this has not been included, the hotfix will need to be re-applied following the software update so be sure to mention it.

Have a good day, hope this helps.

ionthegeek
4 Beryllium

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

By all accounts this may be wrapped up in the SP1 software update as well but if you just want the fix, ask for the number above.

I can confirm that the fix was checked into the 6.1 SP1 branch.

0 Kudos
hkniep
1 Copper

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

Opened an SR and needed new avldap_win and user-authentication files.  Also need to add ldap.query.domain= domain into the ldap.properties file.

Thanks for all your help.

mtg82814
2 Bronze

Re: Av 6.1 - LDAP maps configured but user gets 'login failed'

We seem to be having this issue on SP1 as well.  Can you confirm this should be fixed or other steps that need to be done for users in multiple groups?

0 Kudos