Unsolved
Unable to connect OpenManage Enterprise to LDAP because the service is making an anonymous bind instead of using bind_dn
Hello,
I'm trying to connect our OpenManage Enterprise to our LDAP cluster (based on OpenLDAP) and I'm getting an error saying that the auth information is incorrect (spoiler, it is not).
After searching around in OpenManage's logs, I've found the following traces:
[WARN ] 2024-01-26 16:58:31.254 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] OMENetworkResolutionImpl - Entered resolveFQDNByResolveConf() - host name: example.com
[WARN ] 2024-01-26 16:58:31.714 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] OMENetworkResolutionImpl - List of IP addresses: [1.2.3.4]
[WARN ] 2024-01-26 16:58:31.714 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] OMENetworkResolutionImpl - Exiting getAllIPsByName()
[ERROR] 2024-01-26 16:58:31.746 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] DirectroyServerManagerImpl - Exception while getting bind DN - null, javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
[ERROR] 2024-01-26 16:58:31.808 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] BusinessMethodExecutor - Failure executing Business method:: com.dell.enterprise.core.business.ldapmgr.dirservice.DirectroyServerManagerImpl.testLDAPAccountProvider
[ERROR] 2024-01-26 16:58:31.808 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] BusinessMethodExecutor - null
[...] (java stack trace)
[ERROR] 2024-01-26 16:58:31.814 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] MCSIActionProcessor - javax.naming.AuthenticationNotSupportedException: [LDAP: error code 48 - anonymous bind disallowed]
[...] (java stack trace)
[ERROR] 2024-01-26 16:58:31.823 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] ADController - UIC - ADController.testAdConnections(): org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 401: "{"error":{"code":"Base.1.0.GeneralError","message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC5002","RelatedProperties":[],"Message":"Impossible de se connecter au serveur LDAP ou AD, car les informations dauthentification saisies ne sont pas valides.","MessageArgs":[],"Severity":"Critique","Resolution":"Vérifiez que la configuration d'entrée saisie pour le serveur est valide, puis réessayez."}]}}"org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 401: "{"error":{"code":"Base.1.0.GeneralError","message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC5002","RelatedProperties":[],"Message":"Impossible de se connecter au serveur LDAP ou AD, car les informations dauthentification saisies ne sont pas valides.","MessageArgs":[],"Severity":"Critique","Resolution":"Vérifiez que la configuration d'entrée saisie pour le serveur est valide, puis réessayez."}]}}"
[...] (java stack trace)
And indeed, in my LDAP logs I've found connection attempts from OpenManage's IP without a bind_dn.
It looks like the console either:
- does not use the value from the configuration
- is doing a first connection as anonymous to check if the bind_dn exists
For security reasons, we do not wish to enable anonymous bind on our cluster. How can we get the LDAP bind working with the provided bind_dn?
Regards,
Jean-François
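To make the "anonymous first connection" hypothesis above concrete, here is an added example (my own code, not from this post, from Dell or from OME): a small BER codec for LDAPv3 bind messages. bind_request() shows that an anonymous simple bind is literally an empty DN with an empty password, classify_bind() tells the simple-bind shapes apart when decoding a captured request (for instance from a packet capture on the LDAP server), and parse_bind_response() decodes the resultCode 48 reply; the server reply bytes are constructed to match the "anonymous bind disallowed" diagnostic, not captured from a real server.

```python
# Minimal BER codec for LDAPv3 bind PDUs (RFC 4511). Constructed example, no network I/O.
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}

def _ber_len(n):                      # short form below 128, else 0x8N followed by N length bytes
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos=0):            # -> (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: 0x8N, then N big-endian length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def _protocol_op(pdu, expect_tag):    # -> value of the LDAPMessage protocolOp, tag checked
    _, msg, _ = _read_tlv(pdu)
    _, _, pos = _read_tlv(msg)        # skip messageID
    tag, op, _ = _read_tlv(msg, pos)
    if tag != expect_tag:
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    return op

def bind_request(message_id, bind_dn, password):
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version 3, name, simple [0] pw}}."""
    body = _tlv(0x02, b"\x03") + _tlv(0x04, bind_dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, body))  # 1-byte messageID

def classify_bind(pdu):
    """'anonymous' (empty DN and password), 'unauthenticated' (DN, empty password), 'simple', 'sasl'."""
    op = _protocol_op(pdu, 0x60)
    _, _, pos = _read_tlv(op)                  # skip version
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    if auth_tag != 0x80:                       # [3] SaslCredentials
        return "sasl"
    return "simple" if cred else ("anonymous" if name == b"" else "unauthenticated")

def parse_bind_response(pdu):
    """-> (resultCode, symbolic name, diagnosticMessage) of a [APPLICATION 1] BindResponse."""
    op = _protocol_op(pdu, 0x61)
    _, code, pos = _read_tlv(op)               # resultCode ENUMERATED
    _, _, pos = _read_tlv(op, pos)             # matchedDN
    _, diag, _ = _read_tlv(op, pos)            # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_CODES.get(rc, "other"), diag.decode()

# Constructed capture: OpenLDAP with anonymous binds disallowed answering bind_request(1, "", "").
SERVER_REPLY_48 = b"\x30\x25\x02\x01\x01\x61\x20\x0a\x01\x30\x04\x00\x04\x19anonymous bind disallowed"
```

An unauthenticated bind (DN set, password empty) is what a client sends when it reads the bind DN but loses the password; servers treat it like an anonymous bind, so it is worth distinguishing from the fully empty request when reading captures.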
DELL-Chris H
Moderator
January 26th, 2024 21:16
Jean-Francois.GUILAUME
1 Rookie
January 29th, 2024 13:47
Hello,
I'm getting this error both on "Test connection" and when I try to import users from OpenLDAP.
I'm testing with both the bind_dn and my account.
Regards,
Jeff
DELL-Chris H
Moderator
January 29th, 2024 20:00
Jeff,
Sorry for the delay, but upon extensive testing we can't get it to fail in the way you have it. So there is something either uniquely broken with your appliance or there is a config thing separate from this that triggers it. So what I would recommend is that you call in to the OpenManage team, so that you can show them the issue, and they would have access to review the logs.
Yvan Vanrossomme
1 Rookie
July 9th, 2024 17:14
Hello,
Same issue here: https://www.dell.com/community/en/conversations/dell-openmanage-enterprise/unable-to-connect-ldap-without-allowing-anonymous-bind/64d4953bb52334366782912b
I contacted support, and the OME product team says that indeed the LDAP integration is not working when anonymous binding is disabled on the LDAP server.
The request to correct this issue has been added to their to-do list. But it's not gonna be for the next OME release.
Best regards,
Yvan.