IDPA:在停用 ACM LDAP 匿名查詢後,ACM 無法變更 UI 上的密碼
Summary: 在 IDPA 2.7.3 版或之前,按照 Dell 文章196092停用 ACM LDAP 匿名查詢後,ACM 在從 UI 變更密碼時回報錯誤「ACM Secure openLDAP-無法驗證 idpauser 使用者的連線」。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
在遵循 Dell 文章 196092, PowerProtect DP 系列裝置和 IDPA 之後:Appliance Configuration Manager 上允許 LDAP 匿名目錄存取,若要停用 ACM LDAP 匿名查詢,在嘗試從 UI 變更裝置密碼時,ACM 會回報錯誤「ACM Secure openLDAP-無法驗證 idpauser 使用者的連線」:
圖 1:DP 系列錯誤訊息的螢幕擷取畫面,無法驗證與 idpauser 使用者的連線
Cause
ACM server.log在密碼驗證期間顯示下列錯誤:
2023-05-01 06:59:28,768 INFO [https-openssl-apr-8543-exec-1]-util.SSHUtil: Remote command using SSH execution status: Host : [ACM IP] User : [root] Password : [**********] Command : [ldapsearch -x -b "dc=idpa,dc=local" -h <ACM FQDN> "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))"] STATUS : [48] 2023-05-01 06:59:28,768 INFO [https-openssl-apr-8543-exec-1]-util.SSHUtil: STDOUT : [ldap_bind: Inappropriate authentication (48)^M additional info: anonymous bind disallowed^M] 2023-05-01 06:59:28,769 INFO [https-openssl-apr-8543-exec-1]-util.SSHUtil: STDERR : [] 2023-05-01 06:59:28,769 ERROR [https-openssl-apr-8543-exec-1]-util.SSHUtil: Failed to executed remote command using SSH. 2023-05-01 06:59:28,769 ERROR [https-openssl-apr-8543-exec-1]-ldapintegration.LDAPIntegrationService: validatePosixGroup --> Failed to execute command - ldapsearch -x -b "dc=idpa,dc=local" -h <ACM FQDN> "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))" 2023-05-01 06:59:28,769 INFO [https-openssl-apr-8543-exec-1]-ldapintegration.LDAPIntegrationService: validatePosixGroup --> Failed to validate posix group name. com.emc.vcedpa.common.exception.ApplianceException: Failed to validate posix group.
2023-05-01 06:59:58,298 INFO [https-openssl-apr-8543-exec-1]-appliancecredentialsmanager.ApplianceCredentialsManager: ACM test connection is successful for root 2023-05-01 06:59:58,298 INFO [https-openssl-apr-8543-exec-1]-appliancecredentialsmanager.ApplianceCredentialsManager: Change password validation status: ApplianceCredentialsConnectionStatus [productCredentialsStatusList=[ProductCredentialsStatus [productName=ACM Secure OpenLDAP, failedCredentialsStatusList=[ACM Secure OpenLDAP - Failed to validate connection for idpauser user.], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Protection Storage, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Protection Software, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Data Protection Central, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Reporting & Analytics, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Search, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Hypervisor Manager, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Hypervisor, failedCredentialsStatusList=[], sameCredentialsStatusList=[]], ProductCredentialsStatus [productName=Appliance Configuration Manager, failedCredentialsStatusList=[], sameCredentialsStatusList=[]]], resultStatus=false, sameCredentialStatus=false]
server.log顯示嘗試執行命令時,LDAP 匿名查詢已停用:
acm-:/ # ldapsearch -x -b "dc=idpa,dc=local" -h <ACM FQDN> "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))"
ldap_bind: Inappropriate authentication (48)
additional info: anonymous bind disallowed
acm-: #
在目前的 ACM 變更裝置密碼工作流程中,在 IDPA 版本 2.7.3 或之前,會使用匿名 LDAP 查詢來驗證密碼。在 ACM 中停用 LDAP 匿名查詢時,密碼驗證會失敗。
已提交工程呈報,預計在即將推出的軟體版本中將提供永久解決方案。請遵循以下因應措施變更應用裝置密碼,直到有永久解決方案為止。
Resolution
因應措施:
請按照以下步驟在 ACM 中啟用匿名 LDAP 查找:
- 使用根使用者 SSH 連線至 ACM
- 前往「/etc/openldap」資料夾
cd /etc/openldap
- 使用下列命令建立「ldif」檔案:
vi ldap_enable_bind_anon.ldif
使用「i」進入 vi 插入模式,然後將以下內容粘貼到檔中:
dn: cn=config
changetype: modify
delete: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
- 儲存 檔案。按下鍵盤上的「Esc」以返回 vi 命令模式。按下「:wq!」以儲存檔案。
- 使用以下命令確認檔案內容:
cat ldap_enable_bind_anon.ldif
範例輸出:
acm:/etc/openldap # cat ldap_enable_bind_anon.ldif
dn: cn=config
changetype: modify
delete: olcDisallows
olcDisallows: bind_anon
dn: cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcRequires
olcRequires: authc
acm:/etc/openldap #
- 使用下列命令啟用匿名 LDAP 查詢:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_enable_bind_anon.ldif
範例輸出:
acm:/etc/openldap # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ldap_enable_bind_anon.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={-1}frontend,cn=config"
acm-:/etc/openldap #
- 重新啟動 LDPA 伺服器:
systemctl restart slapd
- 執行下列命令,以確認是否已啟用匿名 LDAP 查詢:
ldapsearch -x -b "dc=idpa,dc=local" -h <ACM FQDN> "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))" or ldapsearch -x -b "dc=idpa,dc=local" -h `hostname -f` "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))"
範例輸出:
acm:/etc/openldap # ldapsearch -x -b "dc=idpa,dc=local" -h `hostname -f` "(&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000))" # extended LDIF # # LDAPv3 # base <dc=idpa,dc=local> with scope subtree # filter: (&(objectClass=posixGroup)(cn=idpagroup)(gidNumber=1000)) # requesting: ALL # # idpagroup, Group, idpa.local dn: cn=idpagroup,ou=Group,dc=idpa,dc=local objectClass: top objectClass: posixGroup cn: idpagroup memberUid: idpauser gidNumber: 1000 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 acm:/etc/openldap #
- 登入 ACM UI,並再次變更裝置密碼。應可順利完成:
圖 2:DP 系列密碼變更進行中的螢幕擷取畫面
- 查看是否必須禁用 ACM 匿名 LDAP 查找。如果是,請依照 Dell 文章 196092,PowerProtect DP 系列裝置和 IDPA:在 Appliance Configuration Manager 上允許 LDAP 匿名目錄存取,以再次停用匿名查詢。
Affected Products
PowerProtect DP4400, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, Integrated Data Protection Appliance Software
, PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900
...
Article Properties
Article Number: 000212941
Article Type: Solution
Last Modified: 01 Aug 2025
Version: 5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.