Bug 1575831 - Retrieval of LDAP group failing after configuring IBM Directory Server as LDAP server
Summary: Retrieval of LDAP group failing after configuring IBM Directory Server as LD...
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.9.0
Hardware: All
OS: All
Target Milestone: GA
: 5.9.3
Assignee: Joe Vlcek
QA Contact: Matt Pusateri
Whiteboard: auth:miqldap
Depends On:
Reported: 2018-05-08 04:32 UTC by Neha Chugh
Modified: 2018-05-15 13:37 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-05-15 13:37:55 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:

Description Neha Chugh 2018-05-08 04:32:30 UTC
Description of problem:

LDAP group retrieval is failing without any exception after configuring IBM directory server as LDAP

Version-Release number of selected component (if applicable):
Cloudforms 4.6

How reproducible:
Always at customer's environment

Steps to Reproduce:

1. LDAP authentication in Settings > Authentication is tested to work fine; the Validate button says LDAP Settings validation was successful.

2. The issue is in Access Control > Groups > Add a new Group. When you do an LDAP Group lookup, enter a user to look up, then a system account username and password. When you hit Retrieve, nothing comes back: no group selection options, no error messages, nothing. If you hit Save and then go back into the group, it is empty, as if it were a generic internal group without LDAP.

Actual results:
LDAP Group retrieval is failing.

Expected results:
Group retrieval should be successful.

Additional info:

Comment 4 Joe Vlcek 2018-05-10 18:58:38 UTC
From the provided logs and ldapsearch output it appears that the memberOf
overlay, which is required for authentication "mode: LDAP", is not set up on
the LDAP server.

If the memberof overlay can not be configured converting to external
authentication would be a possible avenue to explore.
As stated in comment 3 doing this did not work:

    > http://manageiq.org/docs/reference/latest/auth/ldap
    Response: As previously tried, this does not work this is the same
    link as before.

Perhaps it would be good to explore why this did not work. 

In summary there are 2 options to pursue:
  1. Configure the memberof overlay. To prove it is correctly configured,
     the ldapsearch command should return lines that begin with "memberOf:"

    If the ldapsearch output is passed through " | grep -i memberof" you should see results:

    ldapsearch -x -H ldap://<LDAP server>:389 -LLL  -b "<your base dn>" -s sub -D "<your bind dn>" -w <your pw> | grep -i memberof

  2. Convert to external auth following these instructions:
     and diagnose why it did not work, as reported: 

I'd be glad to get on a video conf. call with the customer to help resolve this, 
if that can be arranged.
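
An added example (not part of this bug report or of the CloudForms code) that goes one step beyond the grep in comment 4: it parses the LDIF that `ldapsearch -LLL` prints and reports, per user entry, which memberOf values the overlay populated, so a user with an empty list is the one whose group retrieval will come back blank. The sample LDIF is constructed here and stands in for real ldapsearch output.

```python
"""Check ldapsearch -LLL (LDIF) output for memberOf attributes, entry by entry."""
import base64
import re

# Constructed sample of `ldapsearch -x -LLL ...` output (not from the bug report).
# alice has memberOf populated, bob does not; one value is folded across two lines.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
memberOf: cn=cfme-admins,ou=groups,dc=example,dc=com
memberOf: cn=cfme-ops,ou=groups,dc=exa
 mple,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob

dn: cn=cfme-admins,ou=groups,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}); handles folded lines and base64 (::) values."""
    entries = []
    # LDIF folding: a line that starts with a single space continues the previous line.
    unfolded = re.sub(r"\n ", "", text)
    for block in unfolded.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            entries.append((attrs["dn"][0], attrs))
    return entries


def memberof_report(text):
    """Map each user entry (one carrying a uid) to its memberOf DNs.
    An empty list means the overlay is not populating memberOf for that user,
    which is exactly what leaves the CloudForms group lookup empty."""
    return {dn: attrs.get("memberof", [])
            for dn, attrs in parse_ldif(text) if "uid" in attrs}


if __name__ == "__main__":
    for dn, groups in memberof_report(SAMPLE_LDIF).items():
        print(dn, "->", groups or "NO memberOf (overlay missing?)")
```

To run it against a real directory, feed the output of the ldapsearch command from comment 4 (without the grep) to `memberof_report` instead of `SAMPLE_LDIF`.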

Comment 5 Neha Chugh 2018-05-11 04:51:53 UTC
Thanks Joe for the update. I have passed this on to the customer and am waiting for their response; if required, I will arrange a remote session for further troubleshooting.

Neha Chugh
