LDAP, Build Account gets (Invalid user ID or password)


Boris Kivshar (8686) | asked Aug 09 '11, 11:09 p.m.
Hi Guys,
I need some assistance with troubleshooting my JAZZ setup, running all version 3.0.1 (JTS/CCM/RM/QM).

Initial Question:
How do I enable LDAP logging, so that when I log in via the WebUI it tells me success or failure, and possibly why? And in which of the dozens of log files would this be?

Problem Statement:
All general LDAP logins are fine, and are already configured with the 5x AD groups. I had our helpdesk create a build account with some limitations such as specific machine logon and no internet etc. Upon logging in via the WebUI I get "Invalid user ID or password".

Some facts:
- BuildAcc is within the AD with the JAZZ Users group.
- BuildAcc can login to all the JAZZ servers via RDP
- I can see in the logs that the BuildAcc gets synced nightly
- BuildAcc is visible from within JTS and has been imported and assigned licences within JTS User Administration
- BuildAcc seems to have all appropriate details filled in within the AD object (email, name etc)

My problem is very very similar to Alan's unresolved question here:
https://jazz.net/forums/viewtopic.php?t=10810

Any help in troubleshooting this issue will help me greatly!
Thanks
Boris

5 answers



Ralph Schoon (63.6k33646) | answered Aug 10 '11, 3:25 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Hi Boris, there are options for logging LDAP related issues in the log4j.properties file of each application. You can try to enable those in the conf/<application> folder of the application you are interested in. That would be CCM or JAZZ if you migrated from 2.x. The logging goes into a <application>.log on that server. In WAS it is going into the profiles folder; in Tomcat it is located in server/tomcat/logs.

More options to track this down could be provided by support if you open a PMR, or you could try to open a work item where the right people could look into it (please subscribe Alan from the other post if you create one).

Boris Kivshar (8686) | answered Aug 10 '11, 9:13 p.m.
Thanks for the reply.

I enabled the LDAP debugging within the log4j.properties file:
log4j.logger.com.ibm.team.repository.service.jts.internal.userregistry.ldap.LDAPUserRegistry=DEBUG


In both the CCM & JTS applications:
C:\IBM\JazzTeamServer_3.0.1\server\conf\jts\log4j.properties

C:\IBM\JazzTeamServer_3.0.1\server\conf\ccm\log4j.properties


After clearing all logs, and restarting, this is what I get:
- When I log in as myself no log entries appear
- When I attempt to log in as myself with an incorrect password I get "Invalid user ID or password.", and no log entries.
- When I attempt to log in with the Build account I get "Invalid user ID or password.", and no log entries.

The logs that I am referring to are:
C:\IBM\JazzTeamServer_3.0.1\server\logs\ccm.log

C:\IBM\JazzTeamServer_3.0.1\server\logs\jts.log



The only LDAP error I get, which I cannot work out, is below. However there is no indication that user authentication is not working anywhere else, and all other users are fine.

This is from
C:\IBM\JazzTeamServer_3.0.1\server\tomcat\logs\catalina.2011-08-11.log


11/08/2011 10:54:26 org.apache.catalina.realm.JNDIRealm authenticate

WARNING: Exception performing authentication
javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name 'DC={name4},DC={name3},DC={name2},DC={name1}'
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:383)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:353)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:336)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:259)
at org.apache.catalina.realm.JNDIRealm.getUserBySearch(JNDIRealm.java:1069)
at org.apache.catalina.realm.JNDIRealm.getUser(JNDIRealm.java:977)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:926)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:812)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:454)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:420)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:811)
Caused by: java.io.IOException: connection closed
at com.sun.jndi.ldap.LdapClient.ensureOpen(LdapClient.java:1590)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:536)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
... 23 more



I also found an old article: https://jazz.net/library/article/479/
I realized that the JAZZ Validation tool mentioned in it is for V2. I did try it but it did not work. Is there an updated version for V3? I could not find anything.

So, is there a way to enable even deeper ldap logging where it can output results on everything?

Alternatively, how do I create a PMR? I can create a WI, which ever is best...

Ralph Schoon (63.6k33646) | answered Aug 11 '11, 5:42 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Hi,

I am not sure, I am missing information about your environment. Since you mention RDP and the build user as you say can log in using RDP (Also over the web?) could this be an issue on the server?

The error message on the other hand seems to indicate that the user ID or password are not matching. Could it be an issue on the host or maybe based on case sensitivity?

You can create a work item any time. For a PMR you need to have support. You can create a PMR here: http://www-947.ibm.com/support/entry/portal/Open_service_request/Software/Rational/Rational_brand_support_%28general%29

Boris Kivshar (8686) | answered Aug 23 '11, 2:04 a.m.
I have found the problem in my configuration. Just thought I would share it for anyone else that might be experiencing the same thing.

Essentially the base LDAP logging within RTC/CCM did not really help. So I had my helpdesk AD guys investigate the logs on the regional controller and found the following error:

Logon Failure:
Reason: User not allowed to logon at this computer
User Name: <BuildAccount>
Domain: <Domain>
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: <DC>
Caller User Name: <DC>$
Caller Domain: <Domain>
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 440
Transited Services: -
Source Network Address: <IP>
Source Port: 62195


Please note: as originally stated, the helpdesk created a limited network account; the actual build account did not have appropriate permissions to login/authenticate into the domain controller.

After this was fixed my build account was able to login perfectly.
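The lesson of this thread is that the application server's evidence ("Invalid user ID or password" in the WebUI, a CommunicationException in catalina.log) does not localize the fault, while the domain controller's Security log does. As an added example (not code from the thread or from the Jazz product), here is a Python triage helper that parses a catalina-style JNDIRealm exception and a DC logon-failure record of the kind Boris posted, and says which side each one points at. It goes slightly beyond this thread: it also decodes the AD "data" sub-codes that appear when the directory rejects a bind itself (LDAP result 49), and a few other Security log reason strings, from general knowledge of Active Directory rather than from the page. The sample records are constructed from Boris's excerpts with his placeholders kept; the AuthenticationException line is constructed and does not appear on the page.

```python
"""Triage for "Invalid user ID or password" against an AD-backed Tomcat JNDIRealm.
Added example for this thread, not code from the thread or from the Jazz product.
Samples are constructed from the excerpts Boris posted, placeholders kept as-is."""
import re

# Constructed sample 1: catalina log excerpt as posted (stack trace trimmed).
CATALINA_SAMPLE = """\
11/08/2011 10:54:26 org.apache.catalina.realm.JNDIRealm authenticate
WARNING: Exception performing authentication
javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name 'DC={name4},DC={name3},DC={name2},DC={name1}'
\tat org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:926)
Caused by: java.io.IOException: connection closed
\tat com.sun.jndi.ldap.LdapClient.ensureOpen(LdapClient.java:1590)
"""
# Constructed sample 2 (not on the page): what AD returns when it rejects the
# bind itself: LDAP result 49 plus an AD-specific "data" sub-code.
AUTH_SAMPLE = ("javax.naming.AuthenticationException: [LDAP: error code 49 - "
               "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 531, v1db1]")
# Constructed sample 3: DC Security log logon-failure record as posted (trimmed).
DC_SAMPLE = """\
Logon Failure:
Reason: User not allowed to logon at this computer
User Name: <BuildAccount>
Domain: <Domain>
Logon Type: 3
Workstation Name: <DC>
Caller User Name: <DC>$
Source Network Address: <IP>
"""
# AD sub-codes carried as "data NNN" in an LDAP result-49 message.
AD_DATA_CODES = {"525": "user not found", "52e": "invalid credentials",
                 "530": "not permitted to logon at this time",
                 "531": "not permitted to logon at this workstation",
                 "532": "password expired", "533": "account disabled",
                 "701": "account expired", "773": "user must reset password",
                 "775": "account locked out"}
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service",
               "8": "network cleartext", "10": "remote interactive"}
# Security log reason strings and what each implies for the account.
REASON_HINTS = {
    "User not allowed to logon at this computer":
        "workstation restriction: the account's allowed-workstations list lacks the "
        "host that processed the logon (for an LDAP bind, that is the DC itself)",
    "Unknown user name or bad password": "wrong user name or password",
    "Account currently disabled": "account disabled",
    "Account logon time restriction violation": "logon-hours restriction"}
# First javax.naming exception line: class, message, optional root cause and
# optional "remaining name" (the search base the realm was querying).
EXC_RE = re.compile(r"^(javax\.naming\.\w+):\s*(.*?)"
                    r"(?:\s*\[Root exception is ([^\]]+)\])?"
                    r"(?:;\s*remaining name '([^']*)')?\s*$", re.M)

def parse_jndi_exception(log_text):
    """Return the first javax.naming exception in a catalina-style log, or None."""
    m = EXC_RE.search(log_text)
    if not m:
        return None
    cls, msg, root, remaining = m.groups()
    data = re.search(r"\bdata (\w+)", msg)
    return {"exception": cls, "message": msg.strip(), "root_cause": root,
            "remaining_name": remaining, "ad_data_code": data.group(1) if data else None}

def classify_jndi(exc):
    """Say which side of the exchange the application-server evidence points at."""
    if exc is None:
        return "no realm exception: the directory answered; check its own logs"
    cls = exc["exception"].rsplit(".", 1)[-1]
    if cls in ("CommunicationException", "ServiceUnavailableException"):
        return "connectivity: the LDAP connection dropped; not a credential verdict"
    if cls == "AuthenticationException":
        return "credentials/account: " + AD_DATA_CODES.get(exc["ad_data_code"], "see directory logs")
    return "other: " + cls

def parse_logon_failure(event_text):
    """Turn a 'Key: Value' Security log record into a dict (empty values dropped)."""
    fields = {}
    for line in event_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def diagnose_logon_failure(fields):
    """Explain a parsed logon-failure record: who, how, where, and why it failed."""
    reason = fields.get("Reason", "")
    return {"user": fields.get("User Name"), "reason": reason,
            "logon_type": LOGON_TYPES.get(fields.get("Logon Type", ""), "unknown"),
            "workstation": fields.get("Workstation Name"),
            "hint": REASON_HINTS.get(reason, "see reason text")}

def triage(catalina_text, dc_event_text):
    """Correlate the application-server view with the domain-controller view."""
    return {"app_server": classify_jndi(parse_jndi_exception(catalina_text)),
            "domain_controller": diagnose_logon_failure(parse_logon_failure(dc_event_text))}
```

Run against the two samples, `triage(CATALINA_SAMPLE, DC_SAMPLE)` reports the application-server side as a dropped LDAP connection (no credential verdict at all) and the DC side as a workstation restriction on a network (type 3) logon processed by the DC itself, which is the condition Boris's helpdesk corrected. When AD does reject the bind, the `data` sub-code in the AuthenticationException message already names the reason, so the catalina log alone is enough in that case.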

Ralph Schoon (63.6k33646) | answered Aug 23 '11, 3:08 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Thanks for sharing Boris!
