LDAP in Agile 932

We have an Active Directory User Group called “All Employees”. The members of this group are individual employees. But we don’t add temp workers or other 3rd party users to this group. In Agile 932, the LDAP config (and Weblogic) have been working fine using the “All Employees” group. But now, we want to change it. We created a new AD group called “Agile LDAP Users”. Inside this group there are only 2 members, and each member is itself a group, “All Employees” and “Contractors”. I updated the Group Path and Group Filter in the Agile LDAP settings and also in Weblogic, restarted the server, and gave it a test. When in the Java client > Users, and I click on the refresh LDAP users button, it says “Synchronized Agile database with the directory server successfully.  Created 0 new users, update 0 existing users.”. I know it should have created some users. Is having groups within a group the problem? Does Agile expect all members in the User Group to be individual people?

Agile Talent Asked on February 15, 2018 in Agile PLM (v9), Product Collaboration.

I think the LDAP settings in Agile and Weblogic may need to be defined differently. Like the group filter should be something other than (CN=Agile LDAP Users). Suggestions welcome.

on February 15, 2018.
3 Answer(s)

I was able to resolve this and got it to work. I made some changes to the LDAP search criteria, both in Agile and in WebLogic settings.

Group Path: OU=Groups,DC=corp,DC=mycompany,DC=com
Group Scope: SUB_TREE
Group Filter: (|(CN=All Employees)(CN=Agile Vendor Users)(CN=Contractors))

The “|” pipe symbol in the Group Filter is an “or”.  CN means Common Name.

Agile Talent Answered on February 15, 2018.

I said I resolved this issue. But not entirely. When I press the LDAP sync button on the Users screen from the Agile Java client, it did pull in and create users from all 3 groups. However, when I try to log in to the web client, I think the authentication goes through Weblogic. It tells me invalid user or password. So, now I am wondering what is wrong. Could it be the SecurityRealm LDAP settings in Weblogic? Here are the 3 AD User Groups that I want. Notice they are all in different sub-levels, under the OU=Groups level. Any ideas out there on how to configure this?

distinguishedName: CN=All Employees,OU=Test,OU=Groups,DC=corp,DC=mydomain,DC=com
distinguishedName: CN=Contractors,OU=Managed-Scripted,OU=Distribution Groups,OU=Groups,DC=corp,DC=mydomain,DC=com
distinguishedName: CN=Agile Vendor Users,OU=Security,OU=Groups,DC=corp,DC=mydomain,DC=com

Agile Talent Answered on February 16, 2018.

Okay, here is an update. I seem to have got it working now. I went into Weblogic and included that “or” filter in both Group filters. Now it accepts my LDAP credentials when I login to Agile. Here are the settings in Weblogic (sensitive company info was replaced with “mydomain”).

WebLogic > Security Realm > “nameofrealm” > Providers > “nameofprovider” > Provider Specific

Connection

Host: ldapcorp.mydomain.com (note: do not put ldap:// in front of host)
Port: 389
Principal: agileldap@corp.mydomain.com
Credential: whatever the pwd is
Confirm Credential: whatever the pwd is
[ ] SSLEnabled

Users

User Base DN: DC=corp,DC=mydomain,DC=com
All Users Filter: (objectclass=user)
User From Name Filter:
User Search Scope: subtree
User Name Attribute: sAMAccountName
User Object Class: user
[ ] Use Retrieved User Name as Principal

Groups

Group Base DN: OU=Groups,DC=corp,DC=mydomain,DC=com
All Groups Filter: (|(CN=All Employees)(CN=Agile Vendor Users)(CN=Contractors))
Group From Name Filter: (|(CN=All Employees)(CN=Agile Vendor Users)(CN=Contractors))
Group Search Scope: subtree
Group Membership Searching: unlimited
Max Group Membership Search Level: 0
[ ] Ignore Duplicate Membership (not checked)
[ ] Use Token Groups For Group Membership Lookup

Static Groups

Static Group Name Attribute: cn
Static Group Object Class: group
Static Member DN Attribute: member
Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))

Dynamic Groups

<all fields left blank>

General

Connection Pool Size: 6
Connect Timeout: 0
Connection Retry Limit: 1
Parallel Connect Delay: 0
Results Time Limit: 0
[ ] Keep Alive Enabled
[x] Follow Referrals
[ ] Bind Anonymously On Referrals
[ ] Propagate Cause For Login Exception
[x] Cached Enabled
Cache Size: 32
Cache TTL: 60
GUID Attribute: objectid

Agile Talent Answered on February 16, 2018.
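As an added illustration (my own code, not from the post and not Agile or WebLogic code), here is a small Python model of the three groups with a minimal LDAP filter evaluator: it shows the nested “Agile LDAP Users” group yielding zero users when membership is resolved only one level deep, the “|” filter selecting all leaf groups at once, and the `%M` substitution used by the Static Group DNs from Member DN Filter. The user entries (alice, bob) and their OUs are constructed assumptions, as is the group-of-groups layout from the question.

```python
# Added example (not from the post): an in-memory model of the AD layout above plus
# a minimal LDAP filter evaluator; every entry and user here is constructed sample data.
BASE = "DC=corp,DC=mydomain,DC=com"
GROUP_BASE = "OU=Groups," + BASE
ALL_EMP = "CN=All Employees,OU=Test," + GROUP_BASE
CONTRACT = "CN=Contractors,OU=Managed-Scripted,OU=Distribution Groups," + GROUP_BASE
NESTED = "CN=Agile LDAP Users," + GROUP_BASE          # the group-of-groups from the question
ALICE, BOB = "CN=alice,OU=Staff," + BASE, "CN=bob,OU=Temps," + BASE
DIRECTORY = {
    ALL_EMP: {"objectclass": "group", "cn": "All Employees", "member": [ALICE]},
    CONTRACT: {"objectclass": "group", "cn": "Contractors", "member": [BOB]},
    NESTED: {"objectclass": "group", "cn": "Agile LDAP Users", "member": [ALL_EMP, CONTRACT]},
    ALICE: {"objectclass": "user", "samaccountname": "alice"},
    BOB: {"objectclass": "user", "samaccountname": "bob"},
}

def parse(f, i=0):  # RFC 4515 style filter -> tree: ('&'|'|', kids) or ('=', attr, value)
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step past the closing ")"
    j = f.index(")", i)
    attr, val = f[i + 1:j].split("=", 1)
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    vals = entry.get(node[1], [])
    vals = vals if isinstance(vals, list) else [vals]
    return node[2] in [v.lower() for v in vals]  # AD compares values case-insensitively

def search(filt, base):  # subtree search: entries under base that match the filter
    node, _ = parse(filt)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(node, e)]

def users_in_groups(group_dns, nested):  # nested=True follows group-in-group membership
    users, seen, stack = set(), set(), list(group_dns)
    while stack:
        dn = stack.pop()
        seen.add(dn)
        for m in DIRECTORY[dn].get("member", []):
            if DIRECTORY[m]["objectclass"] == "user":
                users.add(m)
            elif nested and m not in seen:
                stack.append(m)
    return sorted(users)
```

With `nested=False` the “Agile LDAP Users” group resolves to no users at all (the “Created 0 new users” result), while the “|” filter over the leaf groups finds alice and bob without any nesting.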
