
CUCM 10.5.2, CCMAadmin Login with LDAP problem

Hello everybody

I have a small but important problem...

We have a CUCM Cluster with Version 10.5.2.12901-1. I did the last SU2a Update so before we were using Version 10.5.2.10000-5.

We have two LDAP Directories. The first for all Admins and the second one for Standard End User. Before I did the SU1a Update, we could Login to the CCMAdmin Page with our AD User and Password. Since I have updated the CUCM, it doesn't work anymore.

We didn't change anything about certificates or something else. Just installed the new version, that's all.

Has somebody an idea? Any suggestions?

Thank you.

Have a good time.

Regards,

Pascal


Jaime Valencia
Cisco Employee

What's the exact error??

If you change the config does it say it can connect??

FYI, this forum is for Jabber related questions, not general CUCM questions, you might want to move this.

HTH

java

if this helps, please rate

Hello Jaime

That's the error message:

Log on failed - Invalid User ID or Password

 

We have 3 AD Server and I just configured two in our Test Environment. If I change something in "LDAP Authentication", it's ok. => Update successful.

If I change one IP in LDAP Directory and save the config => it works. I also can start the Sync Process as well.

When I try the Self Service Portal, then the Error is: An LDAP error has occurred. Contact your system administrator.

What I don't understand is that, apparently, I can sync with the LDAP, but the Login for Admin and User doesn't work.

Yes please move it. Sorry.

Regards,

Pascal

 

It's YOUR thread, YOU need to move it, I can't do that.

Try bouncing the LDAP service, if that still doesn't work, then look at LDAP traces to find out what's wrong and have more info.

HTH

java

if this helps, please rate

Yes, of course...sorry.

I did a restart of DirSync already twice. Also a complete reboot of the Publisher and even the whole Cluster...nothing helps.

How can I get those traces? Where do I have to look?

Thanks for your help.

Same as CUCM traces, simply this time for the DirSync service.

HTH

java

if this helps, please rate

I can delete User and ReSync and they appear again. The Sync with the LDAP Directory seems to work but when I want to Login, that doesn't work.

Traces from RTMT:

2015-10-13 15:45:45,916 ERROR [DSLDAPSyncImpl(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:883) - LDAPSync(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)[checkLDAP] Failed to check LDAP - javax.naming.InterruptedNamingException: Interrupted during LDAP operation
2015-10-13 15:45:45,933 ERROR [DSLDAPSyncImpl(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:884) - LDAPSync(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)[checkLDAP] javax.naming.InterruptedNamingException: Interrupted during LDAP operation
MESSAGE Interrupted during LDAP operation
com.sun.jndi.ldap.Connection.readReply(Connection.java:476)
com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:364)
com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
javax.naming.InitialContext.init(InitialContext.java:242)
javax.naming.InitialContext.<init>(InitialContext.java:216)
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.makeConnection(DSLDAPSyncImpl.java:1064)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.checkLDAP(DSLDAPSyncImpl.java:763)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:368)

2015-10-13 15:45:45,935 ERROR [DSLDAPSyncImpl(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:669) - LDAPSync(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)[Run] javax.naming.InterruptedNamingException: Interrupted during LDAP operation
MESSAGE Interrupted during LDAP operation
com.sun.jndi.ldap.Connection.readReply(Connection.java:476)
com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:364)
com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
javax.naming.InitialContext.init(InitialContext.java:242)
javax.naming.InitialContext.<init>(InitialContext.java:216)
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.makeConnection(DSLDAPSyncImpl.java:1064)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.checkLDAP(DSLDAPSyncImpl.java:763)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:368)

2015-10-13 15:45:46,446 ERROR [DSLDAPSyncImpl(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1663) - LDAPSync(aaccd709-cd11-a005-c6cf-7cc2e1f895aa)[searchInternalExact] com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'dc=mydomain,dc=com'
MESSAGE Continuation Reference
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:351)
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:226)
com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:189)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact(DSLDAPSyncImpl.java:1644)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:1233)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:406)

2015-10-13 15:45:46,503 ERROR [DSLDAPSyncImpl(f18b8896-3389-08d5-27a4-136f98a339b7)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:1663) - LDAPSync(f18b8896-3389-08d5-27a4-136f98a339b7)[searchInternalExact] com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'dc=mydomain,dc=com'
MESSAGE Continuation Reference
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreReferrals(LdapNamingEnumeration.java:351)
com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:226)
com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:189)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact(DSLDAPSyncImpl.java:1644)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:1233)
com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:406)

2015-10-13 15:46:45,905 ERROR [DirSync-DBInterface] common.DSDBInterface (DSDBInterface.java:530) - DSDBInterface.updateUserInfo LDAP data discarded: Missing LDAP attribute: Attribute Count=4 AgreementId=f18b8896-3389-08d5-27a4-136f98a339b7
[userid, firstname, uniqueidentifier, discoveryuseridentity]

 

Hello Jaime

Some news from my side...

I did a switch version, back to the previous version, and with this version the LDAP Login still works.

After that, I updated the System with SU1 and it works as well. Then I tried the SU2 update and now it doesn't work.

I guess there must be a change or something...it's strange.

Maybe you have now another idea where the problem could be.

Thank you for your help.

Kind regards,

Pascal

I have 10.5.2.12901-1 working in my lab just fine, I suggest you also take a look at your LDAP, or open a TAC for further assistance.

I couldn't find this to be a common issue

HTH

java

if this helps, please rate

Did you have just one IP configured for the LDAP configuration or do you have two or more IPs entered for the LDAP servers?

I just found the following Bug: CSCuu57807

Next step is to check if all LDAP servers are still available. I have to contact other people to get this information.

Thank you for your big effort to help me.

Kind regards,

Pascal

I only have one LDAP in my lab, that bug won't affect me, but that bug says it should only fail if you actually failover, is that your scenario??

HTH

java

if this helps, please rate

Hello Jaime

Problem, more or less, resolved.

We had our CUCM configured with the IP Address and not with the Name with FQDN. The Point is that in the Original 10.5.2 Version, as well as in the SU1 Update, there is a Security Bug (CSCun63825).

To resolve the "issue", until we will install Jabber, we entered the following command: utils ldap config ipaddr

Our certificates are done with the IP and not with the name. Of course, we will change all this later, when we start to configure the system for Jabber.

I guess your config in your Lab was with servernames and not with the IPs.

Thank you very much for your help and I wish you a nice weekend.

Best regards,

Pascal
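
The last post relates the login failure to how the LDAP servers are entered in CUCM (IP address or FQDN) and to what the certificates were issued for. The following is an added example, not from the thread or from Cisco: it checks whether a configured server entry is an identity the server certificate carries, assuming certificate data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; all addresses, host names and function names are constructed.

```python
import ipaddress

def cert_identities(cert):
    """Split a getpeercert()-style dict into (DNS names, IP addresses)."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    if not dns and not ips:
        # Legacy certificates without SAN: fall back to the subject CN.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    try:
                        ips.add(ipaddress.ip_address(value))
                    except ValueError:
                        dns.add(value.lower().rstrip("."))
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def entry_matches(configured, cert):
    """True if the configured server entry is an identity the certificate carries."""
    dns, ips = cert_identities(cert)
    try:
        return ipaddress.ip_address(configured) in ips
    except ValueError:
        # Not an IP literal, so compare it as a host name.
        host = configured.lower().rstrip(".")
        return any(dns_match(p, host) for p in dns)

def audit(entries):
    """Return the configured entries whose certificate does not cover them."""
    return [addr for addr, cert in entries if not entry_matches(addr, cert)]

# Constructed sample data (documentation address range, made-up host names).
CERT_BY_IP = {"subject": ((("commonName", "192.0.2.10"),),)}
CERT_BY_NAME = {"subject": ((("commonName", "dc02.example.test"),),),
                "subjectAltName": (("DNS", "dc02.example.test"),)}
ENTRIES = [("192.0.2.10", CERT_BY_IP), ("dc01.example.test", CERT_BY_IP),
           ("192.0.2.11", CERT_BY_NAME), ("dc02.example.test", CERT_BY_NAME)]

if __name__ == "__main__":
    print(audit(ENTRIES))
```

Entries reported by `audit` are the ones where the configured form (IP or name) is not what the certificate was issued for.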