Troubleshooting Hybrid User Management - LDAP authentication

Problem: After upgrading UCMDB from version 10.30 (or earlier) to 10.31 (or later), LDAP authentication fails and users cannot log in to UCMDB. For example, consider the following scenario:

  • You had UCMDB version 10.30 (or earlier)
  • You configured an LDAP server, and users log in to the UCMDB UI with multiple LDAP accounts
  • You upgraded UCMDB to version 11.0

Cause: As part of Hybrid User Management, each user is assigned a repository (UCMDB or a configured LDAP repository). If there are connection issues with the LDAP server during the upgrade, the existing LDAP users that were already synchronized to UCMDB cannot be authenticated on that LDAP repository. As a result, those users are assigned to the UCMDB repository.

To check whether this is the case in your environment, in the UCMDB UI go to Security > Users and Groups and check the existing users in the Users tab. All users are listed there with their corresponding repositories. If the repository set for an external user is UCMDB instead of the corresponding LDAP server repository, then there was a connection error to the LDAP server when the upgrade was performed.

Solution: In this case, the users can no longer log in to the UCMDB UI by using only the username. To fix the issue, do either of the following:

  • Perform the login by specifying the repository at login time.

    For details, see How the hybrid user management authentication mechanism works (check the “The repository is specified as an email address or Windows domain user” section).

    In this way, the user is authenticated against the specified repository, not against the UCMDB repository. As a result, UCMDB will contain two users with the same username but on different repositories: the one on the UCMDB repository, which cannot log in, and the one on the LDAP repository, which can log in when the repository is also entered at login time.

  • Delete from the database all the external users that were wrongly associated with the UCMDB repository during the upgrade.

    An example of an SQL statement that selects the users who should be deleted is:

    select * from urm_resources where type='Auth_USER' and resource_id like '%###UCMDB' and text_data like '%isExternal="true"%'

    After these users are deleted, login works properly and the users are re-synchronized to UCMDB.

    Note: There could be other external users synchronized to UCMDB that are not LDAP-related, so double-check which external users you delete.
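
The double check from the note above, as an added example that is not part of the product documentation: it runs the page's SELECT against a constructed in-memory SQLite table and deletes only the candidates whose username appears in a reviewed list of LDAP accounts. The `username###repository` layout of `resource_id` (inferred from the page's LIKE pattern), the `text_data` contents, the sample rows and all function names are assumptions for illustration.

```python
import sqlite3

# The page's selection predicate, unchanged (only the column list is narrowed).
CANDIDATES_SQL = (
    "select resource_id from urm_resources "
    "where type='Auth_USER' and resource_id like '%###UCMDB' "
    "and text_data like '%isExternal=\"true\"%'"
)

def build_sample_db():
    """In-memory stand-in for the UCMDB schema; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("create table urm_resources (resource_id text, type text, text_data text)")
    db.executemany("insert into urm_resources values (?, ?, ?)", [
        ("alice###UCMDB", "Auth_USER", '<user isExternal="true"/>'),    # LDAP user, wrong repository
        ("bob###UCMDB", "Auth_USER", '<user isExternal="true"/>'),      # LDAP user, wrong repository
        ("svc_ext###UCMDB", "Auth_USER", '<user isExternal="true"/>'),  # external, but not from LDAP
        ("admin###UCMDB", "Auth_USER", '<user isExternal="false"/>'),   # internal UCMDB user
        ("alice###ldap1", "Auth_USER", '<user isExternal="true"/>'),    # already on the LDAP repository
    ])
    db.commit()
    return db

def plan_cleanup(db, ldap_usernames):
    """Split the page's candidates into rows to delete and rows left for manual review."""
    to_delete, to_review = [], []
    for (resource_id,) in db.execute(CANDIDATES_SQL):
        # Assumed layout: username###repository
        username = resource_id.rsplit("###", 1)[0]
        (to_delete if username in ldap_usernames else to_review).append(resource_id)
    return sorted(to_delete), sorted(to_review)

def delete_confirmed(db, resource_ids):
    """Delete only the confirmed rows in one transaction; return the number of rows removed."""
    with db:  # commits on success, rolls back on any exception
        cur = db.executemany(
            "delete from urm_resources where type='Auth_USER' and resource_id=?",
            [(rid,) for rid in resource_ids],
        )
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    to_delete, to_review = plan_cleanup(db, {"alice", "bob"})  # reviewed LDAP account names
    print("delete:", to_delete)
    print("keep for review:", to_review)
    print("rows removed:", delete_confirmed(db, to_delete))
```

On a real UCMDB database the same review applies: run the page's SELECT first, compare the result with the LDAP account list, and delete by explicit `resource_id`.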