Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM not Retrieving Authorization Attributes for Some Users

  • 1.  CPPM not Retrieving Authorization Attributes for Some Users

    Posted Aug 13, 2013 02:30 PM

    I am having a problem with an install where CPPM only retrieves attributes from some AD users, with no rhyme or reason that we can find. The bind account appears to have all the correct permissions. The accounts we are having problems with are in various OUs.

     

    These are some of the messages we are seeing in Access Tracker.

     

    2013-08-13 13:49:55,496[RequestHandler-1-0x7f7519bed700 h=42252 c=R0000099b-01-520a71c3] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{Onboard memberOf}), error=No values for param=Onboard memberOf
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{Onboard memberOf})
    2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, HostName, OSServicePack, Onboard Groups, OperatingSystem, memberOf]


  • 2.  RE: CPPM not Retrieving Authorization Attributes for Some Users

    Posted Aug 13, 2013 11:09 PM

    We have found that by giving the account higher privileges in AD, it can now read the attributes. I have not had to do this in the past with the bind account. Also, the "Effective Permissions" tab of each user in AD shows the bind user to have read access to all attributes already.

     

    We'll continue to check permissions, but I think that is the root issue here. 



  • 3.  RE: CPPM not Retrieving Authorization Attributes for Some Users

    Posted Mar 05, 2014 05:39 PM

    I'm seeing the same in our logs. We have a handful of users that are seeing the same issue. Did you need to do more than use an elevated account?



  • 4.  RE: CPPM not Retrieving Authorization Attributes for Some Users

    EMPLOYEE
    Posted Mar 05, 2014 05:41 PM

    We had this issue with some legacy accounts where read rights were removed for regular users. Check your bind account on a specific user to see if it has permission to read attributes.



  • 5.  RE: CPPM not Retrieving Authorization Attributes for Some Users

    Posted May 06, 2016 06:45 AM

    Can you explain what exact permissions the bind account needs?

     

    Thanks,

    Christian



  • 6.  RE: CPPM not Retrieving Authorization Attributes for Some Users

    EMPLOYEE
    Posted May 06, 2016 07:27 AM
    The bind account needs basic domain user permissions.
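
An added example, not part of any post in this thread and not Aruba's own tooling: a small parser that groups Access Tracker warnings in the format quoted in the first post by request ID, then lists which attributes came back empty for an affected user's request but not for an unaffected one. The second request in the sample (R0000099c-01-520a71c4) is constructed for comparison, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the Access Tracker format quoted in the first post.
# Request R0000099b-... reuses warnings from that post; R0000099c-... is a
# made-up request for a user whose group attributes were returned.
SAMPLE = """\
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, HostName, OSServicePack, Onboard Groups, OperatingSystem, memberOf]
2013-08-13 13:50:02,101[AuthReqThreadPool-6-0x7f7522da9700 r=R0000099c-01-520a71c4 h=23] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
2013-08-13 13:50:02,101[AuthReqThreadPool-6-0x7f7522da9700 r=R0000099c-01-520a71c4 h=23] WARN Ldap.LdapQuery - Failed to get value for attributes=HostName, OSServicePack, OperatingSystem]
"""

REQ_ID = re.compile(r"\b[rc]=(R[0-9a-fA-F]+-\d+-[0-9a-fA-F]+)")
MISSING_PARAM = re.compile(r"Failed to replace parameString =(.+), error=No values for param=(.+)$")
MISSING_ATTRS = re.compile(r"Failed to get value for attributes=(.+?)\]?$")


def summarize(log_text):
    """Group warnings by request ID: unfilled filter parameters and empty attributes."""
    requests = defaultdict(lambda: {"params": {}, "attributes": []})
    for raw in log_text.splitlines():
        line = raw.strip()
        req = REQ_ID.search(line)
        if not req:
            continue  # not a per-request log line
        entry = requests[req.group(1)]
        param = MISSING_PARAM.search(line)
        attrs = MISSING_ATTRS.search(line)
        if param:
            # map the parameter that had no value to the filter that needed it
            entry["params"][param.group(2)] = param.group(1)
        elif attrs:
            entry["attributes"] = [a.strip() for a in attrs.group(1).split(",")]
    return dict(requests)


def missing_only_in(summary, failing_id, working_id):
    """Attributes empty for the failing request but not reported empty for the working one."""
    working = set(summary[working_id]["attributes"])
    return [a for a in summary[failing_id]["attributes"] if a not in working]


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(missing_only_in(s, "R0000099b-01-520a71c3", "R0000099c-01-520a71c4"))
```

Feeding it the exported warnings for one affected and one unaffected user narrows the bind-account permission check to the attributes that differ between the two requests.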