Aruba
Posts: 1,635
Registered: ‎04-13-2009

CPPM not Retrieving Authorization Attributes for Some Users

I am having a problem with an install where CPPM only retrieves attributes from some AD users, no rhyme or reason that we can find.  Bind account appears to have all correct permissions.   The accounts we are having problems with are in various OUs.    

 

These are some of the messages we are seeing in Access Tracker.

 

2013-08-13 13:49:55,496[RequestHandler-1-0x7f7519bed700 h=42252 c=R0000099b-01-520a71c3] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{memberOf})
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Host:Name}$)(objectClass=computer))
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Onboard:Owner})(objectClass=user)), error=No values for param=Onboard:Owner
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(&(sAMAccountName=%{Onboard:Owner})(objectClass=user))
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{Onboard memberOf}), error=No values for param=Onboard memberOf
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - execute: Failed to construct filter=(distinguishedName=%{Onboard memberOf})
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, HostName, OSServicePack, Onboard Groups, OperatingSystem, memberOf]
------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
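A triage helper for warnings in the format quoted above, added here as an example (not part of the original post and not ClearPass code): it groups unresolved filter parameters and unfetched attributes by request id, so logins that lose `memberOf` can be separated from the rest. The sample lines are constructed from the format above, and the second request id is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the first request follows the lines quoted in the post
# (attribute list shortened); the second request id is made up for contrast.
SAMPLE_LOG = """\
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(distinguishedName=%{memberOf}), error=No values for param=memberOf
2013-08-13 13:49:55,497[AuthReqThreadPool-5-0x7f7522da9700 r=R0000099b-01-520a71c3 h=22] WARN Ldap.LdapQuery - Failed to get value for attributes=Groups, HostName, memberOf]
2013-08-13 13:50:02,101[AuthReqThreadPool-6-0x7f7522da9700 r=R0000099c-01-520a71ca h=23] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =(&(sAMAccountName=%{Host:Name}$)(objectClass=computer)), error=No values for param=Host:Name
"""

REQ_ID = re.compile(r"\br=(\S+)")
NO_PARAM = re.compile(r"error=No values for param=(.+?)\s*$")
NO_ATTRS = re.compile(r"Failed to get value for attributes=(.+?)\]?\s*$")


def summarize(log_text):
    """Group unresolved filter parameters and unfetched attributes by request id."""
    out = defaultdict(lambda: {"unresolved": [], "missing": []})
    for line in log_text.splitlines():
        req = REQ_ID.search(line)
        if not req:
            continue  # e.g. RequestHandler lines carry c=..., not r=...
        entry = out[req.group(1)]
        if (m := NO_PARAM.search(line)):
            entry["unresolved"].append(m.group(1))
        elif (m := NO_ATTRS.search(line)):
            entry["missing"].extend(a.strip() for a in m.group(1).split(","))
    return dict(out)


def requests_missing(summary, attribute):
    """Request ids whose LDAP lookup returned no value for `attribute`."""
    return sorted(r for r, e in summary.items() if attribute in e["missing"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for req, entry in summary.items():
        print(req, entry)
    print("no memberOf:", requests_missing(summary, "memberOf"))
```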

Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: CPPM not Retrieving Authorization Attributes for Some Users

We have found that by giving the account higher privileges in AD, it can now read the attributes. I have not had to do this in the past with the Bind account. Also, the "Effective Permissions" tab of each user in AD shows the Bind user to have read access to all attributes already.

 

We'll continue to check permissions, but I think that is the root issue here. 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

New Contributor
Posts: 1
Registered: ‎03-05-2014

Re: CPPM not Retrieving Authorization Attributes for Some Users

I'm seeing the same in our logs.  We have a handful of users that are seeing the same issue.  Did you need to do more than use an elevated account?

Guru Elite
Posts: 7,854
Registered: ‎09-08-2010

Re: CPPM not Retrieving Authorization Attributes for Some Users

We had this issue with some legacy accounts where read rights were removed for regular users. Check your bind account on a specific user to see if it has permission to read attributes.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 23
Registered: ‎04-22-2016

Re: CPPM not Retrieving Authorization Attributes for Some Users

Can you explain what exact permissions the bind account needs?

 

Thanks,

Christian

Guru Elite
Posts: 7,854
Registered: ‎09-08-2010

Re: CPPM not Retrieving Authorization Attributes for Some Users

The bind account needs basic domain user permissions. 

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP