LDAP-Documentum Configuration & Troubleshooting Tips

http://www.revasolutions.com/ecm-blog/?p=278


July 12th, 2010 by Zainab Mantri

Configure LDAP with Documentum.

Here is a step-by-step configuration of LDAP with Documentum (the original post illustrated each step with screen shots). It might differ depending on how you want to sync your users and groups in Active Directory with Documentum.

Go to Documentum Administrator (DA) -> Administration -> Basic Configuration -> LDAP Servers. Click File -> New -> LDAP Server Configuration. More detailed notes can be found in the Documentum Administrator User Guide under the Basic Configuration section.

After completing the LDAP configuration, go to the Server Configuration and enable the correct LDAP server.

Run the LDAP job to synchronize the users and groups. A few key points and common errors:

  • It is always a one-way sync. The LDAP job will never update anything in Active Directory.
  • If a user enters a wrong password 3 times the account will be locked out, because the password is authenticated against AD. The account then needs to be unlocked by the System Administrator.
  • The LDAP job checks the user_name and the user_os_name. If the user_name in Documentum does not match the user_name in AD exactly (even a difference in case counts), it will throw an error. For example, if the user's name in AD is Sarah McLaughlin but for some reason the user_name was created as Sarah Mclaughlin in Documentum, the job will not synchronize that user even though the user_os_name is the same. The solution is to reassign the user's name so that it matches AD exactly. The only drawback of the reassign tool is that it runs a DQL update over all objects currently owned by the old user_name and reassigns them to the new user_name, which changes their r_modify_date and r_modifier. Run the LDAP sync job after the Reassign User job and it will run through perfectly.
  • If, after running the LDAP job, the log file reports that a .cnt file was not found, do the following. Go to the path given in the log file; it should be something like E:\Documentum\dba\config\<docbase_name>\ldap_0800a184802036ef.cnt. There should be older files there with a different object id. Recreate the file the job is asking for and run the job again; it should run fine now. If no older file exists, just create a blank file with that name and run the job.
  • The main attributes to check if a user fails to update through LDAP are: user_login_domain, user_source, user_ldap_dn and user_global_unique_id. Compare these values with those of a user that is working correctly.
  • If a user fails even though it has the correct user_name, and the error says the user cannot be updated because the user is already configured in a separate domain, do the following:
      1. Go to IAPI and fetch the failing user: retrieve,c,dm_user where user_name = 'xxx'
      2. dump,c,l
      3. Check the user_global_unique_id. It should look like testAD:3acb0b81-1dd211b2-80d9af5c-40c9a950. If it does not, this is what is causing the error.
      4. set,c,l,user_global_unique_id = 'testAD:'
      5. Run the job again and check that the user has been configured successfully and that user_global_unique_id is now set correctly.
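As an added example (not from the original post and not Documentum code), the script below applies the checks described above to constructed sample data before the LDAP job is run: it compares each Documentum dm_user row against its AD entry for an exact user_name match, a matching user_os_name, a user_global_unique_id carrying the LDAP config prefix, and the user_ldap_dn, user_login_domain and user_source values of a user that is known to sync, and it prints the IAPI commands that reset a wrongly prefixed user_global_unique_id. The config name testAD, the attribute mapping (AD display name to user_name, sAMAccountName to user_os_name), the sample users and their ids are all assumptions made up for the example.

```python
"""Pre-sync consistency check for Documentum LDAP users (added example).

Not code from the original post or from Documentum. All inputs are constructed:
the dm_user rows, the AD entries and the LDAP config name "testAD" stand in for
what you would pull with DQL/IAPI and an LDAP browser.
"""
from dataclasses import dataclass

# Assumption: object_name of the dm_ldap_config that owns these users; the
# unique id is stored as '<config name>:<guid>'.
LDAP_CONFIG_NAME = "testAD"


@dataclass
class DmUser:
    user_name: str
    user_os_name: str
    user_login_domain: str
    user_source: str
    user_ldap_dn: str
    user_global_unique_id: str


@dataclass
class AdEntry:
    display_name: str      # assumption: the AD attribute mapped to user_name
    sam_account_name: str  # assumption: mapped to user_os_name
    dn: str


def dql_quote(value: str) -> str:
    """Escape a string literal for DQL/IAPI: single quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def check_user(user: DmUser, ad: AdEntry, reference: DmUser) -> list[str]:
    """Return findings for one user; an empty list means it should sync cleanly."""
    findings = []
    # The LDAP job compares user_name exactly, so a case difference alone fails.
    if user.user_name != ad.display_name:
        kind = "case" if user.user_name.lower() == ad.display_name.lower() else "value"
        findings.append(
            f"user_name {kind} mismatch: Documentum {user.user_name!r} vs AD "
            f"{ad.display_name!r} (fix with the Reassign User job)")
    if user.user_os_name != ad.sam_account_name:
        findings.append(f"user_os_name {user.user_os_name!r} != AD {ad.sam_account_name!r}")
    # A unique id recorded under another config name produces the
    # "already configured in a separate domain" error.
    prefix, sep, _guid = user.user_global_unique_id.partition(":")
    if not sep or prefix != LDAP_CONFIG_NAME:
        findings.append(
            f"user_global_unique_id {user.user_global_unique_id!r} not prefixed "
            f"with {LDAP_CONFIG_NAME!r}")
    if user.user_ldap_dn != ad.dn:
        findings.append(f"user_ldap_dn {user.user_ldap_dn!r} != AD DN {ad.dn!r}")
    # Compare the remaining attributes with a user that is known to sync.
    for attr in ("user_login_domain", "user_source"):
        if getattr(user, attr) != getattr(reference, attr):
            findings.append(f"{attr}={getattr(user, attr)!r}, working user has "
                            f"{getattr(reference, attr)!r}")
    return findings


def iapi_reset_unique_id(user: DmUser) -> list[str]:
    """IAPI lines that blank the id so the next LDAP job re-populates it."""
    return [
        f"retrieve,c,dm_user where user_name = {dql_quote(user.user_name)}",
        f"set,c,l,user_global_unique_id = {dql_quote(LDAP_CONFIG_NAME + ':')}",
        "save,c,l",  # persists the set; then run the LDAP job again
    ]


# Constructed sample data (not real accounts); the guids are made up.
BASE_DN = "DC=example,DC=test"
WORKING = DmUser("Sarah Jones", "sjones", "example", "LDAP",
                 f"CN=Sarah Jones,OU=Users,{BASE_DN}",
                 "testAD:11111111-22222222-33333333-44444444")
AD_ENTRIES = {
    "sjones": AdEntry("Sarah Jones", "sjones", f"CN=Sarah Jones,OU=Users,{BASE_DN}"),
    "smclaughlin": AdEntry("Sarah McLaughlin", "smclaughlin",
                           f"CN=Sarah McLaughlin,OU=Users,{BASE_DN}"),
    "pobrien": AdEntry("Pat O'Brien", "pobrien", f"CN=Pat O'Brien,OU=Users,{BASE_DN}"),
}
DM_USERS = [
    WORKING,
    # user_name differs from AD only in case: the job will reject it
    DmUser("Sarah Mclaughlin", "smclaughlin", "example", "LDAP",
           f"CN=Sarah McLaughlin,OU=Users,{BASE_DN}",
           "testAD:55555555-66666666-77777777-88888888"),
    # unique id carries another config's prefix: "separate domain" error
    DmUser("Pat O'Brien", "pobrien", "example", "LDAP",
           f"CN=Pat O'Brien,OU=Users,{BASE_DN}",
           "oldAD:99999999-aaaaaaaa-bbbbbbbb-cccccccc"),
]


def audit(users=DM_USERS, ad=AD_ENTRIES, reference=WORKING) -> dict[str, list[str]]:
    """Map user_name -> findings for every user that has at least one."""
    report = {}
    for u in users:
        findings = check_user(u, ad[u.user_os_name], reference)
        if findings:
            report[u.user_name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name)
        for f in findings:
            print("  -", f)
    for u in DM_USERS:
        if not u.user_global_unique_id.startswith(LDAP_CONFIG_NAME + ":"):
            print("\n".join(iapi_reset_unique_id(u)))
```

To use it against a real docbase, replace the constructed DM_USERS and AD_ENTRIES with rows exported via DQL (select user_name, user_os_name, user_login_domain, user_source, user_ldap_dn, user_global_unique_id from dm_user) and from the LDAP browser. The DQL quoting helper matters for names such as O'Brien, which would otherwise break the generated retrieve command.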

Here are some LDAP tools that can be used for debugging. They can be downloaded and installed easily, and they are free.

  • dsa.msc
  • adsiedit.msc
  • Softerra LDAP Browser

These 2 tools do not show the Deleted Users folder in AD. When a user is deleted in AD it remains in the Deleted Users folder for a given period of time, after which it is permanently deleted. Documentum polls this folder and updates the user state to Inactive.

Other tools (these do show the Deleted Objects folder):

  • ldp.exe
  • adexplorer.exe

With certain tools you might have to specify the distinguished name "cn=Deleted Objects,DC=iol,DC=xxx,DC=net" when you connect, because default connections usually bind to one of the three partitions in Active Directory: the domain, schema or configuration DN.

Full Refresh

To perform a full refresh of LDAP data, clear the a_last_run attribute as follows.
Note: a_last_run is defined as a string, not a datetime field. LDAP Synchronization will not produce the desired results if the word "null" is present in this attribute.

Go to IAPI and run the following commands (the set command is given no value, which clears the attribute):

retrieve,c,dm_ldap_config
set,c,l,a_last_run
save,c,l

Trace
You can turn on tracing for the LDAP job by setting the trace level to 10 and viewing the trace file after the job has completed. Right-click the job in DA and click View Trace File. You can also check the job report for errors or validation messages.

LDAP Job Through Command Prompt

You can also run the LDAP job from the command prompt.

Go to the bin directory of the Documentum installation (E:\Documentum\product\6.5\bin) and then run the job:

E:\Documentum\product\6.5\bin>java com.documentum.ldap.LDAPSync -docbase_name xxx -user_name xxx -password xxx -full_sync true -method_trace_level 10 -group_save_limit 1000 -rename_user_option true -rename_group_option true -deactivate_user_option true >> C:\ldapsync_MSAD.log


Tags: Active Directory, authentication, Documentum 6.5, LDAP, user authentication

2 Responses to “LDAP-Documentum Configuration & Troubleshooting Tips”

  1. Tarak says:

    Hi Zainab,

    I just ran into an issue regarding LDAP configuration. I had migrated my users from the AD through the LDAP configuration; I got all of them transferred, able to log in and working with no problems. After a couple of months all users except DMADMIN (NOT an LDAP USER) could not log in to Documentum. First, the AD administrator checked that all users' accounts are active, that no passwords have been reset, and that they can log in to the domain. At the same time those users cannot log in to Documentum. I asked the AD administrator to reset the passwords of some of those users to exactly the same current password they have, and then they were able to log in with no problem. Now the same problem has occurred again; do you have any idea why this keeps happening?

    Thanks,
  2. Hi Tarak,

    When these users try to log in and fail, what is the error message generated in the Application Server log?

posted @ 2010-10-30 22:21 by 吴东雷 (1359 reads, 0 comments)