IDPA ACM fails to update the LDAP password after it was changed in Active Directory with error "Failed to update AD password"

           

Article Number: 529318
Article Version: 2
Article Type: Break Fix
   

 


Product:

 

Integrated Data Protection Appliance Family, Data Protection Central

 

Issue:

 

 

ACM is unable to sync the Active Directory LDAP password after it has been changed in Active Directory.

The ACM UI constantly shows the following message:

      LDAP_out_sync

ACM's log (/usr/local/dataprotection/var/configmgr/server_data/logs/server.log) shows the following error:
        
      ERROR [http-nio-8543-exec-3]-util.RestUtil: Rest execution failed due to authentication failed.         
          ERROR [http-nio-8543-exec-3]-dpcadapter.DPCUtil: checkDPCLDAPConnection --> Unable to execute request on DPC. Exception: com.emc.vcedpa.common.exception.ApplianceException: REST API execution failed. Authentication failed.         
                  at com.emc.vcedpa.common.util.RestUtil.validateResponseStatus(RestUtil.java:184)         
                  at com.emc.vcedpa.common.util.RestUtil.executeRequest(RestUtil.java:130)         
                  at com.emc.vcedpa.common.util.RestUtil.executeRequest(RestUtil.java:88)         
                  at com.emc.vcedpa.dpcadapter.DPCUtil.checkDpcLdapConnection(DPCUtil.java:199)         
                  at com.emc.vcedpa.restadapter.LoginService.changePasswordLdapUser(LoginService.java:882
   
   
   
DPC's elg log (/var/log/dpc/elg/elg.log) shows:
        
      ERROR localhost-startStop-1 c.e.c.s.a.l.ADLdapAuthenticationProvider Ignoring AD authentication. Verification of ldap settings failed. Failed to connect to LDAP - <active_directory_shortname>:389; nested exception is javax.naming.CommunicationException: <active_directory_shortname>:389 [Root exception is java.net.UnknownHostException: <active_directory_shortname>]         
          WARN localhost-startStop-1 c.e.c.s.a.l.ADLdapAuthenticationProvider Ignoring AD authentication. Verification of ldap settings via test connection failed
   
                                                             

 

 

Cause:

 

 

The DPC server cannot resolve the Active Directory short name via DNS, so DPC fails to connect to Active Directory.

 

 

Resolution:

 

 

1- Log in to DPC as user admin

2- su -

3- cd /var/lib/dpc/elg

4- vi ldap.properties

   Change the line:

      elg.ldap.server.urls=ldap://<active_directory_shortname>:389

   to

      elg.ldap.server.urls=ldap://<active_directory_fully_qualified_domain_name>:389

5- Save the file

6- /usr/local/dpc/bin/dpc stop

7- /usr/local/dpc/bin/dpc start

Note: Make sure the Active Directory Fully Qualified Domain Name can be resolved from DPC via DNS by using nslookup. If nslookup does not resolve the Fully Qualified Domain Name, then the DNS server needs to be fixed.
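
A check that can be run on DPC before restarting the service in steps 6 and 7, to confirm that ldap.properties no longer points at a short name and that each configured host resolves. This is an added example, not part of the original article or of the product. The function names are hypothetical, and the script assumes multiple URLs, if present, are separated by commas or spaces.

```shell
#!/bin/sh
# Added example (not vendor code): pre-restart check for the ldap.properties change.

# Print the host part of every URL in elg.ldap.server.urls, one per line.
# Assumption: multiple URLs, if present, are separated by commas or spaces.
ldap_hosts() {
    sed -n 's/^[[:space:]]*elg\.ldap\.server\.urls[[:space:]]*=[[:space:]]*//p' "$1" |
        tr -d '\r' |
        tr ', ' '\n\n' |
        sed -n 's#^ldaps\{0,1\}://\([^:/]*\).*#\1#p'
}

# A short (single-label) name contains no dot and depends on the resolver's
# search domains; that is the case logged as UnknownHostException in elg.log.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when this host can resolve the name (getent, else nslookup).
resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent hosts "$1" >/dev/null 2>&1
    else
        nslookup "$1" >/dev/null 2>&1
    fi
}

# Report each configured host; return 1 if any is a short name or unresolvable.
check_ldap_properties() {
    rc=0
    for h in $(ldap_hosts "$1"); do
        if ! is_fqdn "$h"; then
            echo "WARN  $h: short name, replace with the AD FQDN"; rc=1
        elif ! resolves "$h"; then
            echo "FAIL  $h: FQDN does not resolve from this host, fix DNS"; rc=1
        else
            echo "OK    $h: FQDN resolves"
        fi
    done
    return $rc
}

# Usage: sh check_ldap.sh /var/lib/dpc/elg/ldap.properties
if [ -n "${1:-}" ]; then check_ldap_properties "$1"; fi
```

A non-zero exit status means at least one entry still needs attention before DPC is restarted.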