
McAfee ePolicy allows the integration to LDAP servers.

There are three LDAP server types to choose from:
– Active Directory
– eDirectory
– OpenLDAP

While setting up OpenLDAP integration on a new installation, we hit an issue: registering the LDAP server and running the connection test returned the following error:

“Query returned no group records. Verify the server has at least one group and the user has the required permissions”


Based on the error presented, we started with the obvious troubleshooting steps: checking that the account had the relevant permissions (we also tried the administrator account and got the same error) and checking that groups actually existed on the OpenLDAP server.

We also used an LDAP browser tool from the ePO server itself to confirm that it could communicate with the OpenLDAP server and run a query, which was successful.

We then dug a bit deeper and enabled debug logging for ePolicy by changing the Log Level registry value to 8.

Debugging McAfee ePolicy

Instructions from the McAfee Knowledge Base

After changing the registry entry, we had to restart the ePolicy services for the change to take effect:
1) Application Server
2) Server
3) Event Parser


This created the log files in the ePolicy installation folder “\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs\”; the one we are interested in is orion.log.
On inspecting the log file we found it contained two entries for every connection test we attempted, as below:
244 WARN [http-bio-8443-exec-6] internal.LdapConnectionImpl – Unable to retrieve any records using query ‘(objectClass=groupOfNames)’.
244 WARN [http-bio-8443-exec-6] ldap.LdapAction – Query returned no group records. Verify the server has at least one group and the user has required permissions.

Based on that we took a closer look at the OpenLDAP server and noticed that the existing groups were of objectClass groupOfUniqueNames rather than objectClass groupOfNames, so ePO's query for (objectClass=groupOfNames) matched nothing.
Although both object classes are groups that can contain members and be used to apply permissions and so on, they are different types: groupOfNames lists its members in the member attribute, while groupOfUniqueNames uses uniqueMember. This article explains the difference between the two types.

When creating a group on OpenLDAP you get two choices.

We created a new group with the objectclass: groupOfNames and attempted to register the LDAP server in ePolicy and voila!
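To make the mismatch above easy to confirm without another round of connection tests, here is an added example (not code from the original post or from McAfee) that evaluates the exact filter ePO logged, (objectClass=groupOfNames), against an LDIF export of the directory (for instance from slapcat or ldapsearch) and reports which groups are groupOfUniqueNames only, and therefore invisible to ePO. It also emits the LDIF for a groupOfNames group like the one we created as the fix. The sample LDIF is constructed; the requirement that groupOfNames carries at least one member value (and groupOfUniqueNames at least one uniqueMember) comes from the standard schema in RFC 4519.

```python
"""Offline check of ePO's group lookup against an OpenLDAP LDIF export.

Added example, not part of the original post or McAfee's code. It assumes an
LDIF export without base64 (::) values or changetype records, which is what a
plain slapcat / ldapsearch dump of a small groups OU looks like.
"""
from typing import Dict, List

# Constructed sample LDIF: one legacy group using groupOfUniqueNames and one
# group using groupOfNames (the type ePO's query expects), plus a user entry.
SAMPLE_LDIF = """\
dn: cn=epo-admins,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: epo-admins
uniqueMember: uid=alice,ou=people,dc=example,dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com

dn: cn=epo-readers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: epo-readers
member: uid=carol,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse minimal LDIF into a list of entries (attribute name -> values).

    Attribute names are lower-cased so lookups are case-insensitive, as in
    LDAP itself; continuation lines (leading space) are folded back in.
    """
    entries: List[Entry] = []
    current: Entry = {}
    last_key = ""
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, ""
            continue
        if raw.startswith(" ") and last_key:  # folded line: append to previous value
            current[last_key][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last_key = name.strip().lower()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches_objectclass(entry: Entry, object_class: str) -> bool:
    """Evaluate the equality filter (objectClass=<object_class>) the way the
    server does: objectClass values compare case-insensitively."""
    wanted = object_class.lower()
    return any(v.lower() == wanted for v in entry.get("objectclass", []))


def find_groups(entries: List[Entry], object_class: str) -> List[str]:
    """Return the DNs of entries matching (objectClass=<object_class>)."""
    return [e["dn"][0] for e in entries if matches_objectclass(e, object_class)]


def diagnose(ldif_text: str) -> dict:
    """Reproduce ePO's lookup and explain an empty result.

    would_fail is True when the same query ePO logged, (objectClass=groupOfNames),
    returns nothing, which is exactly the 'Query returned no group records' case.
    """
    entries = parse_ldif(ldif_text)
    epo_visible = find_groups(entries, "groupOfNames")
    unique_only = [
        e["dn"][0] for e in entries
        if matches_objectclass(e, "groupOfUniqueNames")
        and not matches_objectclass(e, "groupOfNames")
    ]
    return {
        "epo_visible": epo_visible,
        "skipped_groupOfUniqueNames": unique_only,
        "would_fail": not epo_visible,
    }


def group_of_names_ldif(cn: str, base_dn: str, members: List[str]) -> str:
    """Emit LDIF for a groupOfNames group that ePO's query will find.

    The groupOfNames schema (RFC 4519) requires at least one member value, so
    an empty group cannot be created this way; the check mirrors what the
    server would reject with an objectClass violation.
    """
    if not members:
        raise ValueError("groupOfNames requires at least one member")
    lines = [f"dn: cn={cn},{base_dn}", "objectClass: top",
             "objectClass: groupOfNames", f"cn: {cn}"]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = diagnose(SAMPLE_LDIF)
    print("Groups ePO will see:", report["epo_visible"])
    print("groupOfUniqueNames-only groups (skipped):", report["skipped_groupOfUniqueNames"])
    print("Connection test would fail:", report["would_fail"])
    print(group_of_names_ldif("epo-users", "ou=groups,dc=example,dc=com",
                              ["uid=alice,ou=people,dc=example,dc=com"]))
```

Run it against a real export (replace SAMPLE_LDIF with the file contents): an empty epo_visible list with a non-empty skipped list is the situation in this post, and the emitted LDIF can be fed to ldapadd to create the groupOfNames group that makes the connection test pass. The parser deliberately mirrors the server's case-insensitive objectClass comparison so that a value written as groupofnames is still counted.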