Hey Steven
Thanks for responding. Sorry I was away on Fri.
Think of them as contractors. It's a desk that manages the ITIC bridge that moves data from the Maximo front end to the Maximo database.
Because they are contractors, the customer would not provide them an AD account to authenticate between the two.
To get around this, we created a separate ADAM/AD LDS instance and created an account in there, then created a separate LDAP login module in WebSphere.
We are using an old version of Maximo, 7.1.
Here is a screenshot of the errors in WebSphere. I erased the user name and the names of the login modules and any server names.
The error indicates that it's an incorrect user name or password, but I can connect to this AD LDS instance on port 636 with SSL with LDP.exe using the same credentials.
A little more background: we are using a federated repository in WebSphere and then adding JAAS LDAP login modules.
This setup works fine for our Prod environment, but it's the UAT environment I'm trying to sort out.
This setup was created well before my time and unfortunately was not documented.
One thing that was suggested to me was that the server needs to be in an IBM bluegroup to allow it to authenticate, but I could not find any reference to an IBM bluegroup in Prod.
Let me know if this answers your questions, and thanks again for looking.
------------------------------
Matt Walmsley
Kyndryl
------------------------------
Original Message:
Sent: 12-02-2022 11:21
From: Steven Shull
Subject: maximo authenticating to AD LDS instance LDAP
Can you clarify this part "we have a team that is not part of our AD that needs an account to authenticate for the broker to process orders/tickets in maximo."
This sounds like an integration to me, but I might be misunderstanding. If it is an integration utilizing our REST API and you're using a recent version of Maximo (>7.6.0.9), I would switch the integration to utilize API keys instead of authentication. That would be significantly easier than trying to manage a separate AD for an integration.
On your errors in the logs, what are you seeing with the SECJ0369E error? Normally at the end you'll get an LDAP error code that can be useful in troubleshooting why it failed.
------------------------------
Steven Shull
IBM
------------------------------
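
The LDAP error code mentioned above at the end of a SECJ0369E entry can be pulled out and decoded as in this added example, which is not part of either post and is not IBM code. The function names and the sample log lines are assumptions constructed for illustration; the `data` sub-codes are the ones Active Directory and AD LDS append to a failed bind.

```python
import re

# Well-known LDAP result codes (RFC 4511) commonly seen on failed binds.
LDAP_RESULTS = {"8": "strongerAuthRequired", "32": "noSuchObject",
                "49": "invalidCredentials", "53": "unwillingToPerform"}

# Hex sub-codes AD / AD LDS put after "data" when a bind fails with code 49.
AD_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}

LDAP_CODE = re.compile(r"LDAP: error code (\d+)")
AD_DATA = re.compile(r"\bdata ([0-9a-fA-F]+)\b")

def explain_secj0369e(line):
    """Decode the LDAP failure in one SECJ0369E line; None for other lines."""
    if "SECJ0369E" not in line:
        return None
    code = LDAP_CODE.search(line)
    sub = AD_DATA.search(line)
    ldap_code = code.group(1) if code else None      # None: entry was truncated
    subcode = sub.group(1).lower() if sub else None   # None: not an AD-style reply
    return {
        "ldap_code": ldap_code,
        "ldap_name": LDAP_RESULTS.get(ldap_code, "unlisted result code") if ldap_code else None,
        "ad_subcode": subcode,
        "ad_meaning": AD_SUBCODES.get(subcode, "unlisted sub-code") if subcode else None,
    }

def explain_log(lines):
    """Decode every SECJ0369E entry in an iterable of log lines."""
    return [r for r in map(explain_secj0369e, lines) if r is not None]

# Constructed sample lines: timestamps, thread ids and DSID values are made up.
SAMPLE_LOG = [
    "[12/5/22 9:14:02:118 EST] 0000004a LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1].",
    "[12/5/22 9:15:40:007 EST] 0000004b LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1].",
    "[12/5/22 9:16:00:500 EST] 0000004c SystemOut     O   unrelated application output",
]

if __name__ == "__main__":
    for result in explain_log(SAMPLE_LOG):
        print(result)
```

Comparing the decoded code and sub-code for the same login between two environments shows whether the directory rejected the bind itself or the request never reached it in the expected form.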