OS Authentication with Linux and LDAP

Find and share HowTos to various installations / configurations!
12 posts • Page 1 of 2
emaddocks
Posts:83
Joined: Tue Sep 04, 2018 12:50 am

OS Authentication with Linux and LDAP

Post by emaddocks »

Hi,

We're trying to set up OS Auth in WinCC OA 3.17 P009. We are running on Red Hat Linux 8 with a 389-DS LDAP server.

I'm able to successfully login to WinCC OA with my LDAP credentials. We have the winccoa file in the pam.d directory with the following entry:
  • auth include password-auth
However, when I log in, my LDAP User Groups don't come through and I get the following entry in the log:
  • WCCOActrl (1), 2021.04.27 13:16:32.310, CTRL, WARNING, 0, , onLogIn_updateUserGroups :Lost connection to external authentication system
Is there further configuration we need to do for WinCC OA to pull the User Groups through from the Domain?


Cheers
Eric

leoknipp
Posts:2928
Joined: Tue Aug 24, 2010 7:28 pm

Re: OS Authentication with Linux and LDAP

Post by leoknipp »

I have seen that you have asked about similar topics several times.
You can possibly get in contact with your common WinCC OA support to clarify how it works.

Does the problem occur every time you try to log in?

Best Regards
Leopold Knipp
Senior Support Specialist

emaddocks
Posts:83
Joined: Tue Sep 04, 2018 12:50 am

Re: OS Authentication with Linux and LDAP

Post by emaddocks »

My apologies Leopold. I should have continued the original thread (viewtopic.php?f=15&t=11336) now that we have it connected to the LDAP domain. As you mentioned the help documentation details how to connect to a Windows Domain Controller, do you know of any documentation for connecting a Linux client to LDAP?

To answer your question: the WARNING does come through every time I try to log in.

I will try to find out who our WinCC OA support is in Melbourne, Australia.

Cheers
Eric

leoknipp
Posts:2928
Joined: Tue Aug 24, 2010 7:28 pm

Re: OS Authentication with Linux and LDAP

Post by leoknipp »

The documentation states that the example is for Red Hat Enterprise Linux Server 7.4.
Possibly in Red Hat 8 you have to do something different.
I have not found any additional information for the configuration.

Best Regards
Leopold Knipp
Senior Support Specialist

emaddocks
Posts:83
Joined: Tue Sep 04, 2018 12:50 am

Re: OS Authentication with Linux and LDAP

Post by emaddocks »

Thanks Leopold,

I've logged a ticket with Siemens Support also to determine what may be required.

As RHEL 8 is a supported operating system I would have hoped that the documentation included all necessary information to configure OS Authentication using RHEL 8.

Cheers
Eric

yalvactop
Posts:1
Joined: Wed Jun 05, 2019 4:57 pm

Re: OS Authentication with Linux and LDAP

Post by yalvactop »

Hi,

I am facing the same issue with RHEL8 and WinCC OA 3.18 P001.

I modified /etc/nsswitch.conf and /etc/pam.d/other files as stated in the security guideline.
I also created /etc/pam.d/wincc_oa with the entry: auth include password-auth
Additionally, I appended the following entry in /etc/sssd/sssd.conf: enumerate = true

- [x] The OS authentication using AD users is working both via browser or UI.

- [ ] Users and user groups are not automatically synchronized with AD:

```
CTRL, INFO,        0, , Cyclic updateUserGroups cannot reach the server. Trying again in 60 minutes.
```

- [ ] After the first login of a user, it is visible that the user is created and assigned to its user group defined in AD only if the user group is loaded beforehand as a group manually through: system management -> permission -> user administration -> Groups -> administrate -> add -> load groups -> check the group you want
Otherwise the "groups" column is empty:

```
CTRL, WARNING,     0, , onLogIn_updateUserGroups :Lost connection to external authentication system
```

- [ ] When the user is assigned to another group in AD, this change is not synchronized in WOA once a user performs login

- [ ] When a user is deleted in AD, this change is not synchronized in WOA user store (the user is still in the user list). However the deleted user cannot login to WOA:

```
authentication error
```


Has anybody found a solution for this update/sync problem?

Any help is greatly appreciated, thank you in advance! :)

Best Regards,
Yalvac

emaddocks
Posts:83
Joined: Tue Sep 04, 2018 12:50 am

Re: OS Authentication with Linux and LDAP

Post by emaddocks »

Hi Yalvac,

Have you been able to resolve your OS Auth issues with the latest 3.18 Patches? We were able to half resolve ours with 3.17 Patch 13 but it only brings in the User's Primary Group. Meaning that if a User is a member of multiple groups WinCC OA doesn't import them :(

Siemens / ETM are currently working on a solution to a separate issue that 3.17 Patch 13 introduced that broke redundant links between servers (viewtopic.php?f=15&t=11504). As a result we are thinking to upgrade to 3.18 but if we have the same issues on 3.18 there's obviously no rush to upgrade.

Your feedback would be greatly appreciated.


Cheers
Eric

emaddocks
Posts:83
Joined: Tue Sep 04, 2018 12:50 am

Re: OS Authentication with Linux and LDAP

Post by emaddocks »

It seems 3.18 P004 has introduced another OS Auth issue; however, this time it doesn't seem to be causing OS Auth not to work, it just displays these warnings every 60 minutes:

```
WCCOActrl    (1), 2021.12.08 22:34:07.249, CTRL, INFO,        0, , Cyclic updateUserGroups running every 60 minutes.
WCCOActrl    (1), 2021.12.08 22:34:07.301, CTRL, WARNING,     5/ctrl, Location of the following log entry: /opt/WinCC_OA/3.18/scripts/updateUserGroups.ctl    Library: /opt/WinCC_OA/3.18/scripts/libs/classes/auth/OaAuthMethodAD.ctl
    Line: 272
WCCOActrl    (1), 2021.12.08 22:34:07.301, SYS,  WARNING,    54, Unexpected state, /opt/WinCC_OA/3.18/scripts/updateUserGroups.ctl    Library: /opt/WinCC_OA/3.18/scripts/libs/classes/auth/OaAuthMethodAD.ctl
    Line: 272, Invalid argument (22)
WCCOActrl    (1), 2021.12.08 22:34:07.301, CTRL, WARNING,     0, , doUpdateUsers :Lost connection to external authentication system
```

Has anyone else seen these errors come up in recent patches?
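
Added example, not part of any post in this thread and not ETM/Siemens code: a Python parser for the log format quoted above that picks out the entries showing the user/group synchronization did not complete, which is the state in which group changes and deletions in the directory are not reflected in WinCC OA. The sample text is constructed from the lines quoted in the thread; the manager name and timestamp on its last line are made up, and the function names `parse_entries` and `sync_failures` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# One entry header: "<manager> (<num>), <timestamp>, <type>, <severity>, <code>, <message>"
ENTRY = re.compile(
    r"^(?P<manager>\S+)\s*\((?P<num>\d+)\),\s*"
    r"(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}),\s*"
    r"(?P<kind>\w+),\s*(?P<severity>\w+),\s*(?P<code>[^,]*),\s*(?P<msg>.*)$"
)
# The two messages quoted in the thread that mean the user/group sync did not complete.
SYNC_FAILURE = re.compile(
    r"(?P<func>\w+) :Lost connection to external authentication system"
    r"|Cyclic (?P<cyclic>updateUserGroups) cannot reach the server"
)

def parse_entries(text):
    """Split log text into entries; lines without a header continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y.%m.%d %H:%M:%S.%f")
            entry["msg"] = entry["msg"].lstrip(", ")  # drop the empty field before the text
            entries.append(entry)
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return entries

def sync_failures(text):
    """Return {failing function: [timestamps]} for every sync-failure entry."""
    failures = defaultdict(list)
    for entry in parse_entries(text):
        m = SYNC_FAILURE.search(entry["msg"])
        if m:
            failures[m.group("func") or m.group("cyclic")].append(entry["ts"])
    return dict(failures)

# Constructed sample: lines quoted in the thread; the header of the last line is made up.
SAMPLE = """\
WCCOActrl (1), 2021.04.27 13:16:32.310, CTRL, WARNING, 0, , onLogIn_updateUserGroups :Lost connection to external authentication system
WCCOActrl    (1), 2021.12.08 22:34:07.249, CTRL, INFO,        0, , Cyclic updateUserGroups running every 60 minutes.
WCCOActrl    (1), 2021.12.08 22:34:07.301, SYS,  WARNING,    54, Unexpected state, /opt/WinCC_OA/3.18/scripts/updateUserGroups.ctl    Library: /opt/WinCC_OA/3.18/scripts/libs/classes/auth/OaAuthMethodAD.ctl
    Line: 272, Invalid argument (22)
WCCOActrl    (1), 2021.12.08 22:34:07.301, CTRL, WARNING,     0, , doUpdateUsers :Lost connection to external authentication system
WCCOActrl    (1), 2021.12.08 23:34:07.301, CTRL, INFO,        0, , Cyclic updateUserGroups cannot reach the server. Trying again in 60 minutes.
"""

if __name__ == "__main__":
    for func, stamps in sync_failures(SAMPLE).items():
        print(f"{func}: {len(stamps)} failure(s), last at {max(stamps)}")
```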

Yogesh_Gaikwad
Posts:7
Joined: Mon Oct 26, 2020 11:44 pm

Re: OS Authentication with Linux and LDAP

Post by Yogesh_Gaikwad »

Dear All,

The issue has been resolved with WinCC-OA v3.18 P0006.
Please validate.

Yogesh_Gaikwad
Posts:7
Joined: Mon Oct 26, 2020 11:44 pm

Re: OS Authentication with Linux and LDAP

Post by Yogesh_Gaikwad »

Dear All,

The problem arises with WinCC-OA v3.18 P0015. Even though the LDAP password is correct, it shows Password Expired.
The same settings worked with P0006 in the past.

Any remedy to resolve it?
We are using OS_AUTH method for integrating LDAP logins in WinCC-OA.
