After enabling LDAP integration of Control-M when a user logs in with their LDAP credentials it fails and issues a message

User not authorized in EM.

LDAP was enabled via the Control-M Configuration Manager and one of the groups in Control-M Authorizations was mapped to an LDAP group. However when a user who is part of one of the groups logs in it fails to log in. After enabling debug (see instructions at the end) we find the following lines in the GUI Server or CMS log located in the <EM-HOME>/log directory of the Control-M/EM Server.

07/11/2011 12:50:01.240 [5] ldapclient ldap_diag_f(thread 4005677968) ldap_chase_referrals
07/11/2011 12:50:01.240 [5] ldapclient ldap_diag_f(thread 4005677968) read1msg: V2 referral chased, mark request completed, id = 1
07/11/2011 12:50:01.240 [5] ldapclient ldap_diag_f(thread 4005677968) new result: res_errno: 49, res_error: <80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772>, res_matched: <>
07/11/2011 12:50:01.240 [5] ldapclient ldap_diag_f(thread 4005677968) read1msg: ld 0xee82fa40 0 new referrals
07/11/2011 12:50:01.240 [5] ldapclient ldap_diag_f(thread 4005677968) read1msg: mark request completed, ld 0xee82fa40 msgid 1

The above output shows that the LDAP server issued a referral to another domain server.

Currently, Control-M is unable to handle referrals to other LDAP Server.

CAR00044166 has been resolved in Control-M/Enterprise Manager 7.0.00 Fix Pack 4.  Apply the latest available Fix Pack to resolve this issue.

The following video demonstrates this workaround:

Steps

1. Login to CCM
2. Go to Tools > System Parameters > System Configuration > Control-M/EM System Parameters > Advanced.
3. In the list of parameters highlight one of them and then click the plus sign in the top left corner.
4. In the Window that opens after clicking the plus sign enter the following

Type: general
Name: DirectoryServerChaseRef
Value: 0
Last Updated: Take default value that is already present in this field

Under the Component section enter the following
Type: *
Name: *
Host: Enter hostname of machine where Control-M/Enterprise Manager Server is running.

5. After saving the new system parameter recycle CONTROL-M Configuration Server
6. If Control-M/Enterprise Manager Server is running on Unix, Go to the account under which the Control-M/Enterprise Manager Server is installed and from root_menu and restart the CONTROL-M Configuration Server
7. If Control-M/Enterprise Manager Server is running on Windows, go to the Services Panel in Windows and restart the Control-M Configuration Server Service. 
8. Recycle all the Control-M/Enterprise Manager components in the CCM.
9. Attempt a login again to see if this resolves the issue.


Technical Information:
Included below are the instructions on how to enable debug to capture LDAP related information in the logs.
1. Go to <EM-HOME>/etc and edit the file ldap.conf and add the line below to this file.
LDAP_DEBUG ON

2. Recycle the CMS and GUI Server after this.

3. Go to the CCM and right click the GUI Server to select Control Shell . In the Control Shell enter command below to activate debug.
DIAGL MinimumDbgLvl 5 5

4. Attempt a login to the EM GUI using an LDAP user.

5. Turn off debug on the GUI Server. Go to the CCM and right click the GUI Server to select Control Shell . In the Control Shell enter command below to activate debug.
DIAGL MinimumDbgLvl 2 4.

6. From the EM Server please run the data collector

em_data_collector -U <DBO user> -P <DBO password> -max_size 50