OnDemand User Group

Support Forums => MP Server => Topic started by: Andreas Baaserud Hauge on November 08, 2022, 06:57:24 AM

Title: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 06:57:24 AM
Hi,

OD version: 10.1.0.5

I am currently facing a problem where Group Memberships are not adding users, only deleting both existing and not existing users.

I have a few test cases I'd like to show, which might explain my problem:

Test case                 | Prerequisites                  | Status
--------------------------+--------------------------------+----------------------------------------------------------------------------------
User created in OD        | User created in AD             | OK
User deleted in OD        | User deleted from AD           | OK
Group created in OD       | Group created in AD            | OK
Group deleted in OD       | Group deleted from AD          | OK
Group membership added    | User added to group in AD      | NOT OK, no entry in log
Group membership deleted  | User removed from group in AD  | NOT OK, user deleted from OD group even when AD group has membership of that user

For test case "Group membership added", the user has been added to the group in AD. Group is synchronized to OD, but no users added to that group in OD.
For test case "Group membership deleted", users are deleted, but users that exist in that group in AD are also deleted. Users who are members of that same AD group I would expect to still be part of that group in OD.

Help wanted <3
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 08, 2022, 07:29:24 AM
What directory server are you connecting to?

You should turn on server trace with LDAP=15

That will give you more information as to what is happening. BTW: 10.1.0.5 is very old (and out of support). You might want to consider upgrading.

-RR
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 10:57:59 AM
Directory server: AD

What would I look for in the trace log?

It shows, for instance:
Code:
INFO arsldap.c(2173)ArcLDAPP_LDAPQuery:Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=groupA,OU=...))
OU=... is just me removing info.

is that where the members of that group would come from?
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 08, 2022, 11:02:52 AM
Yes, that is the query that should pull the users from the groups. 

You can place the search in any LDAP client to see if it works. For Windows I have OpenLDAP installed, which gives me access to the ldapsearch.exe client tool.
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 11:37:47 AM
Code:
21365044:2314 11/08/2022 15:56:37:305810 INFO arsldap.c(2241)ArcLDAPP_LDAPQuery:ldap_create_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307173 INFO arsldap.c(2275)ArcLDAPP_LDAPQuery:ldap_search_ext_s ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307183 INFO arsldap.c(2305)ArcLDAPP_LDAPQuery:ldap_parse_result ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307188 INFO arsldap.c(2340)ArcLDAPP_LDAPQuery:ldap_parse_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307192 INFO arsldap.c(2355)ArcLDAPP_LDAPQuery:Current state total_cnt=0 done=1
21365044:2314 11/08/2022 15:56:37:307197 INFO arsldap.c(2380)ArcLDAPP_LDAPQuery:ldap_count_entries ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307204 INFO arsldap.c(2656)ArcLDAPP_LDAPQuery:Current state group->cnt=0

Current state group->cnt=0

I believe that means it did not find members.

Performing the LDAP search with the same query, I receive the expected members.

In the trace log, at the end of the query I see the following: "�<8B><80>))". It could be missing UTF-8 encoding, or it's just my terminal showing a different encoding.

Code:
Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...OU...DC=�<8B><80>))
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 08, 2022, 11:45:11 AM
If there are garbage characters in the trace, I am thinking there is a problem somewhere. I have never seen a scenario where the output in trace showed something like that.

Is ARS_LDAP_GROUP_MAPPED_ATTRIBUTE  set to CN?

-RR
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 11:48:57 AM
set to ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 08, 2022, 12:04:36 PM
Would there happen to be any special characters in the particular Group Name?
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 12:12:17 PM
Unfortunately not :(
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 08, 2022, 12:19:11 PM
One thing you can try is choosing a different group filter, one that finds a different group, and see if you are seeing the same garbage characters...

A thought just popped into my head. There may have been a bug in logging back then (not 100% sure). You might want to upgrade to the latest 10.1 fixpack and then try with that.   

Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 08, 2022, 12:28:31 PM
I see the same garbage character for multiple search filters in the trace log.
But it differs a bit..

FYI: I'm reading this as UTF-8, but I have not run arslsync with UTF-8 yet; I can't install the locale today.

Search 1
Code:
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,DC))
Search 2
Code:
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,
Search 3
Code:
(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,DC=test
Yeah, well, as you say, it could look like a log bug.
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 09, 2022, 06:11:40 AM
Unfortunately changing the locale to UTF-8 made no difference.

Question: Synchronization of group membership, does that only work when the user does not exist in OD before running synchronization? Or should the synchronization also add existing OD users as members of a group?
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 09, 2022, 07:18:28 AM
The users that are added to the group must exist in OnDemand as part of either the current sync or a previous sync.

If you run your userFilter query it should contain the users that will also be synced to groups. If the users are NOT part of your userFilter, they will not end up in CMOD, and they will not end up in your group either.
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 09, 2022, 01:58:30 PM
Quote from: rjrussel on November 09, 2022, 07:18:28 AM
The users that are added to the group must exist in OnDemand as part of either the current sync or a previous sync.
The user exists in OnDemand; the user was manually created for some reason.

Quote from: rjrussel on November 09, 2022, 07:18:28 AM
If you run your userFilter query it should contain the users that will also be synced to groups. If the users are NOT part of your userFilter, they will not end up in CMOD, and they will not end up in your group either.
The userFilter query contains the user.

Example
As an example, let's say we have User123 that already exists in OnDemand (manually created in OnDemand).
User123 also exists in AD.
Then we have a group called Group456; this group exists in both OnDemand and AD.
User123 is a member of Group456 in both OnDemand and AD before running synchronization.

arslsync -tv says
Code:
2022-11-08 12:59:24.713383: ARS1215I User Exists: Userid >User123<
2022-11-08 12:59:24.762684: ARS1224I Group Member Delete Preview: Name >Group456<  Userid >User123<

Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 09, 2022, 02:28:38 PM
Now I deleted User123 from OnDemand.
Started the synchronization preview.

Code:
arslsync -tv
2022-11-09 22:24:49.106304: ARS1212I User Add Preview: Userid >User123<

No records of Group456
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 10, 2022, 07:43:06 AM
In the trace log, I noticed that the garbage character is always at character number 206.

Is there a limit for how long the Distinguished Name can be?
It looks like the query is taking the value from a field u_dn.
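As an added illustration (not code from this thread or from the CMOD product), the following Python script does the check a practitioner would want at this point: before suspecting the directory, confirm that the group-member query written to the trace is actually well-formed. It looks for the matching-rule-in-chain memberOf clause rjrussel identified earlier in the thread, flags unbalanced parentheses, non-ASCII bytes and an incomplete last RDN (like the "DC=�<8B><80>" seen here), reads ldap_rc values and the group->cnt result, and returns a verdict. The trace lines and the group DN are constructed samples modelled on the ones quoted above; all function and constant names are my own.

```python
import re
from typing import Dict, List

# Constructed sample filters, modelled on the trace lines quoted in this thread.
# Group456/OU=Groups/DC=example is a placeholder DN; the two control characters
# in TRUNCATED_FILTER imitate the garbage bytes the poster saw in place of the DN tail.
CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested group membership)
GOOD_FILTER = (f"(&(objectClass=user)(memberOf:{CHAIN_OID}:="
               "CN=Group456,OU=Groups,DC=example,DC=test))")
TRUNCATED_FILTER = (f"(&(objectClass=user)(memberOf:{CHAIN_OID}:="
                    "CN=Group456,OU=Groups,DC=\u008b\u0080))")
CUT_FILTER = f"(&(objectClass=user)(memberOf:{CHAIN_OID}:=CN=Group456,OU=Groups,"


def make_trace(filter_text: str, member_count: int) -> List[str]:
    """Build a minimal constructed trace excerpt in the shape arsldap.c logs with LDAP=15."""
    return [
        f"INFO arsldap.c(2173)ArcLDAPP_LDAPQuery:Current state filter={filter_text}",
        "INFO arsldap.c(2275)ArcLDAPP_LDAPQuery:ldap_search_ext_s ldap_rc=0 extra_rc=0",
        f"INFO arsldap.c(2656)ArcLDAPP_LDAPQuery:Current state group->cnt={member_count}",
    ]


FILTER_RE = re.compile(r"Current state filter=(.*)$")
COUNT_RE = re.compile(r"group->cnt=(\d+)")
RC_RE = re.compile(r"(ldap_\w+) ldap_rc=(-?\d+)")
CHAIN_RE = re.compile(r"memberOf:" + re.escape(CHAIN_OID) + r":=([^)]*)")


def is_clean_ascii(text: str) -> bool:
    """True if every character is printable 7-bit ASCII (what a DN in a trace should be)."""
    return all(0x20 <= ord(c) <= 0x7E for c in text)


def check_filter(flt: str) -> List[str]:
    """Return the problems found in one filter string; an empty list means it looks sane."""
    problems: List[str] = []
    if flt.count("(") != flt.count(")"):
        problems.append("unbalanced parentheses: filter text is cut off")
    if not is_clean_ascii(flt):
        problems.append("non-printable or non-ASCII bytes inside the filter")
    m = CHAIN_RE.search(flt)
    if m is None:
        problems.append("no matching-rule-in-chain memberOf clause found")
        return problems
    # The last RDN of the group DN must be a complete attr=value pair with a clean value.
    last_rdn = m.group(1).split(",")[-1]
    _attr, sep, value = last_rdn.partition("=")
    if not sep or not value or not is_clean_ascii(value):
        problems.append(f"last RDN {last_rdn!r} is incomplete: group DN looks truncated")
    return problems


def diagnose(trace_lines: List[str]) -> Dict[str, object]:
    """Pull filters, ldap_rc errors and the member count out of a trace excerpt and judge them."""
    filters: List[str] = []
    rc_errors: List[str] = []
    count = None
    for line in trace_lines:
        if (m := FILTER_RE.search(line)):
            filters.append(m.group(1))
        if (m := RC_RE.search(line)) and m.group(2) != "0":
            rc_errors.append(f"{m.group(1)} returned ldap_rc={m.group(2)}")
        if (m := COUNT_RE.search(line)):
            count = int(m.group(1))
    problems = {f: check_filter(f) for f in filters}
    if any(problems.values()):
        verdict = "filter is malformed in the trace: fix the query before blaming the directory"
    elif rc_errors:
        verdict = "server returned an error: " + "; ".join(rc_errors)
    elif count == 0:
        verdict = "filter well-formed but 0 members returned: replay it with ldapsearch against the same base"
    else:
        verdict = f"{count} member(s) found"
    return {"filters": filters, "problems": problems, "rc_errors": rc_errors,
            "group_count": count, "verdict": verdict}


if __name__ == "__main__":
    for name, flt, cnt in (("good", GOOD_FILTER, 2), ("truncated", TRUNCATED_FILTER, 0),
                           ("cut", CUT_FILTER, 0)):
        result = diagnose(make_trace(flt, cnt))
        print(f"{name:10s} len={len(flt):3d} -> {result['verdict']}")
        for problem in result["problems"][flt]:
            print(f"             - {problem}")
```

Run it against a real trace by feeding the lines of the arslsync trace file to diagnose(); the "malformed" verdict is the one that applies to this thread, since the filter the server received ends in control characters rather than the group's DC components, and no directory will match that. Only when the filter passes the checks is replaying it with ldapsearch (as suggested earlier in the thread) the next useful step.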
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 10, 2022, 07:52:51 AM
Can you upgrade to the latest fixpack for your release and try again?
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: Andreas Baaserud Hauge on November 15, 2022, 06:41:39 AM
Upgrading from CMOD 10.1.0.5 to 10.1.0.11 seems to have fixed the issue where group members were not added to the group.
Instead of existing group members being removed from the group, they are now left in the group.
Code:
2022-11-15 14:36:07.340313: ARS1225I Group Member Exists: Name >Group456<  Userid >User123<
Also group members are being added to groups
Code:
2022-11-15 14:36:07.340818: ARS1222I Group Member Add Preview: Name >Group456<  Userid >User789<
PS: I noticed you need to run ARSLSYNC twice if the group you are synchronizing does not already exist in OD.
The first run of ARSLSYNC will create the group.
The second run of ARSLSYNC will add users to that group.

Thanks for your help rjrussel!
Title: Re: Group membership not adding user during synchronization with LDAP
Post by: rjrussel on November 15, 2022, 06:59:43 AM
I wish I could remember exactly, but I think we extended the length of the GROUP DN earlier on with ARSLSYNC. Which is why upgrading worked.

"PS: I noticed, you need to run ARSLOAD twice if the group you are synchronizing does not already exist in OD." - I think you mean ARSLSYNC here.

As much as I want to pretend I didn't read this :) .... That doesn't make any sense. ARSLSYNC should create the users and populate them in a single run.