Group membership not adding user during synchronization with LDAP

[Andreas Baaserud Hauge]

Hi,

OD version: 10.1.0.5

I am currently facing a problem where Group Memberships are not adding users, only deleting both existing and not existing users.

I have a few test cases I'd like to show, which might explain my problem

Test case	Prerequisits	Status
User created in OD	User created in AD	OK
User deleted in OD	User deleted from AD	OK
Group created in OD	Group created in AD	OK
Group deleted in OD	Group deleted from AD	OK
Group membership added	User added to group in AD	NOT OK, no entry in log
Group membership deleted	User removed from group in AD	NOT OK, user deleted from OD group even when AD group has membership of that user

For test case "Group membership added", the user has been added to the group in AD. Group is synchronized to OD, but no users added to that group in OD.
For test case "Group membership deleted", users are deleted, but users that exist on that group in AD are also deleted. The users with membership to that same AD group, I would expect to still be part of that group in OD.

Help wanted <3

[rjrussel]

What directory server are you connecting to?

You should turn on server trace with LDAP=15

That will give you more information as to what is happening. BTW: 10.1.0.5 is very old (and out of support). You might want to consider upgrading.

-RR

[Andreas Baaserud Hauge]

Directory server: AD

What would I look for in the trace log?

it shows for instance

Code: [Select]

INFO arsldap.c(2173)ArcLDAPP_LDAPQuery:Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=groupA,OU=...))
OU=... is just me removing info.

is that where the members of that group would come from?

[rjrussel]

Yes, that is the query that should pull the users from the groups. 

You can place the search in any LDAP Client to see if it works. For windows I have openLDAP install which gives me access to the ldapsearch.exe client tool.

[Andreas Baaserud Hauge]

Code: [Select]

21365044:2314 11/08/2022 15:56:37:305810 INFO arsldap.c(2241)ArcLDAPP_LDAPQuery:ldap_create_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307173 INFO arsldap.c(2275)ArcLDAPP_LDAPQuery:ldap_search_ext_s ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307183 INFO arsldap.c(2305)ArcLDAPP_LDAPQuery:ldap_parse_result ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307188 INFO arsldap.c(2340)ArcLDAPP_LDAPQuery:ldap_parse_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307192 INFO arsldap.c(2355)ArcLDAPP_LDAPQuery:Current state total_cnt=0 done=1
21365044:2314 11/08/2022 15:56:37:307197 INFO arsldap.c(2380)ArcLDAPP_LDAPQuery:ldap_count_entries ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307204 INFO arsldap.c(2656)ArcLDAPP_LDAPQuery:Current state group->cnt=0
Current state group->cnt=0

believe that means it did not find members.

performing the ldap search with the same query, I receive expected members.

in tracelog, at the end of the query i see the following "�<8B><80>))". could be missing UTF-8 encoding. or if its just my terminal thats shows different encoding.

Code: [Select]

Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...OU...DC=�<8B><80>))

[rjrussel]

If there are garbage characters in the trace, I am thinking there is a problem somewhere. I have never seen a scenario where the output in trace showed something like that.

Is ARS_LDAP_GROUP_MAPPED_ATTRIBUTE  set to CN?

-RR

[Andreas Baaserud Hauge]

set to ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn

[rjrussel]

Would there happen to be any special characters in the particular Group Name?

[Andreas Baaserud Hauge]

unfortunately not 

[rjrussel]

One thing you can try is choosing a different group filter. One that finds a different group and see if you are seeing the same garbage characters... 

A thought just popped into my head. There may have been a bug in logging back then (not 100% sure). You might want to upgrade to the latest 10.1 fixpack and then try with that.   

[Andreas Baaserud Hauge]

I see the same garbage character for multiple search filters in the trace log.
But it differs a bit..

FYI: I'm reading this as UTF-8.. but I have not ran the arslsync with UTF-8 yet, cant install the locale today.

Search 1

Code: [Select]

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,DC))
Search 2

Code: [Select]

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,
Search 3

Code: [Select]

(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...,OU=...,DC=test
Ye well as you say, it could look like log bug

[Andreas Baaserud Hauge]

unfortunately changing locale to UTF-8 had no change.

Question: Synchronization of group membership, does that only work when the user does not exist in OD before running synchronization? or should the synchronization also add existing OD users to member of a group?

[rjrussel]

The users that are added to the group must exist exit in OnDemand as part of either the current sync or a previous sync.

If you run your userFilter query it should contain the users that will also be synced to groups. If the users are NOT part of your userFilter, they will not only not end up in CMOD and not end up in your group either.

[Andreas Baaserud Hauge]

The users that are added to the group must exist exit in OnDemand as part of either the current sync or a previous sync.

User exist in OnDemand, user were manually created for some reason.

If you run your userFilter query it should contain the users that will also be synced to groups. If the users are NOT part of your userFilter, they will not only not end up in CMOD and not end up in your group either.

userFilter query contain the user.

Example
As an example lets say we have User123 that already exist in OnDemand - manually created in OnDemand.
User123 also exist in AD.
Then we have a group called Group456, this group exist in both OnDemand and AD.
User123 is a member of Group456 in both OnDemand and AD before running synchronization.

arslsync -tv says

Code: [Select]

2022-11-08 12:59:24.713383: ARS1215I User Exists: Userid >User123<
2022-11-08 12:59:24.762684: ARS1224I Group Member Delete Preview: Name >Group456<  Userid >User123<

[Andreas Baaserud Hauge]

Now I deleted User123 from OnDemand.
Started the synchronization preview.

Code: [Select]

arslsync -tv
2022-11-09 22:24:49.106304: ARS1212I User Add Preview: Userid >User123<

No records of Group456