hub v7.96 / 7.97 LDAP groups are not being displayed/populated in UMP under the Account Admin portlet ACLs.
The LDAP Groups do not display and no groups are selectable in the Account Admin portlet interface->ACLs & LDAP->LDAP tab view.
In the UMP Account Admin portlet, the LDAP Groups are no longer displayed, populated or selectable when one or more of the ACLs is selected; the values are missing/empty instead. The same result can be seen in the IM 'Set LDAP Group' window (no LDAP Groups listed).
If you proceed to test the hub connection to the LDAP server the connection will fail even though the hub.cfg is still the same and the credentials are correct. Examination of the hub log during the test of the connection shows the error:
For a few customers, this issue has happened with their 2008 domain controllers but not with their 2012 domain controllers. Note that it is not always possible to keep the hub pointed at a single DC if the LDAP connection is load balanced. It is also currently unknown why this would work with a 2012 Active Directory DC.
Environment
- UIM v9.0.2 (upgraded from 8.5.1)
- hub 7.96/7.97/9.10
There are two options available to work around this issue for now:
Option 1: Use hub & robot v7.93
Downgrade the robot and hub (on the Primary hub) to hub and robot v7.93. A test of the LDAP connection then no longer throws an error about the credentials, e.g.,
LDAP Test "Login failed. Check login name and credentials."
and instead shows the expected output:
-------------------------------------------------------------
The group container (XXX) contains more than 100 groups. You should for performance reasons consider to use a Group Container with fewer groups.
-------------------------------------------------------------
Once you deploy hub and robot v7.93, the connection works again without any issues and the LDAP groups are loaded. You can confirm this from the output in the Infrastructure Manager (IM) 'Set LDAP Group' window, or in the UMP Account Admin ACLs' "LDAP Groups", which will no longer be missing the LDAP Group name values.
Option 2: Use another hub running v7.93, as a Nimsoft Proxy Hub
Configure another hub with a robot running v7.93 to connect to LDAP, then test it to confirm connectivity to the LDAP server. Then configure the Primary hub as a 'Nimsoft Proxy hub' (see General->Settings) and point it to the NimBUS address of the v7.93 hub.