Docker: IAM LDAP Configuration - Not able to sync groups
Article ID: 144813
Updated On:
Products
CA Cloud Test Mobile
CA Application Test
Issue/Introduction
IAM container (sv-docker.packages.ca.com/sv/iaam) crash when performing AD Group Sync.
Environment
Release : 10.5.1
Component : CA Service Virtualization
Cause
There are too many AD groups to sync.
IAM is timing out.
The default timeout is 5 minutes.
IAM is timing out.
The default timeout is 5 minutes.
Resolution
1) In the IAM installed/upgraded folder, add/increase the timeouts to 1800 (i.e 30 min) in standalone.xml ((/IdentityAccessManager/standalone/configuration/standalone.xml).
For "jboss.as.management.blocking.timeout"system property, "deployment-scanner"property and JTA transaction timeout limit as shown below.
Set the timeout value depending on the size of users and groups.
Standalone.xml:
...
<system-properties><property name="iam.truststore.password" value="${iam.truststore.password}"/>
<property name="jboss.as.management.blocking.timeout" value="1800"/>
</system-properties>
...
<profile>
...
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"><deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="1800"runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/></subsystem>
...
</profile>
...
<subsystem xmlns="urn:jboss:domain:transactions:4.0"><core-environment><process-id><uuid/></process-id></core-environment><recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/><coordinator-environment default-timeout="1800"/><object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
2) Use the LDAP group filter to target specific AD groups.
For "jboss.as.management.blocking.timeout"system property, "deployment-scanner"property and JTA transaction timeout limit as shown below.
Set the timeout value depending on the size of users and groups.
Standalone.xml:
...
<system-properties><property name="iam.truststore.password" value="${iam.truststore.password}"/>
<property name="jboss.as.management.blocking.timeout" value="1800"/>
</system-properties>
...
<profile>
...
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0"><deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000" deployment-timeout="1800"runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/></subsystem>
...
</profile>
...
<subsystem xmlns="urn:jboss:domain:transactions:4.0"><core-environment><process-id><uuid/></process-id></core-environment><recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/><coordinator-environment default-timeout="1800"/><object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
2) Use the LDAP group filter to target specific AD groups.
Additional Information
For configuring LDAP group filter see:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=134302
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=134302
Feedback
Yes
No
Powered by
