LDAP job not syncing new users until deleting from CMN_DIRECTORY_SERVERS

book

Article ID: 193792

calendar_today

Updated On:

Products

Clarity PPM On Premise

Issue/Introduction

Issue noticed while running LDAP sync job (Synchronize New and Changed Users) where new users from AD aren't being synced unless the sync is forced by deleting the record from the last synced run on the table CMN_DIRECTORY_SERVERS.

The usage scenario is:

  • New users are added into AD.
  • Run the LDAP sync users job but new users are not coming to PPM.
  • Delete the record from the CMN_DIRECTORY_SERVERS and run the job again. 
  • New users are synced.

Environment

Release : 15.8

Component : CLARITY PPM APPLICATION

Resolution

Lets detail and explore the likely scenario which can occur in a typical LDAP integration scenario.
  
1. Create a user “user1” in AD, timestamp1 
2. Create a group “PPM” in AD, timestamp2 
3. One hour later, add user1 in AD to group “PPM”, timestamp3 
4. Check from AD the WhenChanged attribute of both user and group.
For "user1" the WhenChanged attribute was not changed, it’s still timestamp1.
The group’s timestamp was changed to timestamp3, the moment of adding the user. 

So this means that when a user is added to AD but not to the AD PPM group, and this user is added to the AD PPM group f.e. 6 months later, then the user’s timestamp does not change, only the group’s timestamp changes. 

On executing the ldap sync job, the new user is indeed present in the AD PPM group but as his WhenChanged date is still time stamp1, which is older than the job’s last sync date, it will not be picked up by the job.

 

During the LDAP implementation stages one may end up switching between LDAP settings .i.e., changing to a different group of users / different filter, while still using the same LDAP url/server, as a best practice one needs to reset the date/time that is being used in order to detect 'new' LDAP users since the last time the job ran. In order to instigate this reset run the following delete query on the database:

    DELETE FROM CMN_DIRECTORY_SERVERS WHERE HOST_URL = 'XXXX';

    COMMIT ;

Note: Replace XXXX as per the HOST_URL

 

 

Additional Information

Generally you'll only see one line in  the table CMN_DIRECTORY_SERVERS. If you delete that line, that line will be recreated the next time the LDAP synch job runs. Deleting this line will make the synch job reread everyone. This will make the job take longer to complete. 

For a FULL LDAP synchronization one would need to truncate the table CMN_DIRECTORY_SERVERS or use a delete query to remove the row from the table.

If there is no row in the CMN_DIRECTORY_SERVERS table, information for all users who are found will be added to the xog file it creates and then xogged into PPM (equivalent of the Data Warehouse - Full load job).  If there is a row in the cmn_directory servers table all users added or modified since the last modified date in this table will be placed in the xog file it creates and xogged into ppm.  This is the equivalent of the incremental Data Warehouse job.

If changing the LDAP group/filter and even after deleting rows from CMN_DIRECTORY_SERVERS you still finding new users are not getting synched/added to PPM or they are added to PPM after the job has completed when the synch job is run, check for issues with time zones or settings getting out of sync between the ppm database server and the ldap server. 

For additional information for integrating Clarity PPM with Lightweight Directory Access Protocol (LDAP) visit TECHDOC