Disable AD users/groups when imported in TCA

Article ID: 380073


Products

VMware Telco Cloud Automation

Issue/Introduction

Customer environments can have multiple variations of Active Directory configuration and maintenance. This can cause problems in TCA, as it tries to import all the AD users and groups locally.

Environment

2.x

Cause

  1. Active Directory MaxPageSize configuration: This setting on the Active Directory server controls the number of objects returned by an LDAP/AD query; the default is 1000. As a result, TCA imports only the 1000 objects returned.

  2. Size of data synced: The Active Directory server can have more than 100000 objects. An import triggered through an API call is network intensive, and returning all the objects in a single API call may cause the call to time out.

  3. Malformed AD object: The Active Directory server can contain an object that is misconfigured with respect to the Active Directory specification, which can cause the import to fail.

  4. Refer to the following KB article, discovered on TCA 3.1.1: Ignoring misconfigured users on Customer AD.
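The truncation in cause 1 and the failure in cause 3 can be reproduced with a small in-memory model. This is an added example, not TCA or Keycloak code. `FakeAD`, `import_unpaged`, `import_paged` and `build_directory` are hypothetical names, the directory contents are constructed, and treating an empty `sAMAccountName` as the "malformed" object is an assumption.

```python
# Added illustration: an in-memory model of AD's MaxPageSize behaviour.
# All names here are hypothetical; this is not TCA or Keycloak code.
SUCCESS, SIZE_LIMIT_EXCEEDED = 0, 4  # LDAP resultCode values

class FakeAD:
    """Constructed directory that enforces MaxPageSize like a domain controller."""
    def __init__(self, entries, max_page_size=1000):
        self.entries = entries
        self.max_page_size = max_page_size

    def search(self, page_size=None, cookie=0):
        """Return (entries, result_code, next_cookie); cookie is a resume offset."""
        if page_size is None:
            # No paged-results control: the answer is cut at MaxPageSize.
            chunk = self.entries[: self.max_page_size]
            code = SIZE_LIMIT_EXCEEDED if len(self.entries) > self.max_page_size else SUCCESS
            return chunk, code, None
        size = min(page_size, self.max_page_size)
        chunk = self.entries[cookie : cookie + size]
        nxt = cookie + size
        return chunk, SUCCESS, (nxt if nxt < len(self.entries) else None)

def import_unpaged(ad):
    """Single query (cause 1): incomplete unless the result code is checked."""
    chunk, code, _ = ad.search()
    return chunk, code == SIZE_LIMIT_EXCEEDED

def import_paged(ad, page_size=500):
    """Page through the directory; skip, rather than fail on, bad entries (cause 3)."""
    imported, skipped, cookie = [], [], 0
    while cookie is not None:
        chunk, _, cookie = ad.search(page_size=page_size, cookie=cookie)
        for entry in chunk:
            if entry.get("sAMAccountName"):  # assumed required attribute
                imported.append(entry)
            else:
                skipped.append(entry["dn"])
    return imported, skipped

def build_directory(n, malformed_index):
    """Constructed sample data: n users, one with an empty sAMAccountName."""
    users = [{"dn": f"CN=user{i},DC=example,DC=test", "sAMAccountName": f"user{i}"} for i in range(n)]
    users[malformed_index]["sAMAccountName"] = ""
    return users

if __name__ == "__main__":
    ad = FakeAD(build_directory(2500, 1700))
    print(import_unpaged(ad)[1], len(import_paged(ad)[0]), import_paged(ad)[1])
```
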

Resolution

TCA disables the import of AD users and groups, and communicates with AD to determine a user's group membership.

Patch TCA via the following steps:

  1. Download the relevant patch JAR files from the keycloak-2.3-patch-jars.zip file:
    1. The 3 files included in the zip are:
      1. hybridity-appliance-management-0.1.0.war

      2. web-server-0.1.0.war

      3. keycloak-adapter-1.0.jar

  2. Copy the JAR files to TCA Manager Shell as follows:

    SCP Files
    scp hybridity-appliance-management-0.1.0.war admin@<tca-m-ip>:/opt/vmware/hybridity-appliance-management-0.1.0.war
    scp web-server-0.1.0.war admin@<tca-m-ip>:/opt/vmware/web-server-0.1.0.war
    scp keycloak-adapter-1.0.jar admin@<tca-m-ip>:/opt/vmware/Adapters/1.0/keycloak-adapter-1.0.jar
    scp keycloak-adapter-1.0.jar admin@<tca-m-ip>:/opt/vmware/Services/workflow_service_1.0/keycloak-adapter-1.0.jar
  3. Restart the relevant services

    Restart Services
    sudo systemctl restart tca-keycloak
    sudo systemctl restart appliance-management
    sudo systemctl restart web-engine
  4. Clean up the imported users and groups
    1. Inside the TCA Manager SSH terminal, log into the DB Postgres shell as follows:

      Postgres Shell
      export PGPASSWORD=$(cat /common/pgsql/passwords/keycloak_user) && psql -U keycloak_user keycloak
    2. Delete Imported Groups via the following 2 queries:

      Postgres Delete groups data
      keycloak=> delete from "group_attribute";
      DELETE 53
      keycloak=>
      keycloak=> delete from "keycloak_group";
      DELETE 53
  5. The TCA user should be able to configure Active Directory on appliance management successfully.

Attachments

keycloak-2.3-patch-jars.zip