Unable to configure vIDB in Fleet Management with more than a 1000 group search query - searching the entire DN failed with error (1551)
Article ID: 420479


Products

VCF Operations

Issue/Introduction

In the UI you see:

Your request failed with error "(1551) - Failed to lookup AD/LDAP users for IDP Configuration #####-#######-######-####### LDAP Directory xxxxx-xxxxx-xxxxx-xxxxx."

DEBUG level logging on vIDB shows output similar to the following (values redacted):
xxxxxxxxxxx DEBUG vidb-service-xxxxxxxxxxx :usergroup (ForkJoinPool-9-worker-2) [CUSTOMER;xxxxxxxxxxx -] com.vmware.vidm.dirsynclib.datastore.service.impl.LdapGroupServiceImpl - Search filter for groups query (&(objectClass=group)(cn=*xxxxxxxxxxx *)) and targetDN CN=xxxxxxxxxxx ,DC=xxxxxxxxxxx ,DC=xxxxxxxxxxx 
xxxxxxxxxxx  DEBUG vidb-service-xxxxxxxxxxx :usergroup (ForkJoinPool-9-worker-2) [CUSTOMER;xxxxxxxxxxx ;-] com.vmware.vidm.dirsynclib.datastore.transformers.request.LdapGroupRequestTransformer - LdapGroup attributes to fetch from AD: {sAMAccountName=false, objectClass=false, objectGUID=false, distinguishedName=false}

....

xxxxxxxxxxx  DEBUG vidb-service-xxxxxxxxxxx :usergroup (ForkJoinPool-9-worker-2) [xxxxxxxxxxx ;-] com.vmware.vidm.dirsynclib.datastore.querymanager.impl.jndi.JndiQueryManager - Retrieved 480 records from ldap query. Time taken to fetch data from AD 410 seconds

Environment

VCF 9.0

VCF Operations 9.0

VMware Identity Broker 9.0.0 (appliance)

AD/LDAP source does not have tuple indexing enabled

Cause

Searching for a substring in AD (a filter such as (cn=*value*)) takes a long time when the attribute has no tuple index, and the UI times out waiting for the result; in the case above the AD search took 410 seconds, while the UI API has a 3 minute timeout.

The issue occurs because the search is configured to query across the entire DN rather than a narrower scope.

Resolution

The issue will be addressed in releases after VCF 9.0.1.

Workarounds available:

1. Update your search query so that results are returned from your LDAP in less than 3 minutes. The best way to do this is to create a top level group that contains the groups/users you wish to manage through the VCF Operations UI, and scope the search to it.

2. Index the (Microsoft) AD to get faster results.

Enable tuple indexing:
https://learn.microsoft.com/en-us/windows/win32/ad/how-tuple-indexing-works

Enable bit 5 on Search-Flags (searchFlags) for the attribute used in the filter:
https://learn.microsoft.com/en-us/windows/win32/adschema/a-searchflags
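The following PowerShell helpers are an added example for both workarounds above, not part of the KB article: the first times the same substring group search vIDB issues against a narrower search base and compares it with the 3 minute UI timeout; the second reports whether the cn attribute (the attribute in the logged filter) already carries the tuple index flag and, only when asked, sets it. It assumes the RSAT ActiveDirectory module, Schema Admins rights for the schema change, and that CN=Common-Name is the schema object for cn (standard in AD); the pattern and search base in the usage comment are constructed placeholders.

```powershell
# Added example, not from the KB article. Assumes the RSAT ActiveDirectory
# module and, for the schema change, Schema Admins rights on the schema master.
Import-Module ActiveDirectory

# Workaround 1 check: time the substring group search against a narrower
# search base and compare it with the UI API timeout (3 minutes).
function Test-GroupSearchTime {
    param(
        [Parameter(Mandatory)] [string] $Pattern,     # text vIDB wraps in (cn=*...*)
        [Parameter(Mandatory)] [string] $SearchBase,  # OU or container holding the top level group
        [int] $UiTimeoutSeconds = 180
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $groups = Get-ADGroup -LDAPFilter "(cn=*$Pattern*)" -SearchBase $SearchBase
    $sw.Stop()
    [pscustomobject]@{
        Records        = @($groups).Count
        Seconds        = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        WithinUiBudget = $sw.Elapsed.TotalSeconds -lt $UiTimeoutSeconds
    }
}

# Workaround 2: tuple index = searchFlags value 32 ("bit 5") on the cn
# attribute, whose schema object is CN=Common-Name. Without -Apply it only reports.
function Enable-CnTupleIndex {
    param([switch] $Apply)
    $TupleIndex   = 32
    $schemaMaster = (Get-ADForest).SchemaMaster   # schema writes go to the FSMO holder
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $cnAttr       = Get-ADObject -Server $schemaMaster -Identity "CN=Common-Name,$schemaNC" -Properties searchFlags
    $current      = [int] $cnAttr.searchFlags
    if ($current -band $TupleIndex) {
        return "cn already tuple-indexed (searchFlags=$current)"
    }
    $new = $current -bor $TupleIndex
    if (-not $Apply) {
        return "Would change searchFlags on cn from $current to $new (re-run with -Apply)"
    }
    # Forest-wide schema change; the DC builds the new index in the background afterwards.
    Set-ADObject -Server $schemaMaster -Identity $cnAttr -Replace @{ searchFlags = $new }
    return "searchFlags on cn set to $new; re-test the query once the index has been built"
}

# Usage (placeholder values):
#   Test-GroupSearchTime -Pattern 'vcf-ops' -SearchBase 'OU=VCF Groups,DC=example,DC=com'
#   Enable-CnTupleIndex           # report only
#   Enable-CnTupleIndex -Apply    # make the schema change
```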