LDAP Synchronization does not retrieve all the Groups filtered in ldap.xml


Article ID: 87068


Products

CA Automic Dollar Universe

Issue/Introduction

The LDAP Group Synchronization on UVMS does not retrieve all the Groups defined in the filter used in ldap.xml. As a result, the output of the command unicheckldap -listgroups and the output of the LDAP Synchronization may differ.

 

Error Message :
There is no error message but the synchronization log does not show that all the groups and users have been retrieved and created on Univiewer Management Server:

2013-06-06 12:48:22 | --------------------------------------------
2013-06-06 12:48:22 | Starting Synchronization of groups with LDAP
2013-06-06 12:48:22 | --------------------------------------------
2013-06-06 12:48:25 | Connecting to LDAP: [LDAP Repository]
2013-06-06 12:48:25 | 0 matching group(s) retrieved
2013-06-06 12:48:25 | 0 matching user(s) retrieved
2013-06-06 12:48:25 | 0 group(s) were deleted from UVMS
2013-06-06 12:48:25 | 0 group(s) were created on UVMS
2013-06-06 12:48:26 | 0 login(s) were deleted from UVMS
2013-06-06 12:48:26 | 0 login(s) were created on UVMS
2013-06-06 12:48:26 | 2 login(s) could not be deleted because they are member of internal groups
2013-06-06 12:48:26 | - orsyp
2013-06-06 12:48:26 | - duadmin
2013-06-06 12:48:26 | The synchronization of groups is over

Cause

Cause type: Configuration
Root Cause: The LDAP_SYNCHRONIZATION_MODE is set by default to M (Manual List of Groups to be synchronized).

Environment

OS: All
OS Version: All OS

Component: Univiewer Management Server 6.x

Resolution

In order to make sure the LDAP Group Synchronization retrieves all Groups, please follow the procedure below:


-Turn on auto-registration of users by setting the AUTO_REGISTRATION variable to Y

unisetvar AUTO_REGISTRATION Y


If this variable is set to N, a valid LDAP login that is not declared in the UVMS will be refused access.
If this variable is set to Y, the record of a valid LDAP login will be automatically created in the UVMS on the first connection attempt.


-Enable the update of membership at login. When the AUTHENTICATION_MODE is set to "S", it is possible to turn on the update of membership at login by setting the LDAP_MEMBERSHIP_AT_LOGIN variable to Y.

When this function is activated, every time a user connects to UVMS through UVC, that user's group membership is checked on LDAP. This means that the credentials of that user will match what is defined on LDAP at the time of the login.



-Enable the synchronization type. There are two types of synchronizations which can be enabled by setting the LDAP_SYNCHRONIZATION_MODE variable.

F (Filter): All groups are automatically retrieved from LDAP.

M (Manual): The synchronization will only update the LDAP groups that are already defined in UVMS.


If you want to retrieve all Groups, you need to set it to F:


unisetvar LDAP_SYNCHRONIZATION_MODE F


-Define the Synchronization frequency in hours:

Example: 
UVMS Advance setting




-Restart UVMS and try to manually synchronize LDAP with the following command:

unisync LDAP
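
To confirm the result of the manual synchronization, the log can be checked automatically. The following is an added example, not part of the original article or of the product: a small parser for the synchronization log format shown above that extracts the counters and flags a run that retrieved no groups. The function names are hypothetical and the sample input is the log excerpt from this article.

```python
import re

# Sample input: the log excerpt shown in this article (line format assumed stable).
SAMPLE_LOG = """\
2013-06-06 12:48:25 | Connecting to LDAP: [LDAP Repository]
2013-06-06 12:48:25 | 0 matching group(s) retrieved
2013-06-06 12:48:25 | 0 matching user(s) retrieved
2013-06-06 12:48:25 | 0 group(s) were deleted from UVMS
2013-06-06 12:48:25 | 0 group(s) were created on UVMS
2013-06-06 12:48:26 | 0 login(s) were deleted from UVMS
2013-06-06 12:48:26 | 0 login(s) were created on UVMS
2013-06-06 12:48:26 | 2 login(s) could not be deleted because they are member of internal groups
2013-06-06 12:48:26 | - orsyp
2013-06-06 12:48:26 | - duadmin
2013-06-06 12:48:26 | The synchronization of groups is over
"""

# "timestamp | message"; a stray leading "|" from copy/paste is tolerated.
LINE_RE = re.compile(r"^\s*\|?\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*\|\s*(.*?)\s*$")
COUNTER_RE = re.compile(r"^(\d+) (?:matching )?(group|user|login)\(s\) (?:were )?"
                        r"(retrieved|created|deleted|could not be deleted)")

def parse_sync_log(text):
    """Return the counters, the logins kept in internal groups, and the end marker."""
    summary = {"counters": {}, "kept_logins": [], "finished": False}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        c = COUNTER_RE.match(msg)
        if c:
            key = f"{c.group(2)}s_{c.group(3).replace(' ', '_')}"
            summary["counters"][key] = int(c.group(1))
        elif msg.startswith("- "):
            summary["kept_logins"].append(msg[2:].strip())
        elif msg.startswith("The synchronization of groups is over"):
            summary["finished"] = True
    return summary

def findings(summary):
    """List the conditions an administrator should review after a run."""
    out = []
    if not summary["finished"]:
        out.append("end-of-synchronization line not found")
    if summary["counters"].get("groups_retrieved", 0) == 0:
        out.append("no groups retrieved: check LDAP_SYNCHRONIZATION_MODE (M or F)")
    if summary["kept_logins"]:
        out.append("logins kept (internal groups): " + ", ".join(summary["kept_logins"]))
    return out
```

Calling findings(parse_sync_log(SAMPLE_LOG)) on the excerpt above reports the missing groups and the two logins that were kept.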
