When trying to assign LDAP groups to an ACL in IM I get the error "Cannot list LDAP groups"

Article ID: 93210

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

In IM (or Admin Console), you can assign LDAP groups to ACLs via Security -> Manage Access Control List... -> Set LDAP group. In some environments this causes IM (or Admin Console) to report the error "Cannot list LDAP groups" with no further information about the problem.

Environment

Any current UIM version

Cause

In the background, the hub runs an LDAP search on the DN defined in the LDAP configuration to find all groups. By default this DN is the base DN, and in large environments with hundreds or thousands of groups the IM (or Admin Console) timeout is reached before the hub has finished compiling the list, which produces the error message "Cannot list LDAP groups".

Resolution

You cannot specify a specific list of groups for UIM use in the GUI.  What you can do is:

  1. Create a sub-container for the LDAP groups you want to use for UIM, move those groups into that container, and change the DN for the groups container in the hub configuration.
  2. Edit the AD template in hub.cfg, specifically the filter_group entry, so that it includes both the object category and the group name pattern you want the hub to limit the search to. This lets the hub stay within the timeout when too many groups exist under the DN in the hub configuration. The filter would need to look like this:
(&(objectCategory=group)(cn=<common part of group names>*))

For example, if all your groups contain the word "Nimsoft", you could put:

filter_group = (&(objectCategory=group)(cn=*Nimsoft*))
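The following is an added example, not part of this article or of the UIM product: a small evaluator that parses a filter_group line and applies it to a constructed set of directory entries, so you can see offline which groups a candidate filter would return before editing hub.cfg. It supports only the subset of RFC 4515 the article's filter uses (&, |, ! and attr=value with * wildcards); the entry names are constructed, and the case-insensitive matching mimics how Active Directory compares cn values. For a real check, the same filter string can be passed to ldapsearch against your directory.

```python
import re

# Constructed sample entries under the hub's LDAP base DN (hypothetical names).
# objectCategory and cn are the attributes the article's filter_group uses.
SAMPLE_ENTRIES = [
    {"objectCategory": "group", "cn": "Nimsoft Admins"},
    {"objectCategory": "group", "cn": "Nimsoft Operators"},
    {"objectCategory": "group", "cn": "UIM-Nimsoft-ReadOnly"},
    {"objectCategory": "group", "cn": "Finance Users"},
    {"objectCategory": "group", "cn": "Domain Admins"},
    {"objectCategory": "person", "cn": "Nimsoft Service Account"},
]


def filter_from_cfg_line(line):
    """Extract the filter string from a 'filter_group = (...)' line of hub.cfg."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "filter_group":
        raise ValueError("not a filter_group line")
    return value.strip()


def parse_filter(text):
    """Parse a subset of RFC 4515: (&...), (|...), (!...) and (attr=value).

    Returns a nested tuple tree; raises ValueError on malformed input.
    Whitespace between components (as in the article's template) is tolerated.
    """
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse():
        nonlocal pos
        skip_ws()
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        skip_ws()
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            skip_ws()
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
                skip_ws()
            if pos >= len(text) or text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("missing ')' after assertion")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed assertion: {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = parse()
    skip_ws()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _match_value(pattern, actual):
    # '*' is the only wildcard in a substring assertion; compare case-insensitively.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, actual, re.IGNORECASE) is not None


def evaluate(tree, entry):
    """Return True if the parsed filter matches the entry (attribute names case-insensitive)."""
    op = tree[0]
    if op == "=":
        _, attr, pattern = tree
        attrs = {k.lower(): v for k, v in entry.items()}
        return attr in attrs and _match_value(pattern, attrs[attr])
    if op == "&":
        return all(evaluate(c, entry) for c in tree[1])
    if op == "|":
        return any(evaluate(c, entry) for c in tree[1])
    return not evaluate(tree[1][0], entry)


def matching_groups(filter_text, entries=SAMPLE_ENTRIES):
    """Names (cn) of the entries the filter would return, in directory order."""
    tree = parse_filter(filter_text)
    return [e["cn"] for e in entries if evaluate(tree, e)]


if __name__ == "__main__":
    print("default :", matching_groups("(objectCategory=group)"))
    print("narrowed:", matching_groups(filter_from_cfg_line(
        "filter_group = (&(objectCategory=group)(cn=*Nimsoft*))")))
```

Running the block shows the default category-only filter returning every group under the base DN, while the narrowed filter returns only the Nimsoft groups and still excludes the non-group entry whose cn happens to contain "Nimsoft", which is why the objectCategory clause stays in the filter.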