Authoritative Guide on AD Powershell Config

  • #2589
    etis
    Participant

    The majority of the issues in the forum have to do with errors encountered while configuring the AD Powershell Connector, especially the Synchronization configuration.

    Can we have a complete guide on:
    1. Managed System Configuration for the AD Powershell connector with specific values for each field
    2. Synchronization configuration for the AD Powershell connector with specific values for each field
    3. Reconciliation configuration for the AD Powershell connector with specific values for each field

    Common errors during Synchronization and how to resolve them. Examples:
    Nothing has been found in target system. Configuration query was:Get-ADUser -filter *
    Nothing has been found in target system. Configuration query was:Get-ADUser -Filter {objectClass -eq “user”}

    can’t retrieve lineObjects from target systemclass ADAttributeNamesLookup cannot be cast to class org.openiam.sync.service.AttributesScript
    (This happens when we set Attribute Names Lookup to – /attribute-lookup/ADAttibuteNamesLookup.groovy)

    It will save time for users having to open different topics for similar problems.

    #2713
    Neil Herbert
    Participant

    Great post, great request. I agree we need the docs to cover things in a bit more detail such as the issues mentioned.

    However, this is probably something we as a community should be able to cover. I’ve been thinking for a while we really need some community champions to help drive the community. There are so few people active on here, we need end users to help engage with the community and make it better. The more of us that engage with the community, the fewer unanswered questions there will be and answers to the problems mentioned will be readily available.

    #2714
    etis
    Participant

    Thanks Neil.

    There’s an upcoming OpenIAM webinar that I think might address some of our questions.
    That shouldn’t stop us though from helping out when we can, like you said.

    A key step that we can help ourselves with is what to do if we have specific types of error messages like the ones I listed out.
    Configurations might not always work, but if we know how to troubleshoot, it will help in leading us to the right path.

    #2718
    Neil Herbert
    Participant

    I’ve tried to reply a few times to you but because I’ve tried to include links to the OpenIAM docs, it appears my replies have been moderated. 🙁

    #2719
    etis
    Participant

    I guess it’s due to the doc links. I’ve used a combination of the old and new guides but the specific issue of Synchronization not working on a Powershell AD Connector & Managed System remains.

    #2716
    Neil Herbert
    Participant

    One of the most common issues appears to be this one:

    Nothing has been found in target system. Configuration query was:Get-ADUser -filter *
    Nothing has been found in target system. Configuration query was:Get-ADUser -Filter {objectClass -eq “user”}

    I’ve replied to a number of posts that state this error. The first thing to check is whether the connector is talking to OpenIAM. This error usually indicates that there is a communications issue with the connector and OpenIAM.

    Go to the Managed Systems page and check that the status is in green and has a recent timestamp. I believe connectors are meant to check in every 60 seconds.

    If green, check the logs. Details of how to view the AD Powershell Connector logs can be found in the docs here.

    Check for errors in the logs as well as whether it’s getting requests from RabbitMQ and whether it starts to try and collect what has been asked for. Watch the task manager; increased memory use for the AD Powershell Connector is a good indicator that it’s doing something.

    You should limit the scope of what you are requesting with your search query, such as only selecting the attributes needed. I’ve seen 70,000 user objects without specifying the attributes needed using 4 GB of RAM! Start by limiting the scope to just one user and try again. If limiting it to one user works, it’s likely a timeout issue, otherwise it’s likely to be an issue with your search query or maybe even permissions. Information on what to use as a search query can be found on the docs here. Try running the same query manually in Powershell and see if you get any results.

    If you have more than a handful of user objects in AD, the chances are that this error indicates a timeout issue. Watch the stdout and stderr for your OpenIAM services; you may see an error stating that a response was not received in time from RabbitMQ. If you see this, the AD Powershell Connector is taking too long to respond; this means it’s got a lot of data to get and process. The default timeout is either 30 or 60 seconds (can’t remember which) in which OpenIAM will wait for a response before abandoning the request. I don’t think this is in the docs, but you need to increase the timeout for the IDM and Synchronization service. You do this by adding new parameters to the javaopts within your deployment. I can’t remember the exact settings but can find them later.

    Feel free to chip in things I’ve missed, correct me with things I’ve gotten wrong.
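
The manual check described in the last post (run the query by hand, start with one user, request only the attributes needed, then widen the scope) can be scripted as below. This is an added example, not code from the thread or from the OpenIAM docs; the attribute list, the `jdoe` account name and the `Test-SyncQuery` helper are assumptions to adapt, and the 30-second warning threshold is the lower of the two default timeouts the post mentions.

```powershell
# Added example (not from the thread or the OpenIAM docs).
# Requires the ActiveDirectory module (RSAT) on the machine where it runs.
Import-Module ActiveDirectory

# Assumptions: attribute list and test account are placeholders to adapt.
$Attributes  = 'sAMAccountName', 'mail', 'givenName', 'sn'
$TestAccount = 'jdoe'      # hypothetical sAMAccountName
$WarnSeconds = 30          # lower of the two default timeouts mentioned in the post

function Test-SyncQuery {
    param([string]$Label, [scriptblock]$Query)

    $count = 0; $failure = $null
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $count = @(& $Query).Count }          # force enumeration so timing is real
    catch { $failure = $_.Exception.Message }
    $timer.Stop()

    # Map the outcome to the causes named in the post.
    $hint = if ($failure) {
        'query failed: check filter syntax, connectivity, permissions'
    } elseif ($count -eq 0) {
        'no objects returned: check filter, search scope, permissions'
    } elseif ($timer.Elapsed.TotalSeconds -ge $WarnSeconds) {
        'slow: likely to hit the sync timeout'
    } else { 'ok' }

    [pscustomobject]@{
        Step    = $Label
        Objects = $count
        Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1)
        Hint    = $hint
        Error   = $failure
    }
}

# Widen the scope one step at a time; stop at the first step that misbehaves.
$results = @(
    Test-SyncQuery 'one user' {
        Get-ADUser -Filter "sAMAccountName -eq '$TestAccount'" -Properties $Attributes -ErrorAction Stop
    }
    Test-SyncQuery 'first 100 users' {
        Get-ADUser -Filter * -Properties $Attributes -ResultSetSize 100 -ErrorAction Stop
    }
    Test-SyncQuery 'all users, selected attributes' {
        Get-ADUser -Filter * -Properties $Attributes -ErrorAction Stop
    }
)
$results | Format-Table -AutoSize -Wrap
```

Run it under the same account the connector uses, so that a permissions problem shows up in the manual test as well.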
