Sync MS AD users and groups using Ldap


Viewing 15 posts - 1 through 15 (of 16 total)
  • #2738
    Anuradha bopagama
    Participant

    In my environment I am not allowed to install any third-party software on the AD servers, so I need to sync AD users and groups using LDAP. We have Microsoft AD 2012 R2. Please share any user guide for doing the integration. The official OpenIAM guide is not working. I tried this link: https://docs.openiam.com/docs-4.1.14/html/connectors/ldap-ad.htm

    #2740
    Neil Herbert
    Participant

    Hi Anuradha,

    Just a quick note that the AD PowerShell Connector does not need to be installed on a domain controller. You can install it on its own server; just domain-join it, there is no need for it to hold any domain controller roles. Even if you were OK with doing that, I'd recommend you do it on a separate box anyway.

    If you still want to go down the LDAP Connector route, it would be helpful if you let me know what version of OpenIAM you have installed and how it is deployed.

    Neil

    #2741
    Anuradha bopagama
    Participant

    HI Neil
    Thank you for your quick response.
    Actually I tried the AD PowerShell Connector installed on our domain-joined separate server. The connection was established successfully, but AD users and groups were not synced with the OpenIAM instance. Why is that?

    #2743
    Neil Herbert
    Participant

    You would need to dig into the logs to find out. Just a general note on that: you need to import groups before users. Group memberships live on the AD user object, so groups need to exist before you import users.

    Take a look at the OpenIAM logs and see if you get any errors. Also take a look through the AD Powershell Connector logs to see what’s going on. Need to get an idea of what errors or logs you are seeing to take a guess at what’s going on. https://docs.openiam.com/docs-4.2.0.9/connectorconfig/microsoft/2-powershellconnectorsusage will show you how to view the connector logs.

    How many user objects do you have in AD? Did you try reducing the scope of your search query to a single user to see if it imported it?
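
    As an added example (not code from this forum post or from OpenIAM), the scoped check suggested above, in the PowerShell the connector host already has: query one user by sAMAccountName with the service account and confirm that every group on its memberOf attribute resolves, since those groups must exist before the user is imported. The server name dc01.corp.example, the account jdoe and the function name are assumptions for illustration; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not the OpenIAM connector's own code.
# Assumes the RSAT ActiveDirectory module is installed on the connector host and
# that dc01.corp.example (hypothetical) is a reachable domain controller.
Import-Module ActiveDirectory

function Test-UserGroupDependencies {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Server,
        [System.Management.Automation.PSCredential] $Credential
    )

    # Same two things the connector is configured with: an explicit server and the service account.
    $common = @{ Server = $Server }
    if ($Credential) { $common.Credential = $Credential }

    # Scope the search to a single object with an LDAP filter instead of pulling the whole directory.
    # $SamAccountName is assumed to be a plain account name (no LDAP filter metacharacters).
    $user = Get-ADUser @common -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties memberOf
    if (-not $user) { throw "User '$SamAccountName' not found on $Server" }

    $missing = @()
    foreach ($dn in @($user.memberOf)) {
        # Resolve each group DN; a failure means the user would be imported carrying a
        # membership that points at a group the import has not seen yet.
        try {
            $null = Get-ADGroup @common -Identity $dn
        } catch {
            $missing += $dn
        }
    }

    [pscustomobject]@{
        User          = $user.SamAccountName
        GroupCount    = @($user.memberOf).Count
        MissingGroups = $missing
    }
}

# Usage: run on the connector host with the managed-system service account.
$cred = Get-Credential -Message 'OpenIAM AD service account'
Test-UserGroupDependencies -SamAccountName 'jdoe' -Server 'dc01.corp.example' -Credential $cred
```

    A DN listed under MissingGroups is one the configured server could not resolve; that also happens for groups from another domain in the forest, and the user's primary group (normally Domain Users) never appears in memberOf at all, so those two cases are worth ruling out before treating a miss as an import-order problem.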

    #2745
    Anuradha bopagama
    Participant

    Hi

    When I try to troubleshoot why OpenIAM does not sync with AD, I found the following log in the AD PowerShell connector logs:

    Response result is '{"status":"FAILURE","errorCode":"FAIL_CONNECTOR","errorText":"Exception at Program.RequestHandler at invoking PowerShell - '\r\nSystem.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive ---> System.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive\r\n --- End of inner exception stack trace ---\r\n at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)\r\n at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)\r\n at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)\r\n at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings)\r\n at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection1 input, PSDataCollection1 output, PSInvocationSettings settings)\r\n at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)\r\n at ConnectorRequestRunner.Workers.PowershellWorker.RunPowershellScript(String scriptPath, MessageInfo openIAMRequest)\r\n'\r\nUnable to contact the server. 
This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.\r\nAt C:\\Connectors\\ADConnector\\Connector.ps1:2277 char:9\r\n+ New-PSDrive -PSProvider ActiveDirectory -Server $headerAttrib ...\r\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nCategoryInfo: InvalidOperation: (:) [New-PSDrive], ADServerDownException\r\nFullyQualifiedErrorId: NewDriveProviderException,Microsoft.PowerShell.Commands.NewPSDriveCommand\r\n\r\n","fieldMappings":null,"stacktraceText":null,"responseValue":null,"errorTokenList":null,"failure":true,"success":false,"identity":null,"managedSystemId":"active_dir_win02_managed_sys_id","objectType":"USER","applicationId":"6484@172.24.90.132","userList":null,"groupList":null,"passwordExpirationDate":null,"daysToExpiration":null,"passwordChangeNeeded":false,"accountEnabled":false,"accountFound":false,"communicationException":false,"parentAuditLogId":null}'
    Any ideas why this happen?

    #2746
    Anuradha bopagama
    Participant

    Hi

    When I try to synchronize the groups in the Provisioning menu, the error log below appears in the AD connector log. I installed the AD connector on a separate server which is joined to my domain.

    PowerShell exception System.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive ---> System.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive
       --- End of inner exception stack trace ---
       at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
       at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
       at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
       at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
       at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
       at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
       at ConnectorRequestRunner.Workers.PowershellWorker.RunPowershellScript(String scriptPath, MessageInfo openIAMRequest)

    #2747
    Neil Herbert
    Participant

    The first thing to try is to check that you can connect to AD via PowerShell on the host you have installed the AD PowerShell Connector on. Use the credentials for the service account you have specified in the managed system. Ensure the host can look up the domain by DNS and connect via PowerShell.

    https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser

    #2748
    Anuradha bopagama
    Participant

    Hi Neil,

    I have tried that, and I can browse AD user attributes from the server where the AD connector is installed, using the service account, without any issue.
    Is there any configuration file to define my AD server IP or FQDN on the OpenIAM server or on the AD connector server?

    #2750
    Neil Herbert
    Participant

    You need to configure that in the same place you configured the service account. Within the Webconsole → Provisioning → Managed Systems → Name of Managed System. You’ll find a “Host URL” field towards the top. Feel free to share your configuration with us.

    #2752
    Anuradha bopagama
    Participant

    Hi Neil,

    I have attached a screenshot of the Managed Service configuration page. As you can see, the 2nd attached screenshot shows that the server on which the AD PowerShell connector is installed is successfully connected to the OpenIAM server.

    #2755
    Anuradha bopagama
    Participant

    Hi
    I was able to create a user in the OpenIAM system and sync it with our AD. But can I get all the users in AD into the OpenIAM system, so I can make user changes from the OpenIAM console and also reset user passwords from the OpenIAM self-service portal?

    #2790
    Vitaly Shad
    Participant

    Hello. I have the same error. How did you solve it?

    #2792
    Vitaly Shad
    Participant

    error:

    Exception at Program.RequestHandler at invoking PowerShell - 'System.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive ---> System.Management.Automation.RuntimeException: Unable to connect to AD as PSDrive
       --- End of inner exception stack trace ---
       at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
       at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
       at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
       at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
       at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
       at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
       at ConnectorRequestRunner.Workers.PowershellWorker.RunPowershellScript(String scriptPath, MessageInfo openIAMRequest)
    '
    ldap://192.168.192.212
    At C:\Connectors\ADConnector\Connector.ps1:2277 char:9
    + New-PSDrive -PSProvider ActiveDirectory -Server $headerAttributes.Url -C …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    CategoryInfo: InvalidOperation: (:) [New-PSDrive], ArgumentException
    FullyQualifiedErrorId: NewDriveProviderException,Microsoft.PowerShell.Commands.NewPSDriveCommand

    #2796
    Neil Herbert
    Participant

    Hi Vitaly,

    Though this is a related issue, for ease, please try not to hijack someone else’s post as it can make a thread confusing to follow. Also, the forums are being replaced by our new community at https://community.openiam.com so it may be better to repost your issue there.

    Could you please post more information such as the version you are running, how you have deployed it, what you are trying to achieve and what you have done so far. It is also useful to post your Managed System configuration, as this is likely a configuration issue. I have no idea if this is normal, I would guess not, but your PowerShell log mentions that it's trying to connect to LDAP, which doesn't seem right.

    Neil
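
    For both the suggestion in #2747 (check that the connector host can resolve the domain and reach AD through PowerShell with the service account) and the remark in #2796 about the log showing an ldap:// value, here is an added example in PowerShell. It is not OpenIAM's Connector.ps1; it reproduces the call the posted logs show the connector making at Connector.ps1:2277 (New-PSDrive -PSProvider ActiveDirectory -Server $headerAttributes.Url) one step at a time, so each of the two failure modes in this thread is isolated: the ADServerDownException ("does not have the Active Directory Web Services running") from the first log and the ArgumentException from the second. The function name, the drive name OpenIamTest and the host dc01.corp.example are assumptions; that the ActiveDirectory PowerShell provider connects over Active Directory Web Services on TCP 9389 rather than LDAP is standard Windows behaviour, and that New-PSDrive -Server takes a host name or IP rather than a URL is standard PowerShell behaviour.

```powershell
# Added example, not OpenIAM's Connector.ps1.
# Assumes the RSAT ActiveDirectory module is installed on the connector host and that
# $HostUrl and $Credential are the values entered in the managed-system configuration.
Import-Module ActiveDirectory

function Test-ConnectorAdAccess {
    param(
        [Parameter(Mandatory)] [string] $HostUrl,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )

    $result = [ordered]@{ HostUrl = $HostUrl }

    # 1. The Host URL goes straight to New-PSDrive -Server, which expects a host name or
    #    IP (optionally host:port), not a URL. A value such as ldap://192.168.192.212
    #    fails with ArgumentException, which is what the second log in this thread shows.
    if ($HostUrl -match '^[a-z]+://') {
        $result.Problem = 'Host URL carries a URI scheme; use a bare host name or IP'
        return [pscustomobject]$result
    }
    $server = ($HostUrl -split ':')[0]

    # 2. DNS: the connector host must be able to resolve the DC or domain name.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($server, [ref]$ip)) {
        $result.Resolved = $server
    } else {
        try {
            $result.Resolved = Resolve-DnsName -Name $server -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress } | Select-Object -First 1 -ExpandProperty IPAddress
        } catch {
            $result.Problem = "DNS lookup for '$server' failed: $($_.Exception.Message)"
            return [pscustomobject]$result
        }
    }

    # 3. ADWS: the ActiveDirectory provider talks to Active Directory Web Services on
    #    TCP 9389, not to LDAP on 389. "Unable to contact the server ... Active Directory
    #    Web Services" in the first log means this port is blocked or the service is stopped.
    $adws = Test-NetConnection -ComputerName $server -Port 9389 -WarningAction SilentlyContinue
    $result.AdwsReachable = $adws.TcpTestSucceeded
    if (-not $adws.TcpTestSucceeded) {
        $result.Problem = "TCP 9389 (ADWS) on $server is not reachable from this host"
        return [pscustomobject]$result
    }

    # 4. The same call the connector makes, with the service account credential.
    try {
        $null = New-PSDrive -Name OpenIamTest -PSProvider ActiveDirectory -Root '' `
            -Server $server -Credential $Credential -ErrorAction Stop
        $result.PSDrive = 'OK'
        Remove-PSDrive -Name OpenIamTest
    } catch {
        $result.Problem = "New-PSDrive failed: $($_.Exception.Message)"
    }

    [pscustomobject]$result
}

# Usage: run on the connector host as the account the connector service runs under.
$cred = Get-Credential -Message 'OpenIAM AD service account'
Test-ConnectorAdAccess -HostUrl 'dc01.corp.example' -Credential $cred
```

    The Problem field names the first step that fails, so a firewall between the connector host and the DC (step 3) is told apart from a bad Host URL (step 1) or a wrong service-account password (step 4). An interactive Get-ADUser succeeding on the same box, as reported earlier in the thread, only proves steps 2 to 4 for the logged-in user against whatever DC the host located on its own; this runs them against the exact server value and credential the connector is configured with.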

    #2801
    Anuradha bopagama
    Participant

    Hi
    I was able to create a user in the OpenIAM system and sync it with our AD. But can I get all the users in AD synced into the OpenIAM system, so I can manage user changes from the OpenIAM console and also reset user passwords from the OpenIAM self-service portal?
