Forum Replies Created

Viewing 15 posts - 1 through 15 (of 27 total)
    in reply to: Powershell Sync User Scripts #2857
    Neil Herbert
    Participant

    Hi Borja,

    These forums are no longer used, please join us over at https://community.openiam.com

    Neil

    in reply to: AD User not Sync’d #2833
    Neil Herbert
    Participant

    Hi Jefri,

    Welcome to the forums, unfortunately, we’ve moved! Please join us at https://community.openiam.com and repost over there. It may be useful to post your managed system configuration as well.

    Neil

    in reply to: Sync MS AD users and groups using Ldap #2796
    Neil Herbert
    Participant

    Hi Vitaly,

    Though this is a related issue, for ease, please try not to hijack someone else’s post as it can make a thread confusing to follow. Also, the forums are being replaced by our new community at https://community.openiam.com so it may be better to repost your issue there.

    Please can you post more information such as the version you are running, how you have deployed, what you are trying to achieve and what you have done so far. It is also useful to post your Managed System configuration as this is likely a configuration issue. I have no idea if this is normal (I would guess not), but your PowerShell log mentions that it’s trying to connect to LDAP, which doesn’t seem right.

    Neil

    in reply to: Reconciliation JDBC Target system #2783
    Neil Herbert
    Participant

    Hi Davide,

    From your other post, I understand that you have deployed via Docker? The first thing to do is make sure you are deploying the JDBC Connector. OpenIAM uses SOA or Microservices and the JDBC Connector “Microservice” is not deployed out of the box. You will need to make sure you’ve uncommented line 180 in the startup.sh file (https://bitbucket.org/openiam/openiam-docker-compose/src/84ec2c1cd38bbf0c6150bd3aa2ed2e8757c03df5/startup.sh#lines-180).

    Out of the box you will find that the JDBC Connector is already supplied as a configured connector, you should also find an example JDBC Managed System which will help you get started.

    In the search query field you need to write your SQL select statement to get users from that system and either use the Policy Map or a Transform groovy script to map the columns from the database to OpenIAM.

    Hopefully that’s enough to get you going.

    in reply to: Sync MS AD users and groups using Ldap #2750
    Neil Herbert
    Participant

    You need to configure that in the same place you configured the service account. Within the Webconsole → Provisioning → Managed Systems → Name of Managed System. You’ll find a “Host URL” field towards the top. Feel free to share your configuration with us.

    in reply to: Sync MS AD users and groups using Ldap #2747
    Neil Herbert
    Participant

    The first thing to try is to check that you can connect to AD via PowerShell on the host you have installed the AD PowerShell Connector on. Use the credentials for the service account you have specified in the managed system. Ensure the host can look up the domain by DNS and connect via PowerShell.

    https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser

    in reply to: Sync MS AD users and groups using Ldap #2743
    Neil Herbert
    Participant

    You would need to dig into the logs to find out. Just a general note on that: you need to import groups before users. Group memberships live on the AD User object, so groups need to exist before you import users.

    Take a look at the OpenIAM logs and see if you get any errors. Also take a look through the AD Powershell Connector logs to see what’s going on. I need to get an idea of what errors or logs you are seeing to take a guess at what’s going on. https://docs.openiam.com/docs-4.2.0.9/connectorconfig/microsoft/2-powershellconnectorsusage will show you how to view the connector logs.

    How many user objects do you have in AD? Did you try reducing the scope of your search query to a single user to see if it imported it?

    in reply to: Sync MS AD users and groups using Ldap #2740
    Neil Herbert
    Participant

    Hi Anuradha,

    Just a quick note that the AD Powershell Connector does not need to be installed on a domain controller. You can install it on its own server; just domain join it, no need to have any domain controller roles. Even if you were ok with doing that, I’d recommend you do it on a separate box anyway.

    If you still want to go down the LDAP Connector route, it would be helpful if you let me know what version of OpenIAM you have installed and how it is deployed.

    Neil

    in reply to: Connector JDBC #2732
    Neil Herbert
    Participant

    So that is a different connector, the JDBC Connector will be called jdbc-connector-rabbitmq.jar.

    This can be downloaded from:

    https://download.openiam.com/release/community/4.2.0.9/connectors/jdbc-connector-rabbitmq.jar

    Follow the docs on my previous link. Ensure it has the right owner. Also ensure you configure the JDBC connector on the VM and point it at the Connector Queue listed under Webconsole → Provisioning → Connectors → JDBC Connector. You should see examples of how other connectors are configured somewhere in /usr/local/openiam/connectors.

    in reply to: Connector JDBC #2730
    Neil Herbert
    Participant

    If it’s not able to verify the connection, it sounds like you might not have the JDBC connector started. Some connectors are not supplied or started with the base install. Take a look inside the /usr/local/openiam/connectors/bin/ folder and make sure the appropriate connector binary is present. You will then need to check that the connector has been started using the instructions at https://docs.openiam.com/docs-4.2.0.9/connectorconfig/1-registerconnector/2-rpm

    in reply to: Connector JDBC #2728
    Neil Herbert
    Participant

    Hi Davide, welcome to the OpenIAM community!

    I will see what I can do to help, but you will need to provide more information.

    The error you are seeing suggests a timeout issue between OpenIAM, RabbitMQ and the JDBC Connector. OpenIAM posts messages/events onto RabbitMQ which are then picked up by connectors for processing. The error you’ve posted shows that OpenIAM isn’t receiving a response within the default timeout.

    • What are you trying to do when you see this error?
    • Have you run your search query directly on the database? If so how long does it take to complete?
    • Do you get a green timestamp next to the managed system that’s using the JDBC Connector?
    • How have you deployed OpenIAM? Docker, RPM, etc.?
    • Have you deployed a JDBC connector within your environment?

    Neil

    in reply to: Disallow user edit personal info #2721
    Neil Herbert
    Participant

    Hi Ben,

    I know this is a slightly old post but thought it might be useful for others to answer you.

    Take a look at this section of the docs from an older release – https://docs.openiam.com/docs-4.1.14/html/administration/sysadm/page-templates.htm

    Log in to the WebConsole, go to Page Templates under the Administration menu. Find the Default template and edit it. The default template governs what end users on the self-service portal see. Pick the fields you want to prevent the end user from editing, click edit, untick the Is Editable box and save the field.

    Neil

    in reply to: Authoritative Guide on AD Powershell Config #2716
    Neil Herbert
    Participant

    One of the most common issues appears to be this one:

    Nothing has been found in target system. Configuration query was:Get-ADUser -filter *
    Nothing has been found in target system. Configuration query was:Get-ADUser -Filter {objectClass -eq “user”}

    I’ve replied to a number of posts that state this error. The first thing to check is whether the connector is talking to OpenIAM. This error usually indicates that there is a communications issue between the connector and OpenIAM.

    Go to the Managed Systems page and check that the status is in green and has a recent timestamp. I believe connectors are meant to check in every 60 seconds.

    If green check the logs. Details of how to view the AD Powershell Connector logs can be found in the docs here.

    Check for errors in the logs as well as whether it’s getting requests from RabbitMQ and whether it starts to try and collect what has been asked for. Watch the task manager, increased memory use for the AD Powershell Connector is a good indicator that it’s doing something.

    You should limit the scope of what you are requesting with your search query, such as only selecting the attributes needed. I’ve seen 70,000 user objects without specifying the attributes needed using 4 GB of RAM! Start by limiting the scope to just one user and try again. If limiting it to one user works, it’s likely a timeout issue; otherwise it’s likely to be an issue with your search query or maybe even permissions. Information on what to use as a search query can be found on the docs here. Try running the same query manually in PowerShell and see if you get any results.

    If you have more than a handful of user objects in AD, the chances are that this error indicates a timeout issue. Watch the stdout and stderr for your OpenIAM services; you may see an error stating that a response was not received in time from RabbitMQ. If you see this, the AD Powershell Connector is taking too long to respond, which means it’s got a lot of data to get and process. The default timeout is either 30 or 60 seconds (can’t remember which) in which OpenIAM will wait for a response before abandoning the request. I don’t think this is in the docs, but you need to increase the timeout for the IDM and Synchronization service. You do this by adding new parameters to the javaopts within your deployment. I can’t remember the exact settings but can find them later.

    Feel free to chip in things I’ve missed, correct me with things I’ve gotten wrong.
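    The manual checks suggested in reply #2747 (DNS lookup of the domain, connecting as the service account, running Get-ADUser by hand) and the scoping advice in the reply above, as one added PowerShell script; it is not OpenIAM code or from the reply author, and the domain name, service account, test user and 30-second timeout are constructed placeholders.

```powershell
# Added example, not OpenIAM code or part of the original replies.
# Walks the checks from the replies above in order: DNS lookup of the domain,
# binding as the connector's service account, a one-user query, then a bounded
# full query with an explicit attribute list, each timed so the result can be
# compared against the OpenIAM/RabbitMQ response timeout.
# Constructed placeholder values: corp.example.com, CORP\svc-openiam, jdoe.
param(
    [string]$Domain         = 'corp.example.com',
    [string]$ServiceUser    = 'CORP\svc-openiam',
    [string]$TestUser       = 'jdoe',
    [int]$TimeoutSeconds    = 30   # the reply above says the default is 30 or 60 s
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. DNS: locate a domain controller through the standard LDAP SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
if (-not $srv) { throw "No SRV record for $Domain; this host cannot locate a domain controller." }
$dc = $srv.NameTarget
Write-Host "Domain controller from DNS: $dc"

# 2. Bind with the service account the Managed System is configured with,
#    not the interactively logged-on user.
$cred = Get-Credential -UserName $ServiceUser -Message 'Connector service account password'

# 3. Smallest possible query: one user, only the attributes the sync maps.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$one = Get-ADUser -Server $dc -Credential $cred `
       -Filter "sAMAccountName -eq '$TestUser'" -Properties mail, displayName, memberOf
$sw.Stop()
if (-not $one) { throw "Lookup of '$TestUser' returned nothing: check the filter and the account's read permissions." }
Write-Host ("Single user fetched in {0:N1}s" -f $sw.Elapsed.TotalSeconds)

# 4. The query as the connector would run it, but bounded with -ResultSetSize and
#    the same explicit attribute list (never -Properties *).
$sw.Restart()
$all = @(Get-ADUser -Server $dc -Credential $cred -Filter * `
         -Properties mail, displayName -ResultSetSize 5000)
$sw.Stop()
Write-Host ("{0} users fetched in {1:N1}s" -f $all.Count, $sw.Elapsed.TotalSeconds)
if ($sw.Elapsed.TotalSeconds -gt $TimeoutSeconds) {
    Write-Warning "Full query exceeds the $TimeoutSeconds s timeout: narrow the filter or SearchBase, or raise the IDM and Synchronization service timeouts."
}
```

    Run it on the host where the AD PowerShell Connector is installed, under the same Windows session the connector service uses, so that DNS and credential behaviour match what the connector sees.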

    in reply to: Authoritative Guide on AD Powershell Config #2718
    Neil Herbert
    Participant

    I’ve tried to reply a few times to you but because I’ve tried to include links to the OpenIAM docs, it appears my replies have been moderated. 🙁

    in reply to: Authoritative Guide on AD Powershell Config #2713
    Neil Herbert
    Participant

    Great post, great request. I agree we need the docs to cover things in a bit more detail such as the issues mentioned.

    However, this is probably something we as a community should be able to cover. I’ve been thinking for a while that we really need some community champions to help drive the community. There are so few people active on here; we need end users to help engage with the community and make it better. The more of us that engage with the community, the fewer unanswered questions there will be, and answers to the problems mentioned will be readily available.
