kautium

Users not syncing from LDAP group to connectors correctly?

We have a weird problem with the latest build of Datasync (.579) -->

We have set datasync to sync users from one group in eDir to groupwise and mobile connectors. This has been working fine from the first public release of datasync to this date. Users have been reporting some weird problems and while trying to sort those out, we found that for some reason there are more users in groupwise connector than there are in mobile connector (and in eDir group). After a little bit of testing, we found out that users are syncing randomly or not at all to groupwise connector.

There are 203 users on eDir group, 205 users on mobile connector and 224 users on groupwise connector. Users can be manually deleted from gw connector, but even if it looks like users are deleted, they seem to be popping back in occasionally (this happens on both connectors, but mostly with gw connector). We have no idea where and why this happens. LDAP groups (eDir) are the same in both connectors and it looks like mobile connector reacts a little better to changes in eDir group. LDAP group polling interval is set to 300 seconds.

Any advice what to do and/or how to fix this?

I'm thinking about creating a new group that contains same users, then removing the old group and finally adding new group to datasync. Although this might create some new problems...

jmarton2

Re: Users not syncing from LDAP group to connectors correctly?

kautium wrote:

> There are 203 users on eDir group, 205 users on mobile connector and
> 224 users on groupwise connector. Users can be manually deleted from
> gw connector, but even if it looks like users are deleted, they seem
> to be popping back in occasionally (this happens on both connectors,
> but mostly with gw connector). We have no idea where and why this
> happens. LDAP groups (eDir) are the same in both connectors and it
> looks like mobile connector reacts a little better to changes in eDir
> group. LDAP group polling interval is set to 300 seconds.


I wonder if it isn't some sort of eDir/LDAP problem. What if you point
Mobility to a different LDAP server? And have you done an eDir health
check?

--
Novell Knowledge Partner
Enhancement Requests: http://www.novell.com/rms

Joe Marton Emeritus Knowledge Partner

kautium

Re: Users not syncing from LDAP group to connectors correctly?

jmarton;2146872 wrote:
> I wonder if it isn't some sort of eDir/LDAP problem. What if you point
> Mobility to a different LDAP server? And have you done an eDir health
> check?

Changing LDAP server within same eDir tree did not help and neither did creating a new group with same users. And as I said, mobile connector is syncing users way better than gw connector, although not perfectly.

We also have another eDir tree that is used with identity manager and it could be used for datasync too, but I think datasync goes mad if a user's DN changes.

I think this is a problem inside Datasync or its database. I just deleted a few users from new eDir group and after a while those same users got deleted from mobile connector automatically like they were supposed to, but GW connector did nothing to these accounts. I deleted users manually from gw connector, just to find out that after a while they were added back again for no apparent reason.

Exactly what server log should I be watching to find out what is going on?

jmarton2

Re: Users not syncing from LDAP group to connectors correctly?

kautium wrote:

> Exactly what server log should I be watching to find out what is going
> on?


I would look at
/var/log/datasync/connectors/default.pipeline1.groupwise.log which
shows communications between the GW connector and the sync engine.

--
Novell Knowledge Partner
Enhancement Requests: http://www.novell.com/rms

Joe Marton Emeritus Knowledge Partner

kautium

Re: Users not syncing from LDAP group to connectors correctly?

jmarton;2146892 wrote:
> I would look at
> /var/log/datasync/connectors/default.pipeline1.groupwise.log which
> shows communications between the GW connector and the sync engine.

Thanks, but I could not find anything useful from that or any other log files, even with debug log level.

I have done some more testing, and it looks like Datasync gw connector thinks that there are 3 different groups from which to sync users, even though there is only one group configured. Web admin shows synchronization group just fine, but when I try to delete users that are actually not in the group (or in mobile connector), datasync says -->
"This user was added to the connector by a group. Please remove the user from the group: ['cn=DatasyncUsers1,ou=GRP,ou=STAFF,o=ORG', 'cn=DatasyncUsers2,ou=GRP,ou=STAFF,o=ORG', 'cn=DatasyncUsers3,ou=GRP,ou=STAFF,o=ORG']".

As you can see, it lists 3 groups, but only one of those groups is valid and as I said earlier, mobile connector syncs mostly fine with it. Those 2 extra groups do not even exist in eDir, but they can be seen in Datasync's database from command line with psql and it looks like they should be disabled in both connectors. It is possible that those extra groups have been configured to Datasync at some point in time, but there has never been more than one group configured at a time.

I also noticed that this behaviour does not include all extra users, some users can be deleted manually without any notification, but for some reason, some of those seem to pop back in later and some don't.

psql commands:
psql -U datasync_user mobility
\c datasync
select dn,disabled,"connectorID" from targets order by dn;

skapanen2

Re: Users not syncing from LDAP group to connectors correctly?

On 20.10.2011 10:46, kautium wrote:
>
> I have done some more testing, and it looks like Datasync gw connector
> thinks that there are 3 different groups from which to sync users, even
> though there is only one group configured. Web admin shows
> synchronization group just fine, but when I try to delete users that are
> actually not in the group (or in mobile connector), datasync says -->
> "This user was added to the connector by a group. Please remove the
> user from the group: ['cn=DatasyncUsers1,ou=GRP,ou=STAFF,o=ORG',
> 'cn=DatasyncUsers2,ou=GRP,ou=STAFF,o=ORG',
> 'cn=DatasyncUsers3,ou=GRP,ou=STAFF,o=ORG']".


You might need Novell Support to sort out the database issues..
I browsed my notes and we have only used one and the same eDir group all
the time with Datasync.

Ofcoz you could try to create the eDir groups listed in database and
just keep them empty, if that would remove the symptoms..

-sk


HAMK University - OES, NW, GW, NCS, eDir, Zen, IDM, NSL - www.hamk.fi

jmarton2

Re: Users not syncing from LDAP group to connectors correctly?

kautium wrote:

> psql -U datasync_user mobility
> \c datasync


One thing... you can immediately select the db from the command-line.

psql -U datasync_user datasync
psql -U datasync_user mobility

No need to always select the mobility db from the command-line and then
use \c to switch to the datasync db.

> select dn,disabled,"connectorID" from targets order by dn;


Try this.

psql -U datasync_user datasync
select * from targets where "targetType"='group' and
"connectorID"='default.pipeline1.groupwise';

Do you see more eDir groups listed there than you've added into the
connector?

--
Novell Knowledge Partner
Enhancement Requests: http://www.novell.com/rms

Joe Marton Emeritus Knowledge Partner

tschwartzniu

Re: Users not syncing from LDAP group to connectors correctly?

kautium;2147432 wrote:
> Thanks, but I could not find anything useful from that or any other log files, even with debug log level.
>
> I have done some more testing, and it looks like Datasync gw connector thinks that there are 3 different groups from which to sync users, even though there is only one group configured. Web admin shows synchronization group just fine, but when I try to delete users that are actually not in the group (or in mobile connector), datasync says -->
> "This user was added to the connector by a group. Please remove the user from the group: ['cn=DatasyncUsers1,ou=GRP,ou=STAFF,o=ORG', 'cn=DatasyncUsers2,ou=GRP,ou=STAFF,o=ORG', 'cn=DatasyncUsers3,ou=GRP,ou=STAFF,o=ORG']".
>
> As you can see, it lists 3 groups, but only one of those groups is valid and as I said earlier, mobile connector syncs mostly fine with it. Those 2 extra groups do not even exist in eDir, but they can be seen in Datasync's database from command line with psql and it looks like they should be disabled in both connectors. It is possible that those extra groups have been configured to Datasync at some point in time, but there has never been more than one group configured at a time.
>
> I also noticed that this behaviour does not include all extra users, some users can be deleted manually without any notification, but for some reason, some of those seem to pop back in later and some don't.
>
> psql commands:
> psql -U datasync_user mobility
> \c datasync
> select dn,disabled,"connectorID" from targets order by dn;



Funny you should mention that. I am seeing the EXACT same thing. I even created a DEV box and I am seeing the same issue. My ID is placed in the group, and the GW connector finds it but Mobility does not.

kautium

Re: Users not syncing from LDAP group to connectors correctly?

jmarton;2147513 wrote:
> One thing... you can immediately select the db from the command-line.
>
> psql -U datasync_user datasync
> psql -U datasync_user mobility
>
> No need to always select the mobility db from the command-line and then
> use \c to switch to the datasync db.

Thanks for the tip, although I already knew that. I just copied that straight from some guide I found with google.

I'm not familiar with PostgreSQL, so do you know what command I should use to view database structure?

jmarton;2147513 wrote:
> Try this.
>
> psql -U datasync_user datasync
> select * from targets where "targetType"='group' and
> "connectorID"='default.pipeline1.groupwise';
>
> Do you see more eDir groups listed there than you've added into the
> connector?

It shows 3 groups but it also says that the 2 extra groups are disabled. I guess this is fine?

- - - - -
syncserver1=> select * from targets where "targetType"='group' and "connectorID"='default.pipeline1.groupwise';
                     dn                      |         connectorID         | targetName | targetType | custom1 | custom2 | disabled | settingsXML | referenceCount
---------------------------------------------+-----------------------------+------------+------------+---------+---------+----------+-------------+----------------
 cn=DatasyncUsers2,ou=GRP,ou=STAFF,o=ORG     | default.pipeline1.groupwise |            | group      |         |         |        1 |             |              0
 cn=DatasyncUsers1,ou=GRP,ou=STAFF,o=ORG     | default.pipeline1.groupwise |            | group      |         |         |        0 |             |              1
 cn=DatasyncUsers3,ou=GRP,ou=STAFF,o=ORG     | default.pipeline1.groupwise |            | group      |         |         |        1 |             |              0
(3 rows)
- - - - -

Why do I get the feeling that datasync never deletes users and/or groups from database, even when they are deleted from admin's point of view...

jmarton2

Re: Users not syncing from LDAP group to connectors correctly?

kautium wrote:

> I'm not familiar with PostgreSQL, so do you know what command I should
> use to view database structure?


Type this to "describe" the database which gets you a listing of tables.

\d

You can also describe an individual table by appending the table name
to that command. For example, in the datasync database:

\d targets

> It shows 3 groups but it also says that the 2 extra groups are
> disabled. I guess this is fine?


Hmmm... that's odd, especially if you never remember adding those two
extra groups. I'm almost tempted to say try removing those from the
database. You could try it and see what happens, taking a backup first
"just in case." Or to be safer you might want to just open an SR.

> Why do I get the feeling that datasync never deletes users and/or
> groups from database, even when they are deleted from admin's point of
> view...


Not sure about groups but I know when a user is deleted from the UI the
user doesn't actually get deleted from the db but instead is just set
to disabled. This normally is ok but if you have problems with a user
even after removing/readding the user, you'll want to remove the user,
delete the user from the db, then readd the user.

--
Novell Knowledge Partner
Enhancement Requests: http://www.novell.com/rms

Joe Marton Emeritus Knowledge Partner
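
The database checks discussed in this thread, collected as an added example that is not part of the original posts and is not Novell's own tooling. It uses only the targets table, column names and GroupWise connector ID shown above; it assumes that "disabled" is an integer flag (0 = active, 1 = disabled), as the posted output suggests, and that a user's dn is stored identically in every connector. All three statements are read-only.

```sql
-- Added example: read-only checks against the Datasync "targets" table.
-- Run inside: psql -U datasync_user datasync
-- Assumptions: "disabled" is an integer flag (0 = active, 1 = disabled) and
-- the same user has the same dn in every connector.

-- 1. Row counts per connector, target type and state. Compare the active
--    counts with the membership of the eDir group to see which connector
--    has drifted and by how much.
select "connectorID", "targetType", disabled, count(*) as n
from targets
group by "connectorID", "targetType", disabled
order by "connectorID", "targetType", disabled;

-- 2. Every group row in every connector, with its state and reference count.
--    Groups that no longer exist in eDir but are still listed here are the
--    leftovers that the "added to the connector by a group" message refers to.
select dn, "connectorID", disabled, "referenceCount"
from targets
where "targetType" = 'group'
order by dn, "connectorID";

-- 3. Active non-group targets in the GroupWise connector that have no active
--    row with the same dn in any other connector. These are the candidates
--    for users that stay provisioned after leaving the LDAP group.
select g.dn, g."targetType", g."referenceCount"
from targets g
where g."connectorID" = 'default.pipeline1.groupwise'
  and g."targetType" <> 'group'
  and g.disabled = 0
  and not exists (
        select 1
        from targets m
        where m.dn = g.dn
          and m."connectorID" <> g."connectorID"
          and m.disabled = 0)
order by g.dn;
```

Saving the output of query 3 before and after an LDAP polling interval shows whether manually deleted users are being re-added.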