
AD driver: Problems sync of (large) groups


Hi,

In a productive IDM environment we have problems in syncing groups to
Active Directory.
The membership should be controlled through the IDVault, so we set up
the filter to reset member on the publisher and set the merge-authority
to IDVault as well.

What we see is an infinite loop of the synchronization of (certain)
groups. It seems that all changes on the subscriber come back on the
publisher (as expected) resulting in a reset. The reset is invoked on the
subscriber channel which ends up in the loop.

My guess is that the optimize-modify seems not to work if there are too
many members?!

We are running IDM 4.0.2 and AD driver version 4.0.0.2.

Any suggestions?

Regards,

Thorsten


--
tschloesser
------------------------------------------------------------------------
tschloesser's Profile: https://forums.netiq.com/member.php?userid=3232
View this thread: https://forums.netiq.com/showthread.php?t=52219


Re: AD driver: Problems sync of (large) groups

tschloesser wrote:

> In a productive IDM environment we have problems in syncing groups to
> Active Directory.
> The membership should be controlled through the IDVault, so we set up
> the filter to reset member on the publisher and set the merge-authority
> to IDVault as well.
>
> What we see is an infinite loop of the synchronization of (certain)
> groups. It seems that all changes on the subscriber come back on the
> publisher (as expected) resulting in a reset. The reset is invoked on the
> subscriber channel which ends up in the loop.
>
> My guess is that the optimize-modify seems not to work if there are too
> many members?!
>
> We are running IDM 4.0.2 and AD driver version 4.0.0.2.


Level 3 trace please.

What Windows version? You should consider updating to AD driver version 4.0.0.3.

Are you using the "Enable DirSync Incremental Values" driver parameter?

Re: AD driver: Problems sync of (large) groups


Hi Alex,

sorry, I cannot provide that L3 trace right now and here, since due to
the fact that the groups have more than 1k members the trace is quite
large 😉

But I guess I found the root of the problem: It is not the
optimize-modify not working but the opposite!

Against my suggestions the customer puts users into the synchronized group
in the IDVault which are not synchronized to AD. As a consequence the
number of group members in the vault is larger than the number of
synchronized members in AD.

Result: The optimize-modify always comes to the conclusion that an update of
the group in AD is needed - this results in the loop which dramatically
slows down all operations with a low polling rate.

Unfortunately I did not find any solution yet, since it seems that it will
be impossible to clean up the data in the IDVault 😞

The only thing I can think of is not to synchronize or reset the members
on the publisher but use a trigger to force a reset of all members at a
given point in time.

Regards,

Thorsten



Re: AD driver: Problems sync of (large) groups

tschloesser wrote:

> But I guess I found the root of the problem: It is not the
> optimize-modify not working but the opposite!
>
> Against my suggestions the customer puts users into the synchronized group
> in the IDVault which are not synchronized to AD. As a consequence the
> number of group members in the vault is larger than the number of
> synchronized members in AD.
>
> Result: The optimize-modify always comes to the conclusion that an update of
> the group in AD is needed - this results in the loop which dramatically
> slows down all operations with a low polling rate.
>
> Unfortunately I did not find any solution yet, since it seems that it will
> be impossible to clean up the data in the IDVault 😞
>
> The only thing I can think of is not to synchronize or reset the members
> on the publisher but use a trigger to force a reset of all members at a
> given point in time.


Can't you strip off users who don't have an AD association, so that the optimize-modify only goes through *if* it really needs to?
It has been a while since I looked into this, but I thought that you could use the association-ref attribute for this.

Re: AD driver: Problems sync of (large) groups

On 11/18/2014 2:02 PM, Alex McHugh wrote:
> tschloesser wrote:
>
>> But I guess I found the root of the problem: It is not the
>> optimize-modify not working but the opposite!
>>
>> Against my suggestions the customer puts users into the synchronized group
>> in the IDVault which are not synchronized to AD. As a consequence the
>> number of group members in the vault is larger than the number of
>> synchronized members in AD.
>>
>> Result: The optimize-modify always comes to the conclusion that an update of
>> the group in AD is needed - this results in the loop which dramatically
>> slows down all operations with a low polling rate.
>>
>> Unfortunately I did not find any solution yet, since it seems that it will
>> be impossible to clean up the data in the IDVault 😞
>>
>> The only thing I can think of is not to synchronize or reset the members
>> on the publisher but use a trigger to force a reset of all members at a
>> given point in time.
>
> Can't you strip off users who don't have an AD association, so that the optimize-modify only goes through *if* it really needs to?
> It has been a while since I looked into this, but I thought that you could use the association-ref attribute for this.


In fact, I thought there was a default rule in the shipping configs that
did just that?
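To make the loop Thorsten describes and the fix Alex and Geoffrey suggest concrete, here is a small simulation added to this thread (it is not NetIQ driver code): a vault group with one member that has no AD association, an optimize-modify that compares the desired member set with what AD holds, and a switch that strips unassociated members before the comparison. The member DNs, the association map and the AD group contents are constructed.

```python
# Constructed example of the optimize-modify loop from this thread.
# Vault group members (DNs) and the AD association map (vault DN -> AD
# object identity). "cn=dave" is in the vault group but was never
# synchronized to AD, so no association exists for him.
VAULT_MEMBERS = ["cn=alice", "cn=bob", "cn=carol", "cn=dave"]
ASSOCIATIONS = {"cn=alice": "guid-a", "cn=bob": "guid-b", "cn=carol": "guid-c"}
# Assumed current AD group membership: exactly the associated users.
AD_MEMBERS = {"guid-a", "guid-b", "guid-c"}


def to_ad_values(members, strip_unassociated):
    """Translate vault DNs into AD identities as the subscriber channel would.
    An unassociated DN cannot be resolved; with strip_unassociated=True it is
    dropped (what a strip of value[not(@association-ref)] would achieve),
    otherwise it stays as an unresolvable value that AD can never store."""
    out = set()
    for dn in members:
        ref = ASSOCIATIONS.get(dn)
        if ref is None:
            if not strip_unassociated:
                out.add("unresolved:" + dn)
            continue
        out.add(ref)
    return out


def optimize_modify(desired, current):
    """Return the delta; both sets empty means the modify is optimized away."""
    return {"add": desired - current, "remove": current - desired}


def simulate_polls(strip_unassociated, polls=5):
    """Run several poll rounds and return how many of them issued a modify."""
    ad = set(AD_MEMBERS)
    modifies = 0
    for _ in range(polls):
        desired = to_ad_values(VAULT_MEMBERS, strip_unassociated)
        delta = optimize_modify(desired, ad)
        if delta["add"] or delta["remove"]:
            modifies += 1
            # AD only stores the resolvable values, so the unresolved DN is
            # never written and the next comparison differs again.
            ad = {v for v in desired if not v.startswith("unresolved:")}
    return modifies


if __name__ == "__main__":
    print("unassociated member kept: modifies in 5 polls =", simulate_polls(False))
    print("unassociated member stripped: modifies in 5 polls =", simulate_polls(True))
```

With the unassociated member kept, every poll produces a modify (the loop); with it stripped, the optimize-modify finds no difference and the group stays quiet.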
