Hello. I've tracked this down to additional required permissions for V24. The ldap user will need the following minimum permissions, including access to Analytics. I'm assuming this is a change in how the system overview is permissioned internally.
Original Message:
Sent: Jan 20, 2025 08:25 AM
From: Leon Carroll
Subject: LDAP Sync tool not syncing with Automic v24.3
Hello, yes. I have a case open with Tricise. I think it is related to having a larger number of users and groups in a client. In a small client where I am only syncing a few users and a couple of groups, it is working. I get the same result if I switch to using VARAs for managing the usergroup to ldap mapping too.
Original Message:
Sent: Jan 20, 2025 03:42 AM
From: MesutAydin
Subject: LDAP Sync tool not syncing with Automic v24.3
Hello Leon,
Did you open a case for this? This is an important issue and we are also using v21 and plan to switch to v24 soon because v21's EOL date is approaching.
Original Message:
Sent: Jan 20, 2025 03:34 AM
From: Leon Carroll
Subject: LDAP Sync tool not syncing with Automic v24.3
Hello, yes, the ldap config file is ok. I have the same default settings on my test and production v21 settings where it's working fine. Also, I think this was working on V24.2. The file format hasn't changed between the releases. Also, it's not the autodeactivate; that's not the issue. It's correctly finding and trying to add the users; it's just not doing it, or not where a person is a member of more than one ldap sync'd group.
I think it is a bug in the Automic Engine v24.3 on syncing users that are in more than one ldap enabled user-group, probably introduced in allowing the rest interface to manage usergroups.
Original Message:
Sent: Jan 20, 2025 01:41 AM
From: MesutAydin
Subject: LDAP Sync tool not syncing with Automic v24.3
Hi Leon,
Could you check ldap config file? (example: ldap/clients/default.xml)
<AE userDomain="xxxx" autoDeactivateUsers="true" />
AE Attributes
autoDeactivateUsers
Enables/disables deactivation of AE user objects as follows:
true: LDAP Sync deactivates AE user objects that cannot be found in the directory within the specified domain and search filter
false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP will not delete or deactivate the user object in the AE, but the user cannot login to the AE anymore as authentication is done against LDAP.
Type: Boolean
Mandatory: Yes
Default: false
https://docs.automic.com/documentation/webhelp/english/ALL/components/DOCU/24.2/Automic%20Automation%20Guides/Content/LdapSync/setup-configuration-clientSetting.htm?tocpath=Administering%20and%20Configuring%7CLDAP%252FLDAP%20Sync%20-%20Authenticating%20Login%20Data%20and%20Synchronizing%20Users%20%7CLDAP%20Sync%20-%20Synchronizing%20LDAP%20and%20Automic%20system%20Users%7C_____2
Original Message:
Sent: Jan 17, 2025 09:00 AM
From: Leon Carroll
Subject: LDAP Sync tool not syncing with Automic v24.3
Hello, I've raised a ticket with Tricise for this but I'm finding that the LDAP sync tool is not making the changes to the automation engine, or not always.
It can seemingly create a new user and add that user to a usergroup, but it won't remove a user that shouldn't be there or add another already existing user, or add the new user to the other groups that it should be present in. I was wondering if anyone had found the same issue; the ldap_sync tool logs look clean but the effect is not happening. Running with an older, v21 version of the ldap tool has the same effect.
There's also another bug in v24.3: you can't create a user with the same name as another user in a different client through the UI. As a workaround you can export / import the user into the desired client. This should be fixed in v24.4.
The issue in v24.2 where only the first number of users in a client with lots of users would be displayed in a usergroup has been fixed in v24.3 - thanks.