By: kamlesh sharma user 12 Oct 2020 at 1:38 a.m. CDT

32 Responses
Dear team,

When using the default sample script in cache refresh it gives the following result.

```
2020-10-11 14:16:50,104 INFO [qtp790067787-19] [org.gluu.oxtrust.action.ConfigureCacheRefreshAction] (ConfigureCacheRefreshAction.java:477) - Script has been executed successfully.
```

Sample source entry is:

```
uid: 'Test value' userPassword: 'Test value' sn: 'Test value' cn: 'Test value''.
```

Sample result entry is:

```
'dn: 'inum=0000!DFB6.435D,ou=people,o=gluu' inum: '0000!DFB6.435D', gluuStatus: 'active' inum: '0000!DFB6.435D' gluuStatus: 'active' uid: 'Test value' userPassword: 'Test value' cn: 'Test value' sn: 'Test value' preferredLanguage: 'en-us' userPassword: 'test''
```

Kindly can you advise how to sync userpassword, groups and group membership using cache refresh.

Thanks in advance!

By Mohib Zico staff 12 Oct 2020 at 4:43 a.m. CDT

Hello,

>> can you advise how to sync userpassword

UserPassword is UserPassword in Gluu Server. Attribute name is same. It should be okay if you use like UID or any standard attribute.

>> groups and group membership using cache refresh.

You can use `memberOf`

By kamlesh sharma user 12 Oct 2020 at 7:28 a.m. CDT

Hi,

Thank you. I added the userPassword attribute to cache refresh between GLUU and my LDAP. It fails with the following error. Please advise.

```
Caused by: com.unboundid.ldap.sdk.LDAPException: Entry inum=0000!C1A5.16A5,ou=people,o=gluu can not be added because BER encoding of userPassword;binary attribute is not supported
```

By kamlesh sharma user 13 Oct 2020 at 7:05 a.m. CDT

Hi,

I have changed my backend LDAP now to openDJ and performed a cache refresh as a fresh. The earlier BER encoding error was because my source LDAP did not support "allow-pre-encoded-passwords". Hence I created a sample openDJ LDAP and performed a cache refresh again.

However, this time when I run the cache refresh for the following attributes: cn, sn, uid and userPassword... it syncs only cn, sn and uid. The userPassword field is missing in gluu>users>manage people.. after cache refresh.

```
2020-10-13 11:47:47,377 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:1158) - Created Cache Refresh PersistenceEntryManager: org.gluu.persist.ldap.impl.LdapEntryManager@77bad1fb
2020-10-13 11:47:47,378 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:339) - Attempting to load entries from source server
2020-10-13 11:47:47,463 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:348) - Found '1231' entries in source server
2020-10-13 11:47:47,464 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:352) - Found '1231' unique entries in source server
2020-10-13 11:47:49,830 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:404) - Found '1231' changed entries
2020-10-13 11:47:49,830 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:409) - Loaded '0' problem entries from problem file
2020-10-13 11:47:52,242 ERROR [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:735) - Failed to 'add' person '0000!B627.57A7' java.lang.NullPointerException: null
2020-10-13 11:47:52,633 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:423) - Updated '1230' entries
2020-10-13 11:47:52,634 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:425) - Failed to update '1' entries
2020-10-13 11:47:52,636 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:468) - Removed '0' persons from target server
2020-10-13 11:47:52,636 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:485) - There are '0' entries before updating inum list
2020-10-13 11:47:52,636 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:489) - There are '0' entries after removal '0' entries
2020-10-13 11:47:52,637 INFO [Thread-40151] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:493) - There are '1231' entries after adding '1231' entries
```

By Mohib Zico staff 13 Oct 2020 at 7:21 a.m. CDT

Can you please share your Cache Refresh configuration screenshots?

By kamlesh sharma user 13 Oct 2020 at 7:46 a.m. CDT

Hi, Attached links as screen print for cache config. https://imgur.com/1WuxK42 https://imgur.com/b0t6LEu https://imgur.com/ETo3vYw

By Mohib Zico staff 13 Oct 2020 at 7:57 a.m. CDT

Ok, if you have `userPassword` available in backend LDAP, it should have been here in Gluu Server as well. `userPassword` attribute is not available in oxTrust GUI ( for security reason ). So you might wanna run ldapsearch command in your Gluu Server. Just do one ldapsearch command and search for one user. See if the `userPassword` attribute is available or not.

By kamlesh sharma user 13 Oct 2020 at 8:06 a.m. CDT

Hi,

Great! You are right. I can see the userPassword attribute in gluu ldap with the user's password when I perform an LDAP search.

Now let me cache refresh the groups as per your earlier advice to use "memberof" attribute. Will this sync groups and group membership both in gluu? Please advise.

By kamlesh sharma user 13 Oct 2020 at 8:32 a.m. CDT

Hi, I have mapped in cache refresh: member(source) to memberOf(destination) for group sync, after the trigger there is no update in gluu for the groups. Please advise. I also added object class "groupOfNames" and verified again. Still there is no sync in groups. Please advise.

By kamlesh sharma user 13 Oct 2020 at 8:56 a.m. CDT

Any suggestions please.

By kamlesh sharma user 14 Oct 2020 at 1:12 a.m. CDT

Hi, Please advise.

By Mohib Zico staff 14 Oct 2020 at 1:19 a.m. CDT

Hello Kamlesh,

Please share two things again:

- Share the ldif for one / couple of users from your backend OpenDJ ( 'source' ). So we can understand what you are trying to pull.
- Your all Cache Refresh config again.

Also, please note that: community tickets have no SLA ( Service Level Agreement ). We try our best to answer all community tickets but our customer's tickets always get higher priority. If we are equipped with customer's tickets/issues... community tickets might take couple of hours to couple of days to get response.

By kamlesh sharma user 14 Oct 2020 at 1:55 a.m. CDT

Hi, Thank you for your feedback, attached as requested. Please check and advise. https://imgur.com/ODwtVqW for sample ldif https://imgur.com/lutByri https://imgur.com/CR6TUWP Thanks in advance!

By Mohib Zico staff 14 Oct 2020 at 2:17 a.m. CDT

Thanks. So... I see that, you are trying to pull `member` attribute from your backend OpenDJ into your Gluu Server's `memberOf` attribute. But there is no `member` attribute available in data you share here: https://imgur.com/ODwtVqW

By kamlesh sharma user 14 Oct 2020 at 2:30 a.m. CDT

Hi, In the ldif if you see at the end, there is a member for role: cn=TestRole. Basically TestRole is the group I have to import and the member are within the group. Please advise.

By Mohib Zico staff 14 Oct 2020 at 2:45 a.m. CDT

Sorry, seems like I didn't 'scroll down' :-)

Ok.. so if you want to 'import' "cn=TestRole" DN, you have to put all required attributes inside of that DN as well, i.e. UID, sn, cn etc. Try that and see how things go please.

By kamlesh sharma user 14 Oct 2020 at 2:51 a.m. CDT

Hi,

I have already mapped sn cn uid userPassword when I synch users and now added member-memberOf attribute. I'm missing something else. Please advise.

https://imgur.com/lutByri https://imgur.com/CR6TUWP

By kamlesh sharma user 14 Oct 2020 at 3:15 a.m. CDT

Hi,

Because even in Gluu for Group there are only two attributes: Display Name (probably the CN) and Add Members (memberOf). So when we cache refresh with these attributes it should pull these data. There are no errors in cache refresh logs as well?

By kamlesh sharma user 14 Oct 2020 at 8:14 a.m. CDT

Hi team, Please advise.

By kamlesh sharma user 15 Oct 2020 at 8:13 a.m. CDT

Hi team, Please advise.

By Mohib Zico staff 15 Oct 2020 at 8:18 a.m. CDT

Please try [this](https://support.gluu.org/cache-refresh/8963/cache-refresh-for-new-attributes/#at64700).

By kamlesh sharma user 15 Oct 2020 at 8:24 a.m. CDT

Hi, Nothing opens from the hyperlink you gave. Please can you paste full link.

By kamlesh sharma user 15 Oct 2020 at 8:27 a.m. CDT

Did you mean your previous reply:

Sorry, seems like I didn't 'scroll down' :-) Ok.. so if you want to 'import' "cn=TestRole" DN, you have to put all required attributes inside of that DN as well, i.e. UID, sn, cn etc. Try that and see how things go please.

If yes, then I have already cache refreshed cn sn and uid for users. For groups, only memberOf has to be synced, which is not happening. Please advise.

By Mohib Zico staff 15 Oct 2020 at 8:35 a.m. CDT

>> If yes, then I have already cache refreshed cn sn and uid for users. For groups, only memberOf has to be synced, which is not happening.

For your 'Group' entry, the way Cache Refresh works out of the box ( without any custom script ), you have to add those 'all' attributes for 'cn=TestRole' dn.

Or, there is an alternative and standard way... The way organization does add memberOf / member in _user's ldif_. Say.. for your user 'uid=test-MW', add a new attribute "memberOf or member == cn=TestRole, o=moi, C=BH"

That's how you can test mapping of memberOf in normal scenario. If you need beyond that practice, it will require jython custom script which would do that task for you in Cache Refresh.

By kamlesh sharma user 15 Oct 2020 at 9:11 a.m. CDT

Hi, below is the role:

```
dn: cn=TestRole,0=moi,c=bh
objectClass: groupOfNames
objectClass: top
description: test
cn: TestRole
member: uid=test-MW,ou=snrp,o=moi,C=BH
```

Did you mean the "dn" attribute has to be synched along with cn and member? In gluu the dn for groups would be default ou=groups,o=gluu

Like for user we have ou=people,o=gluu... Please advise.

By kamlesh sharma user 15 Oct 2020 at 12:56 p.m. CDT

Hi. I would like to follow this approach as you suggested.

For your 'Group' entry, the way Cache Refresh work out of the box ( without any custom script ), you have to add those 'all' attributes for 'cn=TestRole' dn.

I have cn member description and dn attributes in cn=TestRole. Please advise if dn needs to be cache refreshed.

By Mohib Zico staff 15 Oct 2020 at 10:16 p.m. CDT

I think I'll share a generic method of using syncing cache for member attribute for you. This is going beyond community support so better to show something generic which will help community in this community ticket.

By kamlesh sharma user 17 Oct 2020 at 12:42 p.m. CDT

Hi, Please can you share the generic method per your last advise. I would like to sync groups ASAP. Thanks in advance!

By kamlesh sharma user 18 Oct 2020 at 3:48 a.m. CDT

Hi, Awaiting your feedback.

By Mohib Zico staff 19 Oct 2020 at 6:24 a.m. CDT

Ok, here is a real life example. See how memberOf is being mapped into Gluu Server:

- this is the data of user in Gluu Server after mapping `member --> memberOf`:

```
dn: inum=xxxx,ou=people,o=gluu
objectClass: top
objectClass: gluuCustomPerson
objectClass: gluuPerson
mail: testuser@abc.co
givenName: Test
inum: xxxx
updatedAt: xxxx
memberOf: CN=testCN,OU=testOU,DC=abc,DC=co
displayName: Test
gluuStatus: active
sn: Test
cn: Test
role: xxx
uid: testuser
```

- this is the data of user in source ( backend LDAP / AD ):

```
dn: Test User,DC=abc,DC=co
objectClass: top
objectClass: person
objectClass: user
cn: Test
sn: Test
givenName: Test
displayName: Test
member: CN=testCN,OU=testOU,DC=abc,DC=co
badPwdCount: 0
badPasswordTime: xxxx
lastLogon: xxxx
....
....
```

By kamlesh sharma user 19 Oct 2020 at 9:22 a.m. CDT

Hi,

But my backend openDJ LDAP has a different structure. I have the group and member attribute within the group.

```
dn: cn=roles,o=gdnpr,o=moi,C=BH
objectclass: groupOfNames
objectclass: top
cn: roles
member: uid=test-MW,ou=systemadmin,o=gdnpr,o=moi,c=bh
```

Please advise.

By Mohib Zico staff 20 Oct 2020 at 12:13 a.m. CDT

I don't think there isn't any easy way you can use default Cache Refresh method to pull memberOf / member for any user then. Because:

- Cache Refresh _only_ pulls user's information. i.e. in your case: 'ou=snpr,o=moi,c=bh'
- You can pull other dn with cache refresh ( o=moi, C=BH ) but that DN has to be properly synced from objectClass side ( which is not ideal and you have to modify those group CN in your backend server ).

There might be some other custom solution which would import/push group DN's from your backend LDAP / AD and modify every user's entry _inside_ Gluu Server with some script to properly inject member.
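
The custom approach mentioned in the reply above (reading the group entries from the backend and writing membership onto each user) comes down to inverting each group's `member` list into a per-user `memberOf` list. The following is an added example in standalone Python, not part of the original reply and not Gluu's code or a Cache Refresh interception script; the sample LDIF is constructed from the entries quoted in this thread, and `normalize_dn`, `parse_ldif` and `build_member_of` are hypothetical helper names. DNs are compared case-insensitively because the thread's own entries spell the same suffix as both `C=BH` and `c=bh`.

```python
from collections import defaultdict

# Constructed sample, modelled on the group entries quoted in this thread.
SAMPLE_LDIF = """\
dn: cn=TestRole,o=moi,c=bh
objectClass: groupOfNames
cn: TestRole
member: uid=test-MW,ou=snrp,o=moi,C=BH

dn: cn=roles,o=gdnpr,o=moi,C=BH
objectclass: groupOfNames
cn: roles
member: uid=test-MW, ou=snrp, o=moi, c=bh
member: uid=other-user,ou=snrp,o=moi,c=bh

dn: uid=test-MW,ou=snrp,o=moi,c=bh
objectClass: inetOrgPerson
"""

def normalize_dn(dn):
    """Lower-case a DN and trim spaces around each RDN so 'C=BH' and 'c=bh'
    compare equal. Simplification: escaped commas in values are not handled."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_ldif(text):
    """Parse plain LDIF (no base64 or folded lines) into a list of dicts
    mapping lower-cased attribute names to lists of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                entry[name.strip().lower()].append(value.strip())
        entries.append(dict(entry))
    return entries

def build_member_of(entries):
    """Invert each group's 'member' list into user DN -> sorted group DNs."""
    member_of = defaultdict(set)
    for entry in entries:
        if "groupofnames" not in {c.lower() for c in entry.get("objectclass", [])}:
            continue  # user entries and other object classes carry no membership
        for member in entry.get("member", []):
            member_of[normalize_dn(member)].add(normalize_dn(entry["dn"][0]))
    return {user: sorted(groups) for user, groups in member_of.items()}

for user, groups in build_member_of(parse_ldif(SAMPLE_LDIF)).items():
    print(user, "->", groups)
```

Each resulting group list is what would be written to the matching user's `memberOf` attribute on the target side.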

By kamlesh sharma user 25 Oct 2020 at 7:15 a.m. CDT

Hi, Please can you share a script to pull one new attribute from openDJ to gluu.