By: Anthony PL user 01 Oct 2018 at 12:49 p.m. CDT

16 Responses
I've been trying for about a week now to connect my Active Directory to the Gluu server. I can do the following just fine:

```
ldapsearch -p 389 -h pdtcfredc01.abc.lam.net -D svc_hermesldap@abc.lam.net -w notrealpass -b DC=abc,DC=lam,DC=net sAMAccountName=svc_hermesldap
```

Yet when I try cache refresh I get "Cannot load running default", or if I manage authentication, it doesn't connect to the Active Directory server.

By Aliaksandr Samuseu staff 01 Oct 2018 at 1:31 p.m. CDT

Hi, Anthony. Please provide screenshots of all your CR-related configuration pages with all your settings.

By Anthony PL user 01 Oct 2018 at 2:55 p.m. CDT

Here you go.

https://ibb.co/fB6XuK
https://ibb.co/feTO1z
https://ibb.co/i2d1oe
https://ibb.co/kEMyZK

I might add I did enable the custom script at one point, but it gave me the following:

```
Script has been executed successfully.
Sample source entry is:
uid: 'Test value'
mail: 'Test value'
sAMAccountName: 'Test value'
cn: 'Test value'.
Sample result entry is:
dn: 'inum=@!4CF3.B85E.CAD1.319F!0001!06E1.EEB9!0000!A6A1.6C94,ou=people,o=@!4CF3.B85E.CAD1.319F!0001!06E1.EEB9,o=gluu'
inum: '@!4CF3.B85E.CAD1.319F!0001!06E1.EEB9!0000!A6A1.6C94',
gluuStatus: 'active'
inum: '@!4CF3.B85E.CAD1.319F!0001!06E1.EEB9!0000!A6A1.6C94'
gluuStatus: 'active'
mail: 'Test value'
uid: 'Test value'
cn: 'Test value'
preferredLanguage: 'en-us'
userPassword: 'test'
```

By Aliaksandr Samuseu staff 01 Oct 2018 at 3:06 p.m. CDT

2 notes so far:

1. You don't need the CR script to be enabled for it to work. Unless you have a clear reason to enable it, you shouldn't.
2. Seems to me your "Server ip address" property may not be correct. You should provide a local ip address of this very Gluu Server there (i.e. the one ifconfig will return after you've SSH-ed into this machine).

By Anthony PL user 01 Oct 2018 at 3:48 p.m. CDT

I just realized I changed that by accident. Currently it's pointing to the right IP address. I, however, am still getting:

```
Validation messages
Can't load Cache Refresh Scripts. Using default script
```

I closed the ticket by accident. Can you please reopen it?

By Aliaksandr Samuseu staff 01 Oct 2018 at 4:19 p.m. CDT

Reopened.

> Can't load Cache Refresh Scripts. Using default script

That shouldn't be a problem on itself; as long as you disabled the CR script you enabled previously, you shouldn't be concerned with scripts any more. Your polling interval is way too large for a test run. I would set it to 2-5 minutes for now, to be sure it will try to pull the entries shortly.

By Anthony PL user 01 Oct 2018 at 4:34 p.m. CDT

So looking at the logs I get this now:

```
2018-10-01 14:31:10,767 ERROR [ForkJoinPool.commonPool-worker-0] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:1069) - Failed to connect to LDAP server using configuration hermes_ldap
2018-10-01 14:31:10,937 ERROR [ForkJoinPool.commonPool-worker-0] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:1069) - Failed to connect to LDAP server using configuration local_inum
2018-10-01 14:31:10,938 ERROR [ForkJoinPool.commonPool-worker-0] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:281) - Skipping cache refresh due to invalid server configuration
```

However, as stated before, I can log into the Gluu server and run:

```
/opt/opendj/bin/ldapsearch -p 389 -h pdtcfredc01.abc.lam.net -D svc_hermesldap@abc.lam.net -w mypass -b DC=abc,DC=lam,DC=net sAMAccountName=svc_hermesldap
```

By Aliaksandr Samuseu staff 01 Oct 2018 at 5 p.m. CDT

Please double-check your values on the "Source backend" tab; it seems to me you may have a typo in your Bind DN (an extra space after "=" in the OU part). Also make sure you don't have unexpected trailing/starting spaces/tabs in any of the strings there (often happens when you copy-paste them from somewhere).

By Anthony PL user 01 Oct 2018 at 5:12 p.m. CDT

Yep, double checked and even changed it, nothing. Still the same errors. I'm guessing Gluu just isn't compatible. https://ibb.co/cCPPPK

By Aliaksandr Samuseu staff 01 Oct 2018 at 5:36 p.m. CDT

> I'm guessing Gluu just isn't compatible.

That's highly unlikely. We haven't got any reports of any incompatibilities with directories compliant to the spec. Never have had issues with AD, in particular, except for misconfiguration issues. What does this command you mentioned before return for you? I'm interested in the DN part, specifically:

```
# ldapsearch -p 389 -h pdtcfredc01.abc.lam.net -D svc_hermesldap@abc.lam.net -w notrealpass -b DC=abc,DC=lam,DC=net sAMAccountName=svc_hermesldap
```

By Anthony PL user 01 Oct 2018 at 5:39 p.m. CDT

```
dn: CN=Service Account\, Hadoop,OU=Service Accounts,OU=CA - Fremont Campus,OU=NA ,DC=abc,DC=lam,DC=net
```

with a few changes, that. I changed the bindDN to the above but the error is still this:

```
2018-10-01 15:46:10,935 ERROR [ForkJoinPool.commonPool-worker-7] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:1069) - Failed to connect to LDAP server using configuration local_inum
2018-10-01 15:46:10,936 ERROR [ForkJoinPool.commonPool-worker-7] [gluu.oxtrust.ldap.cache.service.CacheRefreshTimer] (CacheRefreshTimer.java:281) - Skipping cache refresh due to invalid server configuration
```

There are no updated users in the Gluu LDAP? Could it be too many users?

By Aliaksandr Samuseu staff 01 Oct 2018 at 5:46 p.m. CDT

You seem to use a different Bind DN on your last screenshot. Could you try to use this one, exactly as this command returns it, instead?

```
CN=Service Account\, Hadoop,OU=Service Accounts,OU=CA - Fremont Campus,OU=NA ,DC=abc,DC=lam,DC=net
```

Also, just for the sake of an initial test, please use the ip address in the "Server:Port" field instead of the DNS name.

By Aliaksandr Samuseu staff 01 Oct 2018 at 5:51 p.m. CDT

It also may be useful to add the "-T" argument to the command:

```
# ldapsearch -p 389 -h pdtcfredc01.abc.lam.net -T -D svc_hermesldap@abc.lam.net -w notrealpass -b DC=abc,DC=lam,DC=net sAMAccountName=svc_hermesldap
```

This will prevent it from splitting strings in the output with newlines, making it much easier to copy-paste without risk of carrying some unwanted character in the string, or removing a character while cleaning it from those.
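The Bind DN problems raised in the last few posts (an extra space after "=", stray leading/trailing whitespace, tabs or newlines carried over from a copy-paste, and a comma inside a value that must stay backslash-escaped) are easy to check mechanically before pasting a DN into a directory client configuration. The script below is an added example, not Gluu's or OpenDJ's code: it splits an RFC 4514 DN string into its RDNs while honouring backslash escapes, then reports whitespace and control-character defects. The DNs it runs on are constructed samples (example.net), not the thread's real directory.

```python
"""Sanity-check an LDAP Bind DN string before it goes into a client config.

Added example (not Gluu's or OpenDJ's code). Splits an RFC 4514 DN into
(attribute, value) pairs, honouring backslash escapes such as the
'\\,' in 'CN=Service Account\\, Hadoop', then reports the copy-paste
defects discussed in the thread: whitespace around '=', leading/trailing
whitespace, and control characters (tab, CR, LF) hiding inside the string.
"""
from __future__ import annotations


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, unescaped value) pairs.

    A backslash escapes the next character, so an escaped comma stays part
    of the value instead of starting a new RDN.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr, value))
    return pairs


def check_dn(dn: str) -> list[str]:
    """Return human-readable problems found in the DN; empty list means clean.

    Flagged whitespace is something to verify against what the directory
    itself returns: a trailing space may be part of a real OU name, in which
    case the directory's own (escaped) form of the DN is the one to use.
    """
    problems: list[str] = []
    if dn != dn.strip():
        problems.append("leading/trailing whitespace around the whole DN")
    for bad in ("\t", "\r", "\n"):
        if bad in dn:
            problems.append(f"control character {bad!r} inside DN")
    for attr, value in split_dn(dn):
        if attr != attr.strip():
            problems.append(f"whitespace around attribute type {attr!r}")
        if value != value.strip():
            problems.append(
                f"leading/trailing whitespace in value of {attr.strip()}={value!r}"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample DNs, not real directory data.
    samples = [
        "CN=Service Account\\, Hadoop,OU=Service Accounts,DC=example,DC=net",
        "CN=svc_ldap,OU= Service Accounts,DC=example,DC=net",   # space after '='
        "CN=svc_ldap,DC=example,DC=net\n",                      # newline from copy-paste
    ]
    for s in samples:
        print(repr(s))
        for p in check_dn(s) or ["ok"]:
            print("   ", p)
```

Run it as-is to see the three sample DNs evaluated; in practice you would call `check_dn()` on the exact string you intend to paste into the "Bind DN" field, fix whatever it reports, and only then compare the cleaned string against the `dn:` line that `ldapsearch -T` prints.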

By Aliaksandr Samuseu staff 01 Oct 2018 at 6:02 p.m. CDT

Btw (though this isn't related to your current issue), as your backend is AD, it seems a bit unusual you use "uid" as the key attribute on the "Backend key/Attributes" tab. Usually for AD it's "samaccountname", though it's not mandatory, and if you have your reasons for "uid", it's okay (until it exists in your AD's entries, and it's unique and equal to "samaccountname", as you map the latter to "uid" locally on the 1st tab).
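The three conditions in that note (the key attribute exists on every source entry, is unique across them, and agrees with sAMAccountName when the latter is mapped onto it) can be checked over an export of the source entries before running a cache refresh; entries that fail any of them are exactly the ones a key-based sync would silently skip or collapse. The code below is an added example, not Gluu's Cache Refresh logic; the entries in it are constructed sample records, and attribute names are compared case-insensitively because AD treats them that way.

```python
"""Check whether a proposed Cache Refresh key attribute is usable.

Added example, not Gluu's code. For a list of source entries (dicts of
attribute -> value), report entries where the key attribute is missing,
where its value duplicates another entry's, and, when the key is not
sAMAccountName itself, where it disagrees with sAMAccountName (the thread
maps sAMAccountName onto uid locally, so the two must line up).
"""
from __future__ import annotations

# Constructed sample AD entries (not real directory data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe",       "uid": "jdoe",   "mail": "jdoe@example.net"},
    {"sAMAccountName": "asmith",     "uid": "asmith", "mail": "asmith@example.net"},
    {"sAMAccountName": "svc_hermes",                  "mail": "svc@example.net"},   # no uid
    {"sAMAccountName": "bwong",      "uid": "jdoe",   "mail": "bwong@example.net"}, # duplicate uid
]


def check_key_attribute(entries: list[dict], key: str,
                        reference: str = "sAMAccountName") -> dict[str, list[int]]:
    """Return indexes of entries that would break a sync keyed on `key`."""
    missing: list[int] = []
    duplicates: list[int] = []
    mismatched: list[int] = []
    seen: dict[str, int] = {}        # normalised key value -> first index
    key_l, ref_l = key.lower(), reference.lower()

    for idx, entry in enumerate(entries):
        # AD attribute names are case-insensitive; normalise for lookup.
        lowered = {k.lower(): v for k, v in entry.items()}
        value = lowered.get(key_l)
        if value is None:
            missing.append(idx)
            continue
        norm = value.lower()
        if norm in seen:
            duplicates.append(idx)
        else:
            seen[norm] = idx
        ref_value = lowered.get(ref_l)
        if key_l != ref_l and ref_value is not None and ref_value.lower() != norm:
            mismatched.append(idx)

    return {"missing": missing, "duplicates": duplicates, "mismatched": mismatched}


def key_is_usable(entries: list[dict], key: str,
                  reference: str = "sAMAccountName") -> bool:
    """True when no entry fails any of the three conditions."""
    report = check_key_attribute(entries, key, reference)
    return not (report["missing"] or report["duplicates"] or report["mismatched"])


if __name__ == "__main__":
    for candidate in ("uid", "sAMAccountName"):
        print(candidate, check_key_attribute(SAMPLE_ENTRIES, candidate),
              "usable" if key_is_usable(SAMPLE_ENTRIES, candidate) else "NOT usable")
```

On the sample data "uid" fails on the entry without a uid and on the entry whose uid collides with (and disagrees with) another account, while "sAMAccountName" passes; an LDIF export of the real source subtree fed through the same check tells you, before the first refresh, which entries a uid-keyed sync would lose.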

By Anthony PL user 01 Oct 2018 at 6:04 p.m. CDT

Thank you Aliaksandr. I was able to finally connect it at least. I have two questions.

1. Why did the local_inum error disappear? Could it be because I mimicked the Cache Refresh > Source Backend LDAP servers tab in Manage Authentication > Add LDAP source?
2. Also, why did it only pull 123 users? Was it because the refresh time was too low?

By Aliaksandr Samuseu staff 01 Oct 2018 at 6:56 p.m. CDT

> Why did the local_inum error disappear?

Not sure, tbh, could just be some kind of [unplanned] coupling between those log messages.

> Could it be because I mimicked the Cache Refresh > Source Backend LDAP servers tab in Manage Authentication > Add LDAP source?

Not perfectly sure what you mean (you could clarify with a screenshot of the settings there, perhaps), but normally you use the same LDAP server settings you used for CR on the "Manage authentication" page.

> Also, why did it only pull 123 users? Was it because the refresh time was too low?

Refresh time is only supposed to control the time between 2 pulling attempts, so it's unlikely. More likely something is off with the key and/or objectclass values you used (see [my post before](https://support.gluu.org/identity-management/6074/cache-refesh-and-direct-ldap-connection-not-working/#at39296)).

By Anthony PL user 02 Oct 2018 at 12:39 a.m. CDT

Thank you, I will continue to play around with the configurations and see if I can get more users pulled. Thanks for getting me started.