#1 2024-03-19 06:06:13

Uddeep
Member
Registered: 2024-02-14

ldapimport failing with IllegalStateException: Missing parent for user

Hi,

I have configured LDAP as per the documentation (4.6.2). I updated my sso/ldap.cf and tested with ldapfilter, ldaptest filter, ldaptest users, etc. Everything seems to be working and gives me the right output as per my filter. But when I do an LDAP import, I get the error below.

net.datenwerke.gxtdto.client.servercommunication.exceptions.ServerCallFailedException: IllegalStateException: Missing parent for uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com

Below is my ldap.cf


<?xml version="1.0" encoding="UTF-8"?>
<!--
ReportServer Configuration File
filename: sso/ldap.cf

Configures LDAP
-->
<configuration>
  <disabled>false</disabled>
  <provider>
     <host>idm.unified.com</host>
     <port>636</port>
  </provider>
  <security>
    <!--
    Allowed values are: none/starttls/ssl
    Recommended is starttls.
    -->
    <encryption>ssl</encryption>
    <principal>uid=binder,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com</principal>
    <credentials>password</credentials>
  </security>
  <base>cn=accounts,dc=ipa,dc=unified,dc=com</base>
  <filter>
  <![CDATA[
  (|(memberOf=cn=unix,cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com))
  ]]>
  </filter>
  <externalDir>/usermanager/external</externalDir>
  <writeProtection>true</writeProtection>
  <logResultingTree>true</logResultingTree>
  <flattenTree>false</flattenTree>
  <attributes>
    <objectClass>objectClass</objectClass>
    <guid>nsUniqueId</guid>
    <organizationalUnit>
      <objectClass>organizationalUnit</objectClass>
      <name>profile</name>
    </organizationalUnit>
    <group>
      <objectClass>posixgroup</objectClass>
      <name>cn</name>
      <member>member</member>
    </group>
    <user>
      <objectClass>person</objectClass>
      <firstname>givenName</firstname>
      <lastname>sn</lastname>
      <username>uid</username>
      <mail>mail</mail>
    </user>
    <additional>
      <!--
      You can request additional attributes including them here as:
      <attribute>myAttribute1</attribute>
      <attribute>myAttribute2</attribute>
      -->
    </additional>
  </attributes>
</configuration>


Can someone suggest what is going wrong here please?

Offline

#2 2024-03-19 07:23:40

malte_if
Administrator
Registered: 2023-05-10
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

you have to import some kind of OU the users are in.

Missing parent for uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com

You might want to add something like this in your filters:

(&(objectClass=organizationalUnit)(name=UserAccounts))

Has to be the correct OU for akumar.

Regards,
Malte

Offline

#3 2024-03-19 08:22:33

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

What does "ldaptest orphans" return? An empty list? We may extend the command to return these nodes as well, but pls confirm what you get in "ldaptest orphans".

Regards,
Eduardo

Offline

#4 2024-03-19 08:26:05

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

I think you can also see the problem when you execute "ldaptest users" and look for the parent column. For "uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com" it is probably empty. If not empty, the parent listed in this column for this user is probably not listed in "ldaptest organisationalUnits". Can you pls confirm?

Regards,
Eduardo

Offline

#5 2024-03-19 09:18:04

Uddeep
Member
Registered: 2024-02-14

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Eduardo,

You are right. The parent is listed when tried with 'ldaptest users', but the parent is not listed in 'ldaptest organizationalUnits' because we don't have any OU in our schema. See the DN, e.g. "uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com"

First name (givenName)  Last name (sn)  Username (uid)  Email (mail)            Parent
Ajay                    Kumar           akumar          ajay.kumar@unified.com  cn=users,cn=accounts,dc=ipa,dc=unified,dc=com

reportserver$ ldaptest organizationalUnits
Results for organizational unit properties with object class: 'organizationalUnit'
Organizational unit count: 0
No organizational units found
reportserver$


What should be defined in the below when we don't have any OU? Just remove this from the config?

    <organizationalUnit>
      <objectClass>organizationalUnit</objectClass>
      <name>profile</name>
    </organizationalUnit>

Offline

#6 2024-03-19 09:28:07

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

thank you for providing the information. Could you also please share the results of the "ldaptest orphans" command? This will help us gain a deeper understanding of the situation.

Regards,
Eduardo

Offline

#7 2024-03-19 09:44:10

Uddeep
Member
Registered: 2024-02-14

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hello Eduardo,

here is the requested output.

reportserver$ ldaptest orphans
LDAP orphans (nodes that are not users or groups or organizational units)
No orphans found
reportserver$ ldapfilter
(|
|  (memberOf=cn=unix,cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com)
|)

The provided filter can be simplified to:

     (memberOf=cn=unix,cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com)

An indented representation of the simplified filter:

(memberOf=cn=unix,cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com)
reportserver$

Offline

#8 2024-03-19 10:59:51

Uddeep
Member
Registered: 2024-02-14

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hello Eduardo,

Also, I would like to know if we can integrate ReportServer with SSO OIDC. If yes, could you please share the procedure to configure the same? TIA

Offline

#9 2024-03-20 14:04:49

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

thanks for the information.
As malte_if wrote above, you should adapt your filter to include the missing parent OU.
The same for all other missing parent OUs.

If you don't wish to include your LDAP OUs, you can also flatten your LDAP structure in ReportServer (flattenTree), refer to https://reportserver.net/en/guides/conf … -settings/
Pls remember you have to run "config reload" after any configuration changes.

Regarding your question about SSO OIDC: you can integrate SSO with ReportServer PAMs. Pls refer to this: https://reportserver.net/en/guides/scri … tors-PAMs/
So this is not available out-of-the-box, but you should be able to create a PAM for this purpose.

We will extend the "ldaptest orphans" to include what you found out manually. We raised ticket RS-8332 for this purpose.

Regards,
Eduardo

Offline

#10 2024-03-21 09:27:22

Uddeep
Member
Registered: 2024-02-14

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hello Eduardo,

Now I'm able to get the necessary users and groups alone and empty orphans with the help of certain filters.
But now the problem is with the GUID. We have a GUID for users and groups but not for cn=groups and cn=users.

dn: cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com
cn: groups
objectClass: top
objectClass: nsContainer


ldapimport is not complaining that guid not found.

IllegalStateException: GUID 'ipaUniqueID' not found in node 'cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com'

Could you please suggest what can be done in this case.

Offline

#11 2024-04-30 09:41:13

eduardo
Administrator
Registered: 2016-11-01
Website

Re: ldapimport failing with IllegalStateException: Missing parent for user

Hi Uddeep,

in the current implementation, a GUID is needed for OUs as well.
You can test your GUIDs with https://reportserver.net/en/guides/admi … -ldaptest/ 19.38.2. ldaptest guid

Regards,
Eduardo

Offline
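
Added example, not part of the thread and not ReportServer code: a Python model of the two checks the import fails on in this thread, first the missing parent and then the missing GUID. The entries are constructed from the DNs quoted above; treating the base DN as the root of the imported tree and mapping the containers by objectClass nsContainer are assumptions of this example.

```python
import re

# Object classes from the thread's ldap.cf; GUID attribute from the later error.
USER_CLASS, GROUP_CLASS, GUID_ATTR = "person", "posixgroup", "ipaUniqueID"
BASE = "cn=accounts,dc=ipa,dc=unified,dc=com"

# Constructed entries: DNs follow the thread, GUID values are placeholders.
SAMPLE = [
    {"dn": "uid=akumar,cn=users," + BASE, "objectClass": ["person"],
     "ipaUniqueID": "constructed-guid-1"},
    {"dn": "cn=unix,cn=groups," + BASE, "objectClass": ["posixgroup"],
     "ipaUniqueID": "constructed-guid-2"},
    {"dn": "cn=users," + BASE, "objectClass": ["top", "nsContainer"]},
    {"dn": "cn=groups," + BASE, "objectClass": ["top", "nsContainer"]},
]

def parent_dn(dn):
    """Drop the first RDN; a backslash-escaped comma does not split."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip().lower() if len(parts) == 2 else ""

def has_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry["objectClass"])

def preflight(entries, ou_class, base=BASE):
    """Return (missing_parent, missing_guid) as lists of DNs.

    Only entries mapped as user, group or OU are considered. The base DN is
    assumed to act as the root of the imported tree (assumption of this model).
    """
    kept = [e for e in entries
            if any(has_class(e, c) for c in (USER_CLASS, GROUP_CLASS, ou_class))]
    ou_dns = {e["dn"].lower() for e in kept if has_class(e, ou_class)}
    ou_dns.add(base.lower())
    missing_parent = [e["dn"] for e in kept
                      if e["dn"].lower() != base.lower()
                      and parent_dn(e["dn"]) not in ou_dns]
    missing_guid = [e["dn"] for e in kept
                    if GUID_ATTR.lower() not in (k.lower() for k in e)]
    return missing_parent, missing_guid

if __name__ == "__main__":
    for ou_class in ("organizationalUnit", "nsContainer"):
        parents, guids = preflight(SAMPLE, ou_class)
        print(ou_class, "missing parent:", parents, "missing GUID:", guids)
```

With the OU class left at organizationalUnit the user and group have no imported parent; once the containers are mapped as OUs the parents resolve, and the containers are then the entries without a GUID.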
