I have configured LDAP as per the documentation (4.6.2). I updated my sso/ldap.cf and tested with ldapfilter, ldaptest filter, ldaptest users, etc. Everything seems to be working and giving me the right output as per my filter. But when I do an LDAP import, I get the error below.
net.datenwerke.gxtdto.client.servercommunication.exceptions.ServerCallFailedException: IllegalStateException: Missing parent for uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com
Below is my ldap.cf
<?xml version="1.0" encoding="UTF-8"?>
false
idm.unified.com
636
ssl
uid=binder,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com
password
cn=accounts,dc=ipa,dc=unified,dc=com
/usermanager/external
true
true
false
objectClass
nsUniqueId
organizationalUnit
profile
posixgroup
cn
member
person
givenName
sn
uid
mail
Can someone suggest what is going wrong here please?
What does “ldaptest orphans” return? An empty list? We may extend the command to return these nodes as well, but please confirm what you get in “ldaptest orphans”.
I think you can also see the problem when you execute “ldaptest users” and look at the parent column. For “uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com” it is probably empty. If not empty, the parent listed in this column for this user is probably not listed in “ldaptest organisationalUnits”. Can you please confirm?
You are right. The parent is listed when I tried ‘ldaptest users’, but the parent is not listed in ‘ldaptest organizationalUnits’ because we don't have any OU in our schema. See the DN, e.g. “uid=akumar,cn=users,cn=accounts,dc=ipa,dc=unified,dc=com”.
First name (givenName) Last name (sn) Username (uid) Email (mail) Parent
Ajay Kumar akumar ajay.kumar@unified.com cn=users,cn=accounts,dc=ipa,dc=unified,dc=com
reportserver$ ldaptest organizationalUnits
Results for organizational unit properties with object class: ‘organizationalUnit’
Organizational unit count: 0
No organizational units found
reportserver$
What should be defined in the below when we don't have any OU? Just remove this from the config?
Thank you for providing the information. Could you also please share the results of the “ldaptest orphans” command? This will help us gain a deeper understanding of the situation.
reportserver$ ldaptest orphans
LDAP orphans (nodes that are not users or groups or organizational units)
No orphans found
reportserver$ ldapfilter
(|
| (memberOf=cn=unix,cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com)
|)
Thanks for the information.
As malte_if wrote above, you should adapt your filter to include the missing parent OU.
The same for all other missing parent OUs.
Now I’m able to get only the necessary users and groups, and an empty orphans list, with the help of certain filters.
But now the problem is with the GUID. We have a GUID for users and groups but not for cn=groups and cn=users.
dn: cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com
cn: groups
objectClass: top
objectClass: nsContainer
ldapimport is not complaining that guid not found.
IllegalStateException: GUID ‘ipaUniqueID’ not found in node ‘cn=groups,cn=accounts,dc=ipa,dc=unified,dc=com’
Could you please suggest what can be done in this case.
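The two errors in this thread can be reproduced offline before running an import. The following is an added example, not ReportServer code: it models the preconditions implied by the "Missing parent" and "GUID not found" messages, and the function names, the check logic and the sample entries are assumptions built from the DNs and object classes quoted above.

```python
# Added example (not ReportServer code): models the two preconditions implied
# by the "Missing parent" and "GUID not found" errors quoted in this thread.
BASE = "cn=accounts,dc=ipa,dc=unified,dc=com"

# Constructed sample entries; DNs and object classes follow the thread,
# the ipaUniqueID values are placeholders.
ENTRIES = {
    "cn=users," + BASE: {"objectClass": ["top", "nsContainer"]},
    "cn=groups," + BASE: {"objectClass": ["top", "nsContainer"]},
    "uid=akumar,cn=users," + BASE: {"objectClass": ["person"], "ipaUniqueID": ["placeholder-1"]},
    "cn=unix,cn=groups," + BASE: {"objectClass": ["posixgroup"], "ipaUniqueID": ["placeholder-2"]},
}

def parent_dn(dn):
    """Drop the first RDN. Naive split: assumes no escaped commas in the DN."""
    return dn.split(",", 1)[1] if "," in dn else ""

def has_class(attrs, wanted):
    """Case-insensitive test for any of the wanted objectClass values."""
    classes = {c.lower() for c in attrs.get("objectClass", [])}
    return any(w.lower() in classes for w in wanted)

def check_import(entries, base_dn, ou_class, guid_attr, leaf_classes=("person", "posixgroup")):
    """Return (problem, dn) tuples for nodes an import would reject."""
    ous = {dn.lower() for dn, a in entries.items() if has_class(a, [ou_class])}
    problems = []
    for dn, attrs in entries.items():
        is_ou = dn.lower() in ous
        if not (is_ou or has_class(attrs, leaf_classes)):
            continue  # neither user, group nor OU: not part of the import
        parent = parent_dn(dn).lower()
        if parent != base_dn.lower() and parent not in ous:
            problems.append(("missing_parent", dn))
        if guid_attr.lower() not in {k.lower() for k in attrs}:
            problems.append(("missing_guid", dn))
    return problems

if __name__ == "__main__":
    # First run mirrors the original config, second run treats containers as OUs.
    for ou_class in ("organizationalUnit", "nsContainer"):
        print(ou_class, check_import(ENTRIES, BASE, ou_class, "ipaUniqueID"))
```

With `organizationalUnit` the sample reports the missing parents for the user and the group; with `nsContainer` the parents resolve and the two containers are reported for the missing GUID attribute, matching the sequence of errors in the thread.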