December 10th, 2018 03:00

DDPE 9.2 Unable to reconcile user

Hello all, I have been struggling with DDPE for a while now. However, now I'm struggling on this part that I just can't seem to get past. The domain is AD integrated. I was able to successfully add the domain to DDPE and I am able to query users by Common Name, Universal Principal Name and sAM Account Name. I'm also able to query users with wild cards successfully. Once I attempt to add the user (user account scheduled for addition to the domain), it never adds but shows an "Unable to reconcile user" in the logs. Java 8u191 and .NET Framework 4.7.2 are installed. I have added the logs below. I confirmed that I am able to LDAP query with the user account.

jvm 1 | com.dell.ddps.service.admin.impl.AdminServiceAsyncHelper [serviceExecutor-1] - Unable to reconcile user.

jvm 1 | com.credant.ad.common.AdWebserviceException: User not found.

jvm 1 | at com.credant.ad.ldap.Ldap.findBestFitUser(Ldap.java:793)

jvm 1 | at com.credant.ad.ldap.Ldap.findAndReconcileUser(Ldap.java:179)

jvm 1 | at com.dell.ddps.service.admin.impl.AdminServiceAsyncHelper.addUsersAsync(AdminServiceAsyncHelper.java:40)

jvm 1 | at com.dell.ddps.service.admin.impl.AdminServiceAsyncHelper$$FastClassBySpringCGLIB$$be883399.invoke()

jvm 1 | at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)

jvm 1 | at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:711)

jvm 1 | at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)

jvm 1 | at org.springframework.aop.interceptor.AsyncExecutionInterceptor$1.call(AsyncExecutionInterceptor.java:97)

jvm 1 | at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)

jvm 1 | at java.util.concurrent.FutureTask.run(FutureTask.java:166)

jvm 1 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)

jvm 1 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)

jvm 1 | at java.lang.Thread.run(Thread.java:722)

January 28th, 2019 08:00

Hi akholbrook,

Apologies for the delay in us following up on this. 

Based on your post, it sounds like we are able to search, though pulling the user in through the "WebUI" via the "Users" section and activation are where our failures are lying. This is common to see when we do not have a complete list of UPN Suffixes within the "Domain" configuration in the Dell Security Management Server. I normally leverage Active Directory Domains and Trusts, which is part of the Remote Server Administrative Tools, to pull a complete list of suffixes that are present in the environment.

When we attempt to search in our UI, we are doing a different call than when we are trying to register or activate a user, and it sounds like we may be hitting the issues with these two calls being different. For searching, we do a generic BIND to LDAP, and make a quick request as the user defined in the Domain Settings.

For a registration or an activation, we do a BIND, and then we perform a DSCrackNames call, requesting user group information, extended AD info (SID, X400 and X500 address, and group membership of that user). We do this by establishing a connection over the "port" value defined within the Domain Settings page (blank port value represents 389, we support 389, 636, 3268 (global catalog) and 3269 (secure global catalog)). Could we be requiring a secure LDAP connection for some of these calls to succeed? 

Once we establish this initial connection, we will attempt to swap to RPC, by querying port 135, and then swapping to an RPC "high" port afterwards (49152-65535).

The Java version on the server, if it is installed separately, is not leveraged at this time. The Dell Security Management Server specifically leverages a built-in Java version that has been tested, validated and customized for our general use. 

I hope this additional information to assist with troubleshooting helps!
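One way to gather what the reply above asks for, as an added example that is not part of either post and not Dell's own tooling: it lists the UPN suffixes defined in the forest alongside those actually present on user accounts, then tests the fixed ports the reply names. It assumes the ActiveDirectory PowerShell module from RSAT is installed and uses a placeholder domain controller name, `dc01.example.local`.

```powershell
# Added example; run from the Security Management Server with RSAT's ActiveDirectory module.
Import-Module ActiveDirectory

$DomainController = 'dc01.example.local'   # placeholder: the DC named in Domain Settings

# --- UPN suffixes -----------------------------------------------------------
# Forest-level alternate suffixes plus each domain's DNS name (the implicit default suffix).
$forest  = Get-ADForest
$defined = @(@($forest.UPNSuffixes) + @($forest.Domains) |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

# Suffixes actually present on user accounts, including any typed in by hand.
$inUse = @(Get-ADUser -Filter 'UserPrincipalName -like "*"' |
    ForEach-Object { ($_.UserPrincipalName -split '@')[-1].ToLower() } |
    Sort-Object -Unique)

# Union of both lists: candidates for the "Domain" configuration.
@($defined) + @($inUse) | Sort-Object -Unique | ForEach-Object {
    [pscustomobject]@{
        Suffix          = $_
        DefinedInForest = $_ -in $defined
        UsedByAccounts  = $_ -in $inUse
    }
} | Format-Table -AutoSize

# --- Fixed ports named in the reply ----------------------------------------
# The RPC high-port range (49152-65535) is assigned dynamically and is not probed here;
# confirm it in the firewall rules between this server and the DC.
389, 636, 3268, 3269, 135 | ForEach-Object {
    $t = Test-NetConnection -ComputerName $DomainController -Port $_ -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $_; Reachable = $t.TcpTestSucceeded }
} | Format-Table -AutoSize
```

A suffix that shows `UsedByAccounts = True` but is missing from the Domain configuration is the case the reply describes.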
