Article Number: 000218374
Attempting to add an LDAP group fails inside the PFxM UI.
SSO logs show that it is unable to find the PF_Admins security group in LDAP:
2023-09-07T13:30:38.536385897-05:00 stdout F 2023-09-07 18:30:38.536 INFO 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController : Received add group request
2023-09-07T13:30:38.550680368-05:00 stdout F 2023-09-07 18:30:38.550 ERROR 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController : Failed to add group request: Failed to find request group PF_Admins
2023-09-07T13:30:38.550719535-05:00 stdout F com.dell.sso.exceptions.KeycloakException: Failed to find request group PF_Admins
Active Directory configuration does show that the PF_Admins security group does exist.
Unable to add LDAP groups.
There is a software code limitation: Active Directory information is cached only at the time of the initial connection to the LDAP server, and that initial pull collects only 10 seconds' worth of information. When an admin attempts to add an LDAP group in the PFxM UI and the security group was created on the LDAP server after that initial connection, the group is not present in the cache, and the add LDAP group operation fails. At the time of the add request the software does not reconnect and pull a fresh Active Directory listing; it only consults the cache built during the first LDAP connection.
PowerFlex Manager versions 4.5 and under must do the following workaround:
Remove the LDAP server connection and then reconnect the PFxM to the LDAP server.
*This may have to be repeated several times before the LDAP group is found.
PowerFlex Manager versions 4.5.1 and above can do the following workaround:
On PFMP, run the following to set the shell variables used in the next step:
#SSO variable
SSO_IP=$(kubectl get svc -A | grep "sso " | awk '{print $4}')
#Platform Manager Token
#Change the password to the password used to log in to the PFxM UI
PM_TOKEN=$(curl -k --location --request POST "https://${SSO_IP}:8080/rest/auth/login" --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"username": "admin","password": "Scaleio123!" }' | jq -r .access_token)
#Ingress IP
INGRESS_IP=$(kubectl get svc -A | grep -i rke2-ingress-nginx-controller | awk 'NR==1{print $5}')
#LDAP ID
LDAP_ID=$(curl -k https://${INGRESS_IP}/rest/v1/directory-services --header 'Accept: application/json' --header 'Content-Type: application/json' --header "Authorization: Bearer ${PM_TOKEN}" | jq -r '.[0].id')
Start the sync from PFMP to the LDAP server:
curl -k -X POST https://${INGRESS_IP}/rest/v1/directory-services/${LDAP_ID}/sync --header "Authorization: Bearer ${PM_TOKEN}" --header 'Accept: application/json' --header 'Content-Type: application/json'
If the sync request is accepted, the command above prints nothing to the screen.
Wait up to 15 minutes and try the add user or group operation again.
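The same workaround as a script with the checks an operator would want: the admin password is prompted for instead of being written into the command line (and therefore into shell history), the JSON login body is built with jq so special characters in the password cannot break it, every variable is verified to be non-empty before it is used, and the sync call is judged by its HTTP status code rather than by "nothing was printed". This is an added example, not Dell's script. It assumes the same REST endpoints and the same kubectl/curl/jq tooling the article uses; the function names, the PFMP_RUN_LIVE switch, the embedded sample service table, and the rule that any 2xx status means the sync was accepted are assumptions of this example.

```shell
#!/bin/sh
# Hardened version of the article's LDAP re-sync workaround (added example, not Dell's code).
set -eu

# Constructed sample of `kubectl get svc -A` output, used only to exercise svc_ip offline.
SAMPLE_SVC_TABLE='NAMESPACE     NAME                            TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
powerflex     sso                             ClusterIP      10.43.10.20    <none>        8080/TCP       30d
kube-system   rke2-ingress-nginx-controller   LoadBalancer   10.43.10.99    192.0.2.10    80:31234/TCP   30d'

# Print one column of the first service whose NAME contains $2.
# $1 = service table text, $2 = service name (substring), $3 = column (4 = CLUSTER-IP, 5 = EXTERNAL-IP)
svc_ip() {
    printf '%s\n' "$1" | awk -v name="$2" -v col="$3" 'index($2, name) { print $col; exit }'
}

# Stop before an empty IP, token or id turns the later curl calls into requests
# against the wrong host or requests with an empty bearer token.
require_nonempty() {  # $1 = label, $2 = value
    [ -n "$2" ] || { echo "ERROR: $1 is empty, aborting" >&2; return 1; }
}

# Assumption: any 2xx status means the platform accepted the sync request.
sync_status_ok() {  # $1 = HTTP status code
    case "$1" in
        2[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Log in to SSO and return the access token. The password is passed through
# jq --arg so it is JSON-escaped and never appears in the command line.
get_token() {  # $1 = SSO IP, $2 = password (read from stdin prompt by main)
    body=$(jq -n --arg u admin --arg p "$2" '{username: $u, password: $p}')
    curl -k -s --location --request POST "https://$1:8080/rest/auth/login" \
        --header 'Accept: application/json' --header 'Content-Type: application/json' \
        --data "$body" | jq -r '.access_token // empty'
}

# Fire the sync and fail loudly on a non-2xx answer instead of relying on empty output.
start_ldap_sync() {  # $1 = ingress IP, $2 = bearer token, $3 = directory service id
    code=$(curl -k -s -o /dev/null -w '%{http_code}' -X POST \
        "https://$1/rest/v1/directory-services/$3/sync" \
        --header "Authorization: Bearer $2" \
        --header 'Accept: application/json' --header 'Content-Type: application/json')
    sync_status_ok "$code" || { echo "sync rejected: HTTP $code" >&2; return 1; }
    echo "sync accepted (HTTP $code); wait up to 15 minutes, then retry the add group operation"
}

main() {
    printf 'PFxM admin password: '
    stty -echo; read -r pf_password; stty echo; echo

    svc_table=$(kubectl get svc -A)
    sso_ip=$(svc_ip "$svc_table" sso 4);                              require_nonempty SSO_IP "$sso_ip"
    ingress_ip=$(svc_ip "$svc_table" rke2-ingress-nginx-controller 5); require_nonempty INGRESS_IP "$ingress_ip"
    pm_token=$(get_token "$sso_ip" "$pf_password");                   require_nonempty PM_TOKEN "$pm_token"
    ldap_id=$(curl -k -s "https://$ingress_ip/rest/v1/directory-services" \
        --header 'Accept: application/json' \
        --header "Authorization: Bearer $pm_token" | jq -r '.[0].id // empty')
    require_nonempty LDAP_ID "$ldap_id"

    start_ldap_sync "$ingress_ip" "$pm_token" "$ldap_id"
}

# Only talk to the live cluster when explicitly asked (assumed switch), so the
# parsing and status helpers can be exercised without PFMP access.
if [ -n "${PFMP_RUN_LIVE:-}" ]; then main; fi
```

Run it on PFMP as `PFMP_RUN_LIVE=1 sh ldap_sync.sh`; without the switch the script only defines the helpers. The column numbers match the article's own commands (CLUSTER-IP for the SSO service, EXTERNAL-IP for the ingress controller), and the directory-service id is still taken from the first entry returned, as in the article.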
PowerFlex Manager 4.x
PowerFlex Manager 4.5.1
20 Feb 2024
4
Solution