
4.X - Unable To Add LDAP Group


Article Content


Symptoms

Issue Description

Attempting to add an LDAP group fails inside the PFxM UI.

 

Symptoms

SSO logs show that it is unable to find the PF_Admins security group in LDAP:

2023-09-07T13:30:38.536385897-05:00 stdout F 2023-09-07 18:30:38.536  INFO 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Received add group request
2023-09-07T13:30:38.550680368-05:00 stdout F 2023-09-07 18:30:38.550 ERROR 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Failed to add group request: Failed to find request group PF_Admins 
2023-09-07T13:30:38.550719535-05:00 stdout F com.dell.sso.exceptions.KeycloakException: Failed to find request group PF_Admins

 

The Active Directory configuration shows that the PF_Admins security group exists.
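A triage helper for the log lines above, added here as an example (it is not part of the Dell article or of PowerFlex Manager): it lists each group name the SSO service failed to find, counting only the GroupsController ERROR line so that the exception line following it is not counted twice. The function names and the last two sample log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Dell code): list LDAP groups the SSO service failed to find.
# Reads container logs in the format shown above on stdin:
#   <node timestamp> stdout F <date> <time> <LEVEL> ... : <message>
# Output per group: name <TAB> failures <TAB> first seen <TAB> last seen
# Optional $1: count only lines at or after this node timestamp, for example
# the time a directory sync was started. Assumes every line carries the same
# UTC offset, so plain string comparison orders the timestamps correctly.
missing_groups() {
  awk -v since="${1:-}" '
    # Count the GroupsController ERROR line only. The KeycloakException line
    # after it repeats the message and would double-count the failure.
    $6 == "ERROR" && /GroupsController/ && /Failed to find request group / {
      if (since != "" && ($1 "") < since) next
      name = $0
      sub(/.*Failed to find request group /, "", name)
      sub(/[ \t\r]+$/, "", name)      # the logged line may end in whitespace
      if (name == "") next
      if (!(name in count)) { order[++n] = name; first[name] = $1 }
      count[name]++
      last[name] = $1
    }
    END {
      for (i = 1; i <= n; i++) {
        g = order[i]
        printf "%s\t%d\t%s\t%s\n", g, count[g], first[g], last[g]
      }
    }'
}

# Sample input: the first three lines are from the article; the last two are
# constructed (a retry, and a second group whose name contains a space).
sample_log() {
  cat <<'EOF'
2023-09-07T13:30:38.536385897-05:00 stdout F 2023-09-07 18:30:38.536  INFO 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Received add group request
2023-09-07T13:30:38.550680368-05:00 stdout F 2023-09-07 18:30:38.550 ERROR 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Failed to add group request: Failed to find request group PF_Admins
2023-09-07T13:30:38.550719535-05:00 stdout F com.dell.sso.exceptions.KeycloakException: Failed to find request group PF_Admins
2023-09-07T13:41:02.118000000-05:00 stdout F 2023-09-07 18:41:02.118 ERROR 1 --- [nio-8083-exec-3] c.dell.sso.controllers.GroupsController  : Failed to add group request: Failed to find request group PF_Admins
2023-09-07T13:52:10.300000000-05:00 stdout F 2023-09-07 18:52:10.300 ERROR 1 --- [nio-8083-exec-5] c.dell.sso.controllers.GroupsController  : Failed to add group request: Failed to find request group Storage Operators
EOF
}

# On a live system the input would be the SSO service log instead of sample_log.
sample_log | missing_groups
```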

 

Impact

Unable to add LDAP groups.

 

Cause

Due to a software limitation, Active Directory information is cached only at the time of the initial connection to the LDAP server, and that pull collects only 10 seconds' worth of information. If a security group was created on the LDAP server after the initial connection to the Active Directory server, it is not in that cache, so adding it as an LDAP group in the PFxM UI fails. When the admin attempts to add the LDAP group, the software does not reconnect and pull a fresh Active Directory listing; it uses only the cache from the first LDAP connection.

 

Resolution

Workaround

PowerFlex Manager versions 4.5 and under must use the following workaround:

Remove the LDAP server connection and then reconnect the PFxM to the LDAP server.
*Sometimes, this must be done multiple times in order to properly find the LDAP group.

 

PowerFlex Manager versions 4.5.1 and above can use the following workaround:

From PFMP, run the following to set the shell variables:

#SSO variable
SSO_IP=$(kubectl get svc -A | grep "sso " | awk '{print $4}')

#Platform Manager Token
#Change the password to the password used to log in to the PFxM UI
#Note: curl -k skips TLS certificate verification
PM_TOKEN=$(curl -k --location --request POST "https://${SSO_IP}:8080/rest/auth/login" --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"username": "admin","password": "Scaleio123!" }' | jq -r .access_token)

#Ingress IP
INGRESS_IP=$(kubectl get svc -A | grep -i rke2-ingress-nginx-controller | awk 'NR==1{print $5}')

#LDAP ID
LDAP_ID=$(curl -k "https://${INGRESS_IP}/rest/v1/directory-services" --header 'Accept: application/json' --header 'Content-Type: application/json' --header "Authorization: Bearer ${PM_TOKEN}" | jq -r '.[0].id')

 

Start the sync from PFMP to the LDAP server:

curl -k -X POST "https://${INGRESS_IP}/rest/v1/directory-services/${LDAP_ID}/sync" --header "Authorization: Bearer ${PM_TOKEN}" --header 'Accept: application/json' --header 'Content-Type: application/json'

 

If the command above is successful, it returns nothing to the screen.
Wait up to 15 minutes and try the add user or group operation again.

 

Impacted Versions

PowerFlex Manager 4.x

 

Fixed In Version

PowerFlex Manager 4.5.1

 

Article Properties


Last Published Date

20 Feb 2024

Version

4

Article Type

Solution