PowerFlex 4.X: Unable To Add LDAP Group

Summary: Attempting to add an LDAP group fails inside the PFxM UI.


Symptoms

The SSO logs show a failure to find the PF_Admins security group in LDAP:

2023-09-07T13:30:38.536385897-05:00 stdout F 2023-09-07 18:30:38.536  INFO 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Received add group request
2023-09-07T13:30:38.550680368-05:00 stdout F 2023-09-07 18:30:38.550 ERROR 1 --- [nio-8083-exec-8] c.dell.sso.controllers.GroupsController  : Failed to add group request: Failed to find request group PF_Admins 
2023-09-07T13:30:38.550719535-05:00 stdout F com.dell.sso.exceptions.KeycloakException: Failed to find request group PF_Admins

 

The Active Directory configuration shows that the PF_Admins security group does exist.

 

Impact

Unable to add LDAP groups.

 

Cause

A software limitation causes Active Directory information to be cached only at the time of the initial connection to the LDAP server, and that initial pull collects only 10 seconds' worth of information. If a security group was created on the LDAP server after the initial connection to the Active Directory server, it is not stored in the initial cache, and adding it as an LDAP group in the PFxM UI fails. When the admin attempts to add the LDAP group, the software does not connect and pull a fresh Active Directory listing; it uses only the initial cache from the first LDAP connection.

 

Resolution

For PowerFlex Manager versions 4.5 and under, use the following workaround:

Remove the LDAP server connection and then reconnect the PFxM to the LDAP server.
*Sometimes, this must be done multiple times in order to properly find the LDAP group.

 

For PowerFlex Manager versions 4.5.1 and above, the following workaround can be used:

From PFMP, perform the following to set system variables:

#SSO variable (cluster IP of the sso service)
SSO_IP=$(kubectl get svc -A | grep "sso " | awk '{print $4}')

#Platform Manager Token
#Change the password to the password used to login to the PFxM UI
PM_TOKEN=$(curl -k --location --request POST "https://${SSO_IP}:8080/rest/auth/login" --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{"username": "admin","password": "Scaleio123!" }' | jq -r .access_token)

#Ingress IP (external IP of the first matching ingress controller service)
INGRESS_IP=$(kubectl get svc -A | grep -i rke2-ingress-nginx-controller | awk 'NR==1{print $5}')

#LDAP ID (id of the first configured directory service)
LDAP_ID=$(curl -k "https://${INGRESS_IP}/rest/v1/directory-services" --header 'Accept: application/json' --header 'Content-Type: application/json' --header "Authorization: Bearer ${PM_TOKEN}" | jq -r '.[0].id')

 

Start the sync from PFMP to the LDAP server:

curl -k -X POST "https://${INGRESS_IP}/rest/v1/directory-services/${LDAP_ID}/sync" --header "Authorization: Bearer ${PM_TOKEN}" --header 'Accept: application/json' --header 'Content-Type: application/json'

 

The command above should return nothing to the screen if it is successful.
Wait up to 15 minutes and try the add user or group operation again.
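
The commands above continue silently if a variable resolves to an empty value, to "<none>", or to the string "null" that jq prints for a missing key. The script below is an added example, not part of the Dell article: it wraps the same commands with checks for those cases and reads the password from the terminal instead of placing it on the command line. The function names, the --run argument and the sample service rows are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Dell code): pre-flight checks around the KB's sync commands.

# Constructed sample of `kubectl get svc -A` rows, for offline checking only.
SAMPLE_SVC='powerflex sso ClusterIP 10.43.12.7 <none> 8080/TCP 90d
kube-system rke2-ingress-nginx-controller LoadBalancer 10.43.200.15 192.0.2.10 80:30080/TCP 90d
kube-system rke2-ingress-nginx-controller-admission ClusterIP 10.43.77.3 <none> 443/TCP 90d'

# The KB's own filters, reading `kubectl get svc -A` output from stdin.
sso_ip_from()     { grep "sso " | awk '{print $4}'; }
ingress_ip_from() { grep -i rke2-ingress-nginx-controller | awk 'NR==1{print $5}'; }

# True only for one dotted-quad; rejects "", "<none>", "<pending>" and multi-line values.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# jq -r prints the string "null" when a key is missing, so treat that as unset.
is_set() { [ -n "$1" ] && [ "$1" != "null" ]; }

run_sync() {
    sso_ip=$(kubectl get svc -A | sso_ip_from)
    ingress_ip=$(kubectl get svc -A | ingress_ip_from)
    is_ipv4 "$sso_ip"     || { echo "SSO_IP not resolved: '$sso_ip'" >&2; return 1; }
    is_ipv4 "$ingress_ip" || { echo "INGRESS_IP not resolved: '$ingress_ip'" >&2; return 1; }
    # Read the password without echo; it reaches jq and curl on stdin, not in argv.
    printf 'PFxM admin password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    # -k is kept from the KB commands; --fail turns HTTP errors into a non-zero exit.
    token=$(printf '%s' "$pw" | jq -Rnc '{username:"admin",password:input}' |
        curl -ksS --fail -X POST "https://${sso_ip}:8080/rest/auth/login" \
            -H 'Accept: application/json' -H 'Content-Type: application/json' \
            --data @- | jq -r .access_token)
    unset pw
    is_set "$token" || { echo "login returned no access_token" >&2; return 1; }
    ldap_id=$(curl -ksS --fail "https://${ingress_ip}/rest/v1/directory-services" \
        -H 'Accept: application/json' -H "Authorization: Bearer ${token}" | jq -r '.[0].id')
    is_set "$ldap_id" || { echo "no directory service id returned" >&2; return 1; }
    curl -ksS --fail -X POST "https://${ingress_ip}/rest/v1/directory-services/${ldap_id}/sync" \
        -H "Authorization: Bearer ${token}" -H 'Accept: application/json' \
        -H 'Content-Type: application/json'
}

if [ "${1:-}" = "--run" ]; then run_sync; fi
```

Run it with --run on the PFMP node; without that argument it only defines the functions.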

 

Impacted Versions

PowerFlex Manager 4.x

 

Fixed In Version

PowerFlex Manager 4.5.1

 

Article Properties
Article Number: 000218374
Article Type: Solution
Last Modified: 29 Dec 2025
Version: 5