AppSync: LDAP Users and Groups Missing from AppSync Configuration After Upgrade to AppSync 4.4.0.0 or 4.4.1.0
Summary: LDAP Users and LDAP Groups are missing from the AppSync UI "Settings > User, Group, and Roles" post upgrade to AppSync 4.4.0.0 or 4.4.1.0.
Symptoms
LDAP Users and LDAP Groups are missing from the AppSync UI Settings > User, Group, and Roles after upgrade to AppSync 4.4.0.0 or 4.4.1.0.
The AppSync upgrade log at <Drive: EMC\AppSync\_Dell EMC AppSync_installation\Logs\Dell_EMC_AppSync_Install_xx_xx_xx_xx> shows:
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [Successfully configured LDAP User xxxxxxx]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [Begin configuring the LDAP User]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP user xxxxxx]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP user yyyyyyyyy]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [Begin configuring the LDAP group]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP group gggggggg]
Command.run(): C:\Users\Administrator\AppData\Local\Temp\2\721210.tmp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP group gggggggggg1]
A possible symptom is that AppSync fails to look up users and groups at subtree levels when only DC=appxycnee,DC=lab is defined in the search path.
The following error is seen when trying to add a user or group in the AppSync UI:
User "ABCDEFGH" could not be found on the LDAP server. Check the spelling and/or verify if the user exists on the LDAP server. And also verify user attributes in LDAP configuration settings.
However, the LDAP configuration works as expected when the User Search Path and Group Search Path are updated with CN and OU details.
The LDAP lookup works with a search path like the following, where subtree levels are specified:
Example: CN=users,OU=people,DC=appxycnee,DC=lab
And it fails with a search path like the following, where only the base level is specified:
Example: DC=appxycnee,DC=lab
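The pattern in the two search paths above is what standard LDAP search scopes (RFC 4511: base, one-level, subtree) produce when a lookup does not descend the whole subtree. The following is an added illustration, not AppSync code and not part of the original article. The directory entries are constructed from the article's example paths, the placement of user ABCDEFGH is an assumption, and the article does not state which scope AppSync used before the hotfix.

```python
# Added illustration: LDAP search scopes over a small constructed directory.

def parse_dn(dn):
    """Split a DN into normalized (attr, value) RDNs. Assumes no escaped commas."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is selected by a search rooted at base_dn with this scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False              # entry is not at or below the search base
    if scope == "base":           # only the base object itself
        return depth == 0
    if scope == "one":            # immediate children of the base only
        return depth == 1
    if scope == "sub":            # the base and everything beneath it
        return True
    raise ValueError("unknown scope: " + scope)

# Constructed entries (assumption): user ABCDEFGH lives under CN=users,OU=people.
DIRECTORY = [
    "DC=appxycnee,DC=lab",
    "OU=people,DC=appxycnee,DC=lab",
    "CN=users,OU=people,DC=appxycnee,DC=lab",
    "CN=ABCDEFGH,CN=users,OU=people,DC=appxycnee,DC=lab",
]

def search(base_dn, scope, cn):
    """Return DNs in scope whose leading RDN is CN=<cn>."""
    return [dn for dn in DIRECTORY
            if in_scope(dn, base_dn, scope) and parse_dn(dn)[0] == ("cn", cn.lower())]

if __name__ == "__main__":
    for base in ("DC=appxycnee,DC=lab", "CN=users,OU=people,DC=appxycnee,DC=lab"):
        for scope in ("base", "one", "sub"):
            print(base, scope, search(base, scope, "ABCDEFGH"))
```

Only the subtree scope finds the user from the DC-level path, while the one-level scope finds it once the path names the containing CN and OU.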
Cause
As part of the upgrade to AppSync 4.4.0.0, AppSync backs up the user and group details from CST/Lockbox to a transient table in AppSync's persistence. During operations after the upgrade, the users and groups are imported into Keycloak. AppSync then deletes the data from the transient table once the import operation is successful. In this case, the user import operation failed because AppSync was unable to look up the users and groups on the LDAP server at subtree levels of the user and group search paths.
The same issue exists in AppSync 4.4.1.0.
The release notes for 4.4.1.0 incorrectly state APPSYNC-3824 and APPSYNC-3743 as being included.
Resolution
A hotfix exists for AppSync 4.4.0.0 and 4.4.1.0. Mention this article number when calling Dell Support to open a service request to obtain the hotfix.
The hotfix allows AppSync to search at the subtree level (OU and CN names) even when only the base-level DCs, DC=appcycnee,DC=lab, are defined in the search string. With the hotfix, AppSync can search all users and groups, as in the following AS structure:
appsyncee.lab\Users\User1
appsyncee.lab\Managed\User2
Following the application of the hotfix, the LDAP definition in AppSync must be removed and readded. This is a critical step: the hotfix does not work until the LDAP definition in AppSync is removed and readded.
The LDAP users and groups may then be readded.
In summary:
- Install the hotfix.
- Remove and readd the LDAP Settings. This is a required step. The hotfix does not work unless this is done. The search path can be at the DC levels if required per hotfix resolution (CN and OU not required with hotfix).
- Add Users and Groups to the AppSync UI.
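To work out which users and groups need to be re-added in the last step, the failed imports can be pulled from the upgrade log quoted under Symptoms. The following is an added example, not Dell tooling and not part of the original article. The sample log is constructed in the format the article shows, with shortened paths and placeholder names, and the matching of a "Successfully configured LDAP group" line is an assumption, since the article only shows the user form.

```python
import re
from collections import defaultdict

# Constructed sample in the article's log format (paths shortened, names are placeholders).
SAMPLE_LOG = r"""
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [Begin configuring the LDAP User]
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [Successfully configured LDAP User user_a]
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP user user_b]
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP user user_c]
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [Begin configuring the LDAP group]
Command.run(): C:\Temp\executeScriptTmp0.bat:stdout [An error occured while adding the LDAP group Backup Admins]
"""

# Matches both result messages; "occur+ed" tolerates the log's spelling and a corrected one.
RESULT = re.compile(
    r"stdout \[(?:(?P<fail>An error occur+ed while adding the)|(?P<ok>Successfully configured))"
    r" LDAP (?P<kind>user|group) (?P<name>[^\]]+)\]",
    re.IGNORECASE,
)

def import_results(log_text):
    """Collect imported and failed names per kind ('user' or 'group'), in log order."""
    out = {"failed": defaultdict(list), "ok": defaultdict(list)}
    # finditer also copes with entries run together on one line.
    for m in RESULT.finditer(log_text):
        status = "failed" if m.group("fail") else "ok"
        bucket = out[status][m.group("kind").lower()]
        name = m.group("name").strip()
        if name not in bucket:
            bucket.append(name)
    return out

def readd_list(log_text):
    """Names that failed import and never succeeded: candidates to re-add after the hotfix."""
    res = import_results(log_text)
    return {kind: [n for n in res["failed"][kind] if n not in res["ok"][kind]]
            for kind in ("user", "group")}

if __name__ == "__main__":
    print(readd_list(SAMPLE_LOG))
```

Comparing this list against the entries under Settings > User, Group, and Roles after re-adding confirms that no previously authorized user or group was silently dropped by the upgrade.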
Products
AppSync
Article Properties
Article Number: 000197466
Article Type: Solution
Last Modified: 14 Dec 2022
Version: 5