×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Helix Portal 22.2 ... Setting up role-based access control Syncing LDAP groups and users

Running the LDAP sync agent

As an LDAP administrator, you can run the LDAP sync agent to sync user groups only, users only, or user groups and users along with their mapping.

The agent syncs the newly added or updated user groups and users from LDAP, but it does not remove the user groups and users that are deleted from LDAP. The unwanted user groups and users must be deleted manually from the BMC Helix Portal console.

  • The LDAP sync agent is an independent utility and it syncs the users or groups in BMC Helix Portal regardless of your tenant authentication.
  • You can run the LDAP sync agent from any server that has access to the LDAP server.

Before you begin

Ensure that the following tasks are completed:

  • JDK version 11 or later is installed on the computer on which you want to run the LDAP sync agent and the JDK path is set in the PATH variable.
  • Minimum requirements:
    • Free disk space: 2 GB
    • RAM size: 2 GB
  • Download and configure the LDAP sync agent. 
  • Create a tenant-level access key or a user-level access key with the appropriate permissions to create, modify, list, and read objects. 
  • Create an external user with the same login ID as the LDAP admin user or create a default role. Ensure that the external user or the default role has all the permissions for the Identity Management Service application or service at a minimum. For more information, see User identities.
  • Ensure that Helix Single Sign-On is configured to authenticate users with your LDAP server details. Contact BMC Support to configure Helix Single Sign-On as described in  Configuring authentication Open link .

To run the LDAP sync agent

  1. Open command prompt from the bmc_helix_identity_sync_agent folder.
  2. (Optional) Check the agent version by running the following command:
    • (Windows)ldap-agent.bat -v
    • (Linuxsh ldap-agent.sh -v

  3. (Optional) Check whether the parameter configuration details provided earlier are runnable and can be parsed correctly by running the following dryrun command:

    • (Windows) ldap-agent.bat -d <objecttype>
    • (Linux) sh ldap-agent.sh -d <objecttype>

    The <objectType> value can be groups, users, or all based on the objects that you want to preview.

    Important

    By default, the top 10 results are displayed. To see the complete list, see the logs in the bmc_helix_identity_sync_agent\logs\agent.log file.

    When should the -d option be used?

    Before syncing the objects, it is a good practice to run the command with the -d option to preview the objects that will be synced. This command will not create any objects, it displays the details of the objects that will be synced (in the agent.log file). After verifying the objects that would be synced, you can proceed with importing the objects by using the -r option. 

  4. Start the agent to perform a one-time sync or a recurring sync of the objects specified in the application.properties file located at bmc_helix_identity_sync_agent\config by running the following command:
    • To perform a one-time sync:
      • (Windows) ldap-agent.bat -r
      • (Linux) sh ldap-agent.sh -r  
    • To perform a recurring sync:
      • (Windows) ldap-agent.bat -s
      • (Linux) sh ldap-agent.sh -s

    Important

    If you change any parameter configuration details in the application.properties file while the sync is in progress, ensure that you restart the agent to rerun the sync. 

    How LDAP groups with duplicate names are synced?

    • If the name of an out-of-the-box user group on BMC Helix Portal matches with an LDAP group, a new external user group is created on BMC Helix Portal.
    • If the name of an existing user group on BMC Helix Portal matches with an LDAP group, the existing group's type is updated from Local to External. The user group retains its existing associations and permissions unless you set the ade.user.group.mapping.replace parameter to true in the application.properties file.

    The synced groups are displayed on the User access > User groups page and the synced users are displayed on the User access > Users page.

To verify that the LDAP sync is complete

  1. Open the agent.log file located at bmc_helix_identity_sync_agent\logs.
  2. At the end of the file, locate a confirmation message indicating that the sync is complete. 

If the sync is not complete, see the log files available under the bmc_helix_identity_sync_agent\logs folder to review the possible causes. Under the logs folder, user-related failures are logged in the users.csv file and the user group-related failures are logged in the groups.csv file. For assistance, contact BMC Support.

Tasks to perform after the objects are synced

  • From local authentication, switch to LDAP.
  • The local users will no longer be functional after the authentication type changes.
  • Make sure that one or multiple synced users are designated as Tenant administrators so that they are not locked out.

Where to go from here

As a tenant administrator, assign appropriate roles and permissions to the synced user groups and users. For more information, see Setting up roles and permissions.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Bharati Poddar on Apr 28, 2022
authorizations ldap sync agent user_management groups

Comments

  1. Betty Neumann

    Would it be possible to use the details from the LDAP Sync Agent README.TXT file and include them in the docs here - there is a key piece of information that is easily missed if users do not read the readme

    These are important enough to be in the actual documentation, can we add them : Notes about syncing Group-User Membership: - The filters to sync Group "ldap.groups.search.filter" and Group-User membership "ldap.users.group.mapping.search.filter", if search for entries with specific name, should not search mutually exclusive entries from LDAP. - I.e. for a given agent run, "ldap.users.group.mapping.search.filter" should look for Groups which are being fetched using "ldap.groups.search.filter". - If Agent run, looks for different groups for Group entries and Group-User membership entries, the LDAP Users will not map with Group in BMC Helix Portal. - Also, if the Ldap user search is configured for a specific user, It may result in no group membership update in BMC Helix Portal.

    These are limitations and restrictions and users need to see them very clearly please.

    Jun 18, 2022 04:57
    1. Bharati Poddar

      Thanks for the feedback, Betty. 

      The configuration parameters (with examples) are explained in the Downloading and configuring the LDAP sync agent topic. The link to this topic is provided in the Before you begin section of this topic. Please let me know if further details need to be added.

      Thanks!

      Jun 20, 2022 09:54

Log in or register to comment.

Downloading and configuring the LDAP sync agent
Importing and syncing users and groups at logon time
© Copyright 2020-2022 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.