
IMC UAM 7.2 LDAP sync issue

Istvan Hegedus
Occasional Contributor

Hi,

After upgrading from IMC 7.0 to 7.2 (via 7.1 of course) I have faced a strange issue. Sometimes during the nightly LDAP synchronization IMC starts to remove users from the Access User database as if they were expired/non-existent users. It cancels the accounts. It doesn't always happen, but when it happens I have to restore the database from a previous backup. The same can be reproduced by manual syncing. Most of the time IMC synchronizes user attributes well and removes only those users which are inactivated in LDAP; however, rarely it happens that it removes most of the users (thousands of users). This causes BYOD users to re-register their devices.

Our LDAP server is Solaris 10 (Sparc), directory proxy and Directory itself is ODSEE (Oracle Directory Server Enterprise Edition) 11.1.3.0.

Has anyone noticed this kind of problem? I do know that it did not exist with the IMC 7.1 base version (no patches); however, I don't know whether it was introduced by later 7.1 patches or by the 7.2 version.

Thanks

Istvan

 

6 REPLIES
NeilR
Respected Contributor

Re: IMC UAM 7.2 LDAP sync issue

Not having that particular problem but a different (maybe related?) issue with iMC_UAM_7.2_E0405 that forced me to roll back to 7.1.

Some 802 users would fail to authenticate with E63117: system unknown error. I noticed this within a short time of upgrading, so did not get to the autosync time for the LDAP db.

But could imagine a possible mode where user record is corrupted so that authentication would not occur and subsequent sync might remove the user, like canceling or blacklisting perhaps?

A case was opened and escalated as other customers were reported to be having "similar" issues - do not know which ones. That was about a month ago.

Have you logged a case with HPE?

Istvan Hegedus
Occasional Contributor

Re: IMC UAM 7.2 LDAP sync issue

Hi,

So far I have not logged a case with HP but will do so.

Regarding the downgrade, my problem is that although I have the 7.1 database backup, 4 weeks have now passed and a lot of new users have registered. If I downgrade I have to make sure that all newly registered users and their device MAC addresses are transferred to 7.1. Now this seems to be a challenge for several reasons:

1. Although IMC has a batch user export menu, in the 7.2 GUI it has disappeared

2. Even if I can export new users, their device MAC addresses cannot be exported/imported

I think here only a good SQL script could help that exports access and platform user accounts and their registered device MAC addresses... If someone knows which tables to export/import please let me know.

Thanks

Istvan

NeilR
Respected Contributor

Re: IMC UAM 7.2 LDAP sync issue

The table ead.tbl_acm_user seems to have some of what you want, for the user, both LDAP and MAC.

You might also want to look at the ead.tbl_acm_service table - looks like that's where the services the user is linked to are stored.

BTW if you haven't set up a backup server using the same license I'd recommend it. It can continue to do authentication when the main server is offline being upgraded.

PS - I have not done an extract then restore using SQL so my info is based on browsing the tables.

Istvan Hegedus
Occasional Contributor

Re: IMC UAM 7.2 LDAP sync issue

Thanks for the hints. I will check it.
Of course we have a stateless failover setup so the standby server takes over authentications; however, new users cannot register their devices for BYOD.

I have installed the latest UAM 7.2 E405P02 patch but the following day the UAM process froze so I had to restart it. I was expecting this patch to cure at least this freezing (at least the release notes mention that too many transparent authentication requests could cause a database connectivity break and this has been fixed). I don't know whether LDAP sync will be any better with it; now I have set the sync period to 7 days and cross my fingers each week that it goes well... but I have to downgrade to 7.1.

NeilR
Respected Contributor

Re: IMC UAM 7.2 LDAP sync issue

UAM 7.2 E405P03 has been posted. However this has not fixed my problem.

Does mention a fix for large LDAP syncs.

NeilR
Respected Contributor

Re: IMC UAM 7.2 LDAP sync issue

Spent time with HP regarding the 802.1x issue I was having. This is a problem for me with mixed MAC and 802.1x on the same port.

User would authenticate once successfully using 802.1x, register the MAC address as the account ID and then subsequently no longer authenticate with 802.1x.

Problem is with mschapserverV2. There was lab code that seems to fix this issue that we tested. However next patch is probably a couple of months out.