Tagged: Active Directory, openam
This topic has 14 replies, 4 voices, and was last updated 6 years, 2 months ago by Peter Major.
April 28, 2016 at 5:46 pm #10129
bvoros (Participant)
Hello All,
I am trying to configure an MS Active Directory datastore.
All is well apart from not being able to have all users displayed under Subjects.
The users are in various OUs all over the place.
What would be the best way to approach this problem?
Can OpenAM be configured to search the entire domain starting at the top?
DC=ad,DC=mydomain,DC=com
Thank you in advance,
Bertalan

April 28, 2016 at 7:05 pm #10133
Scott Heger (Participant)
In your Data Store set your “LDAP Organization DN:” to DC=ad,DC=mydomain,DC=com and then in the User Configuration section remove the values in the “LDAP People Container Naming Attribute:” and “LDAP People Container Value:” fields leaving those blank. Ensure the “LDAPv3 Plug-in Search Scope:” is set to SCOPE_SUB. Save your changes and check Subjects.

April 29, 2016 at 11:52 am #10148
bertalanvoros (Participant)
Thanks a lot for the response Scott.
This is how I have it configured but it’s only displaying a subset, about 1/7th of all users.

April 29, 2016 at 4:32 pm #10154
Scott Heger (Participant)
Look at your “LDAP Users Search Filter:” to see if that is the cause of limiting your results, or check to see if the account specified in your “LDAP Bind DN:” setting has appropriate access to retrieve all users that match your criteria.

April 29, 2016 at 6:17 pm #10160
bertalanvoros (Participant)
Thanks again for your help!
I have tested the user used to bind OpenAM in an LdapBrowser and all seems to be well for as long as referral handling is turned off.
I have also tested the following search filter:
(&(objectClass=person)(!(objectClass=computer))(!(userAccountControl=AccountDisabled)))
This results in slightly over 1000 objects when running a search in my LdapBrowser.
The same gets me 102 subjects in OpenAM.
How do I instruct OpenAM to reload data from a given Datastore?
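As an added example (not code from the thread or from OpenAM), the following constructed in-memory model evaluates the search that the data store settings described above produce: a base DN, a scope (SCOPE_ONE versus SCOPE_SUB) and the posted filter are run against fake Active Directory-style entries spread over several OUs. It also shows the extensible-match form of the userAccountControl test, because in Active Directory that attribute is an integer flag set (ACCOUNTDISABLE is bit 0x2, matched with the LDAP_MATCHING_RULE_BIT_AND rule) rather than a string; the entries, the `user()` helper, the `size_limit` parameter and the naive comma-based RDN counting are assumptions made for the illustration.

```python
"""Constructed in-memory model of the AD search OpenAM's data store performs (no real LDAP server)."""
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND, AD's extensible match rule
ACCOUNTDISABLE = 0x0002               # userAccountControl bit that marks a disabled account

def parse(f, i=0):
    """Recursive-descent parser for a filter subset: (&..) (!..) (attr=v) (attr:OID:=v)."""
    assert f[i] == "(", "filter components must be parenthesised"
    i += 1
    if f[i] in "&!":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = parse(f, i)
            subs.append(node)
        return (op, subs), i + 1                      # skip the closing ')'
    end = f.index(")", i)
    lhs, val = f[i:end].split("=", 1)
    if lhs.endswith(":"):                             # extensible match attr:OID:=value
        attr, rule = lhs[:-1].split(":", 1)
        return ("ext", attr.lower(), rule, val), end + 1
    return ("eq", lhs.lower(), val), end + 1

def match(node, entry):
    kind = node[0]
    if kind == "&": return all(match(s, entry) for s in node[1])
    if kind == "!": return not match(node[1][0], entry)
    vals = [str(v).lower() for v in entry["attrs"].get(node[1], [])]
    if kind == "eq": return node[2].lower() in vals   # string equality: no flag semantics
    if node[2] == BIT_AND:                            # true when every bit of value is set
        return any((int(v) & int(node[3])) == int(node[3]) for v in vals)
    raise ValueError("unsupported matching rule " + node[2])

def in_scope(dn, base, scope):
    """SCOPE_BASE: base entry only; SCOPE_ONE: direct children; SCOPE_SUB: whole subtree."""
    dn, base = dn.lower(), base.lower()
    if dn == base: return scope != "SCOPE_ONE"
    if not dn.endswith("," + base): return False
    depth = dn[:-len(base) - 1].count(",") + 1        # RDNs below base (no escaped commas here)
    return scope == "SCOPE_SUB" or (scope == "SCOPE_ONE" and depth == 1)

def search(entries, base, scope, filt, size_limit=1000):
    node, _ = parse(filt)                             # results beyond size_limit are cut silently
    return [e for e in entries if in_scope(e["dn"], base, scope) and match(node, e)][:size_limit]

BASE = "DC=ad,DC=mydomain,DC=com"
def user(cn, ou, uac=0x200, oc=("person", "user")):   # constructed entry; attr names lowercased
    return {"dn": f"CN={cn},{ou},{BASE}", "attrs": {"objectclass": list(oc), "useraccountcontrol": [uac]}}
ENTRIES = [user("alice", "OU=Sales"), user("bob", "OU=Staff,OU=Sales"),
           user("carol", "OU=Eng", uac=0x200 | ACCOUNTDISABLE), user("srv01$", "OU=Servers", oc=("person", "computer"))]
POSTED = "(&(objectClass=person)(!(objectClass=computer))(!(userAccountControl=AccountDisabled)))"   # from the post
FIXED = f"(&(objectClass=person)(!(objectClass=computer))(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"
```

Running `search(ENTRIES, BASE, "SCOPE_ONE", POSTED)` returns nothing because every user sits at least one OU below the domain root, while `SCOPE_SUB` finds them all; only `FIXED` leaves out the disabled account carol.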

April 29, 2016 at 6:49 pm #10161
bertalanvoros (Participant)
Interestingly, login is OK, there are only 102 users displayed under subjects, but I can log in using an account that is not visible in the subjects list.
So authentication seems to be OK.

April 29, 2016 at 7:34 pm #10163
Scott Heger (Participant)
Interesting. You could try to restart your OpenAM container. Typically I don’t find that necessary, but something to try. Good that authentication is working though. One other thing you could try is to search for one of the users that doesn’t show up. Use the search box in the Subjects tab and see if that adds the user to the list.

May 3, 2016 at 3:25 pm #10206
bertalanvoros (Participant)
Hi again,
I can confirm that subjects can be found by searching.
There was no change after having restarted the container.
I have also added another OpenAM server to the site and it exhibits the same behaviour on the interface.
This is also the case when the entire config is blown away and rebuilt.
Otherwise everything looks fine.

May 3, 2016 at 4:47 pm #10219
Scott Heger (Participant)
In your Data Store config, what do you have for “Maximum Results Returned from Search:”? The default is 1000 I believe. Did you happen to change that to 100?

May 3, 2016 at 4:53 pm #10221
bertalanvoros (Participant)
Unfortunately not, it has been the default 1000.
I upped the search timeout to 30 just in case but that made no difference either.

May 3, 2016 at 5:50 pm #10225
Scott Heger (Participant)
That’s odd. Well, the important thing is that authentication is working for the users that are not showing in the Subjects tab. You generally shouldn’t be doing much of anything with users via the Subjects tab anyway so you should be good.

June 1, 2016 at 2:35 pm #10878
bertalanvoros (Participant)
SOLVED: Found the setting controlling this in the GUI.
The number of results displayed on the console is limited to 100.
It can be set to the desired level under
Configuration -> Console -> Administration -> Realm Attributes -> Maximum Results Returned from Search

June 3, 2016 at 2:07 am #10936
Peter Major (Moderator)
There is not much point in displaying all the end-users on the admin interface. If you really need to deal with individual accounts, then you really just search for them. Increasing the default limits is likely to put more strain on your data stores, as there will be more requests sent to them when browsing the Subjects tab.
If you need to manage your identities, then probably you should use something else than the Subjects tab (or OpenAM for that matter).

June 3, 2016 at 1:37 pm #10944
bertalanvoros (Participant)
This is all true, but from a usability point of view when you are installing OpenAM for the first time you expect to see all your users or an indication that the list is limited for the reasons mentioned above.

June 3, 2016 at 4:27 pm #10952
Peter Major (Moderator)
Feel free to file a bug about the usability issue at bugster.forgerock.org. The UI was mostly inherited from Sun, but we are in the process of implementing a new JavaScript-based UI, so hopefully these old quirks can be made a bit more friendly.