Openam – MS Active Directory Datastore question

This topic has 14 replies, 4 voices, and was last updated 6 years, 2 months ago by Peter Major.

  • #10129
     bvoros
    Participant

    Hello All,

    I am trying to configure an MS ActiveDirectory datastore.
    All is well apart from not being able to have all users displayed under Subjects.
    The users are in various OUs all over the place.

    What would be the best way to approach this problem?

    Can OpenAM be configured to search the entire domain starting at the top?
    DC=ad,DC=mydomain,DC=com

    Thank you in advance,
    Bertalan

    #10133
     Scott Heger
    Participant

    In your Data Store set your “LDAP Organization DN:” to DC=ad,DC=mydomain,DC=com and then in the User Configuration section remove the values in the “LDAP People Container Naming Attribute:” and “LDAP People Container Value:” fields leaving those blank. Ensure the “LDAPv3 Plug-in Search Scope:” is set to SCOPE_SUB. Save your changes and check Subjects.

    #10148
     bertalanvoros
    Participant

    Thanks a lot for the response Scott.

    This is how I have it configured but it’s only displaying a subset, about 1/7th of all users.

    #10154
     Scott Heger
    Participant

    Look at your “LDAP Users Search Filter:” to see if that is the cause of limiting your results, or check to see if the account specified in your “LDAP Bind DN:” setting has appropriate access to retrieve all users that match your criteria.

    #10160
     bertalanvoros
    Participant

    Thanks again for your help!

    I have tested the user used to bind OpenAM in an LdapBrowser and all seems to be well for as long as referral handling is turned off.

    I have also tested the following search filter:
    (&(objectClass=person)(!(objectClass=computer))(!(userAccountControl=AccountDisabled)))

    This results in slightly over 1000 objects when running a search in my LdapBrowser.

    The same gets me 102 subjects in OpenAM.

    How do I instruct OpenAM to reload data from a given Datastore?
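
    The filter quoted above, as an added example that is not part of the thread: a small evaluator over constructed AD-style entries showing that userAccountControl is an integer bitmask (disabled is bit 0x2, ADS_UF_ACCOUNTDISABLE), so a literal string such as AccountDisabled never matches and the negated clause excludes nothing, whereas the bitwise matching rule 1.2.840.113556.1.4.803 does exclude disabled accounts. The entries, DNs and flag values are constructed for the demonstration.

```python
# Added example (not code from the thread): compares the posted search filter
# with the bitwise form AD needs for the "disabled" bit of userAccountControl.
UF_ACCOUNTDISABLE = 0x0002   # ADS_UF_ACCOUNTDISABLE
NORMAL_ACCOUNT = 0x0200      # ADS_UF_NORMAL_ACCOUNT
WORKSTATION_TRUST = 0x1000   # ADS_UF_WORKSTATION_TRUST_ACCOUNT

# Constructed sample entries (not real directory data). AD computer objects
# are a subclass of user, so they also carry objectClass=person.
ENTRIES = [
    {"dn": "CN=alice,OU=Sales,DC=ad,DC=mydomain,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=bob,OU=Eng,OU=EMEA,DC=ad,DC=mydomain,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"dn": "CN=WS01,OU=Workstations,DC=ad,DC=mydomain,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": WORKSTATION_TRUST},
]

def is_person(e): return "person" in e["objectClass"]
def is_computer(e): return "computer" in e["objectClass"]

def posted_filter(e):
    """(&(objectClass=person)(!(objectClass=computer))(!(userAccountControl=AccountDisabled)))
    userAccountControl holds an integer, so equality against the string
    'AccountDisabled' is treated here as never matching; its negation is
    therefore true for every entry and disabled users are NOT excluded."""
    uac_equals_string = False
    return is_person(e) and not is_computer(e) and not uac_equals_string

def bitwise_filter(e):
    """(&(objectClass=person)(!(objectClass=computer))
        (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    :1.2.840.113556.1.4.803: is AD's LDAP_MATCHING_RULE_BIT_AND, so the
    clause matches entries whose userAccountControl has the 0x2 bit set."""
    disabled = bool(e["userAccountControl"] & UF_ACCOUNTDISABLE)
    return is_person(e) and not is_computer(e) and not disabled

def matching_dns(predicate, entries=ENTRIES):
    """Return the DNs of the entries the given filter predicate accepts."""
    return [e["dn"] for e in entries if predicate(e)]

if __name__ == "__main__":
    print("posted filter :", matching_dns(posted_filter))
    print("bitwise filter:", matching_dns(bitwise_filter))
```

The posted filter keeps the disabled account (bob) and only drops the computer object; the bitwise form drops both.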

    #10161
     bertalanvoros
    Participant

    Interestingly, login is OK, there are only 102 users displayed under subjects, but I can log in using an account that is not visible in the subjects list.

    So authentication seems to be OK.

    #10163
     Scott Heger
    Participant

    Interesting. You could try to restart your OpenAM container. Typically I don’t find that necessary, but something to try. Good that authentication is working though. One other thing you could try is to search for one of the users that doesn’t show up. Use the search box in the Subjects tab and see if that adds the user to the list.

    #10206
     bertalanvoros
    Participant

    Hi again,

    I can confirm that subjects can be found by searching.
    There was no change after having restarted the container.
    I have also added another OpenAM server to the site and it exhibits the same behaviour on the interface.
    This is also the case when the entire config is blown away and rebuilt.

    Otherwise everything looks fine.

    #10219
     Scott Heger
    Participant

    In your Data Store config, what do you have for “Maximum Results Returned from Search:”? The default is 1000 I believe. Did you happen to change that to 100?

    #10221
     bertalanvoros
    Participant

    Unfortunately not, it has been the default 1000.
    I upped the search timeout to 30 just in case but that made no difference either.

    #10225
     Scott Heger
    Participant

    That’s odd. Well, the important thing is that authentication is working for the users that are not showing in the Subjects tab. You generally shouldn’t be doing much of anything with users via the Subjects tab anyway so you should be good.

    #10878
     bertalanvoros
    Participant

    SOLVED: Found the setting controlling this in the GUI.

    The number of results displayed on the console is limited to 100.
    It can be set to the desired level under
    Configuration -> Console -> Administration -> Realm Attributes -> Maximum Results Returned from Search

    #10936
     Peter Major
    Moderator

    There is not much point in displaying all the end-users on the admin interface. If you really need to deal with individual accounts, then you really just search for them. Increasing the default limits is likely to put more strain on your data stores, as there will be more requests sent to them when browsing the Subjects tab.
    If you need to manage your identities, then probably you should use something else than the Subjects tab (or OpenAM for that matter).

    #10944
     bertalanvoros
    Participant

    This is all true, but from a usability point of view when you are installing OpenAM for the first time you expect to see all your users or an indication that the list is limited for the reasons mentioned above.

    #10952
     Peter Major
    Moderator

    Feel free to file a bug about the usability issue at bugster.forgerock.org . The UI was mostly inherited from Sun, but we are in the process of implementing a new JavaScript based UI, so hopefully these old quirks can be made a bit more friendly.
