April 28, 2016 at 5:46 pm #10129 bvoros Participant
I am trying to configure an MS ActiveDirectory datastore.
All is well apart from not being able to have all users displayed under Subjects.
The users are in various OUs all over the place.
What would be the best way to approach this problem?
Can OpenAM be configured to search the entire domain starting at the top?
Thank you in advance,
Bertalan

April 28, 2016 at 7:05 pm #10133
In your Data Store set your “LDAP Organization DN:” to DC=ad,DC=mydomain,DC=com and then in the User Configuration section remove the values in the “LDAP People Container Naming Attribute:” and “LDAP People Container Value:” fields leaving those blank. Ensure the “LDAPv3 Plug-in Search Scope:” is set to SCOPE_SUB. Save your changes and check Subjects.

April 29, 2016 at 11:52 am #10148
Thanks a lot for the response Scott.
This is how I have it configured but it’s only displaying a subset, about 1/7th of all users.

April 29, 2016 at 4:32 pm #10154
Look at your “LDAP Users Search Filter:” to see if that is the cause of limiting your results, or check to see if the account specified in your “LDAP Bind DN:” setting has appropriate access to retrieve all users that match your criteria.

April 29, 2016 at 6:17 pm #10160
Thanks again for your help!
I have tested the user used to bind OpenAM in an LdapBrowser and all seems to be well for as long as referral handling is turned off.
I have also tested the following search filter:
This results in slightly over 1000 objects when running a search in my LdapBrowser.
The same gets me 102 subjects in OpenAM.
How do I instruct OpenAM to reload data from a given Datastore?

April 29, 2016 at 6:49 pm #10161
Interestingly, login is OK, there are only 102 users displayed under subjects, but I can log in using an account that is not visible in the subjects list.
So authentication seems to be OK.

April 29, 2016 at 7:34 pm #10163
Interesting. You could try to restart your OpenAM container. Typically I don’t find that necessary, but something to try. Good that authentication is working though. One other thing you could try is to search for one of the users that doesn’t show up. Use the search box in the Subjects tab and see if that adds the user to the list.

May 3, 2016 at 3:25 pm #10206
I can confirm that subjects can be found by searching.
There was no change after having restarted the container.
I have also added another OpenAM server to the site and it exhibits the same behaviour on the interface.
This is also the case when the entire config is blown away and rebuilt.
Otherwise everything looks fine.

May 3, 2016 at 4:47 pm #10219
In your Data Store config, what do you have for “Maximum Results Returned from Search:”? The default is 1000 I believe. Did you happen to change that to 100?

May 3, 2016 at 4:53 pm #10221
Unfortunately not, it has been the default 1000.
I upped the search timeout to 30 just in case but that made no difference either.

May 3, 2016 at 5:50 pm #10225
That’s odd. Well, the important thing is that authentication is working for the users that are not showing in the Subjects tab. You generally shouldn’t be doing much of anything with users via the Subjects tab anyway so you should be good.

June 1, 2016 at 2:35 pm #10878
SOLVED: Found the setting controlling this in the GUI.
The number of results displayed on the console is limited to 100.
It can be set to the desired level under
Configuration -> Console -> Administration -> Realm Attributes -> Maximum Results Returned from Search

June 3, 2016 at 2:07 am #10936 Peter Major Moderator
There is not much point in displaying all the end-users on the admin interface. If you really need to deal with individual accounts, then you really just search for them. Increasing the default limits is likely to put more strain on your data stores, as there will be more requests sent to them when browsing the Subjects tab.
If you need to manage your identities, then probably you should use something other than the Subjects tab (or OpenAM for that matter).

June 3, 2016 at 1:37 pm #10944
This is all true, but from a usability point of view when you are installing OpenAM for the first time you expect to see all your users or an indication that the list is limited for the reasons mentioned above.

June 3, 2016 at 4:27 pm #10952 Peter Major Moderator