I have one user that has access to the console via LDAP authentication but no matter what I try, I cannot get a WebReports account to be created for him. We are currently using 9.1.117.0. I’ve read about a similar issue in older versions but it was supposedly fixed in 9.0.835.0. How does the Web Report not see this user in the OU that has the role assignment? It seems to see all the others.
Hi,
When you say LDAP, do you mean AD?
If so, there are two solutions that you can use for integrating with LDAP; they are described in:
http://www-01.ibm.com/support/knowledgecenter/SS6MER_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Web_Reports/c_solution_overview.html
Which solution are you using?
Yes AD. Here is the issue.
We’ve been using AD authentication for some time and most users have no issue. One user doesn’t have an account listed within the WebReports even though they have been given access via the assigned AD group and they couldn’t use their AD account to log in. Other people within the assigned group are listed except this user. If I search for the user in “Active Directory Permissions”, they are listed to have the inherited permissions assigned to the group. If I try to explicitly give this user rights, I get the error “class NoSuchUserID”.
Hi Jim, I forwarded your question.
Hi Jim,
I remember a similar issue that depended on WebReports roles filtered by console operators. I do not know if it matches your case, but I think you could check if the role bound to the AD group is built up using console operator filters. In this case, you need to look if such console operators still exist on your IEM deployment. If some of these operators do not exist anymore, you need to remove filters on roles based on these operators.
I hope it helps to solve your issue.
I had this same issue. I was looking into some various settings (https://forum.bigfix.com/t/use-of-ldapsearchmaxresults/1181t5) but that did not help. I just upgraded to 9.2.1 and then I was able to see all the users and add ones that I could not add previously.
Hope that helps.
This sounds very much like an issue I had a while ago. Like you mentioned though, it was supposedly fixed in 9.0.835.0…
Did you check the webreports logs to see if there are any errors?
The issue that I had was a result of the AD user GUIDs in the Bigfix database not matching the actual values in AD. You can check to see if this is the same issue by comparing the GUIDs:
- In AD - log into the domain controller and check the value “ObjectGUID” for the affected user
- on the WebReports database, run the following query:
select CONVERT( uniqueidentifier, CONVERT(varbinary(MAX), ADGuid ) ), * from USER_NAMES where LoginName = 'xxxxxx'
where xxxxxx is the username of the affected user.
What are the results?
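An added example, not part of the original post and not BigFix code: when comparing the two GUIDs by hand, the same objectGUID looks different depending on the tool (canonical string, base64 in an LDIF export, escaped octets in an LDAP filter, raw bytes as a SQL varbinary), and the first three fields of the raw bytes are little-endian. The function names and the sample value are constructed for illustration, and it assumes the ADGuid column holds AD's raw 16-byte value, as the CONVERT in the query above suggests.

```python
import base64
import uuid

# Constructed sample value, not taken from any real directory.
SAMPLE_RAW = bytes.fromhex("00112233445566778899aabbccddeeff")


def guid_from_ad_bytes(raw: bytes) -> uuid.UUID:
    """Decode the 16 raw objectGUID bytes; the first three fields are little-endian."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return uuid.UUID(bytes_le=raw)


def parse_guid(value: str) -> uuid.UUID:
    """Normalize the forms a GUID takes when it is copied out of different tools."""
    v = value.strip()
    if v.lower().startswith("0x"):      # SQL varbinary literal (raw bytes)
        return guid_from_ad_bytes(bytes.fromhex(v[2:]))
    if v.startswith("\\"):              # LDAP filter escaping: \00\11\22...
        return guid_from_ad_bytes(bytes.fromhex(v.replace("\\", "")))
    try:
        return uuid.UUID(v)             # canonical string, braces optional
    except ValueError:
        # LDIF export: "objectGUID:: <base64 of the raw bytes>"
        return guid_from_ad_bytes(base64.b64decode(v, validate=True))


def same_guid(ad_value: str, db_value: str) -> bool:
    """True when both values identify the same directory object."""
    return parse_guid(ad_value) == parse_guid(db_value)


if __name__ == "__main__":
    canonical = str(guid_from_ad_bytes(SAMPLE_RAW))
    print(canonical)
    print(same_guid("ABEiM0RVZneImaq7zN3u/w==", "0x" + SAMPLE_RAW.hex()))
    # Reading the raw bytes straight through as hex gives a different GUID.
    print(same_guid("00112233-4455-6677-8899-aabbccddeeff", canonical))
```

A bare 32-digit hex string without the 0x prefix is treated as an already-canonical GUID, so raw bytes copied from a database tool need the prefix to be decoded with the byte swap.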
I was able to get the user’s GUID and, despite your query not working, found the table you were referencing and did a search for that user. This particular user name has a few entries but they are all local entries. Their GUID is not attached to any user in the database (current or deleted). I suppose I could try to manipulate their current account info to insert their GUID into the account and change the “IsADUser” column to 1?
Bumping to see if this would be worth attempting?
Hi, sorry, I set tracking on this particular thread but for some reason never got notified when you had sent the last two previous posts. Did you get this figured out?
I tried this but my target for my SQL update actually changed a second entry that broke my BigFix server. Had to revert it back to the original setting and the strangest thing happened… it started working. Not sure how or why but after manipulating and reverting in the database, it corrected itself. I was able to add in the explicit permission without an error.
Well, glad whatever you did worked. I encountered that issue early last year so I’d have to dig deep into my notes to figure out what the actual solution was.
Again, apologies for not responding. I need to figure out how the notifications work with this new forum I guess.