Upgrade 4.5.2.7 to 4.6.3.6 breaks Active Directory sync

    We have been using 4.5.2.7 for a year without problem, syncing with Active Directory. We have a single AD entry that syncs users from a dedicated OU, e.g., "OU=Regular,OU=Users,OU=OurOrg,DC=ourdomain,DC=local". When we sync in this version it reads the users and reads their group memberships, populating User > Group, where we assign filters to the groups of interest. It works fine.

    When we upgrade to 4.6.3.6 this sync breaks. Users are imported as before, but their group memberships are not imported.
    • The User > Group page shows no groups
    • When we do the first manual AD sync the status shows the groups and memberships being deleted: "Success! Added user = 0, Deleted user = 0, Added group = 0, Deleted group = 45, Added relation = 0, Deleted relation = 649"
    Without the groups the users don't get the correct NxFilters.

    We have reverted to 4.5.2.7 for now, but how are we supposed to configure AD Sync in 4.6.3.6 so that users' group memberships are imported? We haven't found any information on the change that is causing this problem.

    Thanks.

  • #2
    45 groups not imported. How many groups do you have? When you use v4.6.3.6, do you see any group imported, or is there no group imported at all? Your groups might be in a different OU.

    If I were you, I would install v4.6.3.6 on my PC and then try to sync from scratch.

    There were some changes with AD import to support Azure AD, but in our test we get the same result as before. If you look into the /nxfilter/log/nxfilter.log file, you may find something.



    • #3
      There are 0 groups imported. And the groups are in a different OU.

      But with 4.5.2.7 the groups were detected automatically when the users were synced, presumably by reading the memberships of the users. There was no need to sync the groups separately.

      I wondered if this was the problem, so in 4.6.3.6 I tried to add a second AD entry to sync the groups OU separately. But it would not add the second sync entry for the second OU, though 4.5.2.7 would.

      So do we now have to sync more of AD so that both users and groups are synced by a single query?



      • #4
        Can't you put them into the same OU? We might have changed something with that, but I guess having the same OU or the same BaseDN would be more natural.



        • #5
          If both are in 'OU=OurOrg,DC=ourdomain,DC=local', try to remove the other part of your BaseDN.



          • #6
            We resolved the issue by changing the AD sync search to "OU=OurOrg,DC=ourdomain,DC=local", which includes both
            • "OU=Regular,OU=Users,OU=OurOrg,DC=ourdomain,DC=local"
            • "OU=Security,OU=Groups,OU=OurOrg,DC=ourdomain,DC=local"
            though it also syncs about 400 unnecessary groups related to workstation management. But NxFilter 4.6.3.6 is working.

            Thanks.

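To make the BaseDN behaviour in this thread concrete, here is an added example (not NxFilter's code, and not from any poster) that models an LDAP subtree search: it assumes the 4.6.x behaviour described above, where a group is only imported when the group object itself lies under the BaseDN, so user/group relations survive only when both sides are found. The OUs are the ones from the thread; the CNs (jdoe, Finance, WS-Patching) and the exclude pattern are constructed.

```python
import re

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, leaf first, normalised for comparison."""
    rdns = re.split(r"(?<!\\),", dn)  # a comma escaped with '\' is not a separator
    return [tuple(p.strip().lower() for p in r.split("=", 1)) for r in rdns]

def in_subtree(dn, base_dn):
    """True when dn is base_dn itself or sits anywhere beneath it (scope=sub)."""
    parts, base = parse_dn(dn), parse_dn(base_dn)
    return len(parts) >= len(base) and parts[len(parts) - len(base):] == base

# Constructed directory fragment: one user, the security group it belongs to,
# and one of the workstation-management groups nobody wants in NxFilter.
DIRECTORY = {
    "CN=jdoe,OU=Regular,OU=Users,OU=OurOrg,DC=ourdomain,DC=local": {
        "objectClass": "user",
        "memberOf": ["CN=Finance,OU=Security,OU=Groups,OU=OurOrg,DC=ourdomain,DC=local"],
    },
    "CN=Finance,OU=Security,OU=Groups,OU=OurOrg,DC=ourdomain,DC=local": {"objectClass": "group"},
    "CN=WS-Patching,OU=Workstations,OU=Groups,OU=OurOrg,DC=ourdomain,DC=local": {"objectClass": "group"},
}

def sync(base_dn, exclude=None):
    """Subtree search under base_dn (assumed 4.6.x behaviour, see lead-in).
    Returns (users, groups, relations). `exclude` is a regex matched against the
    group CN, standing in for the Exclude option mentioned in #8 (assumption)."""
    users, groups, relations = [], [], []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn):
            continue
        cn = parse_dn(dn)[0][1]
        if attrs["objectClass"] == "user":
            users.append(dn)
        elif not (exclude and re.search(exclude, cn, re.I)):
            groups.append(dn)
    # A relation only exists when both the user and the group were imported.
    for u in users:
        relations += [(u, g) for g in DIRECTORY[u]["memberOf"] if g in groups]
    return users, groups, relations

if __name__ == "__main__":
    old_base = "OU=Regular,OU=Users,OU=OurOrg,DC=ourdomain,DC=local"   # users only
    new_base = "OU=OurOrg,DC=ourdomain,DC=local"                       # users + groups
    for base in (old_base, new_base):
        u, g, r = sync(base, exclude=r"^ws-")
        print(f"{base}: users={len(u)} groups={len(g)} relations={len(r)}")
```

With the original users-only BaseDN the search returns the user but no group and therefore no relation, which matches the "Added group = 0" result in the first post; widening the BaseDN to OU=OurOrg brings the group and the relation back, and the exclude pattern keeps the workstation group out.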


            • #7
              About those unnecessary groups, read https://forum.nxfilter.org/tips-tric...e-created-ones

              You may be able to exclude them from importation.



              • #8
                Thanks, I was able to exclude most of them via the existing Exclude option.
