Unable to remove user from DataSync

  • 7012163
  • 17-Apr-2013
  • 26-Jun-2014

Environment

Novell Data Synchronizer Mobility Pack

Situation

Removing a user from an LDAP group does not remove the user from DataSync
Removing a user from a group is not reflected in DataSync

Unable to remove user account from WebAdmin
Some user accounts can't be removed
Errors in /var/log/datasync/configengine/engine.log:
[LDAPPoll_thread] [directory:280] [userID:] [eventID:] [objectID:] [] Adding user: cn=user1,ou=users,o=novell to connector default.pipeline1.mobility failed with Failure .

Resolution

  1. See TID 7015282 - How to install dsapp on a Mobility server.
    Note: Once dsapp is loaded, proceed with the steps below.
  2. Select Database
  3. Enter 'y' to stop Mobility services
  4. Select Fix targets/membershipCache
    Note: The LDAP server will be contacted for a list of membership of Mobility groups.
  5. Approve the list of Group Membership:
    • If the list appears correct, such as the following, enter y:
      Mobility Group(s):
       cn=admingroup,o=novell
       cn=mobility,ou=users,o=novell

      Group Membership:
      "cn=admin,o=novell","cn=admingroup,o=novell"
      "cn=user1,ou=users,o=novell","cn=mobility,ou=users,o=novell"

    • If the list shows anything other than a formatted list like the above, enter n and proceed with the steps in the Additional Information section. Either the LDAP server could not be contacted, or the admin user configured for Mobility has insufficient privileges to read group membership.

Cause

If a user is first added individually through WebAdmin and later added to a group, the user is never added to the membershipCache table in the groupwise database. Consequently, when the user is removed from the LDAP group, the user is never removed from DataSync.

Restarting DataSync will increase referenceCount in the targets table of the groupwise database by 1, with the following error in /var/log/datasync/configengine/engine.log:
[LDAPPoll_thread] [directory:280] [userID:] [eventID:] [objectID:] [] Adding user: cn=user1,ou=users,o=novell to connector default.pipeline1.mobility failed with Failure .

referenceCount increases by 1 because the user is in the targets table but not in the membershipCache table. The user cannot be added to membershipCache because it is already in targets. The steps outlined in this TID should resolve this issue.

Status

Reported to Engineering

Additional Information

Below are the steps to manually resolve the issue by importing a list of membership from LDAP and inserting it into the database:
  1. Make sure to download and install DataSync build 299 or later.  At the time of writing this TID, build 299 has not been released. Please contact Novell Technical Services to get the build. See How to update Mobility for updating instructions.
    Also, the latest-released version can be downloaded from: https://download.novell.com/patch/finder
  2. Verify desired groups are in WebAdmin. http://<serverAddress>:8120
    1. List group(s) out by Fully-Distinguished Name (FDN) for later steps:
      cn=mobilityGroup,o=novell
  3. Verify a list of users from the desired groups are returned using LDAP:
    1. Copy and paste the command below into a terminal window on the Mobility server after replacing the following variables with the values for your environment (note that the group FDN appears twice: once as the search base after -b and once inside the final sed expression):
      ldapsearch -x -H ldap://myldapserver.com -D cn=myadmin,o=novell -w mypassword -b cn=mobilityGroup,o=novell | perl -p00e 's/\r?\n //g' | grep member: | cut -d ":" -f 2 | sed 's/^[ \t]*//' | sed 's/^/"/' | sed 's/$/","cn=mobilityGroup,o=novell"/' | sed '1s/^/memberdn,groupdn\n/'
      1. myldapserver.com with the Domain/IP address of your LDAP server
      2. cn=myadmin,o=novell with a user who has rights to see members of the desired groups (preferably an admin)
      3. mypassword with the above user's password
      4. cn=mobilityGroup,o=novell with the FDN of the group (one group at a time), in both places it appears
    2. Verify the following command returns a list of users for each group you have in DataSync WebAdmin. Here is an example:
      memberdn,groupdn
      "cn=admin,o=novell","cn=mobilityGrp,o=novell"
      "cn=user1,ou=users,o=novell","cn=mobilityGrp,o=novell"
      "cn=user2,ou=users,o=novell","cn=mobilityGrp,o=novell"
      "cn=user3,ou=users,o=novell","cn=mobilityGrp,o=novell"
    3. If the command returns a list similar to what is found above, then copy the working command to a text editor for safe-keeping and proceed with Step 4. Otherwise, troubleshoot LDAP connectivity.
  4. Clear membershipCache table:
    1. Open a terminal window for the Datasync server and type rcdatasync stop to stop all the datasync services.
    2. Type the following command:
      psql -U datasync_user datasync
    3. Enter the password for the datasync database. If the database password is not known, check the /etc/datasync/configengine/configengine.xml file; the password is stored there in plaintext in the following format:
      <db>datasync</db>
      <username>datasync_user</username>
      <password>novell</password>
    4. Type the following command:
      delete from "membershipCache";
  5. Insert list of users from desired groups into membershipCache table:
    1. Append the following to the working LDAP command generated from Step 3:
      | psql -U datasync_user datasync -c "\copy \"membershipCache\"(memberdn,groupdn) from STDIN WITH DELIMITER ',' CSV HEADER"
    2. An example of the entire command will look similar to the following:
      ldapsearch -x -H ldap://myldapserver.com -D cn=myadmin,o=novell -w mypassword -b cn=mobilityGroup,o=novell | perl -p00e 's/\r?\n //g' | grep member: | cut -d ":" -f 2 | sed 's/^[ \t]*//' | sed 's/^/"/' | sed 's/$/","cn=mobilityGroup,o=novell"/' | sed '1s/^/memberdn,groupdn\n/' | psql -U datasync_user datasync -c "\copy \"membershipCache\"(memberdn,groupdn) from STDIN WITH DELIMITER ',' CSV HEADER"
    3. From a new terminal window on the Mobility server, copy and paste the joined command and press Enter.
    4. Verify the list of users has been properly inserted into the database:
      select * from "membershipCache";
      1. The above command should return a list similar to the following:
                   memberdn            |        groupdn
        ------------------------------+------------------------
         cn=admin,o=novell            | cn=mobilityGrp,o=novell
         cn=user1,ou=users,o=novell   | cn=mobilityGrp,o=novell
         cn=user2,ou=users,o=novell   | cn=mobilityGrp,o=novell
         cn=user3,ou=users,o=novell   | cn=mobilityGrp,o=novell
  6. Correct referenceCount issue in targets table:
    1. Type the following command within the postgres database:
      update targets set "referenceCount"='1' where disabled='0';
    2. Type \q to exit the database.
  7. Type rcdatasync start to bring datasync services back online.
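The following is an added example, not part of this TID or of Novell's tooling, covering the conversion in Step 3 and the CSV that the \copy command in Step 5 consumes. It replaces the perl/grep/cut/sed pipeline with a single awk program (an assumption of this example) so that the cases the one-liner handles implicitly are visible: LDIF line folding (a continuation line starts with one space), CRLF output, base64-encoded member values (written as member:: in LDIF, which the one-liner would turn into empty rows), and CSV quoting of DNs that contain a comma or a double quote. The function name ldif_members_to_csv and the sample LDIF are constructed for this example; the base64 value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the TID: build the memberdn,groupdn CSV that the
# TID's \copy step loads, from the LDIF that ldapsearch prints for a group.
# One awk program stands in for the TID's perl/grep/cut/sed pipeline
# (assumption of this example, not Novell's tooling).

# Usage: ldapsearch -x -H ldap://... -D ... -w ... -b <groupFDN> | ldif_members_to_csv <groupFDN>
ldif_members_to_csv() {
    # The group FDN is handed to awk through the environment instead of -v,
    # because -v would interpret backslash escapes inside the DN.
    group="$1" awk '
        BEGIN {
            group = ENVIRON["group"]
            gsub(/"/, "\"\"", group)        # CSV: double any embedded quotes
            print "memberdn,groupdn"        # header expected by \copy ... CSV HEADER
            skipped = 0
        }
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^ / { buf = buf substr($0, 2); next }   # LDIF folding: leading space continues the previous line
        { if (buf != "") emit(buf); buf = $0 }
        END {
            if (buf != "") emit(buf)
            if (skipped > 0)
                print "warning: " skipped " base64-encoded member value(s) skipped" | "cat 1>&2"
        }
        function emit(line,    v) {
            if (line ~ /^member: /) {
                v = line
                sub(/^member: */, "", v)
                gsub(/"/, "\"\"", v)        # quote-safe even if the DN contains " or ,
                printf "\"%s\",\"%s\"\n", v, group
            } else if (line ~ /^member::/) {
                skipped++                   # non-ASCII DNs are base64 in LDIF; not decoded here
            }
        }
    '
}

# Constructed sample LDIF shaped like ldapsearch output for a group entry.
# It contains one folded member line and one base64-encoded (member::) value.
SAMPLE_LDIF='dn: cn=mobilityGroup,o=novell
objectClass: groupOfNames
cn: mobilityGroup
member: cn=admin,o=novell
member: cn=user1,ou=users,o=novell
member: cn=user-with-a-long-distinguished-name,ou=use
 rs,o=novell
member:: Y249eA==

# search result
search: 2
result: 0 Success'

# Stand-alone run on the sample. In production, replace the printf with the
# TID ldapsearch command and append the TID \copy step, for example:
#   ... | ldif_members_to_csv "$GROUP" | psql -U datasync_user datasync \
#       -c "\copy \"membershipCache\"(memberdn,groupdn) from STDIN WITH DELIMITER ',' CSV HEADER"
printf '%s\n' "$SAMPLE_LDIF" | ldif_members_to_csv "cn=mobilityGroup,o=novell"
```

The warning on stderr does not enter the CSV, so it cannot corrupt the \copy load, but it tells you which rows to add by hand after decoding the base64 DN. Because the output is proper CSV, membershipCache rows for DNs containing escaped commas survive the import instead of being split across columns.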