Target System Browser doesn't show any user account - only OUs

Dear community,

May I ask you for support, please?
I created a new "Sync Project" to establish a connection to our UNIX system, using an LDAP connector.

In the Target System Configuration I’m able to connect to our Unix system.
I can browse the directory, I can even see all “organizationalUnits”. But I can’t see any users.

Fun fact:
Going back to the "Target System Configuration": on the right-hand side, in the “Scope” section, I can select “Edit Scope”.
In the right window then, I can see all the OUs in a tree structure. Here I can go down to the users OU, open it, and all user accounts are shown there. Here I can see all user accounts.

The question now is:
Why can’t I see any user accounts in the "Target System Browser", when all accounts are shown in the "Target System Configuration" + Scope section?

Does anybody have an idea?

Thanks and kind regards
Nico

  • Hi Nico,

    This may be related to the object classes of your users.
    Are you looking at "inetOrgPerson" in the target system browser? What objectclasses does your user have?
    In case it has no "inetOrgPerson" but a "person" objectclass, you have to look at the "person" schema type (you may have to update the schema before browsing).

    Thanks,
    Stephan

  • Hi Nico,

    I have found that if the objects do not have 'TOP' in the ObjectClass path then they will not be seen by the OI system.

    A lot of LDAP implementations are quite relaxed and for some reason don't insist on 'TOP'.

    At one of my customers they were missing TOP from some of their structural object classes.  It was a simple fix ..... that wasn't breaking ..... to add TOP ..... and then everything started to work.

    HTH, Barry.

  • Hi Stephan,
    thanks for the reply. Simply updating the schema and looking for "person" did not help.

    Yes, we found out that a missing object class is the root cause of this issue. We've adapted the object class of a test user accordingly. Then the user was visible in the object browser. But this solution won't fix our issue, as we do not want to update thousands of Unix accounts to get them displayed in OneIdentity.

    Is there really no other solution than touching all of our Unix accounts?

    Thanks and kind regards
    Nico

  • Hi Barry,

    thanks for your reply.
    Yes, we can confirm that a missing object class on the accounts is the root cause. We tested the behavior with a test user.
    The problem is that we do not want to adapt all of our Unix accounts only to get them displayed in OneIdentity.

    Cheers

  • Hi Nico,

    I advised my customer of the issue and they made the change, so I'm not certain what they actually did, but I'm fairly certain they didn't need to change every object ...... they just changed the schema file to add TOP to the definition of the ObjectClass.  From what I recall this is then picked up by the lower level objects.

    Regards, Barry.

  • I’d like to inform you. We finally fixed it, without changing any of our accounts in the target system.

    Just a short explanation of what we did:
    When you create an LDAP Sync project, in the “LDAP Schema Extensions” section you will have an option to switch the type of object classes.
    Here we simply changed the objectclasses type from some object class to “Auxiliary”. Then we were able to fetch all our Unix accounts in the target browser.
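
A read-only check for the two conditions raised in this thread (an account's object classes not chaining up to `top`, and which classes the directory declares as structural or auxiliary), useful before changing either the directory or the sync project. This is an added example, not part of the thread or of any vendor tooling; the schema lines are constructed in RFC 4512 syntax, and `unixUser` with its OID is a made-up class standing in for the affected one.

```python
import re

# Constructed sample definitions in RFC 4512 ObjectClassDescription syntax.
# 'unixUser' (and its OID) is hypothetical: a class that omits SUP entirely.
SAMPLE_SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MUST ( cn $ uid ) )",
    "( 1.3.6.1.4.1.99999.1 NAME 'unixUser' DESC 'no SUP given' MUST uid )",
]

def parse_object_class(defn):
    """Return (names, superiors, kind) for one definition; SUP by name only."""
    defn = re.sub(r"DESC\s+'[^']*'", "", defn)  # keywords inside DESC are not schema
    m = re.search(r"NAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    s = re.search(r"\bSUP\s+(?:\(([^)]*)\)|(\S+))", defn)
    sups = [x.strip().lower() for x in (s.group(1) or s.group(2)).split("$")] if s else []
    k = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", defn)
    return names, sups, k.group(1) if k else "STRUCTURAL"  # RFC 4512 default kind

def build_schema(definitions):
    schema = {}
    for d in definitions:
        names, sups, kind = parse_object_class(d)
        for n in names:
            schema[n.lower()] = (sups, kind)
    return schema

def reaches_top(name, schema, seen=frozenset()):
    """Follow SUP links from a lower-cased class name; True if 'top' is reached."""
    if name == "top":
        return True
    if name in seen or name not in schema:
        return False
    return any(reaches_top(s, schema, seen | {name}) for s in schema[name][0])

def diagnose(entry_classes, schema):
    """Classify an entry's objectClass values and list those not rooted in top."""
    report = {"structural": [], "auxiliary": [], "unknown": [], "no_top": []}
    for oc in entry_classes:
        key = oc.lower()
        if key not in schema:
            report["unknown"].append(oc)
            continue
        kind = schema[key][1]
        if kind in ("STRUCTURAL", "AUXILIARY"):
            report[kind.lower()].append(oc)
        if not reaches_top(key, schema):
            report["no_top"].append(oc)
    return report
```

Against a real directory, the definitions come from the `objectClasses` attribute of the subschema subentry and the class list from a sample account's `objectClass` values.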