10 Replies Latest reply on Jan 30, 2018 12:13 PM by phoffmann

    How does inventory gather LDAP information?

    bdwest Apprentice

      We have a 2016.3 deployment on a dark core network.  I have been deploying some software packages using Active Directory groups, and it's been successful so far.  I'm setting up another software package to do the same thing.  The query that polls the security group, and also looks to see if that software has already been installed, found only one system that is in the group, but doesn't have the software.  When I checked, I realized that that system shouldn't be in that security group.  So I removed it from that AD security group.  I then had it run scans for hardware, hardware and software, and full sync.  It still didn't update the fact that it's no longer a member of that security group.  So I left it for a couple of days, hoping that some other process would update the status.  But the query is still showing that system is in that AD security group.


      How do I troubleshoot this?  I tried to figure out what process is polling LDAP for new status, but couldn't figure it out.  It doesn't appear we have the LDAP Enumeration registry key set, but the inventory for each system includes LDAP Groups/Machine, and it appears to be accurate most of the time.  I'm not seeing any errors (that I know of) with the scans on this system, but it still has the outdated LDAP Group membership.  Where do I start in troubleshooting this?

        • 1. Re: How does inventory gather LDAP information?
          JoeDrwiega SupportEmployee

          Log into the client and run ldapwhoami.exe and see what results it has. Also be sure your COM+ is using a domain account as well: How to Configure COM+ Server Credentials

          Also are you using Data Analytics at all?

          • 2. Re: How does inventory gather LDAP information?
            bdwest Apprentice
            • We are not licensed for Data Analytics, to the best of my knowledge.
            • When I run ldapwhoami.exe, I get the results I expect (I added my own machine to a particular AD security group last week; I don't see that group in the machine's inventory, but I do see it in these results.)
            • The COM+ aspect may be the problem.  I thought I had set this up properly seven months ago.  But I see in the instructions you linked to that this account is supposed to be a domain admin.  Right now, it's not. That's heavily restricted in this environment.  What are the truly necessary permissions/requirements for this account to do its job?  Is there a log for this somewhere that I can check and see what's working and what's not working?
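An added example, not part of the thread: bdwest compares ldapwhoami.exe output with the inventory by eye. The function below reads the computer object's direct group membership straight from AD via ADSI, so the "ground truth" can be compared with the "LDAP Groups\Machine" entries in the device's inventory. It assumes the machine is domain-joined and can reach a domain controller over LDAP; no RSAT or ActiveDirectory module is needed, and the function and parameter names are mine.

```powershell
# Added example (not from the thread): read the computer object's group
# membership straight from AD with ADSI, so it can be compared with the
# "LDAP Groups\Machine" entries in the device's inventory.
# Assumptions: the machine is domain-joined and can reach a DC over LDAP;
# no RSAT or ActiveDirectory module is required.

function Get-ComputerAdGroups {
    [CmdletBinding()]
    param(
        # Defaults to the local computer; pass another name to check a peer.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Computer accounts carry a trailing '$' in sAMAccountName.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    [void]$searcher.PropertiesToLoad.Add('primaryGroupID')

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "Computer object '$ComputerName' was not found in the default naming context."
    }

    # memberOf lists the DNs of groups that hold this computer as a direct member.
    # The primary group (usually 'Domain Computers') is never in memberOf, so a
    # tool that shows the primary group will list one group more than this does.
    $groups = @($result.Properties['memberof']) | ForEach-Object {
        # "CN=SW-Deploy-App,OU=Groups,DC=corp,DC=example" -> "SW-Deploy-App"
        # (simple split; a CN containing an escaped comma would need a real DN parser)
        ($_ -split ',')[0] -replace '^CN=', ''
    }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        DirectGroups   = @($groups | Sort-Object)
        PrimaryGroupId = [int]$result.Properties['primarygroupid'][0]
    }
}

# Usage: run on the device whose inventory looks stale and compare the list
# with what the console shows under LDAP Groups\Machine.
Get-ComputerAdGroups | Format-List
```

If this list shows the group you just removed the device from is gone while the inventory still lists it, AD itself is fine and the stale data has to be coming from the scan/processing path rather than from the directory.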
            • 3. Re: How does inventory gather LDAP information?
              phoffmann SupportEmployee

              It doesn't need *ANY* special sauce permissions.


It literally *JUST* needs to be an AD account (assuming you have a service account - use THAT) ... querying AD doesn't require special permissions. We just need to be able to authenticate with it so we can resolve AD objects with it.


              So - no fear of needing "Domain Admin" or something like that.


Just your basic AD account without interactive logon permissions will do just fine.

              • 4. Re: How does inventory gather LDAP information?
                bdwest Apprentice

                Good.  I was thrown by this in the documentation (which apparently needs to be changed?): "You need to configure this COM+ application on the Web console server to use a domain administrator account."


                I am, indeed, using the service account for this.  So is there a log that tells me what is or isn't working with this process?  How can I tell what is or isn't working with this?
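An added example, not part of the thread: JoeDrwiega asks whether the COM+ application runs as a domain account, and phoffmann confirms it needs nothing beyond an ordinary AD account. The script below reads the COM+ catalog on the server (the same catalog the Component Services MMC edits) and reports the identity each application runs under, flagging any that is not a domain account. It assumes an elevated session on the Web console / core server; the domain NetBIOS name is a placeholder you supply, and the function name and the verdict strings are mine.

```powershell
# Added example (not from the thread): report the identity every COM+
# application on this server runs under and flag those that are not a
# domain account. Assumptions: elevated session on the Web console / core
# server; -DomainNetbios is your domain's NetBIOS name (placeholder).

function Get-ComPlusIdentityReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DomainNetbios,
        # Optional wildcard to narrow the report to one application.
        [string]$ApplicationName = '*'
    )

    # COMAdmin exposes the COM+ catalog that Component Services edits.
    $catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
    $apps = $catalog.GetCollection('Applications')
    $apps.Populate()

    foreach ($app in $apps) {
        if ($app.Name -notlike $ApplicationName) { continue }

        # 'Identity' is "DOMAIN\user" for "This user", or a built-in name such
        # as "Interactive User" / "NT AUTHORITY\NetworkService".
        $identity = [string]$app.Value('Identity')
        if ($identity -like "$DomainNetbios\*") {
            $verdict = 'ok: domain account (no admin group membership needed)'
        }
        elseif ($identity -eq 'Interactive User' -or $identity -like 'NT AUTHORITY\*') {
            $verdict = 'built-in identity, not a domain user account'
        }
        else {
            $verdict = 'local or unrecognised account: check'
        }

        [pscustomobject]@{
            Application = $app.Name
            Identity    = $identity
            Verdict     = $verdict
        }
    }
}

# Usage (domain name is a placeholder): list everything, then fix a flagged app
# in Component Services > application Properties > Identity.
Get-ComPlusIdentityReport -DomainNetbios 'CORP' | Format-Table -AutoSize
```

Identities configured in UPN form (user@domain) would need a second `-like` pattern; the check is deliberately minimal so it only confirms what the thread asks for, which is that the app runs as some domain user rather than as a built-in or local account.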

                • 5. Re: How does inventory gather LDAP information?
                  phoffmann SupportEmployee

                  Well - COM+ by and large is "a black box" (thanks Microsoft) that's *VERY* difficult to get information out of. Gets particularly "magic 8-ball"-y when trying to figure out whether / when COM+ has decided to break in some shape or form...


                  However, if you've got AD-users / AD-queries that you're resolving, then the SCHEDQRY log(s) are a good source of indication whether things are going wrong, usually.


Hrmmm -- I thought I had chased down all those silly ideas of "must be a domain admin" ... guess that one slipped the net. Thanks bdwest -- I'll poke someone later in the week (when I'm not bouncing around all over the place) to get that fixed up. That's a constant myth I've been dispelling for years now ... hadn't thought we had an instance of that in those docs.

                  • 6. Re: How does inventory gather LDAP information?
                    bdwest Apprentice

                    The SchedQry log seems to be better than nothing(?) but it's not answering my questions.

                    • New systems appear to be properly populated with the AD security groups they were in, at the very least when they first joined LDMS.
                    • But when I add a system to a security group and run hardware, hardware-and-software, and full-sync queries, the "LDAP Groups\Machine" does not get updated to reflect the new change.
                    • I thought maybe this was a server-based querying process, or something else I didn't have visibility into or awareness of, but maybe was happening on a scheduled basis, so I left one machine in particular since last Thursday.  It still hasn't been updated.
• I looked at the SchedQry logs.  During the ResolveTasks step, where it is "Resolving all queries," it finds [22] queries to process.  For each of those 22 queries, it gives four lines that say "WARNING: Unable to resolve user scopes because current user idn is not available for user [our service account for LDMS]".  The archived logs go back to November 16, and all of them have this same pattern.  There are no other errors, warnings, etc. that I see in the logs.


                    So the querying of AD appears to be working sometimes, for instance when we add a new system (which we've added many of since November 16).  But it doesn't appear to be updating changes that are made to an object.



                    • 7. Re: How does inventory gather LDAP information?
                      bdwest Apprentice

                      One question: what system/process updates the LDAP Groups\Machine area in a given computer's inventory?  Does that get gathered by the agent on a given system?  Or is it gathered by some central process on the core server?

                      • 8. Re: How does inventory gather LDAP information?
                        JonnyB SupportEmployee

                        There are cases we see where a limited user can't enumerate groups to do authentication. It is more the exception than the rule

                        • 9. Re: How does inventory gather LDAP information?
                          bdwest Apprentice

                          I finally figured out both the answer to my question and the core problem.


                          The problem was that my LDScan folder was full of 9,600+ files (about ten days' worth).  Once I restarted the core server's Inventory service, the files emptied out and the LDAP information updated.


                          The answer to my original question, then, would appear to be "the agent on each machine is what is gathering LDAP Group information, that is then reported to the core server as part of the Inventory."  I did not understand this structural fact of how the LDAP information is gathered.


                          So, just to make sure I get this, does the core server gather any LDAP information outside of its own agent's inventory?
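An added example, not part of the thread: the root cause bdwest found was an LDScan folder holding 9,600+ unprocessed scan files, which meant no device's inventory (LDAP groups included) could update until the Inventory service was restarted. The watchdog below measures that backlog by file count and by the age of the oldest pending file, and can optionally restart the service when it is stalled. It assumes nothing about the product beyond what the thread states: the LDScan path and the Inventory service name are placeholders you pass in, the thresholds are illustrative, and the function and parameter names are mine.

```powershell
# Added example (not from the thread): watchdog for the core server's LDScan
# folder. Agents drop inventory scans there and the Inventory service drains
# them; when it stalls, the files pile up and every device's inventory,
# including "LDAP Groups\Machine", stops updating.
# Assumptions: -LdScanPath and -InventoryServiceName are placeholders for the
# path and service name on your core; the thresholds are illustrative.

function Test-LdScanBacklog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$LdScanPath,
        [int]$MaxFiles = 500,           # 9,600 files was about ten days of scans in the thread
        [int]$MaxAgeMinutes = 120,      # a healthy service processes a scan within minutes
        [string]$InventoryServiceName,  # only used together with -RestartIfStalled
        [switch]$RestartIfStalled
    )

    if (-not (Test-Path -LiteralPath $LdScanPath -PathType Container)) {
        throw "LDScan folder not found: $LdScanPath"
    }

    $files = @(Get-ChildItem -LiteralPath $LdScanPath -File -ErrorAction Stop)
    $oldest = $files | Sort-Object LastWriteTime | Select-Object -First 1
    $oldestAgeMin = 0
    if ($oldest) {
        $oldestAgeMin = [int]((Get-Date) - $oldest.LastWriteTime).TotalMinutes
    }

    # Either signal alone is enough: a handful of very old files means the queue
    # is stuck just as surely as thousands of fresh ones.
    $stalled = ($files.Count -gt $MaxFiles) -or ($oldestAgeMin -gt $MaxAgeMinutes)

    $action = 'ok'
    if ($stalled) {
        $action = 'queue not draining: check the Inventory service and its log'
        if ($RestartIfStalled -and $InventoryServiceName) {
            # -WhatIf / -Confirm are honoured here via SupportsShouldProcess.
            if ($PSCmdlet.ShouldProcess($InventoryServiceName, 'Restart-Service')) {
                Restart-Service -Name $InventoryServiceName -ErrorAction Stop
                $action = "restarted service '$InventoryServiceName'; re-run to confirm the count drops"
            }
        }
    }

    [pscustomobject]@{
        Path         = $LdScanPath
        PendingFiles = $files.Count
        OldestAgeMin = $oldestAgeMin
        Stalled      = $stalled
        Action       = $action
    }
}

# Usage (path is a placeholder): schedule this on the core and alert when
# Stalled is $true; add -RestartIfStalled -InventoryServiceName '<name>' -WhatIf
# to see what an automatic restart would do before enabling it.
# Test-LdScanBacklog -LdScanPath 'D:\<path-to>\ldscan'
```

Running this on a schedule turns the ten-day silent backlog from the thread into an alert within a couple of hours, which is the check that would have pointed at the Inventory service long before anyone suspected COM+ or LDAP.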

                          • 10. Re: How does inventory gather LDAP information?
                            phoffmann SupportEmployee

                            Not really.


                            The Core primarily uses the inventory data it's gathered for marrying up LDAP stuff. In essence, that's the basis for it to be able to "magic" together a relationship between "user X that's some object in AD that no one knows anything about" and "device Y that User X happens to be on" (for instance).


It's a bit of harmless "cloak and dagger" magickery, for the net effect of being able to make sense of AD-objects which may be users, devices or so on, without otherwise much of a common identifier.


                            Hope that helps.
