16 Replies Latest reply on Dec 12, 2018 3:57 PM by Rick.Smith1

    EPM 2018.1 - LDAP Group membership issue

    GaryOco Apprentice

      Hi, we're an on-prem customer and I've noticed some odd behaviour; it's either on the core/DB or the agent, I can't quite work out which one.

       

      The inventory on machines is not recording the LDAP group membership properly. For example, my laptop is in 4 different AD groups, but EPM is only showing two, and appears to have mixed and matched the records. This only appears to be affecting the machine's LDAP group info; user group info is fine.

       

      ldapwhoami reports the group membership properly. I ran an inventory scan with output to a file and found the below, which seems to suggest it's the agent mixing and matching the memberships:

      LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Pilot Group,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:P) - Description =Pilot Group for Software Deployments

      LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Google Chrome,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:P) - Description =Add machines for google chrome deployment

      LDAP Groups - Machine - (Display Name:D) - Name =CN=Domain Computers,CN=Users,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:D) - Description =All workstations and servers joined to the domain

      LDAP Groups - Machine - (Display Name:P) - Name =OU=Portable,OU=Swansea,OU=Clients,OU=Hardware Assets,DC=insurance,DC=lan

       

      If I read this right (and I could well be wrong) it's trying to list the groups using the same display names, i.e. all with the display name of "P": one for "Name =CN=PG-SW-Pilot Group", one for "Name =OU=Portable,OU=Swansea,OU" and finally "Name =CN=PG-SW-Google Chrome".


      I've tried uninstalling the agent/deleting from the console and reinstalling to no avail.

       

      Tried following this: "How to set up and configure policies to use LDAP Groups or LDAP Containers", but I don't seem to get any different results.

       

      I've just changed the inventory history to 1 day (we've only just migrated so we don't have much history to keep) in case it's something in the history causing the issue. But I don't understand how that could be, when I get the above output from a manual scan on my computer. I would assume that if it was the history or database I should only see that issue on the console, not in the output from the agent.

       

      Can anyone recommend other settings/logs I can check for what might be causing this issue?
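A small check, added here and not taken from the original post or from Ivanti, that parses the scan lines above (re-typed as constructed input) and reports display-name keys shared by several distinct groups, plus the single-letter truncation pattern where the key is just the first character of the group's RDN. It assumes the DNs contain no escaped commas.

```python
import re
from collections import defaultdict

# Constructed sample: the Machine LDAP rows from the scan output quoted in the post.
SCAN_LINES = """\
LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Pilot Group,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:P) - Description =Pilot Group for Software Deployments
LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Google Chrome,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:P) - Description =Add machines for google chrome deployment
LDAP Groups - Machine - (Display Name:D) - Name =CN=Domain Computers,CN=Users,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:D) - Description =All workstations and servers joined to the domain
LDAP Groups - Machine - (Display Name:P) - Name =OU=Portable,OU=Swansea,OU=Clients,OU=Hardware Assets,DC=insurance,DC=lan
""".splitlines()

# Only the "Name =" rows carry the DN; Description rows are skipped by this pattern.
LINE_RE = re.compile(
    r"^LDAP Groups - Machine - \(Display Name:(?P<display>[^)]*)\) - Name =(?P<dn>.+)$"
)

def parse_machine_groups(lines):
    """Return (display_name, dn) pairs for the Name rows of the Machine LDAP section."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("display"), m.group("dn")))
    return out

def rdn_value(dn):
    """First RDN value of a DN, e.g. 'PG-SW-Pilot Group' from 'CN=PG-SW-Pilot Group,...'.
    Assumes no escaped commas in the DN."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1]

def check_display_names(lines):
    """Return (collisions, truncated): display-name keys that several distinct DNs share,
    and DNs whose key is just the first character of their RDN value."""
    pairs = parse_machine_groups(lines)
    by_key = defaultdict(list)
    for display, dn in pairs:
        by_key[display].append(dn)
    collisions = {k: v for k, v in by_key.items() if len(v) > 1}
    truncated = [dn for display, dn in pairs
                 if len(display) == 1 and rdn_value(dn)[:1].upper() == display.upper()]
    return collisions, truncated

if __name__ == "__main__":
    collisions, truncated = check_display_names(SCAN_LINES)
    for key, dns in collisions.items():
        print(f"display name {key!r} is shared by {len(dns)} groups")
    print(f"{len(truncated)} of {len(parse_machine_groups(SCAN_LINES))} entries look truncated")
```

Run it against the saved scan file of any machine to see whether that agent produces the same single-letter keys; a healthy scan should show no collisions.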

        • 1. Re: EPM 2018.1 - LDAP Group membership issue
          Rick.Smith1 Expert

          GaryOco Not happy to hear you are having this issue. We have been reporting LDAP group membership problems for a while now in EPM 2017 and none of the updates have resolved it, despite being told that there have been updates to the ldapwhoami exe.

           

          We've actually written our own AutoIt script that simply grabs the information and dumps the LDAP groups to the registry, and then we are using custom data to gather the groups we are specifically needing. We've no idea why our script works flawlessly and the ldapwhoami seems to just crash and return no groups. Sometimes it works and groups appear, so then our queries built on that data magically shrink and grow in number.

           

          So that reminds me I need to follow up with our TAM on where this issue is at, because we have yet to get a resolution to it or a status update. I think it's because they are waiting to see if EPM 2018 would just fix it, since I keep hearing the problem cannot be reproduced in house, they have made updates to it, so let's just see.... and then it just seems to die there, as if it can't be reproduced in house so it must be environmental and my problem. (Late night rant)

           

          Rick

          • 2. Re: EPM 2018.1 - LDAP Group membership issue
            GaryOco Apprentice

            That's unfortunate, I think I created the issue myself - I accidentally removed some machines from the console and since then it's gone wrong, but I don't know if it's a corruption/misinformation in the database or on the machine.

             

            I'll log a call with Support, see if they can help.

            • 3. Re: EPM 2018.1 - LDAP Group membership issue
              seattleman1969 SupportEmployee

              All, there is an open bug on this.

               

              Rick.Smith, I believe your TRM is probably working with you on it and his case is what I am basing my comments off of. The fix should be contained within the upcoming 2018.3 and 2017.3 SU6 releases. We do not have definitive dates on those releases yet, but it should be late October/early November.

               

              The issue is the way that LDAPWHOAMI.exe gathers information under the different account contexts it might run under, i.e.: logged-in domain user: inventory executes, LDAP information is gathered. No user logged in: the System account executes the inventory scan with no domain context (for lack of a better term), LDAPWHOAMI.exe doesn't gather the LDAP information, and the scan overwrites any data in inventory, thus removing it and replacing it with blank info.

              1 of 1 people found this helpful
              • 4. Re: EPM 2018.1 - LDAP Group membership issue
                Rick.Smith1 Expert

                Brandon - Thanks. I hadn't heard (or remembered hearing) an update and was needing to follow up as well, but we have several other big problems we were/are working through. I've just gotten 2018.1 installed in our test environment and am eagerly awaiting the 2018.3 update so we can get that tested and the deployment to production started.

                 

                Rick

                • 5. Re: EPM 2018.1 - LDAP Group membership issue
                  ldms_4mfe Apprentice

                  Hi GaryOco,

                   

                  Just one wild guess, because only the P*-groups are not imported.

                  I have no server at hand. But maybe the group names are too long (136 chars?)

                   

                  I think it would be worth having a look at the Event Viewer or the Program Files\LANDesk\ManagementSuite\ldscan\ErrorScan folder on the core:

                   

                  Maybe there are some errors like this:

                  Error: Committing on Table...Increased column size might be necessary (Event ID 4100)

                   

                  Kind regards, Marco

                   

                  EDIT:

                  After checking in SQL: the table column is an nvarchar with a 256-character limit. So this is probably not the reason.

                  • 6. Re: EPM 2018.1 - LDAP Group membership issue
                    GaryOco Apprentice

                    Hi Marco,

                     

                    I can see the issue in the local copy of the inventory file before the server processes it, so I don't think it's a core/DB issue. I've spoken to support, who were able to replicate the issue in their lab, indicating it's an issue with the release/agent update. The issue didn't exist before 2018.1, although I can't say I didn't somehow cause it if I'm honest; although if support can replicate it without doing what I thought I did to cause it, that indicates it wasn't a me issue (hopefully anyway).

                     

                    We've got a workaround of browsing the groups via the AD connector as opposed to relying on the inventory information; however, the pessimist in me wonders, if that's broken, what else is broken that I'm not aware of.

                     

                    Unfortunately I've no real way of knowing what is and isn't reporting accurately.


                    Thanks for the reply though, when I hear back from Support I'll post an update here.

                    • 7. Re: EPM 2018.1 - LDAP Group membership issue
                      Rick.Smith1 Expert

                      This bug is still in 2018.3. Major issue for us as we rely on the query conditions with the LDAP groups. I've escalated through my TAM as well.

                       

                      Like you all inventory scans in 2018.1 & 2018.3 are jacked up as far as the LDAP Groups - Machine - Display Names go.

                       

                      This is what a record should look like.

                       

                      Instead under Machine the Display Name is jacked up. Only the first letter is kept of what appears to be the last record that begins with the letter.

                      So frustrating. At this point we don't have a workaround. I am going to see if I can use DTS to possibly fix the data or import direct from LDAP after the fact until Ivanti can provide a fix. Hopefully it's immediate. Other options are to go in and try to adjust every query to use the Name vs the Display Name. Only the Display Name field is messed up for us.

                       

                      Rick

                      1 of 1 people found this helpful
                      • 8. Re: EPM 2018.1 - LDAP Group membership issue
                        GaryOco Apprentice

                        Hi Rick,

                         

                        As a temporary measure we've been deploying to LDAP queries we create by browsing the Directories LDAP listings, which works well and updates pretty quickly.

                         

                        The biggest issue with this is that with controlled software such as Visio or Project, we use a global uninstall on all machines unless they are in a specific group (which performs the install). Without the agent pulling in that info for the exclusion, the global uninstalls can't run and we potentially have machines with controlled software installed that shouldn't be installed. I cannot find a way to create an LDAP query that will exclude the machines without the inventory reading that info.

                         

                        For our global uninstalls the query looks something like this:

                         

                        "Computer"."LDAP Groups"."Machine"."Name"  Not Like  "CN=SOFTWARE_AD_GROUP,OU=Software,OU=User and Group Assets,DC=DOMAIN"

                         

                        Hopefully we'll have something soon.

                         

                        Ivanti have logged a problem ticket, I'm gonna give it a chase.

                         

                        Thanks

                        1 of 1 people found this helpful
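A worked model of the exclusion described above, added here and not part of the original post or of EPM itself. It assumes that EPM evaluates "Not Like" over the multi-valued Machine Name attribute as "no inventoried value matches" and that Like uses SQL-style % and _ wildcards, case-insensitively; the records are constructed. It shows why a scan that came back with blank LDAP data (the no-domain-context case described earlier in the thread) makes the machine a target, and a fail-closed variant that refuses to act on empty group data.

```python
import fnmatch

# The exclusion pattern from the post's global-uninstall query.
EXCLUDE_DN = "CN=SOFTWARE_AD_GROUP,OU=Software,OU=User and Group Assets,DC=DOMAIN"

def like(value, pattern):
    """SQL-style Like: % matches any run, _ matches one character; case-insensitive.
    Assumption: this mirrors how the EPM query builder evaluates Like."""
    glob = pattern.replace("%", "*").replace("_", "?")
    return fnmatch.fnmatchcase(value.lower(), glob.lower())

def targeted_by_uninstall(machine_group_names, pattern=EXCLUDE_DN):
    """The query as written: true when no inventoried group name matches the pattern.
    A machine whose last scan returned no LDAP data is therefore targeted."""
    return not any(like(dn, pattern) for dn in machine_group_names)

def targeted_fail_closed(machine_group_names, pattern=EXCLUDE_DN):
    """Safer variant: skip the machine when the inventory carries no group data at all,
    so a broken or blank LDAP section cannot turn into an uninstall."""
    if not machine_group_names:
        return False
    return targeted_by_uninstall(machine_group_names, pattern)

# Constructed sample inventory records (Machine -> list of LDAP group Names).
LICENSED = ["CN=SOFTWARE_AD_GROUP,OU=Software,OU=User and Group Assets,DC=DOMAIN",
            "CN=Domain Computers,CN=Users,DC=DOMAIN"]
UNLICENSED = ["CN=Domain Computers,CN=Users,DC=DOMAIN"]
BLANK_SCAN = []   # scan ran with no domain context; LDAP section overwritten with nothing

if __name__ == "__main__":
    for name, groups in (("licensed", LICENSED), ("unlicensed", UNLICENSED),
                         ("blank scan", BLANK_SCAN)):
        print(f"{name:11} as written: {targeted_by_uninstall(groups)}  "
              f"fail-closed: {targeted_fail_closed(groups)}")
```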
                        • 9. Re: EPM 2018.1 - LDAP Group membership issue
                          Rick.Smith1 Expert

                          GaryOco thanks for the feedback, hopefully this gets resolved and solid soon.

                           

                          I think what we are going to go forward with at this point is to use DTS to import the data direct from LDAP and associate it to the record. Technically what I think happens here is for each device that is in EPM, it pulls the AD MemberOf data in to the inventory record. It then stores the data into the .\Computer Groups\ area.

                           

                          I now just need to manually go through the 2800 queries and scopes we have and update them. My plan is to query LDAP about every 1-2 hours, so there will be some lag, but there is already lag waiting for an updated inventory scan to come in anyhow.

                           

                          Rick

                          1 of 1 people found this helpful
                          • 10. Re: EPM 2018.1 - LDAP Group membership issue
                            ldms_4mfe Apprentice

                            Hi again,

                             

                            We are on 2017.3 SU5 and I can see the same behaviour with our clients.

                            Some of them still work, some I could fix by resetting all inventory information in the registry... Some are not fixable with that.

                             

                            Did support or TAM report any news on that?

                             

                            Regards, Marco

                            • 12. Re: EPM 2018.1 - LDAP Group membership issue
                              GaryOco Apprentice

                              I gave them a chase, and they said "they'd get back to me"; unfortunately I have heard nothing since.

                               

                              We've got an EPM webex call later this week though, I plan on bringing this up then.

                               

                              Ta

                              • 13. Re: EPM 2018.1 - LDAP Group membership issue
                                ldms_4mfe Apprentice

                                They pointed me to 2018.3 ... and all problems will be solved. Hoho... and I still believe in Santa Claus.

                                • 14. Re: EPM 2018.1 - LDAP Group membership issue
                                  Rick.Smith1 Expert

                                  Marco,

                                   

                                  The LDAP inventory issue is not resolved in 2018.3. It's not set to be resolved in SU1 either, so far as I know. I have 2018.3 now and have been heavily working this issue with the PM and team. I do not know about an official release for the LDAP problem; my guess is SU2. I'm hoping to receive SU1 soon, but to address some of the other issues we've reported which I was told will be in the SU1 release; again, the LDAP problem was not a part of the promised fixes in SU1 either.

                                   

                                  Rick

                                  2 of 2 people found this helpful