6 Replies Latest reply on Oct 15, 2018 9:36 AM by GaryOco

    EPM 2018.1 - LDAP Group membership issue

    GaryOco Apprentice

Hi, we're an on-prem customer and I've noticed some odd behaviour; it's either on the core/DB or the agent, I can't quite work out which one.

       

The inventory on machines is not recording the LDAP group membership properly. For example, my laptop is in 4 different AD groups, EPM is only showing two, but appears to have mixed and matched the records. This only appears to be affecting the machines' LDAP group info; user group info is fine.

       

ldapwhoami reports the group membership properly. I ran an outputted inventory scan and found the below, which seems to suggest it's the agent mixing and matching the memberships:

      LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Pilot Group,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:P) - Description =Pilot Group for Software Deployments

      LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Google Chrome,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:P) - Description =Add machines for google chrome deployment

      LDAP Groups - Machine - (Display Name:D) - Name =CN=Domain Computers,CN=Users,DC=insurance,DC=lan

      LDAP Groups - Machine - (Display Name:D) - Description =All workstations and servers joined to the domain

      LDAP Groups - Machine - (Display Name:P) - Name =OU=Portable,OU=Swansea,OU=Clients,OU=Hardware Assets,DC=insurance,DC=lan

       

If I read this right (and I could well be wrong) it's trying to list the groups using the same display names, i.e. all with the display name of "P" - one for "Name =CN=PG-SW-Pilot Group", one for "Name =OU=Portable,OU=Swansea,OU" and finally "Name =CN=PG-SW-Google Chrome".


      I've tried uninstalling the agent/deleting from the console and reinstalling to no avail.

       

      Tried following this: How to set up and configure policies to use LDAP Groups or LDAP Containers  but I don't seem to get any different results.

       

I've just changed the inventory history to 1 day (we've only just migrated so we don't have much history to keep) in case it's something in the history causing the issue. But I don't understand how, when I get the above output on a manual scan on my computer. I would assume that if it was the history or database I should only see the issue on the console, not in the output on the agent.

       

      Can anyone recommend other settings/logs I can check for what might be causing this issue?
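A quick way to check the reading of the scan output above (that one display name is being reused for several groups) is to parse the "LDAP Groups - Machine" lines and count the distinct Name values per display-name key. This is an added example, not from the thread or from Ivanti; the input is copied from the lines posted above, and the line format is assumed from those lines only.

```powershell
# Added example: parse "LDAP Groups - Machine" inventory scan lines and flag display-name keys
# that carry more than one distinct Name value. Sample input is the output quoted in the post.
$ScanLines = @'
LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Pilot Group,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:P) - Description =Pilot Group for Software Deployments
LDAP Groups - Machine - (Display Name:P) - Name =CN=PG-SW-Google Chrome,OU=Software,OU=Standard Permission Groups,OU=Standard Groups,OU=Groups,OU=User and Group Assets,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:P) - Description =Add machines for google chrome deployment
LDAP Groups - Machine - (Display Name:D) - Name =CN=Domain Computers,CN=Users,DC=insurance,DC=lan
LDAP Groups - Machine - (Display Name:D) - Description =All workstations and servers joined to the domain
LDAP Groups - Machine - (Display Name:P) - Name =OU=Portable,OU=Swansea,OU=Clients,OU=Hardware Assets,DC=insurance,DC=lan
'@ -split "`r?`n"

function Find-DisplayNameCollisions {
    param([string[]]$Lines)

    # Line layout assumed from the posted output: "LDAP Groups - Machine - (Display Name:<key>) - <attr> =<value>"
    $pattern = '^LDAP Groups - Machine - \(Display Name:(?<key>[^)]*)\) - (?<attr>Name|Description) =(?<value>.*)$'
    $byKey = [ordered]@{}

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $key = $Matches['key']
            if (-not $byKey.Contains($key)) {
                $byKey[$key] = @{ Names = @(); Descriptions = @() }
            }
            if ($Matches['attr'] -eq 'Name') { $byKey[$key].Names += $Matches['value'] }
            else                             { $byKey[$key].Descriptions += $Matches['value'] }
        }
    }

    foreach ($key in $byKey.Keys) {
        $names = @($byKey[$key].Names | Select-Object -Unique)
        [pscustomobject]@{
            DisplayName      = $key
            DistinctNames    = $names.Count
            DescriptionLines = @($byKey[$key].Descriptions).Count
            # A real per-group record would have exactly one Name per display-name key
            Collision        = ($names.Count -gt 1)
            Names            = $names
        }
    }
}

Find-DisplayNameCollisions -Lines $ScanLines | Format-List
```

Run against the posted lines, key "P" reports three distinct Name values against two Description lines and is flagged as a collision, while "D" reports a single Name with a single Description. Point the same function at the full local scan file (the one the agent writes before it is sent to the core) to see whether any other keys collide.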

        • 1. Re: EPM 2018.1 - LDAP Group membership issue
          Rick.Smith1 Specialist

GaryOco Not happy to hear you are having this issue. We have been reporting LDAP group membership problems for a while now in EPM 2017 and none of the updates have resolved it, despite being told that there have been updates to the ldapwhoami exe.

           

We've actually written our own AutoIt script that simply grabs the information and dumps the LDAP groups to the registry, and then we are using custom data to gather the groups we are specifically needing. We've no idea why our script works flawlessly and ldapwhoami seems to just crash and return no groups. Sometimes it works and groups appear, so then our queries built on that data magically shrink and grow in number.

           

So that reminds me, I need to follow up with our TAM on where this issue is at, because we have yet to get a resolution to it or a status update. I think it's because they are waiting to see if EPM 2018 would just fix it, since I keep hearing the problem cannot be reproduced in house, they have made updates to it, so let's just see.... and then it just seems to die there, as if it can't be reproduced in house so it must be environmental and my problem. (Late night rant)

           

          Rick

          • 2. Re: EPM 2018.1 - LDAP Group membership issue
            GaryOco Apprentice

            That's unfortunate, I think I created the issue myself - I accidentally removed some machines from the console and since then it's gone wrong, but I don't know if it's a corruption/misinformation in the database or on the machine.

             

            I'll log a call with Support, see if they can help.

            • 3. Re: EPM 2018.1 - LDAP Group membership issue
              seattleman1969 SupportEmployee

              All, there is an open bug on this.

               

              Rick.Smith, I believe your TRM is probably working with you on it and his case is what I am basing my comments off of. The fix should be contained within the upcoming 2018.3 and 2017.3 SU6 releases. We do not have definitive dates on those releases yet, but it should be late October/early November.

               

The issue is the way that LDAPWHOAMI.exe gathers information under the different account contexts it might run under, i.e.: with a domain user logged in, inventory executes and LDAP information is gathered. With no user logged in, the System account executes the inventory scan with no domain context (for lack of a better term), LDAPWHOAMI.exe doesn't gather the LDAP information, and the scan overwrites any data in inventory, thus removing it and replacing it with blank info.

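The two posts above describe both halves of the problem: the scan running as SYSTEM with no logged-on user collects nothing and then overwrites the inventory with blanks, and Rick's workaround of dumping group membership to the registry for custom data. The script below is an added example of that workaround, written by the editor rather than taken from the thread or from Ivanti, and it relies on one fact about domain-joined Windows: the SYSTEM account authenticates to Active Directory as the computer account, so an LDAP bind under SYSTEM does have a domain context, whether or not a user is logged on. It reads the constructed tokenGroups attribute, which also covers nested groups and the primary group (Domain Computers) that memberOf omits. The registry path is a hypothetical custom-data location; substitute whatever key your custom data definition reads. To reproduce the no-user context for testing, run it under SYSTEM with `psexec -s`.

```powershell
# Added example (not from the thread or from Ivanti): gather this computer's AD group membership
# using the machine account's own domain context, so it works under SYSTEM with no user logged on,
# and publish it to the registry for custom-data collection.
# Assumptions: domain-joined Windows host that can reach a DC; $RegPath is a hypothetical custom-data key.
$RegPath = 'HKLM:\SOFTWARE\CustomData\LdapGroups'

function Get-ComputerAdGroups {
    [CmdletBinding()]
    param()

    # Default naming context of the domain the machine is joined to
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $defaultNc = [string]$rootDse.defaultNamingContext

    # Locate this computer's object by sAMAccountName (computer accounts end in '$')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNc"
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found under $defaultNc" }
    $dn = [string]$result.Properties['distinguishedname'][0]

    # tokenGroups is a constructed attribute: it is only returned for a base bind to the object itself.
    # It includes nested groups and the primary group, neither of which memberOf returns.
    $obj = [ADSI]("LDAP://" + ($dn -replace '/', '\/'))   # '/' must be escaped in an ADsPath
    $obj.RefreshCache([string[]]@('tokenGroups'))

    foreach ($sidBytes in $obj.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)
        try {
            # Bind by SID to recover the group's DN and description (the form the inventory shows)
            $g = [ADSI]"LDAP://<SID=$($sid.Value)>"
            [pscustomobject]@{
                Sid         = $sid.Value
                Name        = [string]$g.Properties['distinguishedName'].Value
                Description = [string]$g.Properties['description'].Value
            }
        } catch {
            # Keep unresolvable SIDs (well-known or foreign-domain groups) so nothing silently disappears
            [pscustomobject]@{ Sid = $sid.Value; Name = ''; Description = '' }
        }
    }
}

function Export-AdGroupsToRegistry {
    param([string]$Path = $RegPath)

    try {
        $groups = @(Get-ComputerAdGroups)
    } catch {
        # Leave the existing key untouched: writing an empty result would be collected as "no groups"
        # by the next scan, which is the blank-overwrite failure mode described above.
        Write-Warning "LDAP query failed, keeping previous values: $_"
        return
    }
    if ($groups.Count -eq 0) { Write-Warning 'No groups returned, keeping previous values'; return }

    # Only now replace the key contents, so readers always see either the old or the new full set
    if (Test-Path $Path) { Remove-Item $Path -Recurse -Force }
    New-Item $Path -Force | Out-Null
    $i = 0
    foreach ($g in $groups) {
        $sub = New-Item (Join-Path $Path ('Group{0:D3}' -f $i)) -Force
        New-ItemProperty -Path $sub.PSPath -Name 'Name'        -Value $g.Name        -PropertyType String | Out-Null
        New-ItemProperty -Path $sub.PSPath -Name 'Description' -Value $g.Description -PropertyType String | Out-Null
        New-ItemProperty -Path $sub.PSPath -Name 'Sid'         -Value $g.Sid         -PropertyType String | Out-Null
        $i++
    }
    New-ItemProperty -Path $Path -Name 'Count'   -Value $groups.Count          -PropertyType DWord  | Out-Null
    New-ItemProperty -Path $Path -Name 'LastRun' -Value (Get-Date -Format o)   -PropertyType String | Out-Null
}

Export-AdGroupsToRegistry
```

The important design choice is in Export-AdGroupsToRegistry: a failed or empty query never clears the key, so a scan that happens while the machine cannot reach a DC leaves the last good membership in place instead of replacing it with nothing. Compare the Name values it writes with what ldapwhoami and the inventory report for the same machine to see which side is dropping or merging records.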
              • 4. Re: EPM 2018.1 - LDAP Group membership issue
                Rick.Smith1 Specialist

Brandon - Thanks. I hadn't heard (or remembered hearing) an update and was needing to follow up as well, but we have several other big problems we were/are working through. I've just gotten 2018.1 installed in our test environment and am eagerly awaiting the 2018.3 update so we can get that tested and the deployment to production started.

                 

                Rick

                • 5. Re: EPM 2018.1 - LDAP Group membership issue
                  ldms_4mfe Apprentice

                  Hi GaryOco,

                   

Just one wild guess, because only the P* groups are not imported.

I have no server at hand, but maybe the group names are too long (136 chars?).

                   

I think it would be worth having a look at the Event Viewer or the Program Files\LANDesk\ManagementSuite\ldscan\ErrorScan folder on the core:

                   

                  Maybe there are some errors like this:

                  Error: Committing on Table...Increased column size might be necessary (Event ID 4100)

                   

                  Kind regards, Marco

                   

                  EDIT:

After checking in SQL: the table column is an nvarchar with a 256-char limit, so this is probably not the reason.

                  • 6. Re: EPM 2018.1 - LDAP Group membership issue
                    GaryOco Apprentice

                    Hi Marco,

                     

I can see the issue in the local copy of the inventory file before the server processes it, so I don't think it's a core/DB issue. I've spoken to Support, who were able to replicate the issue in their lab, indicating it's an issue with the release/agent update. The issue didn't exist before 2018.1, although I can't say I didn't somehow cause it, if I'm honest; but if Support can replicate it without doing what I thought I did to cause it, that indicates it wasn't a me issue (hopefully, anyway).

                     

We've got a workaround of browsing the groups via the AD connector as opposed to relying on the inventory information; however, the pessimist in me wonders, if that's broken, what else is there that I'm not aware of.

                     

                    Unfortunately I've no real way of knowing what is and isn't reporting accurately.


                    Thanks for the reply though, when I hear back from Support I'll post an update here.