[SOLVED] LDAP synchronisation

Started by Guillaume, May 14, 2015, 05:48:53 PM


Guillaume

Hello!

I'm trying to integrate NetXMS with my LDAP environment and things are looking a little ugly so far...

My first issue is with the debugging. I started my netxms server in a screen session with the command "/usr/local/bin/netxmsd" in order to get access to the console. I am then presented with a prompt in which I can type some commands. Since I want to debug the ldap synchronization mechanism, I type "ldapsync" as instructed in the manual (HERE). After the console is done presenting me with various errors (discussed further down this post) I am no longer presented with a command prompt. I have to kill the server instance and restart it in the same fashion in order to get one more try at debugging, which is very annoying.

First question: Is this a bug? How can I attach/re-attach to the console and get a prompt without killing the server instance and then starting it locally?

In the various debug messages produced by the ldapsync command, I noticed a problem in my NetXMS's ldap synchronisation parameters. The exact error is:
[14-May-2015 10:18:18.750] [DEBUG] Found dn: cn=wildfly,ou=groups,dc=myCompany,dc=ca
[14-May-2015 10:18:18.750] [DEBUG] LDAPConnection::fillLists(): cn=wildfly,ou=groups,dc=myCompany,dc=ca is not a user nor a group
[14-May-2015 10:20:51.965] [DEBUG] LDAPConnection::fillLists(): Found dn: cn=steeve,ou=users,dc=myCompany,dc=ca
[14-May-2015 10:20:51.965] [DEBUG] LDAPConnection::fillLists(): cn=steeve,ou=users,dc=myCompany,dc=ca is not a user nor a group


Which means that the various parameters I entered in my LDAP config are wrong. What I can gather from the logs and the various documentation we have internally is that a group is identified by "ou=groups" and a user is identified by "ou=users", whereas an object name is "cn=objectName".

Here is what I have so far in the config:
LdapConnectionString:   ldap://olserver1.myCompany.priv:389
LdapGroupClass:   groups
LdapMappingDescription:   description
LdapMappingFullName:   full name
LdapMappingName:   cn
LdapPageSize:   1000
LdapSearchBase:   dc=myCompany,dc=ca
LdapSearchFilter:   (objectClass=*)
LdapSyncInterval:   5
LdapSyncUser:   cn=admin,dc=myCompany,dc=ca
LdapSyncUserPassword:   myPaSsWoRd
LdapUserClass:   users
LdapUserDeleteAction:   0

I am not "that" familiar with the LDAP syntax, and even less with NetXMS's so I would like to know if anyone could help with those 2 issues:
1) The console prompt disappearing after invoking "ldapsync"
2) The configuration mismatch

Thank you all for your dedication to this project, I am sure that we can make it great by poking around issues like this one!

tomaskir

Start the server with 'netxmsd -d' command to run as a daemon.

Then use 'nxadm -i' to connect the shell to the server.
You can then kill / reattach the shell as much as you want without influencing the server process.

Guillaume

Thank you for that tip! Unfortunately, when I attach to the server and use the ldapsync command, nothing happens... I have indeed set the debug level to 4 before typing it in, but after pressing enter the cursor just stands there without a prompt, until I give up and try again...

Victor Kirhenshtein

I guess you are connecting to Active Directory? If yes, class and attribute names are wrong. Please set them as described here: https://www.netxms.org/documentation/adminguide/user-management.html#active-directory.

Best regards,
Victor

Guillaume

No, we are using an OpenLDAP server

Victor Kirhenshtein

Still, classes and attributes look wrong: https://www.netxms.org/documentation/adminguide/user-management.html#open-ldap (check values of parameters LdapMappingName, LdapMappingFullName, LdapMappingDescription, LdapGroupClass, LdapUserClass).

Best regards,
Victor

Guillaume

They indeed were wrong!

I am sorry, I should have checked everything before posting  ::)...

I used ldapsearch in order to get my answers:
ldapsearch -x -b "dc=myCompany,dc=ca" "(objectclass=*)"

The previous command gave me plenty of information about everything in the database, including "quite" explicitly the objectClass for everything....

Is it possible to specify more than one class per object in order to be more specific?

For example, I have not been able to add the groups yet in NetXMS but I can see that they belong to the "posixGroup" object class as well as the "top" class. The same goes for the accounts that belong to the "account", "posixAccount" and "top" class.

Victor Kirhenshtein

It's not possible to specify multiple classes, but usually it's not needed. You should specify most specific class that covers all objects that you need - in your case it will be "posixAccount" for users and "posixGroup" for groups.

Best regards,
Victor
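A dry run of the rule the debug output in this thread shows, added here as an example; it is not NetXMS code and does not reproduce LDAPConnection::fillLists(). It parses the LDIF that the ldapsearch command from Guillaume's post prints (a constructed excerpt is embedded so it runs offline), tallies the objectClass values so you can pick the most specific class that still covers every object, as Victor advises, and then reports which DNs would be taken as users or groups and which would be skipped as "is not a user nor a group" under the config as originally posted versus the corrected classes. Assumptions not taken from the thread: the user class is tested before the group class, the gecos attribute is used for the full name in the corrected config, and the directory contents are hypothetical.

```python
"""Dry-run LDAP-sync classification against an LDIF export (added example, not NetXMS code).

Usage with a real directory:
  ldapsearch -x -b "dc=myCompany,dc=ca" "(objectclass=*)" > export.ldif
then call sync_report(parse_ldif(open("export.ldif").read()), config).
"""
import base64
from collections import Counter

# Constructed LDIF excerpt shaped like the thread's directory (hypothetical data).
# The gecos line uses the base64 ('::') form and the description is folded onto
# a continuation line, the two ldapsearch output forms that trip up naive parsers.
SAMPLE_LDIF = """\
dn: dc=myCompany,dc=ca
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany

dn: ou=users,dc=myCompany,dc=ca
objectClass: top
objectClass: organizationalUnit
ou: users

dn: cn=steeve,ou=users,dc=myCompany,dc=ca
objectClass: top
objectClass: account
objectClass: posixAccount
cn: steeve
uid: steeve
gecos:: U3RlZXZlIEV4YW1wbGU=
description: Ops engineer on the platform
  team

dn: cn=wildfly,ou=groups,dc=myCompany,dc=ca
objectClass: top
objectClass: posixGroup
cn: wildfly
memberUid: steeve
description: WildFly operators
"""


def _unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr_lowercase: [values]} dicts."""
    entries, attrs = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends an entry
            if "dn" in attrs:
                entries.append(attrs)
            attrs = {}
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()
        if rest.startswith(":"):                # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    if "dn" in attrs:
        entries.append(attrs)
    return entries


def objectclass_histogram(entries):
    """Count objectClass values (lowercased) across all entries."""
    counts = Counter()
    for e in entries:
        counts.update(c.lower() for c in e.get("objectclass", []))
    return counts


def classify(entry, user_class, group_class):
    """Return 'user', 'group' or None. The user-before-group order is an assumption."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if user_class.lower() in classes:
        return "user"
    if group_class.lower() in classes:
        return "group"
    return None


def sync_report(entries, config):
    """Which DNs would become users/groups, which are skipped, and which
    configured mapping attributes are absent from the entries that matched.
    Full name is only required on users (assumption for this dry run)."""
    report = {"users": [], "groups": [], "skipped": [], "missing": []}
    for e in entries:
        dn = e["dn"][0]
        kind = classify(e, config["LdapUserClass"], config["LdapGroupClass"])
        if kind is None:
            report["skipped"].append(dn)        # logged as "is not a user nor a group"
            continue
        report[kind + "s"].append(dn)
        wanted = ["LdapMappingName", "LdapMappingDescription"]
        if kind == "user":
            wanted.append("LdapMappingFullName")
        for param in wanted:
            if config[param].lower() not in e:
                report["missing"].append((dn, param, config[param]))
    return report


# Classes and mappings exactly as posted: OU names where objectClass values belong.
POSTED_CONFIG = {"LdapUserClass": "users", "LdapGroupClass": "groups",
                 "LdapMappingName": "cn", "LdapMappingFullName": "full name",
                 "LdapMappingDescription": "description"}

# Classes per Victor's reply; gecos for the full name is an assumption for this schema.
FIXED_CONFIG = {**POSTED_CONFIG, "LdapUserClass": "posixAccount",
                "LdapGroupClass": "posixGroup", "LdapMappingFullName": "gecos"}

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("objectClass counts:", dict(objectclass_histogram(entries)))
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, sync_report(entries, cfg))
```

Under the posted config every entry is skipped because no object carries an objectClass literally named users or groups; under the corrected one the two leaf objects are picked up and the histogram makes the remaining choice visible: top covers everything, so posixAccount and posixGroup are the most specific classes that still cover the objects to sync. Keeping the "full name" mapping would show up in the missing list rather than silently producing empty names.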