LDAP User

[Logan Graham]

Hi All,

Hoping you can help me, we have had an issue since the 20th with trying to import users into Hornbill, if we run the import script we currently get this log output

2018/07/31 14:35:44 [DEBUG] ---- XMLMC LDAP Import Utility V2.0.3 ----
2018/07/31 14:35:44 [DEBUG] Flag - Config File new_add.json
2018/07/31 14:35:44 [DEBUG] Flag - Zone eur
2018/07/31 14:35:44 [DEBUG] Flag - Dry Run false
2018/07/31 14:35:44 [DEBUG] Flag - Workers 1
2018/07/31 14:35:44 [WARN] 2.0.3 is not latest, you should upgrade to 3.1.1 by downloading the latest package Here https://github.com/hornbill/goLDAPUserImport/releases/tag/v3.1.1
2018/07/31 14:35:44 [DEBUG] Loading Config File: C:\LDAP_Import/new_add.json
2018/07/31 14:35:44 [DEBUG] Instance Endpoint https://eurapi.hornbill.com/woodlandtrust/xmlmc/
2018/07/31 14:35:44 [DEBUG] Attempting Connection to LDAP... 
Server: xxx.xxx.org.uk
Port: xxx
Type: 
Skip Verify: true
Debug: false
2018/07/31 14:35:44 [DEBUG] Creating LDAP Connection
2018/07/31 14:35:44 [DEBUG] LDAP Search Query 
{Server:xxx.xxx.org.uk UserName:xxx@xxx.org.uk Password:xxx Port:xxx ConnectionType: InsecureSkipVerify:true Scope:2 DerefAliases:1 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(objectClass=user) DSN:CN=xxx,OU=xxx,OU=xxx Staff,OU=xx Users,DC=xxx,DC=org,DC=uk Debug:false} ----
2018/07/31 14:35:44 [DEBUG] LDAP Results: 1
2018/07/31 14:35:44 [DEBUG] Processing Users
2018/07/31 14:35:44 2018/07/31 13:35:44 [DEBUG] Buffer For Job: 1 - Worker: 1 - User: xxx
2018/07/31 13:35:44 [ERROR] Unable to Search For User: You do not have the required privilege level [user] to invoke the method data::entityDoesRecordExist
2018/07/31 13:35:44 [DEBUG] Create User: xxx
2018/07/31 13:35:44 [DEBUG] LDAP Attribute for Site Lookup: [physicalDeliveryOfficeName]
2018/07/31 13:35:44 [DEBUG] Looking Up Site xxx
2018/07/31 13:35:44 [ERROR] Unable to Search for Site: You do not have the required privilege level [user] to invoke the method data::entityBrowseRecords
2018/07/31 13:35:44 [DEBUG] Site Lookup found Id 
2018/07/31 13:35:44 [DEBUG] password
2018/07/31 13:35:44 [DEBUG] Auto Generated Password for: xxx - xxx
2018/07/31 13:35:44 [ERROR] Unable to Load LDAP Attribute: mobile For Input Param: [mobile]
2018/07/31 13:35:44 [ERROR] Unable to Create User: You do not have the required privilege level [user] to invoke the method admin::userCreate

2018/07/31 14:35:44 [ERROR] Error encountered please check the log file
2018/07/31 14:35:44 [ERROR] Error Count: 1
2018/07/31 14:35:44 [DEBUG] Updated: 0
2018/07/31 14:35:44 [DEBUG] Updated Skipped: 0
2018/07/31 14:35:44 [DEBUG] Created: 0
2018/07/31 14:35:44 [DEBUG] Created Skipped: 0
2018/07/31 14:35:44 [DEBUG] Profiles Updated: 0
2018/07/31 14:35:44 [DEBUG] Profiles Skipped: 0
2018/07/31 14:35:44 [DEBUG] Time Taken: 812.4844ms
2018/07/31 14:35:51 [DEBUG] ---- XMLMC LDAP Import Complete ---- 
 

I have been trying to figure out what account is being used to see if i need to change privileges but I see no hint to what account this is using. I have recently taken over from a person maintained the service desk and his account is no longer in hornbill.

My question is really is there a way of finding out what account this is trying to use?

I have "XXX" out the sensitive data. 

Thanks,

Logan G 

[James Ainsworth]

Hi Logan,

6 hours ago, Logan Graham said:

2018/07/31 14:35:44 [WARN] 2.0.3 is not latest, you should upgrade to 3.1.1 by downloading the latest package

It might be worth starting with updating your version of the Import Utility.  If your imports were working, and they have recently stopped working it might simply be that if there was a modification to the security model on the platform, the Import Utility would need to be updated to match the version of the platform.

If the issue continues after updating, we can then help investigate.  Information about downloading the new version can be found here. This wiki page also includes a link on how to configure the new 3.0 version of the Import Utility.

Let us know how you get on with this.

Regards,

James

 

[Logan Graham]

HI James,

Thanks for the reply, I don't think the update would help matters in this scenario. Seems odd to me that it would randomly stop working and it be down to the version number.

I would rather know what account this is trying to use first as updating it may cause more issues. 

If there is a way to find out what account this is using it would help me massively.

as on the wiki is mentions about this error;

[ERROR] Unable to Assign Role to User: You cannot create or update the role as you do not have sufficient permissions to set the system rights. - every action within Hornbill must be performed in the context of a user account. This error is suggesting that the user account you are using to run the utility does not posses the appropriate Hornbill roles set to associate the necessary roles the imported user. See the Testing section above, specifically "What Hornbill Roles are needed for the Import to Complete Successfully?".

The main issue is not knowing what account this is using.

Thanks,

Logan G

[James Ainsworth]

Hi Logan,

As the user can be any account that you select, I can't say which account you are using.  In the link to the documentation that I posted further up, there is a section that describes where the API key for the user that you have selected for the imports needs to be added to the config script.

 

On each User Profile in Administration you can create an API key for that user.   This is what will be used within your config script for the import utility.  For obvious security reasons, there is no way to tell from looking at the configuration file of the import tool to see the user name or password.  Possibly, the API key was for the account of the person that you mentioned who is no longer in Hornbill.

The rights needed to perform the imports include

• Manage Users
• Create Users
• Update Users
• Execute Stored Queries

There is a Role called ''User Import'' which contains all of these rights.

I would still recommend updating to 3.x of the Import Utility.  This version is more secure and easier to configure.  As version 2.x has been deprecated, support will be limited.  Updates and fixes will only be applied to 3.x.

Regards,

James

 

 

[Logan Graham]

Thank you james, that was it the api was set to the wrong user, I will look at upgrading this soon just wanted to try and get this initial fix done.

Really appreciate the help with this it has been driving me insane for the past few days. 

Thanks again,

Logan G