This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OpenLDAP Incremental access import configuration

prashanth_sv
New Contributor III
New Contributor III

‎08/04/2023 04:10 AM - last edited on ‎08/07/2023 08:08 AM by Community Manager

Hi Team,

V23.6

We are looking for OpenLDAP Incremental access import configuration and in the LDAP connector documentation, its not clearly mentioned as the attributes are different in OpenLDAP and no examples are provided for different LDAP types and the definition for each attribute used below. 

 

 

 

{
 "incrementalImportType": "NotUsed",
 "changeLogBase": "OU=TestOU,DC=corp,DC=test,DC=com",
 "changeNumberFilter": "&(changeNumber>=##MAX_CHANGENUMBER##)(targetDN=*OU=TestOU,DC=corp,DC=test,DC=com*)",
 "dnAttributeName": "targetDn",
 "dnAttributeNameMappedTo": "username",
 "changeNumberAttrName": "uSNChanged",
 "changeTypeAttrName": "changeType",
 "changedFeildsInScope": "status,CUSTOMPROPERTY1,CUSTOMPROPERTY2,
LASTLOGONDATE,DISPLAYNAME,CUSTOMPROPERTY25,CUSTOMPROPERTY3,
COMMENTS,CUSTOMPROPERTY4,CUSTOMPROPERTY5,CUSTOMPROPERTY6,
CUSTOMPROPERTY7,CUSTOMPROPERTY8,CUSTOMPROPERTY9,DESCRIPTION,
CUSTOMPROPERTY14,CUSTOMPROPERTY15,CUSTOMPROPERTY16,
CUSTOMPROPERTY17,CUSTOMPROPERTY18,NAME,CUSTOMPROPERTY20,
CREATED_ON,ACCOUNTCLASS,customProperty29,dummy",
 "changesLogAttrName": "changes",
 "searchAttribute": "entrydn",
 "searchOn": "rdn"
}

 

 

 

 

Does someone as sample Incremental Config for OpenLDAP, which we can refer for incremental access import?

Already tried  "incrementalTimeField": "modifyTimestamp" in groupimport mapping but its not working and incremental import job is consuming 3-4 hours which is same as Full access import.

Do you have any suggestions for the above query?

Regards,

Prashanth.s.v

[This message has been edited by moderator to merge reply]

 

0 Kudos
7 REPLIES 7

sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎08/08/2023 09:13 PM

Hello @prashanth_sv,

Please utilize the provided JSON within the "groupimportmapping" section, leaving the "incremental-config" field empty. Additionally, feel free to adjust the attributes below according to your preferences:

```json
{
"importGroupHierarchy": "false",
"entitlementTypeName": "isMemberOf",
"importnestedmembershipoutofscope": "false",
"performGroupAccountLinking": "true",
"incrementalTimeField": "",
"groupObjectClass": "(objectClass=groupOfUniqueNames)",
"groupAccountMappingAttributeName": "uniqueMember",
"mapping": "memberHash:member_char,entitlement_value:entrydn_char,entitlement_glossary:entrydn_char,customProperty1:cn_char,customProperty2:entryuuid_char,customProperty3:objectClass_char,customProperty15:owner_char,lastscandate:createTimestamp_date,createdate:createTimestamp_date,updatedate:modifyTimestamp_date,RECONCILATION_FIELD:entitlement_value"
}
```

0 Kudos

prashanth_sv
New Contributor III
New Contributor III

‎08/09/2023 03:45 AM

Hi Sudesh,

Tried with your suggestion but no success. It still processing almost same 3-4 hours. But we need this attribute right for incremental import to work. Do you have any sample JSON's for incremental config?

Regards,

Prashanth.s.v

0 Kudos

sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎08/13/2023 10:32 PM

Hello @prashanth_sv,

In the above group import mapping json can you try with 
"incrementalTimeField": "whenChanged",  and try.
{
"importGroupHierarchy" : "true",
"entitlementTypeName": "",
"performGroupAccountLinking": "true",
"incrementalTimeField": "whenChanged",
"groupObjectClass": "(objectclass=group)",
"mapping": "memberHash:member_char,customProperty1:sAMAccountType_char,customProperty16:memberOf_char,customProperty2:instanceType_char,
customProperty3:uSNCreated_char,customProperty4:groupType_char,customProperty5:dSCorePropagationData_char,customProperty12:dn_char,
customProperty13:cn_char,lastscandate:whenCreated_date,customProperty15:managedBy_char,entitlement_glossary:description_char
customProperty9:name_char,customProperty10:objectCategory_char,customProperty11:sAMAccountName_char,customProperty14:objectClass_char,
status:isCriticalSystemObject_char,entitlement_value:distinguishedName_char,customProperty17:distinguishedName_char,RECONCILATION_FIELD:customProperty17",
"activeGroupPossibleValues": [
"active",
"a",
"l",
"TRUE"
]

For Ref:- 
https://docs.saviyntcloud.com/bundle/LDAP-v2022x/page/Content/Example-JSON-for-Connection-Parameters... 
https://docs.saviyntcloud.com/bundle/LDAP-v2022x/page/Content/Introduction.htm 

Thanks,

0 Kudos

prashanth_sv
New Contributor III
New Contributor III

‎08/24/2023 03:35 AM

Hi Sudesh,

No the above config will not work as we don't have 'whenChanged' attribute in OpenLDAP, as we had already tried this in initial phase.

Regards,

Prashanth.s.v

0 Kudos

Rishi
Saviynt Employee
Saviynt Employee
In response to prashanth_sv

‎09/14/2023 07:16 AM

Can you get an export of group object attributes, so that we can see if there is any attribute which contains group change time stamp.

The attribute modifyTimestamp gets updated even when a user is added or removed from the group, probably thats the reason you still see large number of groups returned even for incremental import.

To prove the above theory, can you update the json with modifyTimestamp as incremental field in the Json that Sudesh provided and then run two incremental imports one after the other (confirm that first run was successful before running the second incremental import). Since the second import job is executed soon after the first one, there would be hardly any add/remove events on the group so the modifyTimestamp would remain same for most of the groups. Thus the expectation is that the second job will be completed quickly.

0 Kudos

prashanth_sv
New Contributor III
New Contributor III
In response to Rishi

‎09/20/2023 08:37 AM

Hi Rishi,

We dont have the group related information linked in the users OU and only available at groups OU level. Please find the attached LDIF export. 

Also we ran the jobs consecutive times but the job is still taking same time as full import.

prashanth_sv_0-1695224169543.png

 

Regards,

Prashanth.s.v

Preview file
25 KB
0 Kudos

Ishan
Saviynt Employee
Saviynt Employee

‎09/21/2023 03:59 PM

@prashanth_sv ,Please ensure the items marked in bold are added/updated to the existing groupimportmapping field. 
 
{"entitlementTypeName": "isMemberOf", "groupAccountMappingAttributeName":"member", "performGroupAccountLinking": "true", "incrementalTimeField": "modifytimestamp", "groupObjectClass":"(|(objectclass=groupOfUniqueNames)(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))","mapping":"entitlement_value:nameinnamespace_char,entitlementid:nameinnamespace_char,entitlement_glossary:description_char,lastscandate:modifytimestamp_customDate--yyyyMMddHHmmss,updatedate:modifytimestamp_customDate--yyyyMMddHHmmss,createdate:createtimestamp_customDate--yyyyMMddHHmmss,displayName:cn_char,customProperty1:entryid_char,customProperty2:creatorsname_char,customProperty3:nsuniqueid_char,customProperty4:dn_char,customProperty5:entrydn_char,customProperty6:nameinnamespace_char,RECONCILATION_FIELD:customProperty6"}
 
 
For testing, run the full import once which will bring in and map modifytimestamp and createtimestamp to Saviynt fields, after that run the incremental import and check the time taken to import. 
Please test out and let us know the results. 

Ishan Kamat
Technical Architect, Professional Services
SaviyntLogo.png

0 Kudos
Copyright © 2023 Khoros, LLC