
Active Directory and Atlas: can't import users

Hi all,

I’ve been able to connect our WebAPI 2.8.0 to the Active Directory and select the groups to attach to roles, but then I can’t load up the users in the groups to import into Atlas:

Any ideas?

@Chris_Knoll @anthonysena

Thanks,
Ajit

@Ajit_Londhe

If you do not see the list of users, it means the AD search filter is not configured properly. You need to check with your AD engineer internally what the correct filter is to get users. Also, you need to use the AD Global Catalogue port for your AD instance.

@Konstantin_Yaroshove, can you give an example of what the filter might look like, and which settings in the settings.xml document should be set with those values?

Here is an example of the configuration details. Since each AD configuration is unique, I recommend discussing the options with your internal engineers.

<security_ad_url>ldap://ad.domain.local:3268</security_ad_url>
<security_ad_searchBase>DC=domain,DC=local</security_ad_searchBase>
<security_ad_searchFilter>(&amp;(distinguishedName=*)(memberOf=CN=some-bucket,OU=users,DC=domain,DC=local))</security_ad_searchFilter>
<security_ad_principalSuffix>@domain.local</security_ad_principalSuffix>
<security_ad_system_username>username</security_ad_system_username>
<security_ad_system_password>password</security_ad_system_password>

(originally from email with @Konstantin_Yaroshove but wanted to share here in case it’s helpful for others)

Did some more debugging, and it appears that after selecting the groups, WebAPI tries to get all group objects from the AD to then map the selected ones:

https://github.com/OHDSI/WebAPI/blob/master/src/main/java/org/ohdsi/webapi/user/importer/service/UserImportServiceImpl.java#L98

This requires paging through the AD user list, but doing so throws the error:

[LDAP: error code 12 - 00000057: LdapErr: DSID-0C090B0B, comment: Error processing control, data 0, v3839

As @Konstantin_Yaroshove found, perhaps AD doesn’t like to provide > 5000 groups back:
https://kc.mcafee.com/corporate/index?page=content&id=KB92306&locale=en_US

I’m wondering, why does it need to get all AD groups to map a few pre-selected groups?

I’m not sure what version of Windows Server is in your environment. According to the article below, 5000 is a hard limit but not a reason for the failure.

I’ll check on the version.

I also found this about Spring-based Java apps and LDAP:

Edit: this isn’t the issue

Thank you @Konstantin_Yaroshove for your help on this. We’ve resolved the issue by using a searchFilter that limits the results to just the AD groups we intend to map / import, something like this:

(|(CN=atlas-admin, …)(CN=atlas-user, …))

However, I still had 1 issue, as described here:

Essentially, by adding wildcards to the AD group search string, the search times out when using larger AD systems.
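As an added example, not code from this thread or from WebAPI itself: a small Python helper that builds the group-restricted searchFilter in the shape of the resolution above with RFC 4515 escaping, counts unescaped wildcards (the `distinguishedName=*` in the posted configuration is one), and renders the security_ad_* entries with the XML escaping that turns `&` into `&amp;` in settings.xml. It assumes the filter matches on `distinguishedName` and uses constructed group DNs under OU=groups, since the real DNs are elided in the thread.

```python
from xml.sax.saxutils import escape as xml_escape

# RFC 4515 escaping for values embedded in an LDAP search filter. Without it a
# group name containing "*", "(", ")" or "\" changes the meaning of the filter
# (an accidental wildcard at best, filter injection at worst).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_search_filter(group_dns: list[str]) -> str:
    """OR-of-groups filter in the shape the thread settled on. Matching on the
    distinguishedName attribute is an assumption; every DN is escaped so no
    wildcard can be introduced by the group names themselves."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"(distinguishedName={escape_filter_value(dn)})" for dn in group_dns)
    return clauses if len(group_dns) == 1 else f"(|{clauses})"


def unescaped_wildcards(search_filter: str) -> int:
    """Count '*' characters that are not backslash-escaped. The thread reports
    that wildcards in the group search string time out on large directories,
    so a non-zero count is worth flagging before the filter reaches settings.xml."""
    return sum(1 for i, ch in enumerate(search_filter)
               if ch == "*" and (i == 0 or search_filter[i - 1] != "\\"))


def settings_xml(url: str, search_base: str, search_filter: str, suffix: str) -> str:
    """Render the security_ad_* entries for settings.xml. Values are XML-escaped,
    which is why '&' appears as '&amp;' in the posted configuration. The port
    check reflects the advice to use the Global Catalog port (3268, or 3269 for
    LDAP over TLS)."""
    if url.rsplit(":", 1)[-1] not in ("3268", "3269"):
        raise ValueError("security_ad_url should use the Global Catalog port")
    entries = {"security_ad_url": url,
               "security_ad_searchBase": search_base,
               "security_ad_searchFilter": search_filter,
               "security_ad_principalSuffix": suffix}
    return "\n".join(f"<{k}>{xml_escape(v)}</{k}>" for k, v in entries.items())


if __name__ == "__main__":
    # Constructed sample group DNs, not taken from any real directory.
    groups = ["CN=atlas-admin,OU=groups,DC=domain,DC=local",
              "CN=atlas-user,OU=groups,DC=domain,DC=local"]
    print(settings_xml("ldap://ad.domain.local:3268", "DC=domain,DC=local",
                       group_search_filter(groups), "@domain.local"))
```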

@Ajit_Londhe

Hello, Ajit, I found this old thread while doing research on the “Import Users from LDAP/AD” function in Atlas.

I can run through the import process and assign an Atlas role, but have two questions/issues:

  1. The Atlas import wizard doesn’t allow me to choose which user to import from the AD group
  2. When the import was successfully completed, I couldn’t see the new user using the “Manage Permission” function. I explored all the roles, including the one I assign during the import, but couldn’t find the new users. The new user only shows up in Atlas after that person’s first login.

Are you seeing the same behavior at your side? Thanks for your input.

Thank you
Jack
