Members are not getting populated into entitlement in entitlement catalog for the LDAP application

Which IIQ version are you inquiring about?

8.4

Please share any images or screenshots, if relevant.


Properties of group in the entitlement catalog


No accounts present in the members tab


Here is the list of members present in the group inside the application

Share all details about your problem, including any error messages you may have received.

I have created an LDAP application and performed the group aggregation task on the application. As a result, I got entitlements from the LDAP application into IIQ with no errors, but the members of the groups are not getting populated, as shown in the images above. I have also tried performing Refresh Identity Cube with “Refresh Identity Entitlement for all links”, but the entitlements are still not provisioned to the identity, nor are any members provisioned into the entitlement’s members tab. Please help me resolve this issue.

Thank you!

Hi @Prash373, have you executed account aggregation? Also, please share the application XML or details.

Hello @Prash373

You can check two things here.

  1. Check the group schema for the groups attribute and ensure it is marked as Managed, Entitlement, Multi-Valued.
  2. Secondly, check if the correlation config/rule is configured correctly for the LDAP application accounts and is resolving them to the correct identities.

Hi @Prash373, can you share the group schema, particularly the groupMemberAttribute value?

Hi @Prash373, can you check if you have this defined inside the schema? Also, are the entitlements visible on the identity?

Hi @Arpitha1, I have executed the account aggregation task with the “Promote managed attribute” option checked, and still have the same result. Here is the application XML file:

LDAP_Application.xml (14.8 KB)

Hi @j_place. Here is my group schema:

And here is the screenshot of the account schema attribute which defines the group object.

No, entitlements are not visible on the identity.

Thanks @Prash373, that looks good. Can you confirm that groups is the correct account attribute for “Member Of”? In some LDAP implementations groupOfUniqueNames does not have a corresponding “back link” on the account.

Are you able to see accounts? If so, can you share a pic?

I see ou with different values between your application XML and your group snapshot. In your XML you have ou=accounts, whereas in the group pic you have ou=SMAC Sol. Only Mathew seems to have a group, so can you share a pic of Mathew’s account?

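The ou mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not code from the thread or from SailPoint: it reads a constructed searchDNs fragment in the shape quoted on this page and reports group member DNs that fall outside every account searchDN. The function names, the member list and the user "Anna" are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the searchDNs entry quoted in this thread.
APP_XML = """
<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="ou=accounts,dc=example,dc=com"/>
        <entry key="searchScope" value="SUBTREE"/>
        <entry key="groupMemberAttribute" value="uniqueMember"/>
      </Map>
    </List>
  </value>
</entry>
"""

# Constructed uniqueMember values, as an LDAP browser would list them on a group.
GROUP_MEMBERS = [
    "cn=Mathew,ou=accounts,dc=example,dc=com",
    "cn=Anna, OU=SMAC Sol, DC=example, DC=com",
]

def split_dn(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma is not a separator."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]

def account_search_bases(xml_text):
    """Collect every searchDN value found in a Map of the searchDNs entry."""
    root = ET.fromstring(xml_text)
    bases = []
    for mapping in root.iter("Map"):
        cfg = {e.get("key"): e.get("value") for e in mapping.findall("entry")}
        if "searchDN" in cfg:
            bases.append(cfg["searchDN"])
    return bases

def is_under(member_dn, base_dn):
    """True if member_dn sits at or below base_dn (assumes SUBTREE scope, as in the thread)."""
    member, base = split_dn(member_dn), split_dn(base_dn)
    return len(member) >= len(base) and member[len(member) - len(base):] == base

def members_outside_scope(xml_text, members):
    """Member DNs that no account searchDN covers, so no aggregated account can match them."""
    bases = account_search_bases(xml_text)
    return [dn for dn in members if not any(is_under(dn, b) for b in bases)]

if __name__ == "__main__":
    for dn in members_outside_scope(APP_XML, GROUP_MEMBERS):
        print("not covered by any account searchDN:", dn)
```

Any DN it reports belongs to a user that account aggregation never reads, so the group can show that member in the directory while the entitlement's members tab stays empty.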

Hi @Prash373 - can you try replacing <entry key="searchDNs"> with this snippet:

<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="ou=accounts,dc=example,dc=com"/>
        <entry key="searchScope" value="SUBTREE"/>
        <entry key="groupMembershipSearchDN" value="ou=groups,dc=example,dc=com"/>
        <entry key="groupMemberAttribute" value="uniqueMember"/>
      </Map>
    </List>
  </value>
</entry>

Hello @Prash373, the issue might be with the target source. I faced a similar problem with LDAP: although I added uniqueMember entries to the group, the members were not showing up. Only after I created the user under the group did the members appear as expected.


Got it, thank you for pointing out my mistake. Fixed it and now everything is working fine.


Sounds good. Can you close the thread by marking the solution, so it will not be in an open state?

Hi @Prash373,
Can you try adding the iterateSearchFilter entry under the group.searchDNs section in your application XML config? This helps iterate through LDAP groups during aggregation.

<entry key="group.searchDNs">
  <value>
    <List>
      <Map>
        <entry key="iterateSearchFilter" value="(objectClass=groupOfUniqueNames)"/>
        <entry key="searchDN" value="ou=groups,dc=example,dc=com"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
    </List>
  </value>
</entry>