UST File Verification Request #401

Closed
vannost opened this issue Sep 18, 2018 · 27 comments
Comments

@vannost

vannost commented Sep 18, 2018

Hello,

For the past couple of weeks I've been working on and off attempting to get User Sync Tool to function.
We use Active Directory.
I have created an AD service account and a group account to add new users. I configured the UST files and set up all parameters according to your specifications.

I am unable to get the sync tool to function correctly. When I drop a user into the UST user group in Active Directory nothing happens when I execute the UST file. I am executing the UST file from a linux command line that has access to the internet.

I attached the files. Could someone on your end have a look and get back to me with any suggestions?
ldap-connector.txt
umapi-connector.txt
user-sync-config.txt

@adorton-adobe
Collaborator

What console or log output do you get from the sync tool?

What command-line parameters are you using to invoke the sync tool?

@vossen-adobe
Contributor

vossen-adobe commented Sep 18, 2018

Also, it looks like everything is commented out in the files, and they are .txt instead of .yml.

@vannost
Author

vannost commented Sep 18, 2018 via email

@vannost
Author

vannost commented Sep 18, 2018 via email

@vossen-adobe
Contributor

Please take a look at the documentation here:
https://adobe-apiplatform.github.io/user-sync.py/en/success-guide/

In order to run UST, you need to do ./user-sync instead of user-sync-config.yml. The user-sync pex file will read in the .yml files. In addition, please make sure to uncomment the keys and values in the .yml files.

Lastly, I think the base dn on your ldap connector is too low. This is the base dn the tool scans for users and groups, and it looks like you have it set to OU=Admins. I'm guessing you'll need to pull it up to just "DC=SPCollege,DC=edu"

@vannost
Author

vannost commented Sep 18, 2018 via email

@adorton-adobe
Collaborator

Also - Notepad doesn't respect Unix line endings or space indentation and has a tendency to save every file with a ".txt" extension. I recommend Notepad++ if you're editing the config files on Windows.

@bajwa-adobe
Contributor

bajwa-adobe commented Sep 18, 2018

Please use the following command to test-run.
python user-sync.pex --process-groups --users mapped --test-mode

You have a few keys missing from your configuration. Please download the example configurations from the latest release and simply edit the required attributes. Here is the configuration guide.

Please remove sensitive information such as UMAPI details before posting the information on public forum.

@vannost
Author

vannost commented Sep 24, 2018

Hello,

Thank you in advance for your help on this issue. I managed to get the ./user-sync to open in Python and run on an Ubuntu / Linux command line with the commands:
./user-sync -t --users all --user-filter [email protected]./
and
./user-sync -c user-sync-config.yml --users all

I can see that user-sync is installed correctly and its utility is executing.

When I run either command I receive the following:

Using main config file: user-sync-config.yml (encoding utf8)
========== Start Run (User Sync version 2.4rc1) ===========
Python version: 3.6.5 on linux
------- Command line arguments -------
--users all --user-filter [email protected]/

date-time CRITICAL main - Value not found for key: limits in: <user-sync-config.yml>

After an exhaustive Google search and a lot of modifications I am coming up short on a solution.

Anyone have any ideas?

Thank you.

@adorton-adobe
Collaborator

Make sure you include all configuration options that are specified in the example configs. It may be easier to get clean copies of the example config files and fill them in with your UMAPI/LDAP/group settings.

The specific option it can't find is specified here:

https://github.com/adobe-apiplatform/user-sync.py/blob/v2/examples/config%20files%20-%20basic/1%20user-sync-config.yml#L228

@vannost
Author

vannost commented Sep 25, 2018

Hello,
ust error.docx

I took your advice and used clean UMAPI/LDAP copies and reprogrammed the config file. I've moved ahead in the project on your advice.

The user-sync file opens and opens Python on the Linux box that I am using. The UST then reads the config file. When it gets to the ldap file I am getting the following error: "CRITICAL main - Value not found for key: host in: ldap configuration".

I'm stuck here. I have verified that the account name and password are correct by logging into the account with the credentials; that checks out ok. I have also compared my ldap connector to the examples provided here:
https://adobe-apiplatform.github.io/user-sync.py/en/success-guide/setup_config_files.html

My ldap file looks like this:

username: [email protected] - verified login
password: ServiceAccountPassword - verified login
Host: D0DC02.SPCOLLEGE.EDU
base_dn: DC=Spcollege.edu,DC=edu

At this point the UST should work. I attached a copy of the linux console log. Any help will be greatly appreciated.

@adorton-adobe
Collaborator

Config keys are case sensitive. All config keys should be lower case. It looks like "host" is capitalized in your config file.

@adorton-adobe
Collaborator

Another thing I just noticed - be sure to prefix the LDAP hostname with either "ldap://" or "ldaps://" (depending on whether or not you want the sync tool to connect securely or insecurely).

@vannost
Author

vannost commented Sep 26, 2018

Hello Again,

Thank you for your suggestions, it worked. The UST is now reading the umapi connector. I am getting another Critical error, this time it has something to do with the public/private key authentication.

CRITICAL main - Connection to org #########@Adobe.org at endpoint https://usermanagement.adobe.io/v2/usermanagement failed: Could not deserialize key data

The key is named certificate_pub.crt

Am I using the wrong type of public/private key?

@adorton-adobe
Collaborator

Make sure that in connector-umapi.yml, you are pointing to your private key file. If your private key file is called "private.key" and you've copied it to the same directory as the sync tool and umapi connector config file, then you just need to set priv_key_path to private.key (no absolute path needed).

@vannost
Author

vannost commented Sep 26, 2018

Ok, I'll give it a try. Incidentally I created a new Integration on Adobe.io, updated my config, connectors and Linux directory -- same issue.
Thank you

@vannost
Author

vannost commented Sep 26, 2018

Hello Again,

I took your advice and removed the absolute path to the private key. I get the following output when I run ./user-sync (see below). I tried adding the key directly to the umapi file in the space provided; it still didn't work.
I'm running Ubuntu Linux. Is there something that I need to do to the directory or the key to make it execute?

I've set +x permissions on the key file and I set 777 permissions on the key as well.

Any suggestions will be greatly appreciated.

:~/user-sync$ ./user-sync -c user-sync-config.yml --users all
2018-09-26 15:32:25 78488 INFO config - Using main config file: user-sync-config.yml (encoding utf8)
2018-09-26 15:32:25 78488 INFO main - ========== Start Run (User Sync version: 2.4rc1) ===========
2018-09-26 15:32:25 78488 INFO main - Python version: 3.6.5 on linux
2018-09-26 15:32:25 78488 INFO main - ------- Command line arguments -------
2018-09-26 15:32:25 78488 INFO main - -c user-sync-config.yml --users all
2018-09-26 15:32:25 78488 INFO main - -------------------------------------
2018-09-26 15:32:25 78488 CRITICAL main - Connection to org 9C59EF9957DD60A47F000101@AdobeOrg at endpoint https://usermanagement.adobe.io/v2/usermanagement failed: Could not deserialize key data.
2018-09-26 15:32:25 78488 INFO main - ========== End Run (User Sync version: 2.4rc1) (Total time: 0:00:00)

@Luci2015
Collaborator

Hi,
There is something wrong with the private key you used. Maybe the connector-umapi.yml file does not point to the private key (selected the public one by mistake?) or the key is not of the expected format.

While you troubleshoot your private key issue, you could generate a new pair of public and private keys using this openssl command in Terminal:
openssl req -x509 -sha256 -nodes -days 1095 -newkey rsa:2048 -keyout private.key -out certificate_pub.crt
This will output the two files in the same folder where you ran this command. Upload the certificate_pub.crt to your integration, then move the private.key inside the working folder where you have the user-sync tool. The umapi.yml file should contain, for the private key path, at this point just the name of the file (priv_key_path: private.key).
Also, since you've hit a bunch of errors already, I'd not run the sync tool in production mode, so make sure you add '-t' in the command line arguments, to run the tool in test mode (make no change in Admin Console).
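The two failure modes in the comment above (priv_key_path pointing at the certificate instead of the private key, or at something that is not a PEM key at all) can be caught before the tool is run. The script below is an added example, not code from user-sync.py: it classifies the file by its PEM header and also flags the loose permissions mentioned earlier in the thread, since the private key is the credential for the UMAPI integration and should be readable only by the account that runs the sync. The file names and PEM bodies it creates are constructed placeholders, not real key material.

```python
"""Check what priv_key_path in connector-umapi.yml points at.

Added example, not code from user-sync.py.  It only reads PEM headers and
file permissions; it does not parse the key.  The key and certificate
contents below are constructed placeholders, not real key material.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

PRIVATE_KEY_HEADERS = (
    "-----BEGIN PRIVATE KEY-----",            # PKCS#8, what the openssl req command above writes
    "-----BEGIN RSA PRIVATE KEY-----",        # PKCS#1 / traditional OpenSSL format
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 protected by a passphrase
)
CERT_HEADER = "-----BEGIN CERTIFICATE-----"


def classify_pem(path: Path) -> str:
    """'private-key', 'certificate' or 'unknown', from the first non-blank line."""
    text = path.read_text(errors="replace")
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first in PRIVATE_KEY_HEADERS:
        return "private-key"
    if first == CERT_HEADER:
        return "certificate"
    return "unknown"


def check_priv_key(path) -> List[str]:
    """Problems with the file named by priv_key_path; an empty list means it looks fine."""
    p = Path(path)
    problems: List[str] = []
    if not p.is_file():
        return [f"{p}: file not found"]
    kind = classify_pem(p)
    if kind == "certificate":
        problems.append(f"{p}: this is the certificate (the file uploaded to the "
                        "integration); point priv_key_path at the private key instead")
    elif kind == "unknown":
        problems.append(f"{p}: no PEM private-key header; expected one of "
                        + ", ".join(PRIVATE_KEY_HEADERS))
    # The private key is a bearer credential for the UMAPI integration:
    # nobody but the sync account should be able to read it.
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{p}: mode {oct(mode)} is readable by group/other; chmod 600 it")
    if mode & stat.S_IXUSR:
        problems.append(f"{p}: execute bit is set; a key is data, not a program, chmod 600 it")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed key/cert pair in a temp dir: wrong file, loose perms, then fixed."""
    with tempfile.TemporaryDirectory() as d:
        key = Path(d, "private.key")
        cert = Path(d, "certificate_pub.crt")
        key.write_text("-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n-----END PRIVATE KEY-----\n")
        cert.write_text("-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n")
        os.chmod(cert, 0o644)
        os.chmod(key, 0o777)            # the permissions set earlier in the thread
        pointed_at_cert = check_priv_key(cert)
        loose = check_priv_key(key)
        os.chmod(key, 0o600)            # what a private key should have
        fixed = check_priv_key(key)
    return pointed_at_cert, loose, fixed


if __name__ == "__main__":
    for label, result in zip(("cert instead of key", "key at 0777", "key at 0600"), demo()):
        print(label, "->", result or ["ok"])
```

Run it against the real path with check_priv_key("private.key") from the directory that holds the connector file; the demo() function only exercises the checks on temporary files.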

@vannost
Author

vannost commented Sep 27, 2018

Hello,

I took your advice and recreated the key pair. I also built a new Integration, uploaded the new certificate_pub.crt to the new Integration and rebuilt the config and connector files.

I am no longer receiving the "Could not deserialize key data" error, thank you.
I am also using a test Active Directory group when running UST. There are three users in that group.

However; I am pulling a new error:
CRITICAL main - Unexpected LDAP failure reading all users: ALL provided fields "must" be text when bytes mode is off; got 'memberOf'

I attached the output.

ldap error.docx

Searching high and low for what might be causing this I came up short.

Do you have any suggestions?

Thank you

@adorton-adobe
Collaborator

It's a known issue in 2.4rc1 when running the sync tool in Python 2.7. See #396.

It will be resolved in the next 2.4 release candidate. For now, use Python 3.6 (you'll need the 3.6 sync tool build if you do this) or use version 2.3 of the sync tool.

@vannost
Author

vannost commented Sep 27, 2018

Hi,

Where can I find the 3.6 sync tool build? I tried ust 2.3. I get the attached error as output.

ldap error.docx

Error:
Unexpected LDAP failure reading all users: {'desc': 'Referral', 'info': 'referral:\nldap://spcollege.edu', 'desc': u'Referral'}

@vossen-adobe
Contributor

vossen-adobe commented Sep 27, 2018

Please try removing OU=Admin from the base_dn in connector-ldap.yml. The base dn should correspond to the DN containing all of your users and groups.

@Luci2015
Collaborator

Also your host value looks wrong, in comparison to your initial one. This last one seems to have a double .edu part and missing the DODC01 part (IP works too, but might change...).
One other thing that looks suspicious to me is that one of your DC values has a dot inside -> Check the distinguishedName attribute of your local domain in AD, for example, and use that as base_dn. (Example for test.domain.local : "DC=test,DC=domain,DC=local")
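The connector-ldap.yml problems raised across the last few comments (a capitalised key, a host with no ldap:// or ldaps:// scheme, a dot inside a DC= value, and a base_dn that starts below the domain root) are all visible in the file before any bind is attempted. The linter below is an added example, not the tool's own config loader; it assumes the connector file is flat key: value lines as in the basic example config, and every check is a heuristic taken from this thread rather than from user-sync.py's validation. The two sample files are constructed, with example.edu in place of the real domain.

```python
"""Lint a connector-ldap.yml for the pitfalls discussed in this thread.

Added example; not code from user-sync.py and not its real config loader.
Assumptions: the connector file is flat `key: value` lines (as the basic
example config is), and every check is a heuristic drawn from the thread,
not from the tool's own validation.  Sample file contents are constructed.
"""
import re
from typing import Dict, List

REQUIRED_KEYS = ("host", "username", "password", "base_dn")
DN_COMPONENT = re.compile(r"^(CN|OU|DC|O|C|L|ST)=[^,=]+$", re.IGNORECASE)

# Constructed: reproduces the shape of the connector posted above
# (capitalised "Host", no ldap:// scheme, a dot inside a DC value).
SAMPLE_BAD = """\
username: ust-svc@example.edu
password: ServiceAccountPassword
Host: dc02.example.edu
base_dn: DC=example.edu,DC=edu
"""

# Constructed: the same connector with the three problems fixed.
SAMPLE_GOOD = """\
username: ust-svc@example.edu
password: ServiceAccountPassword
host: ldaps://dc02.example.edu:636
base_dn: DC=example,DC=edu
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal `key: value` reader; skips blank and # comment lines.
    Keys are kept verbatim so case problems stay visible to the linter."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def lint_ldap_config(cfg: Dict[str, str]) -> List[str]:
    problems: List[str] = []

    # 1. Keys are case-sensitive; "Host" is not "host".
    for key in cfg:
        if key != key.lower():
            problems.append(f"key '{key}' must be lower-case ('{key.lower()}')")
    lowered = {k.lower(): v for k, v in cfg.items()}
    for key in REQUIRED_KEYS:
        if key not in lowered:
            problems.append(f"missing required key '{key}'")

    # 2. host needs a scheme; prefer ldaps:// so the bind password and
    #    every user attribute read do not cross the network in clear.
    host = lowered.get("host", "")
    if host and not re.match(r"ldaps?://", host, re.IGNORECASE):
        problems.append(f"host '{host}' lacks an ldap:// or ldaps:// prefix")
    elif host.lower().startswith("ldap://"):
        problems.append(f"host '{host}' uses plain ldap://; prefer ldaps://")

    # 3. base_dn: ATTR=value components, no dot inside a DC value
    #    (DC=example,DC=edu, never DC=example.edu, which does not name the
    #    domain's naming context and typically comes back as a referral),
    #    and a note when it starts below the domain root, since only objects
    #    under it are visible to the sync.
    base_dn = lowered.get("base_dn", "")
    if base_dn:
        parts = [p.strip() for p in base_dn.split(",")]
        for part in parts:
            if not DN_COMPONENT.match(part):
                problems.append(f"base_dn component '{part}' is not ATTR=value")
            elif part.upper().startswith("DC=") and "." in part:
                problems.append(
                    f"base_dn component '{part}' has a dot inside a DC value; "
                    "split it into separate DC= components")
        if any(p.upper().startswith("OU=") for p in parts):
            problems.append(
                "note: base_dn starts below the domain root; users or groups "
                "outside that OU are invisible to the sync")
    return problems


def lint_text(text: str) -> List[str]:
    return lint_ldap_config(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_text(sample) or ["ok"])
```

To run it on a real file, pass the contents of connector-ldap.yml to lint_text(); an empty list means none of the thread's pitfalls were found, not that the bind will succeed.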

@vossen-adobe
Contributor

@vannost - My team is ready to work with you on getting this setup. Please see the email that was sent out yesterday, and we can move forward to schedule a meeting!

@vannost
Author

vannost commented Sep 28, 2018

Hi

Thank you. The script ran and it added over a hundred accounts that are not in the Active Directory group that I am using as a test group. Also, the names and email addresses were added and no products were added.

I am going to read through the documentation again and verify that my config and connectors are mapped properly.

Thank you for your help thus far. I'll be in touch a bit later.

@vannost
Author

vannost commented Sep 28, 2018

Hello,

The script is running at this point, the mappings from my org to Adobe are working. I verified my config file and it is pointing to the correct Active Directory group.
When I run the script it creates accounts that are not the target and the product is not loading.

I attached a screen shot with the output errors and the Adobe Admin Console users list. For instance, SeminoleNTSS has an added email entry on the Admin Console (it wasn't there before), there are no products loaded and the SeminoleNTSS account is not in the group mapping.

ldap error.docx

user-sync-config data:

directory_users:
  # (optional) user_identity_type (default value enterpriseID)
  # All Adobe users have an identity type: one of Adobe ID, Enterprise ID,
  # or Federated ID. When a directory user is created on the Adobe side,
  # you must specify what identity type the Adobe-side user should have. This
  # identity type then determines whether the account is controlled by the
  # user (Adobe ID) or by the company (Enterprise ID or Federated ID), and
  # whether the sign-in process is handled by Adobe (Adobe ID or Enterprise ID)
  # or by your Identity Provider (Federated ID).
  # If your directory does not specify the Adobe-side identity type
  # for one (or any) of your users, you can specify a default type here that
  # will be used: one of "adobeID", "enterpriseID", or "federatedID".
  user_identity_type: federatedID

  # (optional) default_country_code (no default value)
  # All Adobe users have a country code, which is a two-letter (ISO-3166) country code
  # which represents the home country of the user.
  # If your directory doesn't have an appropriate value for each of your users,
  # you can configure a default value here that applies to any user without one.
  # [NOTE: For Enterprise ID users, specifying a country code is not absolutely required
  # when they are created on the Adobe side. If none is specified, Adobe will ask
  # the user for his home country at the time of first sign-in. But to avoid mistakes,
  # it is highly recommended that IT assign the value via User Sync.]
  default_country_code: US

  connectors:
    # (optional) ldap (no default value)
    # ldap stands for "lightweight directory access protocol", which is the
    # network protocol used by most in-house directory systems (including
    # Active Directory from Microsoft).  The value of the ldap setting is
    # the absolute or relative pathname of a file that contains credentials
    # and other configuration settings for accessing your ldap-compliant
    # directory system.  (See the documentation for details.) If you
    # use a relative pathname, it is interpreted relative to the
    # location of this configuration file, not relative to the
    # working directory of your User Sync process.
    ldap: connector-ldap.yml

  groups:
    # the value of this setting is a mapping whose keys are single enterprise
    # directory groups and whose values are lists of Adobe groups. This mapping
    # is specified as a list of entries, each of which has a directory_group
    # setting (whose value is a single directory group) and an adobe_groups
    # setting (whose value is a list of 0 or more product configuration and
    # user groups). In this example, imagine that "Acrobat DC Pro" is a
    # product configuration and "Copy Editors" is a user group, and that
    # the "Copy Editors" user group will be assigned access to appropriate
    # Adobe products, such as InDesign and InCopy.
    # [You will need to edit or remove these examples.]
    - directory_group: Adobe Staff Test Users
      adobe_groups:
        - Default All Apps plan - 20 GB configuration
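The symptom in the two comments above (accounts created for users outside the test group, and no product assigned) follows from which users a run selects and whether group processing is on: the runs shown earlier in the thread use "--users all" without "--process-groups", while the suggested test command uses "--users mapped --process-groups". The model below is an added example, not user-sync.py code: it models the documented meaning of those flags ("--users all" takes every user under base_dn, "--users mapped" only members of directory groups named in the groups mapping, and without "--process-groups" no Adobe group membership is changed) and checks the mapping's Adobe group names against the names in the Admin Console. The directory entries are constructed; the mapping is the one from the posted config; exact, case-sensitive name matching on the Adobe side is an assumption.

```python
"""Model of which users and product entitlements a run will touch.

Added example, not user-sync.py code: it models the documented meaning of
`--users all` (every user under base_dn), `--users mapped` (only members of
groups that appear in the groups mapping) and `--process-groups` (without
it, no Adobe group membership is changed).  The directory entries are
constructed; the mapping is the one from the config posted above; exact,
case-sensitive matching of Adobe group names is an assumption.
"""
from typing import Dict, Iterable, List

GROUP_MAPPING: Dict[str, List[str]] = {
    "Adobe Staff Test Users": ["Default All Apps plan - 20 GB configuration"],
}

# Constructed directory contents under base_dn; memberOf is AD's group list.
DIRECTORY = [
    {"mail": "alice@example.edu", "memberOf": ["Adobe Staff Test Users"]},
    {"mail": "bob@example.edu", "memberOf": ["Adobe Staff Test Users", "Helpdesk"]},
    {"mail": "carol@example.edu", "memberOf": ["Helpdesk"]},
    {"mail": "svc-backup@example.edu", "memberOf": []},
]


def select_users(directory, mapping: Dict[str, List[str]], users_flag: str):
    """Users the run will create or update on the Adobe side."""
    if users_flag == "all":
        return list(directory)
    if users_flag == "mapped":
        mapped = set(mapping)
        return [u for u in directory if mapped & set(u["memberOf"])]
    raise ValueError(f"unsupported --users value {users_flag!r}")


def plan_run(directory, mapping: Dict[str, List[str]], users_flag: str,
             process_groups: bool) -> Dict[str, List[str]]:
    """mail -> Adobe groups the run will assign (empty list: account only)."""
    result: Dict[str, List[str]] = {}
    for user in select_users(directory, mapping, users_flag):
        groups: List[str] = []
        if process_groups:
            for dg in user["memberOf"]:
                for ag in mapping.get(dg, []):
                    if ag not in groups:
                        groups.append(ag)
        result[user["mail"]] = groups
    return result


def unmatched_adobe_groups(mapping: Dict[str, List[str]],
                           console_group_names: Iterable[str]) -> List[str]:
    """Mapping targets with no exactly matching product profile or user group
    in the Admin Console; a near miss in spelling or case assigns nothing."""
    console = set(console_group_names)
    return sorted({ag for ags in mapping.values() for ag in ags if ag not in console})


if __name__ == "__main__":
    # The thread's symptom: --users all without --process-groups creates
    # accounts for everyone under base_dn and assigns no product to anyone.
    print(plan_run(DIRECTORY, GROUP_MAPPING, "all", process_groups=False))
    # The suggested test command: only group members, with entitlements.
    print(plan_run(DIRECTORY, GROUP_MAPPING, "mapped", process_groups=True))
    # A console name that differs from the mapping by a word.
    print(unmatched_adobe_groups(GROUP_MAPPING, ["Default All Apps plan - 20 GB"]))
```

Combine this with "-t" (test mode) on real runs: the plan above is what the tool would do, and test mode lets you read the same plan in the log before any account is created.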

@adorton-adobe
Collaborator

I was just informed that a call has been set up to work through any remaining sync tool issues, so I'm closing this.
