Environment
ZENworks Configuration Management 2017 Policies
Situation
The Dynamic Local User policy has been configured to include or
exclude specific users.
The user is a member of groups that fail to resolve through ZENworks-generated LDAP calls.
Resolution
Workaround
Configure the ZENworks Agent to skip requesting user group membership details in containment lookup:
Create the registry value HKLM\Software\Novell\ZCM\AgentSettings\DonotFetchUserGroups (Reg_SZ): True
Cause
If the LDAP lookup fails for at least one user group, an error
is returned to the ZENworks agent. If the containment lookup fails,
the ZENworks agent skips any user inclusion/exclusion details and
the DLU policy applies as assigned.
Status
Reported to Engineering
Additional Information
Please note that the zenserver service might need to be restarted
on each of the Primary Servers, since the web server keeps
returning already cached containment lookup group membership
details.
This issue has been exhibited after adding an Open Enterprise Server with a Domain Services for Windows configuration to an existing eDirectory tree and adding domain user group membership to existing users.
Looking up domain user group details through a previously installed LDAP server fails in this case because domain user groups are stored in domain containers, which do not resolve in ZENworks. Domain containers are of object class Container, which is different from "normal" eDirectory containers (Country, Organization, Organizational Unit...). The Container object class is not included in the eDirectory-specific LDAP lookup filter used in ZENworks, so objects below such domain containers fail to resolve in ZENworks.
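The behaviour described under Cause and Additional Information, modelled as an added example (not ZENworks code and not part of the original article): it flags group memberships that sit below a container whose object class is outside the "normal" eDirectory container classes, and shows how one such group causes a user exclusion to be skipped. Assumptions: the lowercase object-class spellings, the sample DNs, the function names and the restriction to an exclude list of users are all constructed for illustration; the actual ZENworks lookup filter is not shown in the article.

```python
import re

# Container classes the article lists as "normal" eDirectory containers.
# Assumption: these lowercase spellings; the real ZENworks filter is not on the page.
RESOLVABLE = {"country", "organization", "organizationalunit"}

def ancestors(dn):
    """Return the ancestor DNs of dn, nearest first (splits on unescaped commas)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return [",".join(rdns[i:]).lower() for i in range(1, len(rdns))]

def unresolvable_groups(group_dns, container_classes):
    """Groups with an ancestor whose object class is outside RESOLVABLE (or unknown)."""
    return [g for g in group_dns
            if any(container_classes.get(a) not in RESOLVABLE for a in ancestors(g))]

def dlu_applies(user, group_dns, excluded_users, container_classes,
                skip_group_lookup=False):
    """Model of the described behaviour for an exclude list of users only.

    skip_group_lookup stands in for the DonotFetchUserGroups workaround.
    """
    if not skip_group_lookup and unresolvable_groups(group_dns, container_classes):
        return True  # containment lookup failed: exclusion details are skipped
    return user not in excluded_users

# Constructed sample directory data (not from the article).
CONTAINERS = {
    "o=acme": "organization",
    "ou=staff,o=acme": "organizationalunit",
    "cn=users,ou=staff,o=acme": "container",  # domain container
}
USERS = {
    "alice": ["cn=helpdesk,ou=staff,o=acme"],
    "bob": ["cn=helpdesk,ou=staff,o=acme", "cn=DomainGroup,cn=Users,ou=staff,o=acme"],
}
EXCLUDED = {"alice", "bob"}

def report():
    """Per-user view: unresolvable groups and the policy outcome with/without workaround."""
    return {u: {"unresolvable": unresolvable_groups(g, CONTAINERS),
                "dlu_applies": dlu_applies(u, g, EXCLUDED, CONTAINERS),
                "dlu_applies_with_workaround": dlu_applies(u, g, EXCLUDED, CONTAINERS, True)}
            for u, g in USERS.items()}

if __name__ == "__main__":
    for user, row in report().items():
        print(user, row)
```

In the sample data both users are excluded, but only alice's exclusion is honoured until the group lookup is skipped; bob's single group below the domain container is enough to make the policy apply as assigned.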