When trying to assign LDAP groups to an ACL in IM I get the error "Cannot list LDAP groups"

Document ID : KB000093210
Last Modified Date : 27/04/2018
Issue:
In IM (or the Admin Console), you can assign LDAP groups to ACLs via Security -> Manage Access Control List... -> Set LDAP group. In some environments this causes IM (or the Admin Console) to report the error "Cannot list LDAP groups" with no further information about the problem.
Environment:
Any current UIM version
Cause:
In the background, the hub performs an LDAP search, rooted at the DN configured in its LDAP settings, to enumerate all groups. By default that DN is the base DN, so in large directories with hundreds or thousands of groups the IM (or Admin Console) request times out before the hub has finished compiling the list, and the GUI reports only "Cannot list LDAP groups". The error therefore indicates a slow or oversized group search, not an authentication or permission failure.
Resolution:
The GUI offers no way to restrict which groups are offered for UIM use. What you can do is narrow the search the hub performs, in one of two ways (they can also be combined):
  1. Create a sub-container (OU or CN) under the base DN for the groups UIM should use, move those groups into it, and change the group DN in the hub's LDAP configuration so the search is rooted at that container instead of the base DN.
  2. Edit the Active Directory template in hub.cfg, specifically the filter_group entry, so that the filter restricts the search by both object category and group name. This keeps the search rooted at the configured DN but lets the directory server return only the groups that match, so the hub is no longer overwhelmed when the DN contains too many groups. The filter needs to look like this (note that RFC 4515 allows no whitespace between the components of a filter):
(&(objectCategory=group)(cn=<common part of groupnames>*))
The trailing * is a prefix match, so this option requires that the groups used by UIM share a common naming prefix. Before changing hub.cfg, confirm with an ldapsearch against the same DN that the narrowed filter returns the expected groups and completes well within the GUI timeout; if the search still returns hundreds of groups, tighten the prefix or move to option 1.
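The following is an added example (not part of the KB article, and not CA/Broadcom code) that shows how to build the narrowed filter_group value safely and sanity-check it before editing hub.cfg. It escapes the group-name prefix per RFC 4515 so that the trailing * is the only wildcard, evaluates the same filter locally against a constructed set of directory entries to show how far the prefix narrows the result, and assembles an ldapsearch command with a server-side time limit for verifying against the real directory. The prefix "UIM-", the host "dc01.example.com", the bind DN, the base DN and the sample entries are all assumptions made for this example; the local matcher is only an approximation of AD's matching rules.

```python
"""Build and sanity-check a narrowed AD group filter for the hub's filter_group entry.

Added example, not CA/Broadcom code. Standard library only, so it runs offline.
"""

# RFC 4515 escaping for characters that would otherwise change a filter's meaning.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_value(value: str) -> str:
    """Escape a literal assertion value so it cannot inject extra filter terms."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_group_filter(prefix: str) -> str:
    """Return (&(objectCategory=group)(cn=<prefix>*)) with no whitespace between
    components (RFC 4515) and the prefix escaped, so only the trailing * is a wildcard."""
    return f"(&(objectCategory=group)(cn={escape_ldap_value(prefix)}*))"


def _is_group(entry: dict) -> bool:
    """AD stores objectCategory as a DN such as CN=Group,CN=Schema,...; the filter
    shorthand (objectCategory=group) matches its leading RDN. Approximated here."""
    for cat in entry.get("objectCategory", []):
        if cat.split(",")[0].strip().lower() in ("cn=group", "group"):
            return True
    return False


def group_matches(entry: dict, prefix: str) -> bool:
    """Local evaluation of the built filter: group object whose cn starts with the
    literal prefix. cn is case-insensitive in AD, so compare case-folded."""
    return _is_group(entry) and any(
        cn.lower().startswith(prefix.lower()) for cn in entry.get("cn", [])
    )


def count_matching(entries: list, prefix: str) -> int:
    """How many of the given entries the narrowed filter would return."""
    return sum(1 for e in entries if group_matches(e, prefix))


def ldapsearch_command(host: str, bind_dn: str, base_dn: str, prefix: str,
                       timelimit: int = 10) -> list:
    """argv for an OpenLDAP ldapsearch that runs the same filter with a server-side
    time limit (-l), so a search that would exceed the GUI timeout fails visibly."""
    return [
        "ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
        "-b", base_dn, "-s", "sub", "-l", str(timelimit),
        build_group_filter(prefix), "cn",
    ]


# Constructed sample directory: five groups and one user whose cn shares the prefix.
_GROUP_CAT = "CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com"
_PERSON_CAT = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"
SAMPLE_ENTRIES = [
    {"cn": ["UIM-Admins"], "objectCategory": [_GROUP_CAT]},
    {"cn": ["UIM-Operators"], "objectCategory": [_GROUP_CAT]},
    {"cn": ["uim-readonly"], "objectCategory": [_GROUP_CAT]},  # case-insensitive hit
    {"cn": ["Domain Users"], "objectCategory": [_GROUP_CAT]},
    {"cn": ["Finance"], "objectCategory": [_GROUP_CAT]},
    {"cn": ["UIM-Service"], "objectCategory": [_PERSON_CAT]},  # a user, not a group
]

if __name__ == "__main__":
    print("filter_group =", build_group_filter("UIM-"))
    print("unfiltered groups:", count_matching(SAMPLE_ENTRIES, ""))
    print("with prefix UIM- :", count_matching(SAMPLE_ENTRIES, "UIM-"))
    print(" ".join(ldapsearch_command("dc01.example.com",
                                      "CN=uimbind,OU=Service,DC=example,DC=com",
                                      "OU=UIM Groups,DC=example,DC=com", "UIM-")))
```

Run the printed ldapsearch command (it prompts for the bind account's password) against the DN configured in the hub; if it hits the -l time limit or returns far more groups than you expect, the hub will have the same problem, and the prefix or the search base needs to be narrowed further.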