ldap_sync does not update all contacts after a large import of contacts is performed using the pdm_load utility.

Document ID : KB000027010
Last Modified Date : 14/02/2018

Issue

After a large import of contacts into the ca_contact table using the pdm_load utility, ldap_sync does not update all of the contacts in CA Service Desk Manager (CA SDM).

Environment

CA Service Desk Manager 12.9, 14.1

Cause

In CA Service Desk Manager, the "contact" object maps to 2 separate MDB tables: 'ca_contact' and 'usp_contact'.

Often, when a large data load is done, only the 'ca_contact' table is updated. For the ldap_sync process to run effectively, the 'ldap_dn' column must also have a value for the contact in the 'usp_contact' table.

Although CA Support neither recommends nor supports loading contacts into the ca_contact table using the pdm_load utility, we understand that there are times when loading contacts this way may be the only possible option aside from manually creating users via the CA SDM user interface.

Resolution

Please note the following important points:

1.  It is critical to test this first in your CA Service Desk Manager Test, QA, or Development environment before running this on a production server to assess the impact.

Potential impact might include:

  • If no match can be found in LDAP, 'ldap_sync' will make the contact inactive in CA SDM.

  • If there are a large number of contacts in CA SDM, consider passing additional arguments to run the process in smaller chunks.  For example: ldap_sync -c "last_name = 'A%'" -l "userid=?". By running this in smaller sets, the impact on the CA SDM application can be minimized.


2.  It is critical to test the LDAP connection, to understand the impact on CA Service Desk Manager and the LDAP directory server, and to confirm with the LDAP server administrator the appropriate credentials and container to use in the LDAP Search Base.

 

Follow these steps to resolve and prevent the issue:

  1. Run the following command on the CA Service Desk Manager primary or background server where NX_ROOT is your CA Service Desk Manager install directory:

    NX_ROOT/bin/pdm_extract -f "select id from ca_contact" > contact.out

  2. Open the file that has been created from the command above with a text editor.

    It will look like the following:

        TABLE ca_contact
            id
            { "8A3127C3A55C6341B183EC5031B716D8" }
            { "615604CB4E5F91489D48AB050B8BA31E" }
            { "FFA6E32C7BBCAB449F973B7A797B2477" }
            ...

    Change the table name to 'usp_contact' so that the file looks like the following:

        TABLE usp_contact
            id
            { "8A3127C3A55C6341B183EC5031B716D8" }
            { "615604CB4E5F91489D48AB050B8BA31E" }
            { "FFA6E32C7BBCAB449F973B7A797B2477" }
            ...

    Save the modified contact.out file.

  3. Load the modified contact.out file as follows:

    NX_ROOT/bin/pdm_load -f <path to modified contact.out>

    You will now have matching rows in both the ca_contact and usp_contact MDB tables: each id in the 'ca_contact' table has a matching row in the 'usp_contact' table.

  4. Using your DBMS client (for example, SQL Query Analyzer), run the following query:

    UPDATE usp_contact SET ldap_dn = 'NOT_NULL' where ldap_dn IS NULL

    This is needed because the ldap_sync program only updates contacts that have a non-NULL value in the ldap_dn column.

  5. After the UPDATE statement is complete, run the following command on the primary or background CA Service Desk Manager server:

    NX_ROOT/bin/pdm_cache_refresh -t usp_contact

    NOTE: This refreshes the application's cache of the usp_contact table, because the table was updated outside of the CA Service Desk Manager GUI.

  6. We are now ready to run ldap_sync with an added argument. The added argument tells CA Service Desk Manager's ldap_sync program not to use 'ldap_dn' as the unique value for its sync with LDAP. Instead, it tells 'ldap_sync' to use the 'userid' value in CA Service Desk Manager and match that up with the 'uid', 'sAMAccountName' or 'pzUserName' on the LDAP directory store.

    Run the following command. After it completes, all contacts in CA Service Desk Manager should be matched up with the corresponding contact data in the LDAP store:

    NX_ROOT/bin/ldap_sync -l "userid=?"
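
Step 2 can be scripted instead of edited by hand. The script below is an added example, not part of the original article or of CA's tooling; the helper names retarget_extract and extract_ids are hypothetical and the sample ids are constructed. It changes only the leading TABLE header, whether the id rows follow on the same line or on their own lines, and refuses to produce a file if the id rows differ afterwards.

```shell
#!/bin/sh
# Added example, not CA code. Helper names are hypothetical.

# extract_ids FILE: print every { "<32 hex digits>" } id value, one per line.
extract_ids() {
    grep -Eo '\{ *"[0-9A-Fa-f]{32}" *\}' "$1" | tr -d '{}" '
}

# retarget_extract SRC DST: copy a pdm_extract file of ca_contact ids to DST,
# changing only the table name in the leading TABLE header to usp_contact.
# Prints the number of ids carried over on success.
retarget_extract() {
    src=$1
    dst=$2
    [ "$src" != "$dst" ] || { echo "error: refusing to overwrite $src" >&2; return 1; }
    # Refuse input that is not an extract of ca_contact.
    head -n 1 "$src" | grep -Eq '^TABLE[[:space:]]+ca_contact([[:space:]]|$)' || {
        echo "error: $src does not start with 'TABLE ca_contact'" >&2
        return 1
    }
    # Rewrite line 1 only, anchored at its start, so no id value can be altered.
    sed '1s/^TABLE[[:space:]][[:space:]]*ca_contact/TABLE usp_contact/' "$src" > "$dst" || return 1
    # Verify: at least one id, and the id list is identical before and after.
    before=$(extract_ids "$src")
    after=$(extract_ids "$dst")
    if [ -z "$before" ] || [ "$before" != "$after" ]; then
        echo "error: id rows missing or changed; do not load $dst" >&2
        rm -f "$dst"
        return 1
    fi
    printf '%s\n' "$before" | wc -l | tr -d ' '
}

# Demo on constructed input: a TABLE header, the id column, three made-up ids.
sample=$(mktemp) && out=$(mktemp) || exit 1
printf 'TABLE ca_contact\n\tid\n' > "$sample"
printf '\t{ "%032X" }\n' 1 2 3 >> "$sample"
echo "ids carried over: $(retarget_extract "$sample" "$out")"
head -n 1 "$out"
rm -f "$sample" "$out"
```

Pass the resulting file to pdm_load in step 3 only if the function exits with status 0.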

 

Additional Information:

How to integrate CA Service Desk Manager with LDAP

Managing multiple LDAP servers in CA Service Desk Manager

Troubleshooting LDAP Configuration with CA Service Desk Manager