SecurID® Discussions

DellThornhill
New Contributor

Manually sync an identity source?

Is it possible to manually sync an external identity source? Our main identity source syncs with Active Directory, but if we add users to AD in the morning we have to wait all day for the AM to sync AD so that we can provision the user.


Accepted Solutions

If this is Authentication Manager 8.x, there is no 'syncing' of AD or wait period, as there was in version 6.x when we'd sync and make carbon copies of ldap users in the internal database. AM 8.x no longer does any periodic sync to ldap; all connections are 'when requested' for a 'specific operation'.

Authentication Manager will typically do nothing on any ldap connection until:

- an Admin uses the Security Console and attempts to list anything related to LDAP, such as users or groups; then it will do a lookup at that time to list what it can map
- an Admin makes a change on the Operations Console regarding the ldap connection; it validates the connection and tries a bind operation
- the system is processing a user authentication event (runtime), and it needs to check all places where users are listed (internal database and external ldap connections) until a userid match is found

So, essentially, any changes you make in ldap should appear instantly the moment you do [some action] on Authentication Manager to force it to look up something on ldap.

If you are making changes to the Operations Console external identity source settings, and making a change that will affect a replica connection, that change may take some time to propagate to the replica, but should not be more than a minute or two. Also, if you make a change such as the password on the account used for the ldap connection, the system may still be using an old account and password in cache in an 'ldap pool' (connection pools are maintained for runtime efficiency). These stale accounts and passwords may take the longest time to clear from cache or be dropped. To be sure, if you do make changes to the connection URL or bind account and want to see instant results, bump each RSA server (restart) to force the systems to build all new ldap pools.

In summary: if you add a user to ldap, you should be able to go to the Security Console and immediately search for the userid, and it will show up, no delays, and you will be able to assign tokens and whatnot. If there is any delay, it may be an ldap replication issue and not the Authentication Manager server.
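The answer's closing point is that a delay is more likely AD replication than AM. An added check (not from this thread or from RSA) an AD admin can run from a domain-joined workstation: query every domain controller for the newly created account and flag the one AM's identity source is pointed at. It assumes the ActiveDirectory PowerShell module is installed and that `$AmIdentitySourceHost` is the DC or Global Catalog hostname configured in the Operations Console (placeholder value below).

```powershell
# Added example, not the original poster's or RSA's code.
# Shows on which DCs a new account is already visible, so an AM "delay" can be
# told apart from AD replication lag. Assumes the ActiveDirectory module.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    # Placeholder: the DC/GC hostname AM's identity source points to (assumption)
    [string] $AmIdentitySourceHost = 'dc01.example.local'
)
Import-Module ActiveDirectory

foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties whenCreated -ErrorAction Stop
        $state = "present (created $($u.whenCreated))"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $state = 'NOT YET REPLICATED'
    } catch {
        $state = "query failed: $($_.Exception.Message)"
    }

    # If AM is configured against the Global Catalog port (3268), the GC partition
    # replicates separately from the domain partition, so check that too.
    $gcState = ''
    if ($dc.IsGlobalCatalog) {
        try {
            $null = Get-ADUser -Identity $SamAccountName -Server "$($dc.HostName):3268" -ErrorAction Stop
            $gcState = ' GC:present'
        } catch {
            $gcState = ' GC:missing'
        }
    }

    $marker = if ($dc.HostName -ieq $AmIdentitySourceHost) { ' <- AM identity source' } else { '' }
    '{0,-30} {1}{2}{3}' -f $dc.HostName, $state, $gcState, $marker
}
```

If the DC marked as the AM identity source shows the account but the Security Console search still fails, the cause is on the AM side; if that DC still shows NOT YET REPLICATED, it is AD replication, as the answer suggests.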

4 Replies
EdwardDavis
Employee

What specific RSA software is syncing with AD?

Is this an Identity Router, or an old version of Authentication Manager 6.x?


It's a very current version of Authentication Manager: 8.4 update 6.


What you are saying sounds like the Identity Source configured in the Identity Router (IDR) in SecurID Access. The Identity Sources configured in an Authentication Manager appliance, all versions 8.x including 8.4, have a continuous and real-time connection to LDAP, unless your Identity Source points to something other than a Domain Controller or Global Catalog. When something is in the Identity Source, AM will see it; if AM cannot see it, it's not there. If you have some type of meta directory or LDAP aggregator that AM points to, then the sync has to occur there, not in AM.