Application Note 1029: LDAP (Active Directory) Synchronization

General

The OpenLM Server is capable of synchronizing users and groups with an organization’s LDAP to combine license management, license statistics, and report extraction with other company information. LDAP synchronization provides automatic maintenance of Users’ and Groups’ data.

LDAP Synchronization holds many advantages, for different levels of decision makers in the organization. On an administrative and managerial standpoint, it can be applied for enforcing license usage permissions, implementing usage chargeback (usage billing), analysis of usage trends etc. Administrators may gain in automating FlexLM Option file management, thus streamlining FlexLM reporting. From the end-user point of view, this information may be applied to easily locate other users holding a required license.

The Groups synchronization functionality is part of the Users and Groups extension, and requires additional licensing.

Additional information

Please refer to the video tutorial section on the OpenLM site, for a demonstration of Active Directory synchronization.

Users and groups presentation

The Users and User groups which exist in the OpenLM Database are apparent in the EasyAdmin web application, in the Users and Groups windows respectively. Initially, upon installation of the OpenLM server, the Users and Groups windows are only populated by the logged user (e.g. ‘Orik’ – that’s me), the default ‘generaluser’ user, and the “OpenLM Users” default group.

The Active directory tab – Interfacing the LDAP

This tab is the OpenLM Server’s interface to LDAP (Active directory) synchronization. The 1st thing to do is to connect to the LDAP Database. Type in the LDAP server details:

  • Domain name: the IP Address of the server which is your organization’s domain controller (e.g: 102.101.100.106)

  • Username (e.g: administrator)

  • Password, and

  • LDAP server type: (e.g. “Active Directory”)

Click the ‘Check’ button, and receive an authentication status notification, as depicted below:

 

Organizations may have multiple domain controllers (for example, if different departments or subsidiary companies have their own servers for user authentication). In order to add a second server, select the row where the asterisk is shown above, and type in the data for the second server. In order to apply another synchronization rule to the same LDAP server, click the “Duplicate” button under the list of domain controllers.

Synchronizing Users

It is important to note that synchronizing to the LDAP is a tricky business. You may end up having taken in more users than you intended, and deleting users from the database is difficult. It is highly recommended to experiment on a separate database, NOT on the production database.

In order to synchronize user information:

  • Check the “Synchronize users” check-box. Other fields on the “Active directory” tab are activated.

  • Click the ‘Select’ button. The active directory browser opens.

  • Select a synchronization start node.In this example, We’ve selected an Organizational Unit (OU): OU_Test. Click ‘OK’ and the node path appears in the “Synchronization Start Node” text box. The LDAP would be synchronized from this node down.

 

  • Set the “Sync time interval” value. The value in this example states that the user details would be updated every 12 hours.
  • It is highly recommended to Check the “Sync only active users of licenses” in order to avoid adding users that do not actively use the application. New active users would be added to the list of users as they check out a license, and their LDAP details would be synchronized when the “Sync time interval” elapses.
  • Set the “Sync username attribute”.

    • “sAMAccountName” is good for Pre Windows server 2000 Active directory versions.

    • “userPrincipalName” is good for Post Windows server 2000 Active directory versions.

    • “cn”  should be used for any LDAP configuration other than “Active Directory”, i.e. “Novelle Directory” or “Apache DS” .

      The value of the selected field (sAMAccountName or userPrincipalName or cn) within the Active Directory would be applied as the user name recognized by OpenLM.

Synchronization of Groups

Check the “Synchronize groups” checkbox to enable a variety of options for associating users with groups in the OpenLM database, according to the data structure on the LDAP.

AD Groups:

This option goes through the list of users that populate the nodes beneath the selected node. The “AD Groups” selection should be used carefully, because it may introduce a large amount of undesired groups. This is because users who are members of groups within the selected node may also be members of groups from beyond that node, resulting in additional introduction of these external groups.

Attribute:

OpenLM groups may be created according to specific attributes their members may have. In order to do that, select the “Attribute” radio button, and pick up a suitable attribute from the adjacent drop-down list of attributes. Examples for attributes are: “Division”, “Employee ID”, “Initials” or “Cost center”. Type in a Regex expression that would articulate the required attribute.

Fixed:

This option enables the administrator to associate a particular group name to all users of a specific node within the AD tree. The ‘Fixed’ name typed in the textbox is the group name of the users that would consequently be synchronized in this method.

OUs (organizational units):

This option is in use by organizations that have an organizational hierarchy represented in the LDAP; for example departments nested inside divisions. By selecting the OU synchronization method:

  • Users would be introduced into groups in the OpenLM database. These groups would be named after the LDAP OUs under which the users have been created.

  • If the “Add full hierarchy” checkbox is ticked, the entire OU hierarchy tree descending from the start node would be introduced as groups in the OpenLM database. OUs in which no users have been defined in the LDAP, would be presented in OpenLM as empty groups.

  • If the “Add full hierarchy” checkbox is not ticked, OpenLM would flatly create groups named after the LDAP OUs, and populate these groups by the users which have been defined under these OUs. No empty groups would be created.

Case study

In order to demonstrate the different group synchronization methods, I have created the following OU structure, and enabled all users. Note that Users U_A1 & U_AB2 are members of more than one group:

Case 1: Synchronize users only

Procedure: OU_AB was selected as the start node.

Outcome: All Users were synchronized. No Groups or OUs synchronized.

Case 2: Synchronize AD Groups (1)

Procedure: OU_AB was selected as the start node.

Outcome: All groups and users beneath OU_AB were synchronized. The Hierarchical tree was not preserved.

Case 3: Synchronize AD Groups (2)

Procedure: OU_B was selected as the start node.

Outcome:

  • Users B1 & AB2 have been synchronized.
  • Group B1 was synchronized.
  • Group A1 was synchronized, with only user AB2.

Case 4: Synchronize AD Groups (3)

Procedure: OU_A was selected as the start node.

Outcome: Mirror image of the previous case:

  • Users A1, A2, A3 & AB2 were synchronized.
  • Groups  A1, A2, A3 & B1 were synchronized. Group B1 only contains user AB2.

Case 5: Fixed

Procedure: Start node = OU_A. The “Fixed” name was named “The_A_Team”.

Outcome: All of OU_A’s users were gathered in “The_A_Team” group.

Case 6: Attribute

Reminder: Users A1 & B1 are the only users to have been defined owning “division” attributes with the value “my_division” (See LDAP diagram).

Procedure: OU_AB was selected as the start node. The “Attribute” synchronization method was chosen. The ‘division’ attribute with the value “my_division” was configured in the Active directory configuration form.

Outcome: All Users in OU_AB were synchronized. Users A1 & B1 were gathered in the “my_division” group.

Case 7: OU

Procedure: OU_AB was selected as the start node. “Add Full Hierarchy” was not checked.

Reminder: Users  AB1 & B1 were created under the OU_AB Operational Unit. All other users, i.e. A1, A2, A3, AB2 were created under OU_A.

Outcome: All users under OU_AB were synchronized. OpenLM has flatly created groups named OU_AB, and OU_A. Each of these two groups contain the users which have been created under the respective LDAP’s OUs:

  • Group “OU_AB” contains the users AB1 & B1 (see image below).
  • Group “OU_A” contains all other users, i.e. A1, A2, A3, AB2.

Case 8: OU (2)

Procedure: OU_AB was selected as the start node. “Add Full Hierarchy” was checked.

Outcome: This time the OU hierarchy was preserved, so OU_A and OU_B appear under OU_AB. The users are again grouped according to the position in which they were created:

  • Group “OU_AB” contains the users AB1 & B1.
  • Group “OU_A” contains all other users, i.e. A1, A2, A3, AB2 (see image below).
  • Group “OU_B” is empty.

Please follow and like us:

Application note 1013: OpenLM Alerts

Scope

OpenLM Alerts is designed to assure the stability and availability of your licensing system. The system allows the system manager to define conditions and what will happen when these conditions are met. The system is able to handle complex conditions on multiple license servers and features and is able to send alert by email or SMS.

This document presents the OpenLM Alerts software module. It elaborates the module’s installation process, and conveys basic information regarding the OpenLM Alert’s functionality and configuration options.

General

The implementation of OpenLM Alert system allows organizations to handle problems related to the licensing system even before the users experience the problems. The “OpenLM Alerts” tool provides the system administrator ability to closely monitor the licensing system through a set of predefined message rules.

These messages may be assigned different severity levels, i.e.: Alerts, Warnings and Notifications. The Alerts tool messages may be configured to be sent to the system administrator as an email, an SMS text message, as a notification in the EasyAdmin web application or redirected to an event log file.

OpenLM Alerts System Architecture

The Alerts system is implemented by a Windows service working in conjunction with the OpenLM Server.


The Alert Systems interface, OpenLM Alerts Editor allows the user to define a set of alerts that are written to an XML file. OpenLM Alerts service reads the alert and constantly checks the conditions against OpenLM Server.

When a condition is met, OpenLM Alerts checks the defined destinations and timelines, and sends the messages to the users using the SMTP and SMS gateway.

“OpenLM Alerts” is an optional component that requires additional licensing. It may be downloaded and installed for evaluation purposes for a period of up to 30 days. After that, a customer would have to contact sales@openlm.com for pricing.

Downloading and Installation

The Alerts tool can be installed on any Windows platform. It should be installed on the same machine as the OpenLM Server. The OpenLM Alerts installer requires .NET Framework 3.5.

The OpenLM System components are available for download on the OpenLM site. After filling in your name and email, you would be directed to the download section. Select the OpenLM Version 1.7 section:

Roll down to the bottom of the page, and click the “Download” button under the OpenLM Alerts label. Follow the standard Installation wizard commands to go through the installation process.

Note: The OpenLM Alerts component monitors your license servers (FLEXlm, IBM LUM, and Sentinel RMS) and it should not be installed on the same server as your license servers. Otherwise, the OpenLM alerting system will also stop running along with FLEXlm in case of any hardware or software failure.

At the end of the installation process, the Alerts Configuration Form will be displayed.

The Alerts Configuration Form

Open the Alerts Configuration from. Its image is shown below:

Fill in the required information to configure the Alerts module:

  • OpenLM server: Type in the OpenLM Server name or IP. In the example above, the Alerts module was installed on the same machine as the OpenLM server, hence OpenLM server was defined as localhost.

  • Alerts Port and UI Port: These are the OpenLM server ports that interface with the Alerts module. These should be the same ports as defined in the “OpenLM server configuration”  form under the “Port Settings” label, namely the “Alerts server checking port” and the “User interface http server port” respectively.

Click the “Check connectivity to OpenLM Server” buttons to ensure that the Alerts module interfaces the OpenLM server on both these ports.

  • Configure mail / sms services: The OpenLM Alerts may be sent email or SMS text message. In order to configure the alert to be send as an email:

  1. Click the Configure mail/sms services button. The Configuration widow opens on the Email tab.

      

  1. Type in the required information, and click the “Test account” button. A test message would be sent to the configured account.

  2. Click the “OK” button to finalize this configuration.

In order to set the Alerts module to send SMS text messages:

  1. select the SMS tab on the Configuration window.

  1. Contact OpenLM Sales (sales@openlm.com) in order to receive your SMS username and password.

  2. Type in the required data, and press the “Test account” button. An SMS text message would be sent to the configured account.

  3. Click the “OK” button to finalize this configuration.

The Alerts editor window

The OpenLM Alerts System features a visual and easy-to-use Alerts Editor. In order to access the editor: Click the Windows “Start” button, and navigate to “OpenLM” → “Alerts System Service” → “OpenLM Alerts Editor”. The Alerts Editor window opens.

To add a new alert, follow these steps:

  1. Click the “Add” button. The “Conditions Editor” window opens.


  1. Enter the “Query Name” text.
  2. Click the “Severity” drop down menu, and select the required severity level to be Alert, Warning or Notice.
  3. Select the condition type: OpenLM Alerts system uses conditions to help organizations locate failures or inefficient usage of licenses. The condition types are:
    1. Feature threshold – Checks the usage level of a feature.
    2. Check duplicate licenses – Checks whether a user uses the same features on multiple workstations.
    3. OpenLM server is down.
    4. Feature Expiration – Alert that a feature license expiration date is coming up.
    5. Monitored license manager that OpenLM fails to contact
    6. Users without default group
    7. Users without default project
  1. Configure one or more Alert destinations:
    1. Click the “Type” drop down menu, to select the Alert destination type. The optional types are:
      1. Email
      2. SMS text message
      3. EasyAdmin web application
      4. Event log
    2. Type in the Alert’s destination in the “Destination” text box.
    3. To customize the number of times an alert could be sent, click the “Limit Send Times” button. The “Select allowed sending times” window opens. Customize the alert’s sending times on this window.
  2. Click the “Add” button. A corresponding Alert line is added in the “Query Definition” frame (see below).


  1. Configure each alert line separately and click “OK”. A new alert is added to the Alerts List on the “Alerts Editor” window.
  2. In order to edit an alert, select a Query Name (e.g.: my_new_alert) on the “Alerts Editor” window, and click the “Edit” button. The “Conditions Editor” opens again, and the necessary changes may be applied.

Alerts Timing

There is a method for setting up the Alerts’ timing (e.g.: If the system administrator is reluctant to receive SMS messages at 3:00 AM). In order to do so, please configure the “Select allowed sending times” window.

This window is accessible through the “Conditions Editor” window’s “Limit send times” button. Configuration of timing may be done in two methods: via the “User Interface” or the “Custom Pattern”.

User interface configuration

The example below shows an email alert pattern configured to each working day of the week, between 08:00 and 20:00. Note the Regular expression for this pattern is “* 8-20 * * 1-5”

 

Custom Pattern configuration

The user may also set the alert according to the Regular expression pattern, in order to obtain more complex alert timing patterns. For example: setting the alert for each working day of the week on every whole hour would create the pattern 0 */1 * * 1-5. In order to combine the two patterns mentioned above, i.e: have an alert for each working day of the week on every whole hour AND between 08:00 and 20:00, we need to superimpose the patterns, i.e:
“* 8-20 * * 1-5” + “0 */1 * * 1-5” = “0 8-20/1 * * 1-5”

Implementation Tips

  • Every Alert query consumes resources from the OpenLM system, hence a good alerts’ system should contain the minimum number of checks that would assure a stable and effective licensing system. The frequency of queries can be configured on the “Select Frequency” dialog box (Click the “Frequency” button in the “Alerts Editor” window to access this dialog box).

  • The “Limit Send Time” button in the “Conditions Editor” window allows you to direct the alert to the desired destination. For example, an alert may be sent to an email during work hours and to SMS after work hours.

Revision Table

Revision Date Author Notes
0.1 – Preliminary Nov 10, 2011 Orik Preliminary
1.0 Mar 23, 2012 Orik Added Alerts’ timing
Please follow and like us:

Problem/Error with AutoCAD network license management: “A valid license could not be obtained by the network license manager”

Details:

You can face above problem frequently on AutoCAD 2007 based products when you are working in an organization where:

  • Concurrent licensing scheme is implemented through server/client networking mode.
  • Network bandwidth is low.
  • Network latency is high or connected through VPN.

All of the products based on AutoCAD 2007 contain licensing enhancements which tend to increase network latency and bandwidth utilization of the network. Therefore, you can face this problem while trying to claim the license of the program from the License Manager Server. Earlier versions of AutoCAD products i.e. older than 2007 release were not observing this problem. In this problem, first you are presented with a FLEXlm license finder dialogue box during license obtaining process followed by a message stating:

“A valid license could not be obtained by the network license manager.

Error [1.5. -15]”

In some other products you can receive a bit different message as given below:

“A valid license could not be obtained by the network license manager.

Error [1.5. -18]”

Reasons for Error:

A network throughput or data rate of the link is the main reason for this error especially in case of heavy applications like AutoCAD 2007. Reasons can be summarized as below:

  • Low Bandwidth of the connection i.e. Dial-up connection or low speed ISDN/DSL connection.
  • High Network Latency i.e. VPN
  • Response waiting time of the application/program

One or more of the above reasons can be the root cause of this problem. This problem has recommended solutions which given below.

Solutions:

  • Recommended solution for this problem is either increase in the bandwidth of the connection or decrease in the network latency or enhancement in both parameters.
  • By modification of the response waiting time counter/value which is used as the last resort for the solution of this problem. This is a stepwise procedure to modify the response waiting time counter. Here is the stepwise procedure for the same:
  1. Right click My Computer and choose properties.
  2. On system property dialogue box choose advanced tab.
  3. Click on the environment Variables
  4. On environment variable dialogue box choose system variables field and hit the new button
  5. A new system variable dialogue box with two fields appears; put “FLEXLM_TIMEOUT” in variable name and put 1000000 in variable value field.
  6. Click OK on all three dialogue boxes to close them
  7. Launch the AutoCAD application

 

 

 

 

 

 

 

 

If the problem persists, increase the variable value in multiples of 1000000 micro seconds and reach to the value which gives you satisfactory communication results.

Please follow and like us:

ArcGIS Software Bug/Problem: “The ArcGIS Desktop Administrator does not connect to ArcGIS License Manager 9.3 while it is connected through VPN or network speeds are slow”

Details:

You must not panic when you see above mentioned issue during the process of ArcGIS license-claiming from ArcGIS License Manager 9.3. This is a software bug mostly observed in all level of ArcGIS software ver9.3; earlier releases of this software did not observe this problem but following mentioned all levels observed this issue.

  • ArcGISArcEditor 9.3
  • ArcGIS – ArcInfo 9.3
  • ArcGIS – ArcView 9.3 & 9.3.1
  • ArcInfo Workstation 9.3

All of the above software modules observe this problem while operating on following Windows Operating systems.

  • Windows 2000
  • Windows XP
  • Windows 2003 Server
  • Vista

This bug is identified by the ID ‘NIM037135’ and FlexNet licensing error ID “-15,570” which is shown in the error report/message returned against licensing request to the server. Following error message is returned with related details:



The name of the server and license path may vary as per network configuration. The error numbering scheme will be -15 and followed by 570 after comma; this is ArcGIS error reporting format.

Reasons for error:

This happens mostly in following two conditions when network/concurrent licensing scheme for ArcGIS is implemented.

  • The connection between server and license requesting machine is through VPN.
  • The connection is either Dial-up or a slow ISDN/DSL one.

Solution:

There is a stepwise process to resolve this issue of the software through modification of the environment variables in the Windows operating systems. The network or server client messages take certain time to process and reach at their destinations. Therefore, the waiting time of the program for communication response to reach is set a bit larger to resolve this issue on the windows OS. Stepwise procedure is given below:

  • Right click My Computer and choose properties.
  • On system property dialogue box choose advanced tab.
  • Click on the environment Variables
  • On environment variable dialogue box choose system variables field and hit the new button
  • A new system variable dialogue box with two fields appears; put “FLEXLM_TIMEOUT” in variable name and put 1000000 in variable value field
  • .Click OK on all three dialogue boxes to close them
  • Launch the ArcGIS 9.3 program

If the problem still persists then, repeat above mentioned procedure with an increase the variable value in the multiples of 1000000 micro seconds and reach to the value which gives you satisfactory communication results.

Please follow and like us:

Serve OpenLM EasyAdmin using Apache webserver

OpenLM Software is delivered with a built-in web server that starts as a service. Users can continue and use the built-in web server or use a standard web server such as Apache.
This guide explains how to configure OpenLM EasyAdmin to work with Apache webserver.

Test environment

Apache version 2.2.17
Windows 7 32 bit

Edit Apache configuration file “httpd.conf”

1. Add AddHandle line
Add this line:
AddHandler cgi-script .cgi

Note: the file may already contain this line. If it has been commented out (with a preceding hash sign “#”), just remove the hash character to enable it.

2. Define easyadmin

Add these lines at the end of the file:

Alias /easyadmin “<Location of easyadmin directory>”
<Directory “<Location of easyadmin directory>”>
Options +Indexes FollowSymLinks +ExecCGI
AllowOverride None
Order deny,allow
Allow from all
</Directory>

e.g. – if easyadmin is located at:
“C:\Program Files\OpenLM\OpenLM Server\WebApps/EasyAdmin2” then you need to add the following:

Alias /easyadmin “C:/Program Files/OpenLM/OpenLM Server/WebApps/EasyAdmin2”
<Directory “C:/Program Files/OpenLM/OpenLM Server/WebApps/EasyAdmin2”>
Options +Indexes FollowSymLinks +ExecCGI
AllowOverride None
Order deny,allow
Allow from all
</Directory>

3. Apply & Save changes

Save & close “httpd.conf”.
Restart Apache server.

Run application

To run easyadmin use the following url:

http://<apache server>:<apache port>/easyadmin/index.html
e.g. if Apache server is installed on a server named olm-prod on port 8080, use the following address: http://olm-prod:8080/easyadmin/index.html

Please follow and like us:

Serve OpenLM EasyAdmin using Microsoft IIS 6

Serve OpenLM EasyAdmin using Microsoft IIS 6

OpenLM Software is delivered with a built-in web server that starts as a service. Users can continue and use the built-in web server or use a standard web server such as Microsoft IIS 6.
These guide explains how to configure OpenLM EasyAdmin to work with Microsoft IIS 6.

1. Create easyadmin site in IIS

Open “Control Panel–>Administrative Tools–>Internet Information Services”
Right-Click “Default Web Site” and select “New–>Virtual Directory…”:
Press “Next” on the wizard:
For Alias use “easyadmin” and press “Next”:
Set directory to easyadmin path, typically “C:\Program Files\OpenLM\OpenLM Server\WebApps\EasyAdmin2” and press “Next”:
Add “Execute (such as ISAPI applications or CGI)” to the allowed access permissions and press “Next”:
Click “Finish”:

2. Config easy admin to use proxy.exe

Navigate to easyadmin directory, typically: “C:\Program Files\OpenLM\OpenLM Server\WebApps\EasyAdmin2”
Edit file “Config.js” and change “proxy.cgi” to “proxy.exe” as seen here:

3. Delete old log files

The log files are located in %ALLUSERSPROFILES%\Application Data\OpenLM\openlm_proxy.log (typically “C:\Documents and Settings\All Users\Application Data\OpenLM\openlm_proxy.log”)

4. Check that easyadmin is working

Open web browser and browse http://<web server>/easyadmin/index.html

Additional steps necessary for Windows 2003 Server (after creating the virtual directory)

Right-click the new “easyadmin” virtual directory and select “Properties”:

At the properties form click “Configuration…” button:

Click “Add…”:

At “Add/Edit Application Extension Mapping” click “Browse…” and navigate to “cgi-bin” directory (Typically in C:\Program Files\OpenLM\OpenLM Server\WebApps\EasyAdmin2\cgi-bin)

Change filter type to “CGI exe files (*.exe) and select “proxy.exe”

You need to add double quotes to the file path and set “exe” as Extension

Click “OK”.

Navigate to “Web Service Extensions”, select “All Unknown CGI Extensions” and click “Allow”:

Please follow and like us: