Why are Users not added to AD Group after LDAP Sync

Hello Everybody.


This article talks about the common issue faced when using LDAP Group Sync for Authentication in Harness and how users do not get added after linking the Group.


Let’s assume you are using LDAP for User Auth in Harness and are linking it to the AD to add users in Groups in Harness. We start by creating the User Group in the Harness UI where we will perform the Group User Sync with the LDAP Server, this is done by searching the Group Name which then returns if it exists.

Once we click on Link Group the Sync starts in the background and results in the outcome where the users have been populated. This is done in intervals based on the Auth Config for the LDAP Server.

The final outcome will look like below where the users have been added.

Problem Statement

The manual method works perfectly fine but when we need to manage 100s of User Groups it would become tedious so Harness provides automation functionality using the Terraform Provider to add the Groups.

This is done by providing the LDAP Group Sync Schema as mentioned here : Terraform Registry

We have seen cases where when using this functionality customers have run into issues where the User Groups on the Harness end never end up populating the Users in the UI.

In the UI we can see that the User Group which was created for the sync test via TF Prov was done with the Group name :


But the Users never get added which is not ideal and in order to Troubleshoot this, When we take a look at the logs for the Sync Task we can see that Harness Ldap Sync is running on this Group but it is not able to find any members and is the reason why the user is not showing up on Harness :

2022-11-30 07:05:09,807 [1.0.77437-000] 18738 [task-exec-394] INFO - No entries found in group 

2022-11-30 07:05:09,548 [1.0.77437-000] 18738 [task-exec-394] INFO - LdapSearchRequest : [[org.ldaptive.SearchRequest@862781980::baseDn=CN=app_app_app_xxxxxxxxxxxxxxxx

The reason for this is because the Dn which is present for this Group harnesstest-MP according to the config at the LDAP Server end should be something like :

"distinguishedname": "CN-harnesstest-MP,OU=App..........

But what is being provided to Harness during the sync is :

"distinguishedname": "CN=app_app_app_uemxxxxxxxxxxxxx

The same CN is supposed to be picked up so that the Group Sync works, The issue is that group Dn is set to the wrong value in Harness.

1 Like