[ngw] GMS user provisioning
JBrugaletta at braytonlaw.com
Fri Jun 8 21:16:16 UTC 2018
That's what I thought! ;) I couldn't figure out the difference (from the device's perspective) between the two scenarios. Doesn't appear to be one, other than a potential failed attempt to connect while the re-added GW account is being synced.
Ideally I want to do Ed's Big Bang approach. Have to think it out though, especially the certificate part. I believe we're using a GoDaddy wildcard cert, but I remember having to "generate" it on the GMS server itself. James mentioned that he has it at the firewall level, so he doesn't have to tinker with it at the server level.
>>> "Ed Hanley" <ehanley at microfocus.com> 6/8/2018 1:47 PM >>>
Thinking this over some more, I think the mobile device will have exactly the same behavior in both Scenarios below. The mobile device is configured to connect to a specific DNS name and IP Port with its Mailbox ID and Password. Some mobile devices will just handle the switch without end user intervention and some others might not. It's hard to tell why some devices need to be touched when a server side change like this is done.
My Scenario 2 approach is more of a big bang, all at once, where the new server is already pre-populated with the 132 users' email in the SQL DB. Whereas Scenario 1 is a slower, more time consuming switch over, where you have to wait for the users' mailboxes to repopulate the SQL DB as you switch from LDAP to GroupWise provisioning mode. So the user has a longer outage of email service on their mobile device.
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/8/2018 10:25 AM >>>
Logic makes sense. I'm doing the same thing (matching groups). But either way (new server, or deleting/recreating accounts from LDAP to GW), the devices no longer (or in your case not yet) exist. Right? So it seems either way the devices should reconnect. I wonder if it's a timing thing that some reconnect and some don't... or a phone model. Devices will still have accounts.
Scenario 1: Existing server, Delete LDAP Account, Add GW Account, wait for device
Scenario 2: New server, Add GW account, wait for device
I dunno, just trying to understand why it wouldn't work one way ;)
>>> "Ed Hanley" <ehanley at microfocus.com> 6/8/2018 12:15 AM >>>
I'm creating a new GMS server instance and it gets provisioned by a GroupWise Group instead of an LDAP Group. The GroupWise Group has the exact same entries in it as the LDAP Group. Assume we have 132 user accounts in the old and new Groups. So the old server would have 132 users provisioned and the new server would have 132 users provisioned and all synced from all the GroupWise POAs to the GMS SQL DB. Now we just need the end users' mobile devices to connect in when the Firewall NAT is changed from the old server to the new server.
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/7/2018 3:27 PM >>>
Hey Ed, I'm curious how that works... if I understand you correctly, you're creating a new server and setting it up to use GW accounts initially (no LDAP involved)... but no devices would exist on the new server, only the user accounts. So you'll have the user accounts sync'd on both servers, new server without devices, correct?
How is that much different from deleting/recreating the accounts (users sync, no devices)... accounts are still on users' phones, but it won't auto-reconnect. Either way, GMS won't know about the devices.
THE NEW GMS SERVER ADDS THE NEW DEVICES (FOR THE FIRST TIME - NOT A CHANGE FROM LDAP TO GW) AS THEY CONNECT IN TO SYNC. END USERS' DEVICES DO NOT GENERATE ANY PROMPT TO THE MOBILE DEVICE USER, THE DEVICE WILL AUTO RE-SYNC. SO YOU DO THE FIREWALL NAT CHANGE LATE Saturday NIGHT.
I have an SR going with Chad and they (backline) said "have users delete/re-add from their phones".
BRIAN C - CAN YOU ATTEST THAT THIS WORKED FINE FOR YOU WHEN I WAS ON-SITE IN MAY 2018?
>>> "Ed Hanley" <ehanley at microfocus.com> 6/7/2018 1:03 PM >>>
Using the other method avoids all those end user device resets.
>>> Ed Hanley 6/5/2018 7:47 PM >>>
All of mine involved changing the NAT at the Firewall. Each GMS was using the wildcard cert for the customer's acme.com domain name. I bet it would work for regular public certs on each GMS. As long as the device accepts the cert as valid, from a public CA, the users do not get prompted.
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/5/2018 7:21 PM >>>
Thanks for the tips, Ed. I may end up going this route but would have to think it through a little. Is there a TID on doing such a thing? I envision cert problems, IP address problems, etc ;)
>>> "Ed Hanley" <ehanley at microfocus.com> 6/5/2018 3:09 PM >>>
Note the paragraph of:
If you want to accomplish the transition all at once, you can create a new Mobility system, based entirely on GroupWise provisioning, and then switch from the old system to the new system, perhaps overnight, without notifying your mobile device users. Most users will likely not notice the change. You can then have those users that contact you about data integrity issues delete and re-add their email accounts in order to resynchronize the GroupWise data.
This is what I do for customers. New GMS 18.0.1 on a new SLES 12 SP3 OS. The Big Bang Theory.
>>> Ed Hanley <ehanley at microfocus.com> 6/5/2018 10:53 AM >>>
See "Changing the User Source for Your Mobility System"
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/7/2018 2:53 PM >>>
No, I've been on GW *auth* for a while now but *provisioning* was set to LDAP using an eDir group, so all accounts were LDAP based. I've switched about 6 users so far... 4 out of 6 have had to delete/re-add the account on their phones. Not how I was hoping it'd go.
>>> "Morris Blackham" <Morris.Blackham at microfocus.com> 6/7/2018 10:34 AM >>>
Could be an auth problem from the device. Were you using LDAP auth before and are now using GW auth?
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/6/2018 6:15 PM >>>
Getting the hang of the provisioning switch today. The only issue I'm having is that when users are deleted from LDAP and re-added via GW, their devices do not re-sync to GMS. User accounts are all sync'd up, but device state shows "Never connected"... some come back, some don't. Not sure what the trick is.
>>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 6/5/2018 5:20 PM >>>
Thanks, that's what I wanted to know. I'm doing more testing here. Deleted my coworkers out of the eDir group, created a GroupWise group (Group Mobile) and added them to the dist list... then went Users > Groups tab > Add Group and added my new GW group. My user account (joeb) is getting sync'd, but the other 3 aren't. Any ideas? I've tried forcing a Poll Now, restarting GMS, removing/re-adding the group. No dice.
>>> "Morris Blackham" <Morris.Blackham at microfocus.com> 6/5/2018 2:48 PM >>>
Toggling from LDAP to GW does nothing except GMS will use whatever method is default when it does the Poll for new users to add to the GAL.
Leads to this question... what exactly does toggling Config > User Source > Provisioning from LDAP to GroupWise do? I was able to add my GW account while leaving that set to LDAP for now; didn't think it'd allow that unless GW was selected under Provisioning.
Thanks for the help
>>> "Morris Blackham" <Morris.Blackham at microfocus.com> 6/5/2018 10:58 AM >>>
No, if you remove them from the LDAP group or delete the group, the user in GMS will get nuked. Then add them back with GW provisioning, either as separate users or via a GW group. Then the GMS user will get resynced and the user should see the same data after reconnecting when the sync is done. The existing devices do not stay on LDAP, unless you are talking about GMS authentication to LDAP instead of GW auth.
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/5/2018 11:11 AM >>>
That's my main concern... do the users themselves have to do anything or will it just "find" them and re-sync?
Are you certain that they auto-delete? My reason for asking is this paragraph that Ed linked to. It almost makes it seem like NEW devices will be linked via GW, but existing devices will stay LDAP.
"If you want to start using GroupWise as the user source for provisioning, new mobile device users are added to your Mobility system based on their GroupWise location (user_name.post_office_domain). Existing mobile device users are still associated with their LDAP context (cn=user_name,ou=organizational_unit,org=organization). On the Users page, you can determine the source of each user by mousing over it."
>>> "Morris Blackham" <Morris.Blackham at microfocus.com> 6/5/2018 9:00 AM >>>
Switching the provisioning source from LDAP to GW will require you to remove the existing GMS users, then add them back via a GW group. This will delete all their data from the GMS database. When you add them back via GW provisioning, it will re-sync the data. Probably want to do it after hours or on a weekend; the resync could take quite a while depending on how many users you have.
When the user reconnects from the device, they 'should' have the same data.
>>> Joe Brugaletta <JBrugaletta at braytonlaw.com> 6/5/2018 9:10 AM >>>
So it's similar to how I currently do it with eDir? Add users to the Dist List and it auto-creates them in GMS? My main concern is "converting" from LDAP to GW... I don't know if that screws everything up as far as current users/syncing.
>>> "Bruce Perrin" <Bruce.Perrin at lbb.texas.gov> 6/5/2018 3:30 AM >>>
We have our GMS set to "GroupWise". We created a GW group for the mobile users and configured GMS to use that group for provisioning.
No issues so far. We have been running like this for years.
>>> "Joe Brugaletta" <JBrugaletta at braytonlaw.com> 6/4/2018 5:30 PM >>>
So trying to migrate from eDir to AD and just came across a little issue that I'm scared will break users' phone email sync, so wanted to ask here first.
In the GMS console, under "Config > User Source", I currently have Provisioning set to LDAP, but Authentication set to GroupWise. The LDAP server is currently pointing to an OES box, where I have a group called "Group-Mobile" in eDir that gets synced. I add a new user there and, shortly after, the user gets created in GMS.
What's the best way to switch GMS to AD? Or change it to GroupWise (not sure what that does)?