Enabling health check alerts for User Visibility

Follow these steps to enable health check alerts from the IBM® MaaS360® Portal for the Cloud Extender® User Visibility module.

Before you begin

This feature is available for Cloud Extender MEG Module 2.86 or later only.

Procedure

  1. From the IBM MaaS360 Portal Home page, select Setup > Cloud Extender Settings.
  2. Select Health Check Configuration > LDAP User Visibility Alerting.
    The LDAP User Visibility Alerting list is displayed. (This list also displays alerts for User Visibility for Active Directory.)
  3. From the list, enable the alerts that apply to your environment.
    If you set an alert subscription to Critical Only, the Cloud Extender sends an email message or a text message to the administrator for all alerts that are marked as Critical.
    The following table provides a description of each alert and the steps you take to remediate the alert:
    Alert name Alert description Remediation steps
    Invalid credentials The service account credentials are expired or invalid. The Cloud Extender cannot connect to the configured LDAP server because the server is unreachable or the service account credentials are invalid.
    1. Verify that LDAP is operational.
    2. Check for recent firewall or proxy changes that might block access to the LDAP server.
    3. Check whether the bind administrator credentials are valid and not expired. If required, use the Cloud Extender Configuration Tool in the MaaS360 Portal to update the credentials.
    4. Check whether any intrusion detection software in your network might be locking the bind administrator account. If the account is locked, add the account to the allow list to prevent the intrusion detection software from locking the account.
    5. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Insufficient access Insufficient permissions on the LDAP bind administrator account is causing an insufficient access error response from the LDAP server for certain LDAP operations.
    1. Verify that the LDAP bind administrator account uses the necessary permissions to execute Bind, Query, and Filter operations on LDAP.
    2. If required, use the Cloud Extender Configuration Tool in the MaaS360 Portal to update the bind administrator account.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Server down The authentication LDAP server is down. The Cloud Extender cannot connect to the directory server because the directory server is down or the Cloud Extender configuration is invalid.
    1. Verify that the configured LDAP server is reachable from the Cloud Extender server. Use the Cloud Extender reachability test to confirm that the LDAP server is reachable from the Cloud Extender server.
    2. Check whether the bind administrator account is still active and the password is not expired. If required, use the Cloud Extender Configuration Tool in the MaaS360 Portal to update the bind administrator account credentials.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Server busy The authentication LDAP server is busy. The Cloud Extender cannot process the client request because the LDAP server is busy.
    1. Check whether the LDAP server is low on system resources.
    2. Check whether other applications are also using LDAP resources during this time period.
    3. Review the LDAP server performance and contact internal or vendor teams for assistance with resolving this issue.
    Server unavailable The authentication LDAP server is unavailable. The Cloud Extender cannot process the LDAP bind request with the configured bind administrator credentials because the LDAP server might be unavailable.
    1. Verify that the configured LDAP server is reachable from the Cloud Extender server. Use the Cloud Extender reachability test to confirm that the LDAP server is reachable from the Cloud Extender server.
    2. Check whether the bind administrator account is still active and the password is not expired. If required, use the Cloud Extender Configuration Tool in the MaaS360 Portal to update the bind administrator account credentials.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Script timeouts The User and Group discovery script from LDAP is taking more time to complete than the configured threshold. The IBM MaaS360 Portal might not be using the latest User and Group information from your LDAP directory. The User and Group discovery scripts time out due to the following issues:
    • Too many users and groups that are configured in the Cloud Extender scope.
    • The Cloud Extender is trying to reach remote LDAP servers or domain controllers that are slowing down the script.
    Follow these steps to remediate this alert:
    1. Use the Cloud Extender Scaling Tool to determine whether you require multiple Cloud Extenders for your environment and if your current scale meets the criteria. From the IBM MaaS360 Portal Home page, select Setup > Services > Enterprise Email Integration to download the tool.
    2. If you are using LDAP mode, verify that the search base for users is not that wide. Use the Cloud Extender Configuration Tool in the IBM MaaS360 Portal to limit the scope of the search base and use filters for Users and Groups to optimize search performance.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for guidance on correct scaling or recommendations on how to increase the timeout settings.
    Delays in Full uploads An error occurred during a full sync from your LDAP directory. The last successful and complete upload from the server occurred more than a day ago from the scheduled upload date. The server is either unreachable or the service account is invalid. The scheduled full sync of Users and Groups from your LDAP directory did not complete within the expected time frame.
    1. Verify that the Cloud Extender that is configured for User Visibility is operational.
    2. Check whether the bind administrator account is still active and the password is not expired.
    3. Check whether your LDAP server is reachable from the Cloud Extender server.
    4. From the Cloud Extender Configuration Tool in the MaaS360 Portal, select Setup > Cloud Extender > Actions and run a Test action on the Cloud Extender that is configured for User Visibility.
    5. From the Cloud Extender Configuration Tool in the MaaS360 Portal, select Setup > Cloud Extender > Actions > User Visibility Refresh to refresh the User Visibility data. Wait 1 hour to confirm that the issue is resolved.
    6. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Delays in Delta uploads The last successful incremental upload from the LDAP server is more than 8 hours from the scheduled upload date. The server is unreachable or the service account is invalid. The scheduled incremental sync of Users and Groups from your LDAP server did not complete within the expected time frame.
    1. Verify that the Cloud Extender that is configured for User Visibility is operational.
    2. Check whether the bind administrator account is still active and the password is not expired.
    3. Check whether your LDAP server is reachable from the Cloud Extender server.
    4. From the Cloud Extender Configuration Tool in the MaaS360 Portal, select Setup > Cloud Extender > Actions and run a Test action on the Cloud Extender that is configured for User Visibility.
    5. From the Cloud Extender Configuration Tool in the MaaS360 Portal, select Setup > Cloud Extender > Actions > User Visibility Refresh to refresh the User Visibility data. Wait 1 hour to confirm that the issue is resolved.
    6. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Error in full uploads The Cloud Extender cannot upload all User and Group information from the LDAP server due to critical errors during the sync.
    1. Verify that LDAP is operational.
    2. Check for recent firewall or proxy changes that might block access to the LDAP server.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
    Error in incremental uploads The Cloud Extender cannot upload new or changed User and Group information from the LDAP server due to critical errors during the sync.
    1. Verify that LDAP is operational.
    2. Check for recent firewall or proxy changes that might block access to the LDAP server.
    3. If this issue continues, collect logs from the Cloud Extender, and then contact IBM Support for further assistance.
  4. Publish the Cloud Extender settings to activate the alerts.