ERROR CALCULATING POLICIES IN SCOPE Check that your LDAP server is properly configured both P and CP

RyanMilliron
New Contributor II

First, sorry for the long post. I have been working on this with Engineers for a few days:

I wanted to document an issue I am experiencing currently with my Jamf Pro Cloud instance. At the time of writing this I am working with Jamf Engineers and we have not yet come to a solution, but I wanted to get information out there in case anyone in the community has seen this issue before, and (if/when) I get my problem resolved I would like to be able to provide a solution for both Jamf engineers and the community to look back on.

We are currently running Jamf Pro Cloud 10.38.3 and started experiencing issues that I noticed Monday with our LDAP connection to OneLogin. We started to get the ERROR CALCULATING POLICIES IN SCOPE for both Policies and Configuration Profiles for all users. It is affecting almost all staff members at this point in one way or another, mostly in not being able to receive configuration profiles that should automatically apply based on Smart Group deployments. When I check my Jamf Logs I continually see an error:

[ERROR] [ina-exec-63] [figurationProfilesService] - Error while recalculating profiles in scope for computer: 1199. Message: [LDAP: error code 18 - Invalid syntax

 

I have checked LDAP settings, they have not changed since before I started at this position, and the service account is still active in OneLogin, and set up correctly in Jamf, and all of our mappings had not changed. I am able to produce valid test responses for User Mapping, User Group Mapping and User Group Membership Mappings. From the OneLogin side, I see valid access authentication for our LDAP server account, so I know that there is communication coming from Jamf and at least communicating with OneLogin via the service account.

Working with a Jamf Engineer, we found several smart groups that were calling for usernames and emails of users that are no longer with the company, as well as a few Groups that are no longer in OneLogin. I have removed those with no change to the error message coming from Jamf on user management tabs or the Jamf Log files.

 

I have an open request at this point to verify that the following OneLogin article has been completed:

  1. Execute query PI-002208 to disable LDAP connection pooling.

I have also linked another Jamf Nation article mentioning the PI in reference, as I noticed while I was working with the Jamf Engineer I was continually kicked out of my Jamf Cloud Instance, often immediately after logging back in. 

https://community.jamf.com/t5/jamf-pro/jamf-cloud-short-session-expiry-in-web-browser/m-p/177167

https://onelogin.service-now.com/support?id=kb_article&sys_id=a197410fdbf3b0501c167e77f4961914#jplda...

Hopefully this is the solve I am looking for. If so I will update this thread. If anyone else has had issues with Jamf LDAP and OneLogin please let me know if you found a solution.

1 ACCEPTED SOLUTION

RyanMilliron
New Contributor II

Update: Worked with Jamf Engineers today and we believe the error:

[ERROR] [ina-exec-63] [figurationProfilesService] - Error while recalculating profiles in scope for computer: 1199. Message: [LDAP: error code 18 - Invalid syntax 

was caused by a recent change in our OneLogin roles/groups that renamed and removed a few LDAP groups that were being called upon in Policies and Configuration Profiles. Removing the nonexistent LDAP groups and adding the newly named groups in the affected Policies and Configuration Profiles seems to have resolved the issue. Will confirm all functionality over the next 24 hours.
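
An added example, not part of the original post and not Jamf's or OneLogin's own code: one way to audit for the condition described in the accepted solution, by listing scoped LDAP user groups that the directory no longer returns. The XML layout is an assumption modelled on Jamf Pro Classic API policy records; the policy names, group names and the case-insensitive comparison are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: policy records shaped like Jamf Pro Classic API XML (assumed layout).
SAMPLE_POLICIES = """
<policies>
  <policy>
    <general><id>12</id><name>Install VPN Profile</name></general>
    <scope>
      <limitations>
        <user_groups>
          <user_group><name>Engineering</name></user_group>
          <user_group><name>Sales-West</name></user_group>
        </user_groups>
      </limitations>
      <exclusions>
        <user_groups><user_group><name>Contractors</name></user_group></user_groups>
      </exclusions>
    </scope>
  </policy>
  <policy>
    <general><id>27</id><name>Wi-Fi Settings</name></general>
    <scope>
      <limitations><user_groups><user_group><name>engineering</name></user_group></user_groups></limitations>
      <exclusions><user_groups/></exclusions>
    </scope>
  </policy>
</policies>
"""

# Constructed sample: group names the directory returns today (after a rename).
CURRENT_LDAP_GROUPS = ["Engineering", "Sales-Western-Region", "Contractors"]

def find_stale_group_refs(policies_xml, directory_groups):
    """Return (policy_id, policy_name, scope_section, group) for each scoped
    LDAP group that is absent from the directory. Comparison is case-insensitive."""
    known = {g.casefold() for g in directory_groups}
    stale = []
    for policy in ET.fromstring(policies_xml).iter("policy"):
        pid = int(policy.findtext("general/id"))
        name = policy.findtext("general/name")
        for section in ("limitations", "exclusions"):
            for el in policy.iterfind(f"scope/{section}/user_groups/user_group/name"):
                group = (el.text or "").strip()
                if group and group.casefold() not in known:
                    stale.append((pid, name, section, group))
    return stale

if __name__ == "__main__":
    for pid, name, section, group in find_stale_group_refs(SAMPLE_POLICIES, CURRENT_LDAP_GROUPS):
        print(f"policy {pid} ({name}): {section} references missing LDAP group {group!r}")
```

Running the same check against Configuration Profile scope records before and after a directory group rename shows which scopes need to be repointed.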
