Trouble importing users into ACS 5.0.0.21

Answered Question
Aug 12th, 2010

Hi.  We're having some trouble importing users via the csv import into our new ACS 5.0.0.21 install.

I downloaded the template from the "Import" page and wrote a script that populated the .csv with all of the required data but it seems to fail every time on the Identity Group.

At first I thought it was because the groups weren't in the system already so I manually added each group.  I retried the import and it still fails with the message:

2010-08-12 05:56:47: Record number: 1, Internal User <userid>: Import Failed
2010-08-12 05:56:47: <userid>: Referenced object not found
IdentityGroup:<Group Name>.

This repeats for every user and the group name changes based on the group we need to add them to.

From what I can see, there aren't any additional line breaks or extra characters anywhere in the csv file so I don't understand what could possibly be causing the import to fail.

Any insight would be appreciated.

Thanks!

I have this problem too.
0 votes
Correct Answer by jrabinow about 6 years 3 months ago

You need to have the full path of the identity groups. Since it is hierarchical it includes all names

of parent nodes separated by :. For example if you created "Test Group" under "All Groups"

then string for import file would appear as:

dave,,TRUE,FALSE,1234,,All Groups:Test Group

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
jrabinow Thu, 08/12/2010 - 07:45

First I do recommend upgrading to ACS 5.1 when you have a chance. ACS 5.1 has richer functionality in the area of import (add/modify/delete) and also provides export capabilities

I do not have access to an ACS 5.0 system. However, the following file works for me in ACS 5.1 (assuming you have no internal user attributes defined)

name:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required","changePassword:Boolean(true,false):Required",password:String(32):Required,enablePassword:String(32),UserIdentityGroup:String(256)
dave,,TRUE,FALSE,1234,,All Groups

first line is header; second is data. This corresponds to:

name: dave

description:

enabled: TRUE

changePassword: FALSE

password: 1234

enablePassword:

UserIdentityGroup:  All groups  (this is default defined roup)

mlangguth Thu, 08/12/2010 - 08:01

Thanks for the response.  The csv you posted is pretty much what we've been trying:

name:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required","changePassword:Boolean(true,false):Required",password:String(32):Required,enablePassword:String(32),UserIdentityGroup:String(256)
userid,,true,true,password,,Test Group

That fails when we try to import it into our system, citing an error with the Identiy Group.

Correct Answer
jrabinow Thu, 08/12/2010 - 12:37

You need to have the full path of the identity groups. Since it is hierarchical it includes all names

of parent nodes separated by :. For example if you created "Test Group" under "All Groups"

then string for import file would appear as:

dave,,TRUE,FALSE,1234,,All Groups:Test Group

mlangguth Thu, 08/12/2010 - 13:11

Thank you!

That did the trick.  I've been all over the documentation (or so I thought) and never saw this mentioned.

You wouldn't happen to know an easy way of upgrading to 5.1, would you?  We've always run our own homegrown TACACS+ servers.  This is the first time we've ever messed with ACS.

Thanks again!

jrabinow Sat, 08/14/2010 - 16:38

There are two ways to do this

1) Install two patches followed by an upgrade to 5.1

2) Backup 5.0 data, reimage server to 5.1 and then restore the backup of 5.0 data

Can't really comment which is easier. More details on each of the options below

Option 1) Install two patches followed by application upgrade

there are a couple patches that need to be installed before upgrading to 5.1

1) ACS 5.0 patch 9. On CCO: 5-0-0-21-9.tar.gpg

2) ADE-OS version 1.2    /// upgrades operating system version. On CCO: ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg

Both these steps use the following command "acs patch install patch-name.tar.gpg repository repository-name "

Then can perform the upgrade to 5.1 using following command:

application upgrade application-bundle remote-repository-name

All the patches/upgrade bundles can be downloaded from CCO. 5.1 package is called "ACS_5.1.0.44.tar.gz"

More detailed documentation is at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html#wp1167547

Option 2) Backup/Restore Option

Step 2 Perform Reimaging the ACS Server, page 5-6.

ACS upgrades the ADE-OS to 1.2 and ACS to 5.1.

Step 3 Restore the ADE-OS and ACS configuration data to the ACS 5.1 server:

Issue the restore command in the EXEC mode to restore the backup taken earlier:

restore filename repository repository-name

While ACS restores the 5.0 configuration data, it begins to convert and upgrade the ACS 5.0 Monitoring and Report Viewer data to the 5.1 format.

In Boh case the folloiwng steps should be performed to monitor status of upgrade

Step 4 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears with the following information:

Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.

Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:

The View database conversion is complete.

Step 5 After the data upgrade status is complete, click Switch Database.

Actions

This Discussion

Related Content