Active Directory users are not synching
From Swivel Knowledgebase Wiki
Overview
Active Directory users are not synchronizing from the AD group into PINsafe.
Prerequisites
PINsafe 3.x
Symptoms
Updates in the AD are not replicated on the PINsafe server.
The Active Directory server has a group that contains some users that are not appearing in the AD repository on PINsafe.
The PINsafe logs may display the following:
ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception ADserver1.xxx.swivelsecure.com:389
or
ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: OU=Swivelsecure,DC=Swivelsecure,DC=com]; remaining name CN=Users,OU=Swivelsecure,DC=Swivelsecure,DC=com
or
No error appears in the PINsafe log, but the user is not imported.
Solutions
If you see an error, it can be caused by a user who is a member of the PINsafeusers group but belongs to another domain. PINsafe cannot read the attributes for that user; to do so it would need to connect to that AD domain or read from a Global Catalog server.
Ensure that you can browse the AD domain; this verifies network connectivity and authentication.
If one PINsafe instance is not authenticating but other instances are, verify that the synchronisation details are correct and that synchronisation occurs at differing times. Restart the PINsafe instance and monitor for synchronisations.
If you see no error, but the user is not imported, and you are sure that the user is a member of an AD group configured as a PINsafe group, check whether this is configured as the primary group for that user. PINsafe cannot read membership of primary groups, as this is handled in a non-standard way by Active Directory. Either change the primary group for the user to a different group, or if this is not possible or desirable, create a new group within Active Directory and use that as the PINsafe group. This problem also applies to indirect membership: if the user's primary group is configured as a member of another group that PINsafe is using, the user will not be imported.
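The two causes above (a group member from another domain, and membership held only through the primary group, directly or indirectly) can be checked against exported directory data. The following is an added example, not Swivel's code: it assumes entries shaped like LDAP search results using the AD attributes member, objectSid and primaryGroupID, and every DN and SID in it is constructed.

```python
# Constructed sample data shaped like LDAP search results; every DN and SID is made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333"  # domain SID (constructed)
BASE = "OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com"
GROUP_DN = "CN=PINsafeusers," + BASE
DAVE_DN = "CN=dave,CN=Users,DC=other,DC=swivelsecure,DC=com"
GROUPS = {
    GROUP_DN: {"objectSid": SID + "-1605",
               "member": ["CN=alice," + BASE, DAVE_DN, "CN=Staff," + BASE]},
    "CN=Staff," + BASE: {"objectSid": SID + "-1610", "member": []},
}
USERS = {
    "CN=alice," + BASE: {"objectSid": SID + "-2001", "primaryGroupID": 513},
    "CN=bob," + BASE: {"objectSid": SID + "-2002", "primaryGroupID": 1605},
    "CN=carol," + BASE: {"objectSid": SID + "-2003", "primaryGroupID": 1610},
    DAVE_DN: {"objectSid": "S-1-5-21-4444444444-5555555555-6666666666-1201", "primaryGroupID": 513},
}

def domain_of(dn):
    """DC= components of a DN, lower-cased (naive split: assumes no escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip().lower().startswith("dc="))

def primary_group_sid(user):
    """AD stores only the RID of the primary group; swap it in for the user's own RID."""
    return user["objectSid"].rsplit("-", 1)[0] + "-" + str(user["primaryGroupID"])

def nested_group_sids(group_dn, groups):
    """SIDs of group_dn and of every group nested in it through 'member'."""
    seen, stack = set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in groups and dn not in seen:
            seen.add(dn)
            stack.extend(groups[dn]["member"])
    return {groups[dn]["objectSid"] for dn in seen}

def diagnose(group_dn, groups, users):
    """Map each user that a 'member'-based import would miss to the likely cause."""
    target, sids = groups[group_dn], nested_group_sids(group_dn, groups)
    report = {}
    for dn, user in users.items():
        listed = dn in target["member"]
        if listed and domain_of(dn) != domain_of(group_dn):
            report[dn] = "other-domain"  # listed, but attributes live in another domain
        elif not listed and primary_group_sid(user) in sids:
            direct = primary_group_sid(user) == target["objectSid"]
            report[dn] = "primary-group" if direct else "primary-group-indirect"
    return report

if __name__ == "__main__":
    print(diagnose(GROUP_DN, GROUPS, USERS))
```

With the sample data, bob and carol never appear in any member list because their membership exists only as a primaryGroupID value, which is why no error is logged for them.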
For these and further solutions, see AD data source configuration.

