Active Directory users are not synching

From Swivel Knowledgebase
Revision as of 11:25, 7 August 2013 by Gfield (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Logo.gif


Overview

Active Directory users are not synchronizing from the AD group into Swivel.


Prerequisites

PINsafe 3.x


Symptoms

Updates in the AD are not replicated on the Swivel server.

The Active Directory server has a group that contains some users that are not appearing in the AD repository on Swivel.

The Swivel logs may display the following:

ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception ADserver1.xxx.swivelsecure.com:389

or

ERROR 192.168.1.1 admin:Exception occured during repository group member query, group: CN=PINsafeusers,OU=PINsafe,DC=xxx,DC=swivelsecure,DC=com, exception javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of: OU=Swivelsecure,DC=Swivelsecure,DC=com]; remaining name CN=Users,OU=Swivelsecure,DC=Swivelsecure,DC=com

or

No error appears in the Swivel log, but the user is not imported.

Solutions

If you see an error, this can be caused by a user who is a member of the group PINsafeusers but is part of another domain. Swivel will not be able to read the attributes for that user. Swivel would need to connect to that AD domain or read a Global Catalogue Server.

Ensure that you can browse the AD domain, this will verify network connectivity and authentication.

If it is one Swivel instance that is not authenticating but other instances are, verify that the synchronisation details are correct, ensuring that synchronisation occurs at differing times. Restart the Swivel instance and monitor for synchronisations.

If you see no error, but the user is not imported, and you are sure that the user is a member of an AD group configured as a PINsafe group, check whether this is configured as the primary group for that user. Swivel cannot read membership of primary groups, as this is handled in a non-standard way by Active Directory. Either change the primary group for the user to a different group, or if this is not possible or desirable, create a new group within Active Directory and use that as the Swivel group. This problem also applies to indirect membership: if the user's primary group is configured as a member of another group that Swivel is using, the user will not be imported.

If there are too many synchronisations to the AD server such as multiple repositories configured, or synchronisation is set to a small value such as 1-5 minutes, then the socket may be constantly busy. Ensure AD synchronisation is set to occur at differing times and has a suitable interval between synchronisations, typically every 60-120 minutes.

For these and further solutions see AD data source configuration