Directory User Synchronization

GW 14.2.1 / SLES 11 SP4 / Active Directory 2012

I have my Primary Domain, pridom, MTA configured to run a Directory User Synchronization nightly at 11pm. It runs dutifully with lots of output (logging is set to verbose):

    00:00:00 7B6D Scheduled Event Settings:
    00:00:00 7B6D Today's Directory User Sync Event Times:
    00:00:00 7B6D 23:00:03
    ....
    23:00:11 795F Synchronizing Directory XYZ_ORG
    23:00:11 795F Connecting to LDAP server at ldapad for Directory XYZ_ORG
    ....lots of detail....
    23:00:16 795F Disconnecting from LDAP server for Directory XYZ_ORG
    23:00:16 795F Synchronization complete for Directory XYZ_ORG

Immediately following is this:

    23:00:16 795F Synchronizing users for Domain pridom
    23:00:16 795F Error: No LDAP Server Address is specified
    23:00:16 795F Synchronization complete for Domain pridom

A Directory User Synchronization is also configured in a Secondary Domain's, podom, MTA. This appears in podom's log:

    23:00:10 3038 Synchronizing users for Domain podom
    23:00:10 3038 Error: No LDAP Server Address is specified
    23:00:10 3038 Synchronization complete for Domain podom

XYZ_ORG is Active Directory and pridom is set as its Sync Domain. I can sorta understand why Directory User Synchronization run by podom's MTA might get an error. However, I'm at a loss as to why pridom's MTA would get the same error.

Any insights are appreciated.
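The nightly run described above only shows its failure buried in a verbose MTA log. As an added example (not from the thread or from GroupWise), this parses log lines in the "HH:MM:SS THREAD message" form the post shows, pairs each "Synchronizing ..." line with its "Synchronization complete" line on the same thread id, and reports which Directory or Domain runs logged an Error in between. The sample log is constructed from the excerpts in the post.

```python
import re

# Line format of the GroupWise MTA verbose log shown in the post:
# "HH:MM:SS THREADID message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([0-9A-Fa-f]{4}) (.*)$")
START_RE = re.compile(r"^Synchronizing (?:users for )?(Directory|Domain) (\S+)")

# Constructed sample, modelled on the pridom MTA excerpt in the post
SAMPLE_LOG = """\
23:00:11 795F Synchronizing Directory XYZ_ORG
23:00:11 795F Connecting to LDAP server at ldapad for Directory XYZ_ORG
23:00:16 795F Disconnecting from LDAP server for Directory XYZ_ORG
23:00:16 795F Synchronization complete for Directory XYZ_ORG
23:00:16 795F Synchronizing users for Domain pridom
23:00:16 795F Error: No LDAP Server Address is specified
23:00:16 795F Synchronization complete for Domain pridom
"""

def parse_sync_runs(log_text):
    """Return one dict per sync run (Directory or Domain): its target,
    start/end time and every 'Error:' line logged inside the run."""
    runs = []
    open_runs = {}  # thread id -> run currently in progress on that thread
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, msg = m.groups()
        start = START_RE.match(msg)
        if start:
            run = {"kind": start.group(1), "target": start.group(2),
                   "start": ts, "end": None, "errors": []}
            open_runs[thread] = run
            runs.append(run)
            continue
        run = open_runs.get(thread)
        if run is None:
            continue  # chatter from a thread with no sync in progress
        if msg.startswith("Error:"):
            run["errors"].append(msg[len("Error:"):].strip())
        elif msg.startswith("Synchronization complete for"):
            run["end"] = ts
            del open_runs[thread]
    return runs

def failed_runs(log_text):
    """Only the runs that logged at least one Error: line."""
    return [r for r in parse_sync_runs(log_text) if r["errors"]]
```

Run over the podom log from the post it would report the Domain run for podom the same way.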
  • In article <cbristol.7s85an@no-mx.forums.microfocus.com>, Cbristol wrote:
    > XYZ_ORG is Active Directory and pridom is set as its Sync Domain. I can
    > sorta understand why Directory User Synchronization run by podom's MTA
    > might get an error. However, I'm at a loss as to why pridom's MTA would
    > get the same error.


    Interesting in that I'm not seeing any LDAP syncing attempts by any of the
    secondary MTAs.
    My gut feel is that the LDAP definition didn't get written fully everywhere
    it should be. Two things I'd try:
    A) Make a change to the existing LDAP server details for the directory,
    making sure 'Enable Synchronization' is checked along the way.
    B) Starting with the Primary Domain and then all other Domains, run
    Maintenance, Validate Database to make sure there are no errors.


    Andy of
    http://KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!

  • Hi,

    I would suggest that you double-check the configuration of the "LDAP Server" in the Admin Console.

    In the configuration of the connection to AD have you specified an IP address or DNS entry in the Address field?

    Please let us know.

    Cheers,
  • I use a DNS name in the Directory definition and in the LDAP server definition. The DNS name (same for both) resolves to a vIP that goes to 4 AD servers.

    This raises an interesting question. From what I've read, it seems that the LDAP server definition is necessary only if you want/need several LDAP servers for redundancy (we take care of that with a vIP) or if you need to have a Post Office using a specific LDAP address. Neither case is true for us. So, is the LDAP server definition unnecessary?

    I disabled the User Synchronization event for all MTAs except my primary domain. The
        23:00:10 3038 Synchronizing users for Domain podom
        23:00:10 3038 Error: No LDAP Server Address is specified
        23:00:10 3038 Synchronization complete for Domain podom
    messages no longer appear in those MTA logs. It still appears in the primary domain's log.

    Thank you!
  • Hi,

    After hours - in case this breaks something... in the directory definition change the DNS name to a static IP, you will probably need to re-enter the password for the LDAP user, test the connection to make sure it works. Then click on the sync button at the bottom. Let us know what you see in your logs.

    Cheers,
  • By "static IP" do you mean the vIP to which DNS name ldapad points:

        gw01:~ # nslookup ldapad
        Name: ldapad.xyz.org
        Address: 192.168.79.201

    or to one of the AD servers that sit behind the vIP?

        gw01:~ # nslookup xyz.org
        Name: xyz.org
        Address: 192.168.60.21
        Name: xyz.org
        Address: 192.168.64.196
        Name: xyz.org
        Address: 192.168.66.235

    CB
  • Hi,

    I would try the vIP address first. If that fails one of the physical server IPs.

    Cheers,
    On Thu, 19 Jan 2017 12:36:03 0000, cbristol wrote:

    > I use a DNS name in the Directory definition and in the LDAP server
    > definition. The DNS name (same for both) resolves to a vIP that goes to
    > 4 AD servers.


    When LDAP answers ... what is the sender IP? The vIP or the phys. one?
    (Maybe you have to do a small tcpdump.)

    Bernd
    Sorry for the delay; I had to schedule this, just in case...

    Tests run:
      • Changed the Directory address to the vIP address and ran a Sync: same error.
      • Changed the Directory address to the IP of one of my AD servers and ran a Sync: same error.
      • Changed the Directory address to the vIP, deleted the LDAP server that was under the Directory and ran a Sync: same error.

    Perplexing but, at least, this doesn't appear to affect anything else.
  • toblerone;2449193 wrote:
    On Thu, 19 Jan 2017 12:36:03 0000, cbristol wrote:

    > I use a DNS name in the Directory definition and in the LDAP server
    > definition. The DNS name (same for both) resolves to a vIP that goes to
    > 4 AD servers.


    When LDAP answers ... what is the sender IP? The vIP or the phys. one?
    (Maybe you have to do a small tcpdump.)

    Bernd


    Interesting thought; I'll look into it. However, the test results I got using an AD server's IP instead of the vIP (assuming that the AD server answered the LDAP query using its address) make this a low probability culprit.
    Thx!
  • Hi,

    May I suggest a packet trace/capture - I tend to use Wireshark - to see what is happening to the LDAP traffic sent/received? We can see if a "call" is even being made.

    Cheers,
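Bernd's question (does the LDAP reply come from the vIP or from a physical AD server?) and the last reply's suggestion to capture the traffic both come down to reading a packet trace. As an added example, not from the thread, this reads the text that "tcpdump -n" prints for TCP packets, groups packets by the MTA's source port, and for each LDAP connection reports the address the MTA connected to, the addresses that answered, and connections that were never answered at all. The MTA host address 192.168.79.10 and the packet lines are constructed; the vIP and AD server addresses are the ones from the thread.

```python
import re

# Packet header line printed by "tcpdump -n" for TCP:
# "HH:MM:SS.ffffff IP src.port > dst.port: Flags [..], ..."
PKT_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

LDAP_PORTS = {389, 636, 3268, 3269}  # LDAP, LDAPS, Global Catalog (plain/TLS)

# Constructed sample: the MTA host (assumed 192.168.79.10) connects to the
# vIP 192.168.79.201, but the SYN-ACK comes back from AD server 192.168.60.21.
SAMPLE_DUMP = """\
23:00:11.000101 IP 192.168.79.10.51234 > 192.168.79.201.389: Flags [S], seq 1, win 64240, length 0
23:00:11.000420 IP 192.168.60.21.389 > 192.168.79.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
23:00:11.000500 IP 192.168.79.10.51234 > 192.168.79.201.389: Flags [.], ack 1, win 502, length 0
23:00:11.001000 IP 192.168.79.10.51234 > 192.168.79.201.389: Flags [P.], seq 1:15, ack 1, win 502, length 14
23:00:16.200000 IP 192.168.79.10.51234 > 192.168.79.201.389: Flags [F.], seq 15, ack 900, win 502, length 0
"""

def ldap_connections(dump_text, mta_ip):
    """Map each MTA source port to the server address it sent to and the
    set of addresses that sent packets back to that port."""
    conns = {}
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # payload/continuation lines are not packet headers
        ts, src, sport, dst, dport, _flags = m.groups()
        sport, dport = int(sport), int(dport)
        if src == mta_ip and dport in LDAP_PORTS:
            conns.setdefault(sport, {"sent_to": dst, "port": dport,
                                     "answered_by": set(), "first": ts})
        elif dst == mta_ip and sport in LDAP_PORTS and dport in conns:
            conns[dport]["answered_by"].add(src)
    return conns

def check_responders(dump_text, mta_ip):
    """Flag connections answered from an address other than the one the MTA
    connected to, and connections that got no reply at all."""
    out = {"mismatched": [], "unanswered": []}
    for port, c in ldap_connections(dump_text, mta_ip).items():
        if not c["answered_by"]:
            out["unanswered"].append(port)
        elif c["answered_by"] != {c["sent_to"]}:
            out["mismatched"].append((port, c["sent_to"], sorted(c["answered_by"])))
    return out
```

An empty result from ldap_connections over a capture taken during the scheduled sync window shows that no LDAP call was made at all, which is the other thing the last reply wants to know.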