jclancy1 Absent Member.

LDAP sync with AD does not populate group users

I am trying to sync Filr with a specific group in AD. The group itself has synced but none of the users show up. I have checked the primary group and it is not the one I am syncing. I have added the group filter to the string as I have seen posted in other threads. At one point the Sync status came up completed and I saw the 2 users listed and the group listed but nothing shows up in the people view or in my group membership. I added a third user to the group and synced again but that user does not appear in the sync status or in Filr. The ssf log does not show any errors, just that the sync starts and completes.
If anyone has a solution I'd appreciate their sharing.
Thanks,
Janey
sveld1 Absent Member.

Re: LDAP sync with AD does not populate group users

Are you sure you've enabled the checkbox 'Synchronize group membership' in the Groups section?

What does your filter look like?
How many objects are in your AD?

Best regards, Sebastiaan Veld
jclancy1 Absent Member.

Re: LDAP sync with AD does not populate group users

Yes. I have everything checked in both Users and Groups selections except the choices for deletion. I have thousands of objects in AD, but only two users in the group I am trying to sync. This is my filter string: (&(memberOf=cn=FilrUsers,ou=Filr,dc=covdnssrv,dc=co,dc=volusia,dc=fl,dc=us)(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson))).
Thanks for your help.
sveld1 Absent Member.

Re: LDAP sync with AD does not populate group users

Can you take a look at "Support | Not all users syncing during Filr LDAP sync"? This one may be useful too: "How to view and set LDAP policy in Active Directory by using Ntdsutil.exe".

Best regards, Sebastiaan Veld
jclancy1 Absent Member.

Re: LDAP sync with AD does not populate group users

Thanks for your reply Sebastiaan. We are on Windows 2008 R2 with the default LDAP Policy settings. I did get one synchronization to complete successfully and modify 1 group and 2 users. However, the two users do not show in the people area of Filr or in the Group membership list. When I added a third person to the group and resynchronized the status says completed successfully but Modified users is 0 and the new member is not in Filr. Our LDAP is pretty simple and we have a lot of applications that query it successfully. Can you think of any other setting that may be wrong or search string I could try?
Thanks again,
Janey
sveld1 Absent Member.

Re: LDAP sync with AD does not populate group users

Do you use in your Filr LDAP settings:
LDAP attribute that uniquely identifies a user or group: objectGUID
LDAP attribute used for Filr name: sAMAccountName

Then, is your User Base DN set to the root of the folder where the user objects are (or higher, with search subtree set)?

Best regards, Sebastiaan Veld
jclancy1 Absent Member.

Re: LDAP sync with AD does not populate group users

Hi Sebastiaan,
The LDAP unique identifier is objectGUID and the user name attribute is sAMAccountName.
I did run the ntdsutil and those settings are:
MaxPoolThreads 4
MaxDatagramRecv 1024
MaxReceiveBuffer 10485760
InitRecvTimeout 120
MaxConnections 5000
MaxConnIdleTime 900
MaxPageSize 1000
MaxQueryDuration 120
MaxTempTableSize 10000
MaxResultSetSize 262144
MinResultSets 0
MaxResultSetsPerConn 0
MaxNotificationPerConn 5
MaxValRange 5000
ThreadMemoryLimit 0
SystemMemoryLimitPercent 0

These are the defaults except for the MaxValRange which was 0. I changed it to 5000 this morning but it did not solve the problem.
My Base DN is: OU=Filr,DC=domainname - where my group FilrUsers is located. There are only three users in the group so far.
My Filter is: (&(|(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson)(memberOf=cn=FilrUsers,ou=Filr,dc=domainname)))
I have search subtree checked.
Under Users I have Synchronize user profiles and Register LDAP user profiles automatically checked
Under Groups I have Synchronize group profiles, Register LDAP group profiles automatically, and Synchronize Group Membership checked.
I can RDP to my Domain Controller with the proxy user I have established and browse AD.

Any additional ideas are welcome. I appreciate the time you have already taken to assist. Hope to hear from you again.
Thanks,
Janey
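The two filter strings quoted in this thread group their terms differently: the first puts memberOf beside the objectClass OR under the AND, the second puts memberOf inside the OR. The following is an added example, not part of the original posts and not Filr or Active Directory code; it parses both shapes (with the thread's own dc=domainname placeholder) and evaluates them against constructed entries. All function names and sample accounts are made up for illustration, and DN comparison is a plain case-insensitive string match.

```python
# Added example: evaluates a small subset of LDAP filter syntax (AND, OR, NOT,
# equality; no escapes or wildcards) against constructed directory entries.
def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids:
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def parse_filter(text):
    text = text.strip()
    node, end = parse(text)
    if end != len(text):
        raise ValueError("unbalanced parentheses or trailing text")
    return node

def matches(node, entry):
    """entry maps lower-case attribute names to lists of values."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

GROUP = "cn=FilrUsers,ou=Filr,dc=domainname"
CLASSES = "(objectClass=Person)(objectClass=orgPerson)(objectClass=inetOrgPerson)"
MEMBER_AND_CLASS = f"(&(memberOf={GROUP})(|{CLASSES}))"  # shape of the first filter posted
MEMBER_IN_OR = f"(&(|{CLASSES}(memberOf={GROUP})))"      # shape of the second filter posted

AD_USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {  # constructed sample accounts
    "member": {"objectclass": AD_USER, "memberof": ["CN=FilrUsers,OU=Filr,DC=domainname"]},
    "non_member": {"objectclass": AD_USER, "memberof": []},
}

def selected(filter_text):
    tree = parse_filter(filter_text)
    return sorted(name for name, e in ENTRIES.items() if matches(tree, e))

if __name__ == "__main__":
    print(selected(MEMBER_AND_CLASS), selected(MEMBER_IN_OR))
```

With memberOf inside the OR, the AND has a single operand, so any person object under the base DN matches whether or not it belongs to the group.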
sveld1 Absent Member.

Re: LDAP sync with AD does not populate group users

But is the folder OU=Filr,DC=domainname also the folder where your user objects are? You also have to add the OU where your users are.

Best regards, Sebastiaan Veld
jclancy1 Absent Member.

Re: LDAP sync with AD does not populate group users

Hello Sebastiaan,
I finally got this working correctly with an assist by Novell. It turns out that my LDAP configuration was corrupt, probably from me trying so many different things. I deleted the configuration I had and added a new configuration with the same settings and it works fine now. I do not use an OU for my users because I have about 100 OU's with users. I sync to the top level of the domain. It syncs ok although it does return an error because of the referral limitation, but I can live with the error.
Thanks so much for your help,
Janey
sveld1 Absent Member.

Re: LDAP sync with AD does not populate group users

Thanks for the follow up. You must have really pushed it:)) Good to hear it's working now.

Best regards, Sebastiaan Veld