
Directory User Synchronization

GW 14.2.1 / SLES 11 SP4 / Active Directory 2012

I have my Primary Domain, pridom, MTA configured to run a Directory User Synchronization nightly at 11pm. It runs dutifully with lots of output (logging is set to verbose):

    00:00:00 7B6D Scheduled Event Settings:
    00:00:00 7B6D Today's Directory User Sync Event Times:
    00:00:00 7B6D 23:00:03
    ....
    23:00:11 795F Synchronizing Directory XYZ_ORG
    23:00:11 795F Connecting to LDAP server at ldapad for Directory XYZ_ORG
    ....lots of detail....
    23:00:16 795F Disconnecting from LDAP server for Directory XYZ_ORG
    23:00:16 795F Synchronization complete for Directory XYZ_ORG

Immediately following is this:

    23:00:16 795F Synchronizing users for Domain pridom
    23:00:16 795F Error: No LDAP Server Address is specified
    23:00:16 795F Synchronization complete for Domain pridom

A Directory User Synchronization is also configured in a Secondary Domain's, podom, MTA. This appears in podom's log:

    23:00:10 3038 Synchronizing users for Domain podom
    23:00:10 3038 Error: No LDAP Server Address is specified
    23:00:10 3038 Synchronization complete for Domain podom

XYZ_ORG is Active Directory and pridom is set as its Sync Domain. I can sorta understand why Directory User Synchronization run by podom's MTA might get an error. However, I'm at a loss as to why pridom's MTA would get the same error.

Any insights are appreciated.
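A small log-triage helper for the MTA output quoted above, added here as an example and not part of the original post or of GroupWise. It walks verbose MTA lines, attributes each "Error:" line to the Directory or Domain sync job that the same thread id currently has open, and reports which targets failed; the sample lines are constructed from the ones in the post.

```python
import re
from collections import OrderedDict

# Constructed sample of verbose MTA log lines, modelled on the ones in the post.
SAMPLE_LOG = """\
23:00:11 795F Synchronizing Directory XYZ_ORG
23:00:11 795F Connecting to LDAP server at ldapad for Directory XYZ_ORG
23:00:16 795F Disconnecting from LDAP server for Directory XYZ_ORG
23:00:16 795F Synchronization complete for Directory XYZ_ORG
23:00:16 795F Synchronizing users for Domain pridom
23:00:16 795F Error: No LDAP Server Address is specified
23:00:16 795F Synchronization complete for Domain pridom
23:00:10 3038 Synchronizing users for Domain podom
23:00:10 3038 Error: No LDAP Server Address is specified
23:00:10 3038 Synchronization complete for Domain podom
"""

# <time> <thread id in hex> <message>; lines such as "...." are skipped.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) ([0-9A-F]+) (.*)$")
START_RE = re.compile(r"^Synchronizing (Directory|users for Domain) (\S+)$")
END_RE = re.compile(r"^Synchronization complete for (Directory|Domain) (\S+)$")


def summarize_sync(log_text):
    """Return an ordered dict keyed by 'Directory XYZ_ORG' / 'Domain pridom',
    each with the error messages seen and whether a completion line was logged.
    Errors are attributed per thread id, so interleaved threads do not mix."""
    open_jobs = {}              # thread id -> target key currently being synced
    results = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, thread, msg = m.groups()
        s = START_RE.match(msg)
        if s:
            kind = "Directory" if s.group(1) == "Directory" else "Domain"
            key = f"{kind} {s.group(2)}"
            open_jobs[thread] = key
            results[key] = {"errors": [], "complete": False}
            continue
        e = END_RE.match(msg)
        if e:
            key = f"{e.group(1)} {e.group(2)}"
            results.setdefault(key, {"errors": [], "complete": False})["complete"] = True
            open_jobs.pop(thread, None)
            continue
        if msg.startswith("Error:") and thread in open_jobs:
            results[open_jobs[thread]]["errors"].append(msg[len("Error: "):])
    return results


def failed_targets(log_text):
    """Targets whose sync job logged at least one error, in log order."""
    return [k for k, v in summarize_sync(log_text).items() if v["errors"]]
```

Running it over the sample shows the Directory sync succeeding while both Domain syncs log the "No LDAP Server Address" error, which is exactly the pattern described in the post.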

Re: Directory User Synchronization

In article <cbristol.7s85an@no-mx.forums.microfocus.com>, Cbristol wrote:
> XYZ_ORG is Active Directory and pridom is set as its Sync Domain. I can
> sorta understand why Directory User Synchronization run by podom's MTA
> might get an error. However, I'm at a loss as to why pridom's MTA would
> get the same error.

Interesting in that I'm not seeing any LDAP syncing attempts by any of the
secondary MTAs.
My gut feel is that the LDAP definition didn't get written fully everywhere
it should be. Two things I'd try:
A) Make a change to the existing LDAP server details for the directory,
making sure 'Enable Synchronization' is checked along the way.
B) Starting with the Primary Domain and then all other Domains, run
Maintenance, Validate Database to make sure there are no errors.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner
http://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!


Re: Directory User Synchronization

Hi,

I would suggest that you double-check the configuration of the "LDAP Server" in the Admin Console.

In the configuration of the connection to AD have you specified an IP address or DNS entry in the Address field?

Please let us know.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
If you find this post helpful, please show your appreciation and click on "Like" below...

Re: Directory User Synchronization

I use a DNS name in the Directory definition and in the LDAP server definition. The DNS name (same for both) resolves to a vIP that goes to 4 AD servers.

This raises an interesting question. From what I've read, it seems that the LDAP server definition is necessary only if you want/need several LDAP servers for redundancy (we take care of that with a vIP) or if you need to have a Post Office using a specific LDAP address. Neither case is true for us. So, is the LDAP server definition unnecessary?

I disabled the User Synchronization event for all MTAs except my primary domain. The
    23:00:10 3038 Synchronizing users for Domain podom
    23:00:10 3038 Error: No LDAP Server Address is specified
    23:00:10 3038 Synchronization complete for Domain podom
messages no longer appear in those MTA logs. They still appear in the primary domain's log.

Thank you!

Re: Directory User Synchronization

Hi,

After hours, in case this breaks something: in the directory definition, change the DNS name to a static IP. You will probably need to re-enter the password for the LDAP user; test the connection to make sure it works. Then click on the sync button at the bottom. Let us know what you see in your logs.

Cheers,
Laura Buckley


Re: Directory User Synchronization

By "static IP" do you mean the vIP to which DNS name ldapad points:

    gw01:~ # nslookup ldapad
    Name: ldapad.xyz.org
    Address: 192.168.79.201

or one of the AD servers that sit behind the vIP?

    gw01:~ # nslookup xyz.org
    Name: xyz.org
    Address: 192.168.60.21
    Name: xyz.org
    Address: 192.168.64.196
    Name: xyz.org
    Address: 192.168.66.235

CB

Re: Directory User Synchronization

Hi,

I would try the vIP address first. If that fails one of the physical server IPs.

Cheers,
Laura Buckley


Re: Directory User Synchronization

On Thu, 19 Jan 2017 12:36:03 +0000, cbristol wrote:

> I use a DNS name in the Directory definition and in the LDAP server
> definition. The DNS name (same for both) resolves to a vIP that goes to
> 4 AD servers.

When LDAP answers, what is the sender IP? The vIP or the physical one?
(Maybe you have to do a small tcpdump.)

Bernd

Re: Directory User Synchronization

Sorry for the delay; I had to schedule this, just in case...

Tests run:

  • Changed the Directory address to the vIP address and ran a Sync: same error.
  • Changed the Directory address to the IP of one of my AD servers and ran a Sync: same error.
  • Changed the Directory address to the vIP, deleted the LDAP server that was under the Directory and ran a Sync: same error.

Perplexing but, at least, this doesn't appear to affect anything else.

Re: Directory User Synchronization

toblerone;2449193 wrote:
On Thu, 19 Jan 2017 12:36:03 +0000, cbristol wrote:

> I use a DNS name in the Directory definition and in the LDAP server
> definition. The DNS name (same for both) resolves to a vIP that goes to
> 4 AD servers.

When LDAP answers, what is the sender IP? The vIP or the physical one?
(Maybe you have to do a small tcpdump.)

Bernd


Interesting thought; I'll look into it. However, the test results I got using an AD server's IP instead of the vIP (assuming that the AD server answered the LDAP query using its address) make this a low probability culprit.
Thx!

Re: Directory User Synchronization

Hi,

May I suggest a packet trace/capture - I tend to use Wireshark - to see what is happening to the LDAP traffic sent/received? We can see if a "call" is even being made.

Cheers,
Laura Buckley


Re: Directory User Synchronization

I used tcpdump for the capture and Wireshark to look at the results. First time out with that tool.

The Directory is configured with the vIP. All of the in and out packets showed the vIP.

Here's where it gets interesting.... The server where I run my Primary Domain is a VM, so it is configured with a single "NIC". The main IP is the server IP and is used for maintenance, backups, etc. The Primary Domain has its own IP, and there is a Secondary Domain, also with its own IP.

Wireshark showed all packets to/from LDAP using the server's IP. So I checked the Primary Domain MTA settings and found that "Bind exclusively to TCP/IP Address" is not checked. Could this be the problem? "Bind exclusively to TCP/IP Address" is checked in the Secondary Domain MTA settings.