LDAP synchronization troubleshooting

This section describes the issues that can occur during an automated synchronization with the directory service and the actions that mitigate them.

The error codes are:

101: Connection error during user synchronization

Connection to LDAP not possible

To perform a synchronization of users between the directory service and IYOPRO, a connection to the directory service is established by IYOPRO. If this connection cannot be established, no synchronization of users can be performed. Typical reasons for connection errors are:

  • The credentials configured to access the directory service are incorrect. The credentials used are stored in the IYOPRO configuration:

    • The domain name is configured with the configuration key LDAP_DOMAINNAME

    • The user to access the directory service is configured with the configuration key LDAP_USERNAME. If no user name is configured, the user of the IYOPRO service is used.

    • The password to access the directory service is configured with the configuration key LDAP_PASSWORD

  • Directory service is not reachable via the network

    • Please check the availability of the directory service

102: Invalid directory entry

While processing the entries of the group containing the IYOPRO users, an entry was found that is not a user entry.

Most likely the user group in the directory service contains some other resource records. Please verify that the group only contains:

  • user records

  • group records, if recursing through the groups is activated by configuration option LDAP_GROUP_RECURSE

103: Account already in use

A new user should be added to IYOPRO, but the account name is already used by another user.

Most likely a user account was removed from the directory service and subsequently disabled in IYOPRO. Later a new user account was created in the directory service using the same account name.

However, as this is a new account, it was assigned a new security id by the directory service. The security id of the old (disabled) account in IYOPRO and that of the new account therefore do not match.

To resolve this issue there are two options:

  • Delete the existing IYOPRO user

    • Use the system management function delete user to remove the user and all data belonging to the user from IYOPRO

  • Clear the existing IYOPRO user’s security id

Option 1 is the right choice if the old user and the new user are different persons and the old user’s data (e.g. Diagrams in My Files) can be deleted. After deletion of the IYOPRO user the synchronization will create a new IYOPRO account for the new user.

Option 2 is the right choice if the old and the new user are the same person. After the security id has been reset, the next synchronization run will detect that the user has no security id assigned and will assign the new one. The user can then log on and access his data.

104: Account name change to account in use

Changing a user's account name is not possible, as there is already another IYOPRO user with the target account name.

During the synchronization run a change in the account name of a user was detected. This user was identified by his security id. However, the new account name is already in use in IYOPRO.

If this happens, please verify that the accounts provided for the user synchronization by the directory service are unique and match the existing IYOPRO accounts.
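The matching rules described for errors 103 and 104 can be checked before a synchronization run. The following is an added example, not IYOPRO code: the record shape, the function name and the case-insensitive comparison of account names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IyoproUser:            # hypothetical record shape, not IYOPRO's schema
    account: str
    sid: Optional[str]       # None = security id cleared (option 2 for error 103)

def predict_conflicts(directory, iyopro_users):
    """directory: list of (security id, account name) pairs from the user group.
    Returns (code, account, detail) for each conflict the page describes."""
    by_sid = {u.sid: u for u in iyopro_users if u.sid}
    # Assumption: account names are compared case-insensitively.
    by_account = {u.account.lower(): u for u in iyopro_users}
    findings = []
    for sid, account in directory:
        holder = by_account.get(account.lower())   # who owns the name in IYOPRO
        known = by_sid.get(sid)                     # who owns the security id
        if known is None:
            # Unknown security id: the name must be free or have a cleared id.
            if holder is not None and holder.sid is not None:
                findings.append((103, account, f"name held by security id {holder.sid}"))
        elif known.account.lower() != account.lower():
            # Known security id with a changed account name (rename).
            if holder is not None and holder is not known:
                findings.append((104, account, f"rename from {known.account} blocked"))
    return findings

# Constructed sample data
IYOPRO = [
    IyoproUser("jdoe", "S-1-5-21-1111-1001"),      # old, disabled account
    IyoproUser("asmith", "S-1-5-21-1111-1002"),
    IyoproUser("bmiller", "S-1-5-21-1111-1003"),   # no longer in the directory
    IyoproUser("clee", None),                      # security id cleared
]
DIRECTORY = [
    ("S-1-5-21-1111-2001", "jdoe"),      # recreated account, new id -> 103
    ("S-1-5-21-1111-1002", "bmiller"),   # asmith renamed to a name in use -> 104
    ("S-1-5-21-1111-2002", "clee"),      # cleared id, will be re-linked
]

if __name__ == "__main__":
    for code, account, detail in predict_conflicts(DIRECTORY, IYOPRO):
        print(code, account, detail)
```

A 103 finding needs a decision on whether the old and the new user are the same person before the security id is cleared, because clearing it gives the new account access to the old user's data.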

107: No enabled user

After processing all users, there are no enabled IYOPRO users left.

Once IYOPRO has processed all users from the directory service, there are no enabled users left in IYOPRO. Probably there is a customizing issue with the user group of the directory service that is the source of the users, or that group does not contain any users.

To resolve this issue, please check:

  • that the group in the directory service contains users that are not disabled

  • that the group name matches the configuration entry LDAP_GROUPNAME

  • that the credentials used to connect to the directory service allow reading the group members (configuration entries LDAP_USERNAME and LDAP_PASSWORD)

109: Group not found

While trying to synchronize users the configured group was not found

When trying to retrieve the users to be synchronized from the directory service, the configured group was not found by the directory service.

To mitigate this issue, please check:

  • that the group name configured in LDAP_GROUPNAME matches the group name in the directory service

  • that the configured group is part of the provided domain configured in LDAP_DOMAINNAME

  • that the configured credentials (configuration entries LDAP_USERNAME and LDAP_PASSWORD) to access the directory service are valid and allow retrieval of the group members

111: Connection error during group synchronization

The connection to the directory service could not be established when trying to obtain the groups to synchronize.

To perform a synchronization of user groups between the directory service and IYOPRO, a connection to the directory service is established by IYOPRO.

If this connection cannot be established, no synchronization of user groups can be performed.

Typical reasons for connection errors are:

  • The credentials configured to access the directory service are incorrect. The credentials used are stored in the IYOPRO configuration:

    • The domain name is configured with the configuration key LDAP_DOMAINNAME

    • The user to access the directory service is configured with the configuration key LDAP_USERNAME. If no user name is configured, the user of the IYOPRO service is used.

    • The password to access the directory service is configured with the configuration key LDAP_PASSWORD

  • Directory service is not reachable via the network

    • Please check the availability of the directory service

112: Group member load error

When loading the list of groups to be synchronized, an exception occurred.

While trying to load the members of the organizational unit configured for the group synchronization, an error occurred.

The configuration LDAP_GROUP_SYNC_OU specifies which entries should be synchronized.

To resolve this issue, please check:

  • That the provided organizational unit contains only user groups in the directory service

  • That the user groups contained in the organizational unit are accessible with the configured credentials

113: Loading groups for synchronization failed

Failed to load IYOPRO user groups to be synchronized

When trying to obtain the list of IYOPRO user groups that should be synchronized with the directory service, an error occurred.

114: Connection error during group member synchronization

Could not establish the connection to the directory service to synchronize group members

To perform a synchronization of group members between the directory service and IYOPRO, a connection to the directory service is established by IYOPRO.

If this connection cannot be established, no synchronization of users can be performed.

Typical reasons for connection errors are:

  • The credentials configured to access the directory service are incorrect. The credentials used are stored in the IYOPRO configuration:

    • The domain name is configured with the configuration key LDAP_DOMAINNAME

    • The user to access the directory service is configured with the configuration key LDAP_USERNAME. If no user name is configured, the user of the IYOPRO service is used.

    • The password to access the directory service is configured with the configuration key LDAP_PASSWORD

  • Directory service is not reachable via the network

    • Please check the availability of the directory service

115: Group assignment not possible (no IYOPRO user)

Assignment of a user to a group not possible, as the user is not an IYOPRO user.

The reason for this issue is that a user is a member of the group in the directory service.

However, this user is not a known IYOPRO user.

To resolve this issue, make sure that all users specified as members in groups to be synchronized are also IYOPRO users. Check that the users are also part of the configured source for the user synchronization (configuration key LDAP_GROUPNAME).

116: Group assignment not possible (user not in team)

Assignment of the user to a user group not possible, as the user is not in the team

The user is not a member of the team which contains the group to be synchronized.

To resolve this issue, make sure that all users specified as members in groups to be synchronized are team members in the team containing the IYOPRO group. If the team is not part of the auto joined teams (configuration key LDAP_AUTO_JOINED_TEAMS), the user needs to be added to the team manually.

118: Team user list empty

Failed to get the list of team users during auto join

While trying to synchronize group members the user list of the team containing the user group could not be loaded.

To resolve this issue, verify the team members and ensure that the list of team members is not empty.

120: Configured team id is invalid

The team id configured for auto join is not a valid id (not an integer).

The configuration for the automatic joining of teams (auto join) contains an entry that cannot be parsed as a team id, as it is not of the data type integer.

To resolve the issue, ensure that the configuration key LDAP_AUTO_JOINED_TEAMS contains a comma-separated list of valid team ids.

121: Configured team id not found

The team with the configured team id for auto join was not found

The configuration for the automatic joining of teams (auto join) contains an entry that is not a valid team id.

To resolve this issue, verify the configuration key LDAP_AUTO_JOINED_TEAMS and ensure that all provided ids are valid team ids.

The team id can be found in the repository. Select the teams node and expand. When a team is selected, the team id is shown right below the team name in the details display.

122: Conversion of user information failed

Conversion of the directory service object failed when trying to determine the user status (enabled/disabled).

While trying to determine the status of a user via the directory service, the provided data could not be converted. IYOPRO will assume that the user is enabled in the directory service. If the user is currently disabled in IYOPRO, it will be enabled.

123: User enabled property is empty

The directory service data has an empty UserAccountControl property

While trying to determine the status of a user via the directory service, the provided data did contain the needed property UserAccountControl, but it does not contain any data. IYOPRO will assume that the user is enabled in the directory service.

If the user is currently disabled in IYOPRO, it will be enabled.

124: User enabled property has wrong type

The directory service data has a UserAccountControl property with the wrong data type.

While trying to determine the status of a user via the directory service, the provided data did contain the needed property UserAccountControl, but it has the wrong data type. IYOPRO will assume that the user is enabled in the directory service.

If the user is currently disabled in IYOPRO, it will be enabled.

125: User enabled property is missing

In the directory service data the UserAccountControl property is not present

While trying to determine the status of a user via the directory service, the provided data did not contain the needed property UserAccountControl. IYOPRO will assume that the user is enabled in the directory service.

If the user is currently disabled in IYOPRO, it will be enabled.
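Because errors 123 to 125 fall back to "enabled", an account disabled in IYOPRO is enabled again whenever its UserAccountControl data is unusable. The following added example (not IYOPRO code) lists the accounts affected by that fallback. Assumptions: each entry is a dict of attribute name to a list of decoded values, the account name is read from sAMAccountName, the function names are hypothetical, and the sample entries are constructed.

```python
ACCOUNTDISABLE = 0x0002   # Active Directory userAccountControl flag

def uac_status(entry):
    """Return (enabled, code); code is None or the error number from this page."""
    attrs = {name.lower(): values for name, values in entry.items()}
    if "useraccountcontrol" not in attrs:
        return True, 125                      # property missing
    values = attrs["useraccountcontrol"]
    if not values:
        return True, 123                      # property present but empty
    value = values[0]
    if isinstance(value, bool) or not isinstance(value, int):
        return True, 124                      # wrong data type
    return not (value & ACCOUNTDISABLE), None

def would_be_reenabled(entries, disabled_in_iyopro):
    """Accounts disabled in IYOPRO that a sync would enable only via the fallback."""
    disabled = {account.lower() for account in disabled_in_iyopro}
    hits = []
    for entry in entries:
        account = entry["sAMAccountName"][0]
        _enabled, code = uac_status(entry)
        if code is not None and account.lower() in disabled:
            hits.append((account, code))
    return hits

# Constructed sample entries
ENTRIES = [
    {"sAMAccountName": ["alice"], "userAccountControl": [512]},    # enabled
    {"sAMAccountName": ["bob"],   "userAccountControl": [514]},    # disabled
    {"sAMAccountName": ["carol"], "userAccountControl": []},       # -> 123
    {"sAMAccountName": ["dave"],  "userAccountControl": ["514"]},  # -> 124
    {"sAMAccountName": ["erin"]},                                  # -> 125
]

if __name__ == "__main__":
    for account, code in would_be_reenabled(ENTRIES, {"bob", "dave", "erin"}):
        print(f"{account}: error {code}, would be enabled by the fallback")
```

In the sample, dave is disabled in the directory but carries the value as a string, so the fallback would enable the account. Entries reported here are worth correcting in the directory before the next run.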

126: Synchronization aborted

While performing the synchronization an error was detected and the synchronization process was aborted. To understand the root cause of the issue, please check the ADSync thread entries in the backend log.

If the configuration option LDAP_ONERROR_ABORT is set to false, detected errors will be skipped.