ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

LDAP user synchronization not working

book

Article ID: 213721

calendar_today

Updated On:

Products

CA Agile Central On Premise (Rally)

Issue/Introduction

New users are not created in a newly LDAP integrated on-premise 2.0+ platform.

 

Cause

This can be caused when the bind DN user does not have sufficient permissions to perform a dir sync.  The bind DN user must either be a domain admin or have the Replicating Directory Changes permissions in active directory.

In order to verify the cause, you can inspect the docker logs as follows:

$ docker ps | grep replicated_replicated.1

Sample Output:

0df94ce4fb5d        replicated/replicated:stable-2.49.0                              "/usr/bin/entrypoint…"   6 weeks ago         Up 6 weeks          9874/tcp, 9876-9877/tcp, 9879/tcp             replicated_replicated.1.n1nul7swhvc2uvsit33kim3vi

Take the container ID from your output as highlighted above, and use it for the following command:

$ docker logs 0df94ce4fb5d 2>&1 | grep "dir sync: LDAP Result Code 50"

If the following output is seen, then the bind DN user does not have the necessary access:

WARN 2021-03-30T17:22:08+00:00 identity/sync.go:170 Failed to sync identity source for config host=server.company.com, dn=dc=users,dc=company,dc=com: active directory: dir sync: LDAP Result Code 50 "Insufficient Access Rights": 00002105: LdapErr: DSID-0C09098A, comment: Error processing control, data 0, v4563

 

Environment

Release :

  • 2.0
  • 2.0.1
  • 2.1.0

Resolution

Perform one of the following actions:

  • Grant domain admin rights to the bind DN user
  • Grant "Replicating Directory Changes" (SE_SYNC_AGENT_NAME) permissions to the bind DN user

Additional Information

keywords: agile central Insufficient Access Rights