does it work if you do a search without using the search groups feature?
if so, I'd use the ldap browser to open one of the users who are in the group, and then check their memberOf attribute to make sure the group DN is indeed correct.
looks like your basic connection strategy is wrong, so start there by checking the base DN and the authentication credentials.
You might need to escape the "-" as well, I'm not sure that's a supported char in an LDAP search query. I can't find any info to say either way though.
thanks for the reply. I have verified that my connection settings are correct through the ldap browser and all users have the correct "memberof" status for this group.
I can authenticate via ldap browser as well as through the connection manager when I use search settings. I can't use search settings though because the way our AD is configured, all the users are in the same OU. I need to be able to put endpoint users into their own group and pull them from there.
any other suggestions would be great.
set the entry limit to a small number and test the connector will actually add users - it's good to start from a position of the connector working - then we can expand.
what portion of the total user population listed in the AD are you intending to import into EEM? (how many in AD, how many do you need to import?)
Thanks again for your help. I ended up getting it to work by adding (objectClass=organizationalPerson) under the object filter in search settings. I was under the assumption that if you use one tab you don't use the other.
I was wrong. :)
thanks for the help!
You could also use an LDAP filter to limit your imported users. If your AD guys actually know how it works without the GUI tools to help them, they could create an additional attribute, like sbuser=yes. You could then configure SB server to apply the filter (&(objectclass=organizationalPerson)(sbuser=yes)).
I am also getting error 0x5c000016 when running Active Directory synchronisation in Endpoint Encryption Manager. I am unable to find any users.
Here is what I am seeing in the log:
15/06/2009 11:08:13 Starting synchronization
15/06/2009 11:08:13 LDAP connection initialized
15/06/2009 11:08:13 Connecting to dc001a ...
15/06/2009 11:08:13 LDAP logon successful
15/06/2009 11:08:13 Searching...
15/06/2009 11:08:13 checking search groups list
15/06/2009 11:08:13 Checking if dn 'CN=BGroup, OU=Groups, OU=ABC, OU=User Accounts, OU=Consulting, DC=BFG, DC=DOMAIN, DC=COM' is a group
15/06/2009 11:08:13 ldap reports = 0 (Success)
15/06/2009 11:08:13 abandoning search due to error
15/06/2009 11:08:13 error during synch (0x5c000016) - "No connection has been established"
15/06/2009 11:08:13 Closing LDAP connection ...
15/06/2009 11:08:13 checked 0 users (0 updated)
15/06/2009 11:08:13 added 0 users
15/06/2009 11:08:13 disabled 0 users
15/06/2009 11:08:13 removed 0 users
15/06/2009 11:08:13 Synchronization complete
My configuration in the connector is as follows:
BaseDN is blank
Objectfilter = (objectClass=organizationalPerson)
Timeout = 30
Entry limit = 10 (same error with 1000)
Search depth from base DN - Entire subtree
CN=BGroup, OU=Groups, OU=ABC, OU=User Accounts, OU=Consulting, DC=BFG, DC=DOMAIN, DC=COM
I am UK based and I am wondering about the spelling of organizationalPerson... any other clues on where am I going wrong?
gotta set a base DN my friend - without that it won't know where to start searching from.
if you don't know it, use the LDAP browser to look it up.
I'm able to reproduce your error in my lab and my bet is that you have the Distinguished Name string incorrect on the Search Groups tab...in other words, make sure your CN's are actually CN's, your OU's, OU's etc.
Use the Softerra LDAP Browser included in the Tools.zip download to find that specific group, go to the properties and copy the string.
The pointer towards the LDAP browser at http://www.softerra.com/download.htm was very good - that is an excellent tool. Thanks again to btschida
I resolved my problem, by completing login details including using the Change... button to set a password and logging into my active directory.
I also set a BaseDN, but that wasn't the fix.