1 2 Previous Next 11 Replies Latest reply on Jun 17, 2009 11:13 PM by mrgui

    Active directory connector


      I am currently trying to setup AD sync to Endpoint by using search groups, and I'm running into a problem where the connector parses the AD security group but then states that the members within the group aren't users.

      It then fails saying abadoning search due to error
      error during synch (0x5c000016) - "no connection has been established"

      it then closes. under Search groups I have the distinguished name set like below...

      CN=security-group, OU=Test, DC=mydomain, DC=com

      A push in the right direction would help.
        • 1. RE: Active directory connector
          does it work if you do a search without using the search groups feature?

          if so, I'd use the ldap browser to open one of the users who are in the group, and then check their memberOf attribute to make sure the group DN is indeed correct.

          looks like your basic connection strategy is wrong, so start there by checking the base DN and the authentication credentials.

          You might need to escape the "-" as well, I'm not sure that's a supported car in an LDAP search query. I can't find any info to say either way though.
          • 2. RE: Active directory connector
            thanks for the reply. I have verified that my connection settings are correct through the ldap browser and all users have the correct "memberof" status for this group.

            I can authenticate via ldap browser as well as through the connection manager when I use search settings. I can't use search settings though because the way our AD is configured, all the users are in the same OU. I need to be able to put endpoint users into their own group and pull them from there.

            any other suggestions would be great.

            • 3. RE: Active directory connector
              set the entry limit to a small number and test the connector will actually add users - it's good to start from a position of the connector working - then we can expand.

              what portion of the total user population listed in the AD are you intending to import into EEM? (how many in AD, how many do you need to import?)

              • 4. RE: Active directory connector
                Thanks again for your help. I ended up getting it to work by adding (objectClass=organizationalPerson) under the object filter in search settings. I was under the assumption that if you use one tab you don't use the other.

                I was wrong. :)

                thanks for the help!
                • 5. RE: Active directory connector
                  You could also use an LDAP filter to limit your imported users. If your AD guys actually know how it works without the GUI tools to help them, they could create an additional attribute, like sbuser=yes. You could then configure SB server to apply the filter (&(objectclass=organizationalPerson)(sbuser=yes)).
                  • 6. Endpoint encryption Active Directory Connector error 0x5c000016
                    I am also getting error 0x5c000016 when running Active Directory synchronisation in Endpoint Encryption Manager. I am unable to find any users.

                    Here is what I am seeing in the log:

                    15/06/2009 11:08:13 Starting synchronization
                    15/06/2009 11:08:13 LDAP connection initialized
                    15/06/2009 11:08:13 Connecting to dc001a ...
                    15/06/2009 11:08:13 LDAP logon successful
                    15/06/2009 11:08:13 Searching...
                    15/06/2009 11:08:13 checking search groups list
                    15/06/2009 11:08:13 Checking if dn 'CN=BGroup, OU=Groups, OU=ABC, OU=User Accounts, OU=Consulting, DC=BFG, DC=DOMAIN, DC=COM' is a group
                    15/06/2009 11:08:13 ldap reports = 0 (Success)
                    15/06/2009 11:08:13 abandoning search due to error
                    15/06/2009 11:08:13 error during synch (0x5c000016) - "No connection has been established"
                    15/06/2009 11:08:13 Closing LDAP connection ...
                    15/06/2009 11:08:13 checked 0 users (0 updated)
                    15/06/2009 11:08:13 added 0 users
                    15/06/2009 11:08:13 disabled 0 users
                    15/06/2009 11:08:13 removed 0 users
                    15/06/2009 11:08:13 Synchronization complete

                    My configuration in the connector is as follows:

                    Search settings

                    BaseDN is blank
                    Objectfilter = (objectClass=organizationalPerson)
                    Timeout = 30
                    Entry limit = 10 (same error with 1000)
                    Search depth from base DN - Entire subtree

                    Search groups

                    CN=BGroup, OU=Groups, OU=ABC, OU=User Accounts, OU=Consulting, DC=BFG, DC=DOMAIN, DC=COM

                    I am UK based and I am wdonering about the spelling of organizationalPerson....any other clues on where am I going wrong?
                    • 7. RE: Endpoint encryption Active Directory Connector error 0x5c000016
                      gotta set a base DN my friend - without that it won't know where to start searching from.

                      if you don't know it, use the LDAP browser to look it up.
                      • 8. String
                        I'm able to reproduce your error in my lab and my bet is that you have the Distinguished Name string incorrect on the Search Groups tab...in other words, make sure your CN's are actually CN's, your OU's, OU's etc.

                        Use the Softerra LDAP Browser included in the Tools.zip download to find that specific group, go to the properties and copy the string.
                        • 9. RE: String
                          The pointer towards the LDAP browser at http://www.softerra.com/download.htm was very good - that is an excellent tool. Thanks again to btschida

                          I resolved my problem, by completing login details including using the Change... button to set a password and logging into my active directory.

                          I also set a BaseDN, but that wasn't the fix.
                          1 2 Previous Next