000016727 - LDAP Sync unable to create more than 1000 users in RSA Archer

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000016727
Applies To: RSA Product Set: Archer
RSA Version/Condition: All
Issue: LDAP Sync fails to create more than 1000 users in RSA Archer when connecting to a Microsoft Active Directory LDAP server, even though the "Disable Page Searching" option is not checked in the LDAP configuration.
Testing the same LDAP configuration attributes in a third-party tool such as Softerra LDAP Browser produces LDAP referral authentication prompts once the result set exceeds 1000 users.
 
Cause: RSA Archer LDAP Sync cannot recognize or follow LDAP referral authentication prompts. When Active Directory returns a referral, the paged search ends prematurely after the first page, so only the first 1000 users (the default Active Directory page size) are returned.
 
Resolution: To fix this issue, use port 3268 by appending ":3268" to the Name/IP Address field of the LDAP Configuration. For LDAPS, use port 3269. These ports direct the LDAP search to the Global Catalog on the domain controller, which answers a forest-wide search itself instead of searching only the forest root domain and referring the client elsewhere for the remaining results. Note that the Global Catalog holds only the partial attribute set replicated to it, so any attribute mapped in the LDAP configuration must be part of that set.
 
[User-added image of the LDAP Configuration screen not preserved]

 
An alternative to port 3268 is to set Referral Chasing to None in the Archer LDAP Service configuration file:

  1. Stop the LDAP Service
  2. Open the LDAP Service configuration file, Archer.Services.DataFeedService.exe.config, located in \Program Files\RSA Archer\Services\
  3. Search for <appSettings> and add the ForceNoReferralChasing key:
    <appSettings> 
      <add key="PreComputeTaskOnFault" value="true" />
      <add key="ForceNoReferralChasing" value="true"/>
    </appSettings>

  4. Save the file and restart the service
  5. Run the LDAP Sync manually or let it run at its scheduled time
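After applying either fix, it is worth confirming from the Archer server itself that a paged search with referral chasing disabled actually returns more than 1000 users before re-running the sync. The following PowerShell script is an added example, not part of this article or of RSA Archer; it performs the same kind of paged search the LDAP Sync relies on, using the .NET System.DirectoryServices.Protocols classes. The server name, base DN, and filter are placeholders to be replaced with the values from your LDAP Configuration; the script binds with the credentials of the account running it.

```powershell
# Added example (not from the RSA article): run a paged LDAP search against the
# Global Catalog port with referral chasing disabled and count the users returned.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'dc01.example.com'                          # placeholder: domain controller
$Port     = 3268                                         # Global Catalog; use 3269 for LDAPS
$BaseDn   = 'DC=example,DC=com'                          # placeholder: forest root search base
$Filter   = '(&(objectCategory=person)(objectClass=user))'  # placeholder: your user filter
$PageSize = 1000                                         # matches the Active Directory default MaxPageSize

$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.ProtocolVersion = 3
# Equivalent of ForceNoReferralChasing=true: never follow referrals to other domains.
$conn.SessionOptions.ReferralChasing = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
if ($Port -eq 3269) { $conn.SessionOptions.SecureSocketLayer = $true }
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # binds as the account running the script

$request = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $BaseDn, $Filter, 'Subtree', @('sAMAccountName'))
$pageControl = New-Object System.DirectoryServices.Protocols.PageResultRequestControl($PageSize)
[void]$request.Controls.Add($pageControl)

$total = 0
$pages = 0
do {
    $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
    $pages++
    $total += $response.Entries.Count

    # The server hands back a cookie; an empty cookie means this was the last page.
    $pageResponse = $response.Controls |
        Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }
    if ($null -eq $pageResponse) { break }   # server did not honour the paging control
    $pageControl.Cookie = $pageResponse.Cookie
} while ($pageControl.Cookie.Length -gt 0)

$conn.Dispose()
"Pages returned: $pages; users returned: $total"
if ($pages -eq 1 -and $total -eq $PageSize) {
    "Search stopped after exactly one full page: referrals are probably still ending the paged search."
}
```

If the count stops at exactly one full page, the search is still being cut short; re-check that the port is the Global Catalog port or that ForceNoReferralChasing was saved in the config file and the service restarted. A count above 1000 across several pages confirms the paged search now runs to completion and the LDAP Sync should create the full user set.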
 
Legacy Article ID: a59700
