|Applies To||RSA Product Set: Archer|
RSA Version/Condition: All
|Issue||LDAP Sync fails to create more than 1000 users in RSA Archer when connecting to Microsoft Active Directory LDAP Server. The "Disable Page Searching" option is not checked in the LDAP configuration.|
Testing of LDAP configuration attributes in a third party tool like 'Softerra LDAP Browser' produces LDAP referral authentication prompts if results exceed 1000 users.
|Cause||RSA Archer LDAP Sync does not have an ability to recognize LDAP referral authentication prompts. LDAP paged search ends prematurely after the first page and only 1000 users are returned.|
|Resolution||To fix this issue, use port 3268 by appending ":3268" to the LDAP Configuration's Name/IP Address. For LDAPS, use port 3269. Using these ports will allow LDAP search to use Global Catalog domain controller for forest-wide search instead of forest root domain search.|
An alternative to port 3268 is to set Referral Chasing to None in Archer LDAP Service configuration file:
|Notes||If the LDAP Service configuration file is modified to use the ForceNoReferralChasing key, it will need to be added back after every Archer upgrade or every time the Archer installer is run. The Archer installer does not respect that setting and will not add it back.|
Finally, please vote up the RSA Archer Idea to add option to LDAP Configuration to enable/disable the ForceNoReferralChasing setting at runtime.
|Legacy Article ID||a59700|