000016727 - LDAP Sync unable to create more than 1000 users in RSA Archer

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Apr 8, 2019
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000016727
Applies ToRSA Product Set: Archer
RSA Version/Condition: All
IssueLDAP Sync fails to create more than 1000 users in RSA Archer when connecting to Microsoft Active Directory LDAP Server. The "Disable Page Searching" option is not checked in the LDAP configuration.

Testing of LDAP configuration attributes in a third party tool like 'Softerra LDAP Browser' produces LDAP referral authentication prompts if results exceed 1000 users.
CauseRSA Archer LDAP Sync does not have an ability to recognize LDAP referral authentication prompts. LDAP paged search ends prematurely after the first page and only 1000 users are returned.
ResolutionTo fix this issue, use port 3268 by appending ":3268" to the LDAP Configuration's Name/IP Address. For LDAPS, use port 3269. Using these ports will allow LDAP search to use Global Catalog domain controller for forest-wide search instead of forest root domain search.
User-added image

An alternative to port 3268 is to set Referral Chasing to None in Archer LDAP Service configuration file:

  1. Stop the LDAP Service
  2. Open the LDAP Service configuration file, Archer.Services.DataFeedService.exe.config, located in \Program Files\RSA Archer\Services\
  3. Search for <appSettings> and add the ForceNoReferralChasing key:

      <add key="PreComputeTaskOnFault" value="true" />
      <add key="ForceNoReferralChasing" value="true"/>

  4. Save the file and restart the service
  5. Run the LDAP Synch manually or have it run at it's scheduled time

NotesIf the LDAP Service configuration file is modified to use the ForceNoReferralChasing key, it will need to be added back after every Archer upgrade or every time the Archer installer is run. The Archer installer does not respect that setting and will not add it back.

Finally, please vote up the RSA Archer Idea to add option to LDAP Configuration to enable/disable the ForceNoReferralChasing setting at runtime.
Legacy Article IDa59700