When an identity source synchronization does not work properly, investigate the following areas to identify and resolve the problem.
Check the status of the identity router. At least one identity router must be connected to the Cloud Authentication Service.
LDAP Directory Server
- The LDAP directory server is running.
- The connection between the identity router and the LDAP directory server is functioning.
- The credentials used to access the LDAP directory server are valid.
- The port specified for the LDAP directory server is valid.
LDAP servers that are not patched against the Logjam attack may be unable to synchronize with the identity routers over an SSL connection. When the identity router unsuccessfully attempts to synchronize with an unpatched LDAP server, the following message appears in the identity router logs:
javax.net.ssl.SSLException: Ephemeral DH public key size is less than the required minimum
To work around this problem, update the LDAP servers in your environment to use a 2048-bit Diffie-Hellman group and to disable support for export cipher suites.
- If the identity source uses a Secure Sockets Layer (SSL) port, make sure the checkbox Use SSL to connect to the identity source is selected and the SSL certificate is valid. If necessary, re-import the certificate. If the port is non-SSL, the checkbox should not be selected.
- Make sure the identity source uses a valid User Base DN and user search filter to select users from the correct subtrees.
- If your identity source is configured with multiple directory servers, check that each server is properly configured and reachable.
- The user record coming from LDAP does not have an email address.
- The user's email address in LDAP does not use valid syntax.
- A user record coming from LDAP has the same email address as a user record already in RSA SecurID Access, but RSA SecurID Access cannot confirm that the records belong to the same user because they have different object identifiers (objectGUID). A mismatch condition can occur if the user record was deleted from LDAP and then recreated.
- An administrator user record was manually created in RSA SecurID Access and the user already has a record with the same email address in LDAP.
- A user has a record in two different identity sources representing two different instances of the LDAP directory server. Both user records contain the same email address.
- Multiple users in a single LDAP directory server instance have the same email address.
- Two different LDAP directory servers containing the same users are configured as two different identity sources in RSA SecurID Access, resulting in multiple user records with duplicate email addresses.
- The record belongs to an object that is not a user object. If you want to prevent RSA SecurID Access from attempting to synchronize records that do not belong to users, adjust the Object Class to exclude these records.