When an identity source synchronization does not work properly, investigate the following areas to identify and resolve the problem.
Check the status of the identity router. At least one identity router must be connected to the Cloud Authentication Service.
LDAP Directory Server
- The LDAP directory server is running.
- The connection between the identity router and the LDAP directory server is functioning.
- The credentials used to access the LDAP directory server are valid.
- The port specified for the LDAP directory server is valid.
LDAP servers that are not patched against the Logjam attack may be unable to synchronize with the identity routers over an SSL/TLS connection. When the identity router unsuccessfully attempts to synchronize with an unpatched LDAP server, the following message appears in the identity router logs:
javax.net.ssl.SSLException: Ephemeral DH public key size is less than the required minimum
To work around this problem, update the LDAP servers in your environment to use a 2048-bit Diffie-Hellman group and to disable support for export cipher suites.
- If the identity source uses a Secure Sockets Layer (SSL/TLS) port, make sure the checkbox Use SSL/TLS to connect to the identity source is selected and the SSL/TLS certificate is valid. If necessary, re-import the certificate. If the port is non-SSL/TLS, the checkbox should not be selected.
- Make sure the identity source uses a valid User Base DN and user search filter to select users from the correct subtrees.
- If your identity source is configured with multiple directory servers, check that each server is properly configured and reachable.
Resolving Duplicate Users in Identity Sources
During identity source synchronization, a message might indicate that some users have duplicate Primary or Alternate Usernames. The duplicates may occur in one identity source or across multiple identity sources. These users can be synchronized, but they might not be able to complete authentication.
Note: Consider your particular environment to determine if the message requires further action. For example, if your users are always required to sign in with their Alternate Username rather than with Primary Username, duplication of the Primary Username might be irrelevant.
To resolve this issue, perform these steps:
- Generate a user report. In the Cloud Administration Console, click Users > Reports.
- Sort the report by the Username or Alternate Username column.
- Examine the report to determine which identity sources have conflicts.
- Update the identity source configuration accordingly. Possible actions might include:
  - Deleting an unnecessary identity source.
  - Narrowing the scope of an identity source to eliminate the duplication.
  - Changing the attribute mapping for Primary Username or Alternate Username, to ensure that the value is unique for each user.
- The user record coming from LDAP does not have an email address.
- The user's email address in LDAP does not use valid syntax.
- A user record coming from LDAP has the same email address as a user record already in RSA SecurID Access, but RSA SecurID Access cannot confirm that the records belong to the same user because they have different object identifiers (objectGUID). A mismatch condition can occur if the user record was deleted from LDAP and then recreated.
- An administrator user record was manually created in RSA SecurID Access and the user already has a record with the same email address in LDAP.
- A user has a record in two different identity sources representing two different instances of the LDAP directory server. Both user records contain the same email address.
- Multiple users in a single LDAP directory server instance have the same email address.
- Two different LDAP directory servers containing the same users are configured as two different identity sources in RSA SecurID Access, resulting in multiple user records with duplicate email addresses.
- The record belongs to an object that is not a user object. If you want to prevent RSA SecurID Access from attempting to synchronize records that do not belong to users, adjust the Object Class to exclude these records.
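The duplicate-username procedure above and the email-address conditions in this list can be checked mechanically against an exported user report. The following is an added example, not RSA code; it assumes a CSV export with the column names shown in the constructed sample, which may differ from the real Users > Reports export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample user report; column names are an assumption.
SAMPLE_REPORT = """\
identity_source,username,alternate_username,email,object_guid
HQ-AD,jsmith,john.smith@example.com,john.smith@example.com,guid-0001
HQ-AD,mlee,mary.lee@example.com,mary.lee@example.com,guid-0002
Branch-LDAP,jsmith,jsmith@branch.example.com,john.smith@example.com,guid-0003
HQ-AD,svc_backup,,,guid-0004
Branch-LDAP,pwong,peter.wong@example.com,peter.wong@example,guid-0005
HQ-AD,mlee2,m.lee@example.com,mary.lee@example.com,guid-0006
"""

# Minimal syntax check: one '@', no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_sync_conflicts(report_text):
    """Map each finding to the (identity_source, username) records involved.

    Findings: missing_email, invalid_email, and duplicate_<column>_<scope>
    where column is username, alternate_username or email and scope tells
    whether the clash is within_source or across_sources.
    """
    rows = list(csv.DictReader(io.StringIO(report_text)))
    findings = defaultdict(list)
    index = {col: defaultdict(list)
             for col in ("username", "alternate_username", "email")}
    for r in rows:
        ident = (r["identity_source"], r["username"])
        if not r["email"]:
            findings["missing_email"].append(ident)
        elif not EMAIL_RE.match(r["email"]):
            findings["invalid_email"].append(ident)
        for col, by_value in index.items():
            if r[col]:  # blank values cannot collide
                by_value[r[col].lower()].append(ident)
    for col, by_value in index.items():
        for value, idents in by_value.items():
            if len(idents) > 1:
                sources = {source for source, _ in idents}
                scope = "within_source" if len(sources) == 1 else "across_sources"
                findings[f"duplicate_{col}_{scope}"].append((value, idents))
    return dict(findings)
```

Each duplicate finding names every record that shares the value, so the affected identity sources can be narrowed or re-mapped as described above.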