000033659 - RSA Archer 5.x LDAP Synch sometimes fails when Use Serverless Binding option is enabled in LDAP Configuration

Document created by RSA Customer Support Employee on Aug 10, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000033659
Applies To: RSA Product Set: Archer
RSA Version/Condition: 5.x
Issue: The LDAP Synch sometimes fails when the Use Serverless Binding option is enabled in the LDAP Configuration.
Cause: One possible cause is that the LDAP Configuration has the Use Serverless Binding option enabled and the environment has multiple Active Directory Domain Controllers (ADDCs).
Serverless binding does not control which ADDC the connection lands on first. If users and groups are not identical across all of your ADDCs, the LDAP Synch can connect to an ADDC whose users, groups or hierarchy differ from what Archer expects, and the synch may fail. Running the LDAP Synch again may succeed, but that only means it happened to connect to a different ADDC that does match the user and group setup it recognizes.
Resolution: There are a few options:
  1. Specify the Active Directory Domain Controller:
    1. Uncheck the Use Serverless Binding option.
    2. For Name/IP Address, enter the IP address or server name of the specific Active Directory Domain Controller.
    3. Run LDAP Synch tests to verify that the results are consistent.
  2. For Name/IP Address, specify an Active Directory Global Catalog server and append ":3268" (the Global Catalog port), then run the LDAP Synch.
  3. Ask the Active Directory administrator to verify that the Domain Controllers are replicating correctly with each other across the domain.
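The following PowerShell script is an added example, not part of the RSA article and not Archer's own tooling. It shows how an AD administrator can check option 3 before touching the Archer configuration: it reads the users and groups under the base DN that Archer's LDAP configuration is scoped to from every Domain Controller, reports any objects that are present on one DC but missing on another (exactly the situation in which serverless binding can land on a DC that does not match), and prints the replication status of each DC. It assumes the ActiveDirectory PowerShell module is installed, that the account running it can read the directory, and that `$SearchBase` is replaced with the real base DN (the value below is a placeholder).

```powershell
# Added example (not from the RSA article): compare what Archer's LDAP Synch
# would read from each Domain Controller and show replication health.
# Assumptions: ActiveDirectory module present; $SearchBase is a placeholder
# to be replaced with the base DN used in Archer's LDAP Configuration.
Import-Module ActiveDirectory

$SearchBase = "OU=ArcherUsers,DC=corp,DC=example"   # placeholder base DN

# Every DC that serverless binding could pick.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Snapshot of user and group DNs as seen from each DC.
$snapshots = @{}
foreach ($dc in $dcs) {
    try {
        $users  = Get-ADUser  -Filter * -SearchBase $SearchBase -Server $dc -ErrorAction Stop |
                  Select-Object -ExpandProperty DistinguishedName
        $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Server $dc -ErrorAction Stop |
                  Select-Object -ExpandProperty DistinguishedName
        $snapshots[$dc] = @(@($users) + @($groups) | Sort-Object)
    } catch {
        # A DC that cannot be queried is itself a candidate cause of a failed synch.
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

# Use the first reachable DC as the reference and report every difference.
# SideIndicator "<=" means the object exists only on the reference DC,
# "=>" means it exists only on the DC being compared.
$reference = $snapshots.Keys | Select-Object -First 1
foreach ($dc in $snapshots.Keys) {
    if ($dc -eq $reference) { continue }
    if ($snapshots[$reference].Count -eq 0 -or $snapshots[$dc].Count -eq 0) {
        Write-Warning "Empty result set on $reference or $dc; check the base DN and permissions"
        continue
    }
    $diff = Compare-Object -ReferenceObject $snapshots[$reference] -DifferenceObject $snapshots[$dc]
    if ($diff) {
        Write-Output "Objects differ between $reference and $dc :"
        $diff | ForEach-Object { "  $($_.SideIndicator) $($_.InputObject)" }
    } else {
        Write-Output "$reference and $dc agree on $($snapshots[$dc].Count) objects"
    }
}

# Replication status per DC: a non-zero LastReplicationResult or a stale
# LastReplicationSuccess points at the partner link the AD admin should fix.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

Run it from a workstation or server that has the RSAT ActiveDirectory module. If the snapshot comparison reports differences, the LDAP Synch will succeed or fail depending on which DC serverless binding happens to choose, which is the intermittent behaviour described above; until replication is repaired, pinning Archer to one DC (option 1) or to the Global Catalog on port 3268 (option 2) makes the result deterministic.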