On 11/03/2015 11:52, Clément OUDOT wrote:
Hello,

I just tried this method. I have two tasks: user-task to create/synchronize
user info (with conditions create, update, delete, changeId); password-task
to synchronise password infos (with condition update only)

there are two problems:

- in async mode, only user-task is run when the ldap object is modified. the
password-task is never run. shall I use a different <ldapConnection> for the
password-task?

No, it should work, but I never tested this kind of configuration
(launching 2 async tasks in the same process). It may be better to
start one process for each async task.

aaargh I'm an idiot :-(
I was modifying the userPassword attribute, not the dedicated attribute with the encrypted clear password. It works as expected, sorry



- I guess there is some sort of connection rate limiting in AD because the
password-task fails for several accounts with LdapErr: DSID-0C090724

the problem is not with the password, because when I start the task for one
user, it always succeeds. however, trying to validate the connection for
thousands of accounts in a row does not work.
In the AD's event viewer, I can see thousands of connection attempts, with a
lot of failures.
How do you solve this issue? is it possible to limit the lsc's update rate?
Remember, I have to restart the lsc process each morning, so the issue will
arise every day. Also, if I cannot make async mode work, I'll have to run
lsc regularly, say every 5 minutes. I don't want to fill the logs with
rejected connection attempts


I never had a limitation on AD connections. Could you send the complete
AD error message?

I think I wasn't doing it properly. in the user-task, I was creating the password entry with an initial fixed password, and I was expecting the password-task to update the account with the right password.

After a good night's sleep, I asked myself: "why not create the account with the right password in the first place? I shall update the password if it changes afterward." I guess I was lacking sleep yesterday...

Anyway, I still have errors, but there are not as many as yesterday:

== first kind ==

there are a few of these. they are the same as yesterday

mars 12 10:37:31 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=achaneti)) in : javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]; remaining name ''

== second kind ==

there are *a lot* of these errors.

mars 12 10:37:32 - INFO - Connecting to LDAP server ldaps://ad2012.self/ou=synclsc,dc=ad2012,dc=self as cn=Administrateur,cn=users,dc=ad2012,dc=self
mars 12 10:37:32 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=jdassere)) in : javax.naming.CommunicationException: Request: 6 cancelled; remaining name ''
mars 12 10:37:32 - WARN - Communication error, retrying: Request: 6 cancelled


I do my tests on a Windows Server 2012 running in a VM. I did a bare install, without any tuning or specific configuration.

I cannot have a copy of the production server, so I cannot test with the actual configuration. So unless proven wrong, I'll assume my test server is not properly configured.

Thanks for your help. Best regards,

--
Jephté CLAIN | Developer / Application Integrator
Service Systèmes d'Information http://dsiun.univ-reunion.fr
Tel: +262 262 93 86 31 || Mobile: +262 692 29 58 24 || http://www.univ-reunion.fr
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
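
Added example, not part of the original thread and not LSC code: a small Python triage script that separates the two kinds of errors quoted in the message above, decoding the AD `data` sub-code that accompanies LDAP error 49 and grouping failures by sAMAccountName. The function names are assumptions of this example, the sub-code meanings are the standard Win32 logon error codes, and the sample lines are the ones quoted in the message.

```python
import re
from collections import Counter, defaultdict

# "data" sub-codes AD returns with LDAP error 49 (Win32 error codes in hex).
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}
ACCOUNT_RE = re.compile(r"\(sAMAccountName=([^)]+)\)")
AUTH_RE = re.compile(r"error code 49 .*?AcceptSecurityContext error, data ([0-9a-f]+)", re.I)
COMM_RE = re.compile(r"CommunicationException: ([^;]+);")

# Log lines copied from the excerpts in the message above.
SAMPLE = [
    "mars 12 10:37:31 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=achaneti)) in : javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]; remaining name ''",
    "mars 12 10:37:32 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=jdassere)) in : javax.naming.CommunicationException: Request: 6 cancelled; remaining name ''",
    "mars 12 10:37:32 - WARN - Communication error, retrying: Request: 6 cancelled",
]

def classify(line):
    """Return (account, kind, detail) for an ERROR line, else None."""
    if " - ERROR - " not in line:
        return None
    m = ACCOUNT_RE.search(line)
    account = m.group(1) if m else "?"
    auth = AUTH_RE.search(line)
    if auth:
        code = auth.group(1).lower()
        return account, "auth", AD_BIND_SUBCODES.get(code, "unknown sub-code " + code)
    comm = COMM_RE.search(line)
    if comm:
        return account, "comm", comm.group(1)
    return account, "other", ""

def summarize(lines):
    """Count failures by (kind, detail) and collect affected accounts per kind."""
    counts, accounts = Counter(), defaultdict(set)
    for account, kind, detail in filter(None, map(classify, lines)):
        counts[(kind, detail)] += 1
        accounts[kind].add(account)
    return counts, accounts

if __name__ == "__main__":
    counts, accounts = summarize(SAMPLE)
    for (kind, detail), n in counts.most_common():
        print(f"{n:5d}  {kind:5s} {detail}  accounts={sorted(accounts[kind])}")
```

Run over a full log, the per-kind account sets show whether the authentication failures hit the same few accounts each time while the cancelled requests are spread across many.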
