2015-03-12 7:52 GMT+01:00 Jephte Clain <[email protected]>:
> On 11/03/2015 11:52, Clément OUDOT wrote:
>>>
>>> Hello,
>>>
>>> I just tried this method. I have two tasks: user-task to create/synchronize
>>> user info (with conditions create, update, delete, changeId); password-task
>>> to synchronise password infos (with condition update only)
>>>
>>> there are two problems:
>>>
>>> - in async mode, only user-task is run when the ldap object is modified. the
>>> password-task is never run. shall I use a different <ldapConnection> for the
>>> password-task?
>>
>>
>> No it should work, but I never tested this kind of configuration
>> (launching 2 async tasks in the same process). It may be better to
>> start one process for each async task.
>
>
> aaargh I'm an idiot :-(
> I was modifying the userPassword attribute, not the dedicated attribute with
> the encrypted clear password. It works as expected, sorry
>
>>
>>>
>>> - I guess there is some sort of connection rate limiting in AD because the
>>> password-task fails for several accounts with LdapErr: DSID-0C090724
>>>
>>> the problem is not with the password, because when I start the task for one
>>> user, it always succeeds. however, trying to validate the connection for
>>> thousands of accounts in a row does not work.
>>> In the AD's event viewer, I can see thousands of connection attempts, with a
>>> lot of failures.
>>> How do you solve this issue? is it possible to limit the lsc's update rate?
>>> Remember, I have to restart the lsc process each morning, so the issue will
>>> arise every day. Also, if I cannot make async mode work, I'll have to run
>>> lsc regularly, say every 5 minutes. I don't want to fill the logs with
>>> rejected connection attempts
>>>
>>
>> I never had a limitation on AD connection. Could you send the complete
>> AD error message?
>
>
> I think I wasn't doing it properly. in the user-task, I was creating the
> password entry with an initial fixed password, and I was expecting the
> password-task to update the account with the right password.
>
> With a good night's sleep, I wondered to myself: "why not create the account with
> the right password in the first place? I shall update the password if it
> changes afterward." I guess I was lacking sleep yesterday...
>
> Anyway, I still have errors, but there are not as many as yesterday:
>
> == first kind ==
>
> there are a few of these. they are the same as yesterday
>
> mars 12 10:37:31 - ERROR - Error while looking for
> (&(objectClass=user)(sAMAccountName=achaneti)) in :
> javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
> LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e,
> v23f0]; remaining name ''
>

This is an "invalid password" error: the DN or the password is bad.

> == second kind ==
>
> there are *a lot* of these errors.
>
> mars 12 10:37:32 - INFO - Connecting to LDAP server
> ldaps://ad2012.self/ou=synclsc,dc=ad2012,dc=self as
> cn=Administrateur,cn=users,dc=ad2012,dc=self
> mars 12 10:37:32 - ERROR - Error while looking for
> (&(objectClass=user)(sAMAccountName=jdassere)) in :
> javax.naming.CommunicationException: Request: 6 cancelled; remaining name ''
> mars 12 10:37:32 - WARN - Communication error, retrying: Request: 6
> cancelled
>
>
> I do my test on a Windows Server 2012 running in a VM. I did a bare install,
> without any tuning nor specific configuration.
>
> I cannot have a copy of the production server, so I cannot test with the
> actual configuration. So unless proven wrong, I'll assume my test server is
> not properly configured.
>
> Thanks for your help. Best regards,
>

I know sometimes AD has a limit on concurrency. Can you try to run LSC
with -t1 (one thread) ?

Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
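The two error kinds discussed in this thread can be separated mechanically when triaging an LSC log. The following is an added example, not part of the original messages and not LSC code: it assumes each log entry sits on one line (the excerpts above are wrapped by the mail client), and the sub-code table lists commonly documented Active Directory bind sub-codes, of which only 52e appears in the thread.

```python
import re
from collections import defaultdict

# Commonly documented AD sub-codes carried in the "data NNN" field of an
# LDAP error 49 (assumption: only 52e is shown in the thread itself).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "532": "password expired",
    "533": "account disabled",
    "775": "account locked out",
}

ACCOUNT_RE = re.compile(r"sAMAccountName=([^)]+)\)")
SUBCODE_RE = re.compile(r"error code 49\b.*?\bdata ([0-9a-fA-F]+)")

def classify(line):
    """Return (account, kind, detail) for an LSC ERROR line, else None."""
    if " - ERROR - " not in line:
        return None
    m = ACCOUNT_RE.search(line)
    account = m.group(1) if m else "?"
    sub = SUBCODE_RE.search(line)
    if "AuthenticationException" in line and sub:
        code = sub.group(1).lower()
        return account, "auth", AD_BIND_SUBCODES.get(code, "unknown sub-code " + code)
    if "CommunicationException" in line:
        detail = line.split("CommunicationException:", 1)[1].split(";")[0].strip()
        return account, "transport", detail
    return account, "other", ""

def summarize(lines):
    """Group (account, detail) pairs by failure kind."""
    out = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            out[result[1]].append((result[0], result[2]))
    return dict(out)

# Constructed sample: the thread's wrapped excerpts rejoined onto single lines.
SAMPLE = [
    "mars 12 10:37:31 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=achaneti)) in : javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]; remaining name ''",
    "mars 12 10:37:32 - INFO - Connecting to LDAP server ldaps://ad2012.self/ou=synclsc,dc=ad2012,dc=self as cn=Administrateur,cn=users,dc=ad2012,dc=self",
    "mars 12 10:37:32 - ERROR - Error while looking for (&(objectClass=user)(sAMAccountName=jdassere)) in : javax.naming.CommunicationException: Request: 6 cancelled; remaining name ''",
    "mars 12 10:37:32 - WARN - Communication error, retrying: Request: 6 cancelled",
]

if __name__ == "__main__":
    for kind, hits in summarize(SAMPLE).items():
        print(kind, hits)
```

Entries in the "auth" group are credential rejections by the directory, while "transport" entries never reached a bind decision, which is the group the single-thread (-t1) suggestion addresses.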

