On 12/03/2015 14:23, Clément OUDOT wrote:
2015-03-12 7:52 GMT+01:00 Jephte Clain <[email protected]>:
On 11/03/2015 11:52, Clément OUDOT wrote:

Hello,

Hello,


I just tried this method. I have two tasks: user-task to create/synchronize user info (with conditions create, update, delete, changeId); password-task to synchronise password info (with condition update only).

There are two problems:

- in async mode, only user-task is run when the ldap object is modified. The password-task is never run. Shall I use a different <ldapConnection> for the password-task?


No, it should work, but I never tested this kind of configuration (launching 2 async tasks in the same process). It may be better to start one process for each async task.


Aaargh, I'm an idiot :-(
I was modifying the userPassword attribute, not the dedicated attribute with the encrypted clear password. It works as expected, sorry.



- I guess there is some sort of connection rate limiting in AD, because the password-task fails for several accounts with LdapErr: DSID-0C090724

The problem is not with the password, because when I start the task for one user, it always succeeds. However, trying to validate the connection for thousands of accounts in a row does not work. In the AD's event viewer, I can see thousands of connection attempts, with a lot of failures.
How do you solve this issue? Is it possible to limit the lsc's update rate?
Remember, I have to restart the lsc process each morning, so the issue will arise every day. Also, if I cannot make async mode work, I'll have to run lsc regularly, say every 5 minutes. I don't want to fill the logs with rejected connection attempts.


I never had a limitation on AD connections. Could you send the complete AD error message?


I think I wasn't doing it properly. In the user-task, I was creating the password entry with an initial fixed password, and I was expecting the password-task to update the account with the right password.

With a good night's sleep, I asked myself: "why not create the account with the right password in the first place? I shall update the password if it changes afterward." I guess I was lacking sleep yesterday...

Anyway, I still have errors, but there are not as many as yesterday:

== first kind ==

There are a few of these. They are the same as yesterday.

mars 12 10:37:31 - ERROR - Error while looking for
(&(objectClass=user)(sAMAccountName=achaneti)) in :
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e,
v23f0]; remaining name ''



This is an "invalid password" error: the DN or the password is bad.

I know. This is the reason I told you earlier that when I do the test with one account only, it works... So the password is not invalid.


== second kind ==

There are *a lot* of these errors.

mars 12 10:37:32 - INFO  - Connecting to LDAP server
ldaps://ad2012.self/ou=synclsc,dc=ad2012,dc=self as
cn=Administrateur,cn=users,dc=ad2012,dc=self
mars 12 10:37:32 - ERROR - Error while looking for
(&(objectClass=user)(sAMAccountName=jdassere)) in :
javax.naming.CommunicationException: Request: 6 cancelled; remaining name ''
mars 12 10:37:32 - WARN  - Communication error, retrying: Request: 6
cancelled


I do my test on a Windows Server 2012 running in a VM. I did a bare install, without any tuning or specific configuration.

I cannot have a copy of the production server, so I cannot test with the actual configuration. So unless proven wrong, I'll assume my test server is not properly configured.

Thanks for your help. Best regards,



I know sometimes AD has a limit on concurrency. Can you try to run LSC with -t1 (one thread)?

Muuuch better. Thanks.
When disabling concurrency, the two kinds of errors above no longer occur.

FYI, I have a lot of these:

mars 12 15:04:46 - ERROR - There is no future associated with operation message ID 359, perhaps the operation would have been completed

but they seem to be harmless.




Clément.



--
Jephté CLAIN | Developer / Application Integrator
Information Systems Department http://dsiun.univ-reunion.fr
Tel: +262 262 93 86 31 || Mobile: +262 692 29 58 24 || http://www.univ-reunion.fr
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
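The thread turns on telling apart two things that both show up as "Error while looking for ..." in the LSC log: a bind actually rejected by AD (error code 49, whose "data" sub-code says why) and a request cancelled on the wire (the symptom that disappeared with -t1). The small triage script below is an added example, not LSC's own code or anything from the posters; it decodes the AD sub-code instead of reading every code 49 as "bad password", and aggregates per account so a lockout (data 775) caused by thousands of retried binds would stand out. The sample log lines are constructed from the excerpts quoted above; the account names and the 775 line are made up.

```python
import re
from collections import Counter

# AD sub-codes reported as "data NNN" in an AcceptSecurityContext error (LDAP code 49).
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "not permitted to log on at this time", "531": "not permitted at this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}
LOOKUP_RE = re.compile(r"Error while looking for \(&\(objectClass=user\)\(sAMAccountName=([^)]+)\)\)")
AUTH_RE = re.compile(r"error code 49 .*?data ([0-9a-f]{3})", re.IGNORECASE)
CANCEL_RE = re.compile(r"CommunicationException: Request: \d+ cancelled")
def classify(line):
    """Return (account, kind) for an LSC 'Error while looking for' line, else None."""
    m = LOOKUP_RE.search(line)
    if not m:
        return None
    account, auth = m.group(1), AUTH_RE.search(line)
    if auth:  # bind rejected by AD: decode the sub-code rather than guessing "bad password"
        code = auth.group(1).lower()
        return account, "bind failure: " + AD_BIND_SUBCODES.get(code, "unknown sub-code " + code)
    if CANCEL_RE.search(line):  # request dropped before an answer: a transport/concurrency symptom
        return account, "request cancelled (communication error)"
    return account, "other error"

def summarize(lines):
    """Count each error kind and collect the accounts affected by it."""
    kinds, accounts = Counter(), {}
    for hit in filter(None, map(classify, lines)):
        account, kind = hit
        kinds[kind] += 1
        accounts.setdefault(kind, set()).add(account)
    return kinds, accounts

def _err(account, detail):  # one-line LSC ERROR entry, used only to build the sample below
    return (f"mars 12 10:37:31 - ERROR - Error while looking for "
            f"(&(objectClass=user)(sAMAccountName={account})) in : {detail}; remaining name ''")

# Constructed sample modelled on the excerpts in the thread; the "data 775" line is added
# to show what an account locked out by repeated failed binds would look like.
SAMPLE_LOG = [
    _err("achaneti", "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
         "LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0]"),
    "mars 12 10:37:32 - INFO  - Connecting to LDAP server ldaps://ad2012.self/ou=synclsc,dc=ad2012,dc=self",
    _err("jdassere", "javax.naming.CommunicationException: Request: 6 cancelled"),
    _err("jdassere", "javax.naming.CommunicationException: Request: 7 cancelled"),
    _err("jdupont", "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
         "LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 775, v23f0]"),
]
```

Running summarize(SAMPLE_LOG) over a real LSC log gives, per error kind, a count and the set of sAMAccountNames hit, which is what you want to look at before deciding whether the cause is credentials, AD-side lockout, or the thread count.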
