Analyzing UCS AD Connector errors

The UCS AD Connector synchronizes objects between the UCS directory (OpenLDAP) and MS Active Directory 2000/2003/2008.

For an article related to UCS 4.x, refer to AD-Connector - Troubleshooting Guide.

Configuration

The configuration of the UCS Active Directory Connector is described in the UCS manual for users and administrators.

General information about error analysis

When objects are not synchronized correctly, either partly or as a whole, please check the following files and outputs on the UCS Domain Controller first:

  • Output from univention-adsearch with a filter (e.g. univention-adsearch cn=Administrator) should show the AD object. If this tool does not work, check the connector's basic configuration.
  • Logfile /var/log/univention/connector-status.log: current synchronization overview
  • Logfile /var/log/univention/connector.log: general logfile; the amount of information is controlled by the debug level (0 to 4) in the UCR variable connector/debug/level.
  • Output from univention-connector-list-rejected: lists all objects that are not fully synchronized (rejects).

If the problematic object is in the list of rejects, the logfile connector.log should be checked for the corresponding error.

Typical errors

Consider checking Bug #13048 (German)

Password service not reachable

The Connector creates users in the other directory, but doesn't activate the users in the AD. The passwords are not synchronized.

The connector.log shows tracebacks like this one:

failed in post_con_modify_functions
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/univention/connector/__init__.py", line 1018, in sync_to_ucs
    f(self, property_type, object)
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 239, in password_sync
    res = get_password_from_ad(connector, rid)
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad
    s.connect ( (connector.lo_ad.host, 6670) )
  File "<string>", line 1, in connect
error: (111, 'Connection refused')

Possible reasons for the errors:

  • The Windows firewall blocks access: add an exception for C:\Windows\UCS-AD-Connector\ucs-ad-connector.exe in the Windows firewall settings
  • The password service on the AD is not running: check/restart the UCS AD Connector service under Start → Administrative Tools → Services
  • The configuration is incomplete, e.g. no certificates are present: see the logfile in the installation path C:\Windows\UCS-AD-Connector\ucs-ad-connector.log

An LDAP server is not reachable

The connector.log contains tracebacks ending with the following error message:

SERVER_DOWN: {'desc': "Can't contact LDAP server"}

Check the availability of the UCS LDAP server (e.g. using univention-ldapsearch) and the AD LDAP (e.g. using univention-adsearch).

The AD’s maximum search size is reached

The AD doesn’t return more than 1000 items when performing a search. A group with more than 1000 primary members exceeds this size in the Connector. The error message in the connector.log ends with:

ldap.SIZELIMIT_EXCEEDED: {'info': , 'desc': 'Size limit exceeded'}

The configuration for the search size limit is documented in the Connector manual.

Features from the UCS cannot be represented in AD

UCS has more features than AD, e.g.

  • nested group memberships
  • Container and OU structures

If features from UCS that cannot be represented in AD are to be synchronized, the affected objects are recorded in the connector.log with this or a similar error message:

UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perfor

Continuous synchronization of all users

This error should not be mistaken for a reject, where the rejected objects are resynchronized after some time.

The most common cause is that the password hashes cannot be saved in the AD, and therefore the object is synchronized again and again. This can occur when the connector is not configured according to the Connector documentation for use with a Windows 2008 Server. By default, Windows Server 2008 is configured not to store complete NTLM hashes. This problem can be solved with the correct configuration of the AD policies.

When this problem occurs, the connector.log contains NTLM hash outputs with the string NO PASSWORD*******************, e.g.:

25.10.2010 19:09:45,546 LDAP        (INFO   ): password_sync_ucs: Hash AD: CAA1239D44DA7EDF926BCE39F5C65D0FNO PASSWORD********************* Hash UCS: CAA1239D44DA7EDF926BCE39F5C65D0F3CC16AE8CE3F6C8A31283C286CD09B63
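The sections under "Typical errors" each identify a problem by a fixed string in connector.log. The following script is an added example for this article, not part of the UCS AD Connector or any Univention tool: it scans text in the connector.log format for exactly those signatures, maps each hit to the section that explains it, and, for the "NO PASSWORD" case, splits the logged hash line so the incomplete AD value can be compared with the UCS value. The log excerpt is constructed for the example; the signature strings are the ones quoted above.

```python
"""Triage helper for UCS AD Connector logs (added example, not Univention code)."""
import re
from collections import Counter

# (pattern, diagnosis, what to check). Diagnoses follow the article's section
# titles; the checks summarize the article's recommendations.
SIGNATURES = [
    (re.compile(r"error: \(111, 'Connection refused'\)"),
     "Password service not reachable",
     "Windows firewall exception for ucs-ad-connector.exe; UCS AD Connector "
     "service running; C:\\Windows\\UCS-AD-Connector\\ucs-ad-connector.log"),
    (re.compile(r"SERVER_DOWN: .*Can't contact LDAP server"),
     "An LDAP server is not reachable",
     "univention-ldapsearch for the UCS LDAP, univention-adsearch for the AD LDAP"),
    (re.compile(r"ldap\.SIZELIMIT_EXCEEDED"),
     "The AD's maximum search size is reached",
     "search size limit setting documented in the Connector manual"),
    (re.compile(r"UNWILLING_TO_PERFORM: .*WILL_NOT_PERFORM"),
     "Features from the UCS cannot be represented in AD",
     "nested group memberships or container/OU structures on the object"),
    (re.compile(r"password_sync_ucs: Hash AD: [0-9A-Fa-f]*NO PASSWORD\*+"),
     "Continuous synchronization of all users",
     "AD policy for storing complete NTLM hashes (Windows 2008)"),
]

HASH_LINE_RE = re.compile(
    r"Hash AD: ([0-9A-Fa-f]+)(NO PASSWORD\*+) Hash UCS: ([0-9A-Fa-f]+)"
)


def classify_line(line):
    """Return (diagnosis, check) for a line matching a known signature, else None."""
    for pattern, diagnosis, check in SIGNATURES:
        if pattern.search(line):
            return diagnosis, check
    return None


def triage(log_text):
    """Count diagnoses over all lines and keep the first matching line per diagnosis."""
    counts = Counter()
    first_hit = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        diagnosis, check = hit
        counts[diagnosis] += 1
        first_hit.setdefault(diagnosis, (line.strip(), check))
    return counts, first_hit


def parse_hash_line(line):
    """Split a password_sync_ucs hash line into its parts.

    In the article's example the AD value is a run of hex digits followed by
    'NO PASSWORD****' filler, while the UCS value is twice as many hex digits.
    The result reports whether the hex part AD did store matches the start of
    the UCS hash and whether the filler stands in for the missing second half.
    """
    m = HASH_LINE_RE.search(line)
    if m is None:
        return None
    ad_hex, filler, ucs_hash = m.groups()
    return {
        "ad_hex": ad_hex,
        "ad_filler": filler,
        "ucs_hash": ucs_hash,
        "prefix_matches": ucs_hash.upper().startswith(ad_hex.upper()),
        "half_missing": len(ad_hex) + len(filler) == len(ucs_hash),
    }


# Constructed hash line in the format the article shows (hash values copied
# from the article's example; 21 filler stars).
HASH_LINE = (
    "25.10.2010 19:09:45,546 LDAP        (INFO   ): password_sync_ucs: "
    "Hash AD: CAA1239D44DA7EDF926BCE39F5C65D0F" + "NO PASSWORD" + "*" * 21
    + " Hash UCS: CAA1239D44DA7EDF926BCE39F5C65D0F3CC16AE8CE3F6C8A31283C286CD09B63"
)

# Constructed excerpt in the style of connector.log with one instance of each
# signature; the traceback is shortened to its last frames.
SAMPLE_LOG = "\n".join([
    "failed in post_con_modify_functions",
    "Traceback (most recent call last):",
    '  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad',
    "    s.connect ( (connector.lo_ad.host, 6670) )",
    "error: (111, 'Connection refused')",
    "SERVER_DOWN: {'desc': \"Can't contact LDAP server\"}",
    "ldap.SIZELIMIT_EXCEEDED: {'info': '', 'desc': 'Size limit exceeded'}",
    "UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'desc': 'Server is unwilling to perform'}",
    HASH_LINE,
])


if __name__ == "__main__":
    counts, first_hit = triage(SAMPLE_LOG)
    for diagnosis, n in counts.items():
        line, check = first_hit[diagnosis]
        print(f"{n}x {diagnosis}\n    line:  {line}\n    check: {check}")
    print(parse_hash_line(HASH_LINE))
```

On a real system, feed the script the contents of /var/log/univention/connector.log (a higher connector/debug/level produces the password_sync_ucs lines) and compare its counts with the output of univention-connector-list-rejected: a diagnosis that keeps recurring for objects that never appear as rejects is the "continuous synchronization" pattern described above, not a reject.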
