The UCS AD Connector synchronizes objects between the UCS directory (OpenLDAP) and MS Active Directory 2000/2003/2008.
For an article related to UCS 4.x, refer to AD-Connector - Troubleshooting Guide.
Configuration
The configuration of the UCS Active Directory Connector is described in the UCS manual for users and administrators.
General information about error analysis
When objects are not synchronized correctly, either partly or as a whole, please check the following files and outputs on the UCS Domain Controller first:
- Output from univention-adsearch with a filter (e.g. univention-adsearch cn=Administrator) should show the AD object. If this tool doesn’t work, check the connector’s basic configuration.
- Logfile /var/log/univention/connector-status.log: Current synchronization overview
- Logfile /var/log/univention/connector.log: General logfile; the amount of detail is controlled by the UCR variable connector/debug/level (debug level 0 to 4).
- Output from univention-connector-list-rejected: Lists all objects that are not fully synchronized, i.e. rejects.
If the problematic object appears in the list of rejects, check the logfile connector.log.
Typical errors
Consider checking Bug #13048 (German)
Password service not reachable
The Connector creates users in the other directory, but doesn’t activate the users in the AD. The passwords are not synchronized.
The connector.log shows tracebacks like this one:
failed in post_con_modify_functions
Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/univention/connector/__init__.py", line 1018, in sync_to_ucs
f(self, property_type, object)
File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 239, in password_sync
res = get_password_from_ad(connector, rid)
File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad
s.connect ( (connector.lo_ad.host, 6670) )
File "<string>", line 1, in connect
error: (111, 'Connection refused')
Possible reasons for the errors:
- The Windows firewall forbids access: Add an exception for C:\Windows\UCS-AD-Connector\ucs-ad-connector.exe in the Windows firewall settings.
- The password service on the AD is not running: Check/restart the UCS AD Connector service under Start → Administrative Tools → Services.
- The configuration is incomplete, e.g. no certificates are present: See logfile in the installation path C:\Windows\UCS-AD-Connector\ucs-ad-connector.log
An LDAP server is not reachable
The connector.log contains tracebacks ending with the following error message:
SERVER_DOWN: {'desc': "Can't contact LDAP server"}
Check the availability of the UCS LDAP server (e.g. using univention-ldapsearch) and the AD LDAP (e.g. using univention-adsearch).
The AD’s maximum search size is reached
The AD returns at most 1000 entries for a search. A group with more than 1000 primary members exceeds this limit when the Connector synchronizes it. The error message in the connector.log ends with:
ldap.SIZELIMIT_EXCEEDED: {'info': , 'desc': 'Size limit exceeded'}
The configuration for the search size limit is documented in the Connector manual.
Features from the UCS cannot be represented in AD
UCS has more features than AD, e.g.
- nested group memberships
- Container and OU structures
If UCS features that cannot be represented in the AD are to be synchronized, the affected objects are recorded in the connector.log with this or a similar error message:
UNWILLING_TO_PERFORM: {'info': '00002142: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perfor
Continuous synchronization of all users
This error is not to be mistaken for a reject, where the rejected objects are resynchronized after some time.
The most common cause is that the password hashes cannot be saved in the AD and therefore the object is synchronized again. This can occur when the connector is not configured according to the Connector documentation to work with a Windows 2008 Server. By default, a Windows 2008 Server is configured to not save complete NTLM hashes. This problem can be solved with the correct configuration of the AD policies.
When this problem occurs, the connector.log contains NTLM hash outputs with the string NO PASSWORD*******************, e.g.:
25.10.2010 19:09:45,546 LDAP (INFO ): password_sync_ucs: Hash AD: CAA1239D44DA7EDF926BCE39F5C65D0FNO PASSWORD********************* Hash UCS: CAA1239D44DA7EDF926BCE39F5C65D0F3CC16AE8CE3F6C8A31283C286CD09B63
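The following script is an added example and not part of UCS or of this guide. It triages a connector.log by matching the error signatures quoted in the sections above (password service refused on port 6670, SERVER_DOWN, SIZELIMIT_EXCEEDED, UNWILLING_TO_PERFORM, and the NO PASSWORD marker in the password_sync_ucs hash output) and maps each hit to the corresponding check. The sample log lines are constructed for this example (only the hash line is taken from this guide); the signature names and advice strings are this example's own labels, not connector identifiers.

```python
import re
from collections import Counter

# Constructed sample of connector.log lines. The traceback tail, the LDAP error
# messages and the hash line are modelled on the excerpts quoted in this guide;
# the object DN and timestamps are made up.
SAMPLE_LOG = """\
25.10.2010 19:09:40,101 LDAP (PROCESS): sync to ucs: [user] [modify] cn=jdoe,cn=users,dc=example,dc=com
failed in post_con_modify_functions
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/univention/connector/ad/password.py", line 128, in get_password_from_ad
    s.connect ( (connector.lo_ad.host, 6670) )
error: (111, 'Connection refused')
25.10.2010 19:09:42,300 LDAP (ERROR  ): SERVER_DOWN: {'desc': "Can't contact LDAP server"}
25.10.2010 19:09:44,010 LDAP (ERROR  ): ldap.SIZELIMIT_EXCEEDED: {'info': '', 'desc': 'Size limit exceeded'}
25.10.2010 19:09:45,546 LDAP (INFO ): password_sync_ucs: Hash AD: CAA1239D44DA7EDF926BCE39F5C65D0FNO PASSWORD********************* Hash UCS: CAA1239D44DA7EDF926BCE39F5C65D0F3CC16AE8CE3F6C8A31283C286CD09B63
"""

# Signature name (this example's own label) -> regex over a single log line.
SIGNATURES = (
    ("password_service_unreachable", re.compile(r"\(111, 'Connection refused'\)")),
    ("ldap_server_down", re.compile(r"SERVER_DOWN:.*Can't contact LDAP server")),
    ("ad_size_limit_exceeded", re.compile(r"SIZELIMIT_EXCEEDED")),
    ("ad_unwilling_to_perform", re.compile(r"UNWILLING_TO_PERFORM")),
    ("ntlm_hash_not_stored", re.compile(r"Hash AD: .*NO PASSWORD\*+")),
)

# The check this guide recommends for each signature.
ADVICE = {
    "password_service_unreachable": "Password service on the AD host (port 6670) refused the connection: "
        "check the Windows firewall exception, the UCS AD Connector service and the certificates.",
    "ldap_server_down": "An LDAP server is unreachable: test with univention-ldapsearch (UCS) "
        "and univention-adsearch (AD).",
    "ad_size_limit_exceeded": "AD returned more than its search size limit (1000 by default): "
        "see the Connector manual for the size limit setting.",
    "ad_unwilling_to_perform": "AD refused an operation, typically a UCS feature it cannot represent "
        "(nested groups, container/OU structures).",
    "ntlm_hash_not_stored": "AD did not store the complete NTLM hash, so the user is resynchronized "
        "continuously: adjust the AD policies as described for Windows 2008 Server.",
}

HASH_LINE = re.compile(r"password_sync_ucs: Hash AD: (?P<ad>.*?) Hash UCS: (?P<ucs>\S+)")


def classify_line(line):
    """Return the name of the first signature matching this log line, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(line):
            return name
    return None


def parse_hash_line(line):
    """Split a password_sync_ucs line into (ad_hash, ucs_hash); None if not a hash line."""
    match = HASH_LINE.search(line)
    if match is None:
        return None
    return match.group("ad"), match.group("ucs")


def ad_hash_incomplete(line):
    """True when the AD side of a hash line carries the NO PASSWORD marker instead of a hash."""
    parsed = parse_hash_line(line)
    return parsed is not None and "NO PASSWORD" in parsed[0]


def triage(lines):
    """Count matches per signature over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        name = classify_line(line)
        if name is not None:
            counts[name] += 1
    return counts


def report(lines):
    """One summary line per signature seen, in SIGNATURES order, with the recommended check."""
    counts = triage(lines)
    return ["%s x%d: %s" % (name, counts[name], ADVICE[name])
            for name, _ in SIGNATURES if counts[name]]


if __name__ == "__main__":
    import sys
    # Pass a path to connector.log; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for entry in report(log_lines):
        print(entry)
```

Run it as `python triage_connector_log.py /var/log/univention/connector.log` on the UCS Domain Controller; the signatures are matched per line, so a single traceback produces one hit on its final error line. Rejects still need univention-connector-list-rejected, which this script does not replace.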