LDAP Directory Synchronization Troubleshooting

Document created by user.oxriBaJeN4 Employee on Sep 3, 2015. Last modified by user.oxriBaJeN4 Employee on May 12, 2016. Version 2.

This article discusses the possible causes of, and resolutions for, LDAP directory connector failures.

 

Mimecast monitors the directory connections of all of its customers to ensure that the synchronization process runs smoothly. In certain instances the synchronization process can fail, which can result in end-user logins failing and in permission issues. Prompt resolution of directory synchronization issues ensures that Mimecast end users can continue to log in successfully.

 

When attempting to resolve a directory connection issue, first confirm whether any changes have been made to your infrastructure or devices, and whether there are any known issues that could prevent successful connectivity.

Active Directory Credential Failure

 

Directory synchronization requires a user account in the customer infrastructure that Mimecast logs on with during the synchronization process. The account details are configured in the Administration Console. If the configured credentials do not match the account, the bind fails and Mimecast is unable to log on and synchronize the directory.

 

Once you have confirmed that no infrastructure or device changes have been made, consider the following:

  • Has the Active Directory account been moved or deleted?
  • Has the password for the Active Directory account been modified or reset?
  • Is the Active Directory account still active, i.e. neither expired nor locked out?
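The checks in the list above, as an added example that is not part of the original article. It reads the account's state with the ActiveDirectory module and then performs the same kind of simple bind over LDAPS that the connector performs, using the credentials configured on the connector, so that a failure shows the same Active Directory "data" code Mimecast would receive. The server name and account name are placeholders; the credential prompt, the LdapConnection API and the AD data codes are real.

```powershell
# Added example: not from the Mimecast article. Checks the directory connector's
# service account as the checklist asks, then performs a simple bind over LDAPS
# with the connector's credentials. Assumed placeholders: $Server and $Account.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'dc01.corp.example'    # assumed: host or IP configured on the connector
$Account = 'svc-mimecast-sync'    # assumed: sAMAccountName of the sync account

# 1. Account state: deleted or renamed, disabled, expired, locked out, password changed?
#    Compare DistinguishedName with the connector configuration if it binds with a DN:
#    a moved account keeps its name but its DN changes.
function Get-SyncAccountState {
    param([string]$Identity)
    try {
        Get-ADUser -Identity $Identity -ErrorAction Stop -Properties Enabled, LockedOut,
            PasswordExpired, PasswordLastSet, AccountExpirationDate, whenChanged |
          Select-Object DistinguishedName, Enabled, LockedOut, PasswordExpired,
            PasswordLastSet, AccountExpirationDate, whenChanged
    } catch {
        "Account '$Identity' not found (deleted or renamed?): $($_.Exception.Message)"
    }
}

# 2. Bind exactly as the connector does. On failure AD puts a "data NNN" code in the
#    server error text; these codes identify the cause.
$AdBindErrors = @{
    '525' = 'user not found';            '52e' = 'invalid credentials (wrong password)'
    '530' = 'logon hours restriction';   '531' = 'workstation restriction'
    '532' = 'password expired';          '533' = 'account disabled'
    '701' = 'account expired';           '773' = 'user must reset password'
    '775' = 'account locked out'
}

function Test-ConnectorBind {
    param([string]$Server, [pscredential]$Credential, [int]$Port = 636)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $net  = New-Object System.Net.NetworkCredential($Credential.UserName, $Credential.Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $net, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.SecureSocketLayer = $true
    # Accept any server certificate here so that a certificate problem is not mistaken
    # for a credential problem; the certificate is checked separately.
    $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $true }
    try {
        $conn.Bind()
        "Bind OK as $($Credential.UserName)"
    } catch {
        $detail = $_.Exception.ServerErrorMessage
        if ($detail -match 'data ([0-9a-f]+)') {
            $code = $Matches[1]
            "Bind failed: $($AdBindErrors[$code]) (AD data $code)"
        } else {
            "Bind failed: $($_.Exception.Message)"
        }
    } finally { $conn.Dispose() }
}

Get-SyncAccountState -Identity $Account
$cred = Get-Credential -Message "Password configured on the connector for $Account (DOMAIN\user or UPN)"
Test-ConnectorBind -Server $Server -Credential $cred
```

Enter the user name in the same form the connector uses (DOMAIN\user or a UPN); a simple bind with a bare sAMAccountName fails with data 52e even when the password is right. A result of "data 52e" with a correct password in hand means the password stored on the connector no longer matches the directory.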

 

Directory Connection Connectivity Failure

 

If Mimecast cannot connect to your organization's environment using LDAP or LDAPS, the connection to the IP address specified for the directory connector fails, and Mimecast is unable to synchronize with the directory server.

 

Once you have confirmed that no infrastructure or device changes have been made, consider the following:

 

  • Have any connectivity issues arisen in your infrastructure?
  • Have any changes been made recently to your firewall?
  • Do you allow connections on the appropriate port (389 for LDAP, 636 for LDAPS) from the entire Mimecast regional IP range, and are they mapped through to the correct destination?
  • Is the LDAP service currently running on your directory server?
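The connectivity checks above, as an added example that is not part of the original article. The first function, run from a host on the same network path Mimecast uses (ideally outside the perimeter firewall), tests TCP reachability, completes a TLS handshake, and then checks the presented certificate's names, chain and validity period; the second is run on the domain controller itself to confirm the directory service is up and listening. The host name is a placeholder; the cmdlets and .NET types are real.

```powershell
# Added example: not from the Mimecast article. Reachability, TLS handshake and
# certificate checks for the connector target, plus a service check for the DC.
# Assumed placeholder: the host name passed to Test-ConnectorEndpoint.
function Test-ConnectorEndpoint {
    param([string]$Server, [int]$Port = 636)

    # 1. TCP reachability: separates firewall/NAT problems from service problems.
    $tnc = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    "TCP ${Server}:${Port} reachable: $($tnc.TcpTestSucceeded)"
    if (-not $tnc.TcpTestSucceeded) { return }
    if ($Port -ne 636) { return }   # the remaining checks only apply to LDAPS

    # 2. TLS handshake. The callback accepts any certificate so the handshake completes;
    #    the certificate is validated explicitly below.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
    "Subject:    $($cert.Subject)"
    "Issuer:     $($cert.Issuer)"
    "Valid:      $($cert.NotBefore) to $($cert.NotAfter)"
    "Thumbprint: $($cert.Thumbprint)"

    # 3. Name match: the host name Mimecast connects to must appear in the certificate.
    $names  = @($cert.DnsNameList | ForEach-Object Unicode)
    $nameOk = [bool]($names | Where-Object { $Server -like $_ })   # '*.corp.example' handled by -like
    "Names in certificate: $($names -join ', ')"
    "Host name '$Server' covered: $nameOk"

    # 4. Chain and revocation as a client sees it. A chain that only builds because an
    #    internal root is installed on this host will still fail from Mimecast.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) { 'Certificate chain: valid' }
    else { $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" } }
    "Days until expiry: {0:N0}" -f ($cert.NotAfter - (Get-Date)).TotalDays
}

# 5. Run on the domain controller: is the directory service running and listening?
#    NTDS is the service name of Active Directory Domain Services.
function Test-LdapServiceOnDc {
    param([int]$Port = 636)
    Get-Service NTDS | Select-Object Name, Status
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Test-ConnectorEndpoint -Server 'ldaps.corp.example'   # assumed host name
# Test-LdapServiceOnDc                                # uncomment when running on the DC
```

A reachable port with a failing handshake or chain points at the certificate rather than the firewall; a reachable port with "Host name not covered" usually means the connector is configured with an IP address or alias that is not in the certificate's subject alternative names.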

 

Character Requirements

 

If attribute values in your directory structure contain special characters, those characters must be escaped in the attribute string by prefixing them with a backslash ("\"). Attribute values containing other reserved characters (for example the equals sign (=), or non-ASCII characters, which are escaped byte by byte as UTF-8) must instead be hex-encoded: replace the character with a backslash followed by its two-digit hexadecimal value.

Failure to meet these requirements can cause a sync to fail.

An example of this symptom is:

Distinguished name string containing an illegal character (the forward slash in the OU):

CN=Documents,OU=Docs/KB,DC=Mimecast,DC=COM

The same string with the illegal character escaped and hex-encoded (0x2F is "/"):

CN=Documents,OU=Docs\2FKB,DC=Mimecast,DC=COM

Other reserved characters that require escaping include: , \ # + < > ; " = and leading or trailing spaces.
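The escaping rules above, as an added example that is not part of the original article. The function escapes a single RDN attribute value (backslash escapes for the reserved characters and for leading/trailing spaces and a leading "#", and \XX hex encoding for the characters the article says must be hex-encoded and for non-ASCII characters), and a second function assembles a DN from escaped values. Function names and the default set of hex-encoded characters ("/" and "=") are this example's own choices; the inputs are constructed, and the first one is the article's own DN, which comes out as CN=Documents,OU=Docs\2FKB,DC=Mimecast,DC=COM.

```powershell
# Added example: not from the Mimecast article. Escapes RDN attribute values per the
# rules in the text and assembles a DN. Function names and the default $HexEncodeChars
# set are this example's own choices.
function ConvertTo-EscapedRdnValue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [string]$HexEncodeChars = '/='        # characters emitted as \XX rather than \c
    )
    $specials = [char[]]',+"\<>;'             # always escaped with a single backslash
    $out = New-Object System.Text.StringBuilder
    $len = $Value.Length
    for ($i = 0; $i -lt $len; $i++) {
        $c = $Value[$i]
        $first = ($i -eq 0); $last = ($i -eq $len - 1)
        if ($c -eq ' ' -and ($first -or $last)) { [void]$out.Append('\ '); continue }
        if ($c -eq '#' -and $first)             { [void]$out.Append('\#'); continue }
        if ($specials -contains $c)             { [void]$out.Append('\').Append($c); continue }
        if ($HexEncodeChars.IndexOf($c) -ge 0 -or [int]$c -gt 127 -or [int]$c -lt 32) {
            # Hex-encode every UTF-8 byte of the character; a surrogate pair is
            # taken as one character so its bytes come out as one sequence.
            $text = if ([char]::IsHighSurrogate($c) -and $i + 1 -lt $len) { $i++; $Value.Substring($i - 1, 2) }
                    else { [string]$c }
            foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($text)) { [void]$out.Append(('\{0:X2}' -f $b)) }
            continue
        }
        [void]$out.Append($c)
    }
    $out.ToString()
}

function New-EscapedDn {
    # $Rdns: ordered list of objects with Type and Value, most specific component first.
    param([Parameter(Mandatory)][object[]]$Rdns)
    ($Rdns | ForEach-Object { '{0}={1}' -f $_.Type, (ConvertTo-EscapedRdnValue -Value $_.Value) }) -join ','
}

# The article's DN (constructed input): the '/' in the OU becomes \2F.
$rdns = @(
    [pscustomobject]@{ Type = 'CN'; Value = 'Documents' }
    [pscustomobject]@{ Type = 'OU'; Value = 'Docs/KB' }
    [pscustomobject]@{ Type = 'DC'; Value = 'Mimecast' }
    [pscustomobject]@{ Type = 'DC'; Value = 'COM' }
)
New-EscapedDn -Rdns $rdns

# Other reserved-character cases (constructed inputs); the last is "Müller",
# built from the code point of ü to stay independent of the script file's encoding.
foreach ($v in 'Sales, EMEA', ' leading space', '#hash first', 'Smith+Jones', 'a=b', ('M' + [char]0xFC + 'ller')) {
    '{0,-16} -> {1}' -f $v, (ConvertTo-EscapedRdnValue -Value $v)
}
```

RFC 4514 also permits "\=" for the equals sign; the function hex-encodes it by default because that is the form the article calls for, and either form is accepted by Active Directory.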

 

Active Directory Synchronization Failures

 

If your AD synchronization starts failing after it has been working for some time, check the service account, the firewall logs, and the LDAPS certificate's chain and validity period. If those look correct, try the following:

  1. Remove the certificate from the Local Computer Personal store.
  2. Install the certificate in the NTDS\Personal store (the store the Active Directory Domain Services service reads its LDAPS certificate from).
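The two steps above carried out with certutil, as an added example that is not part of the original article. It records which store currently holds the certificate, exports it with its private key, removes it from the Local Computer Personal store, imports it into the NTDS service's Personal store, and confirms the result. The thumbprint is a placeholder, the PFX password is a throwaway, the private key is assumed to be exportable, and the script must run elevated on the domain controller; the store-name argument to -importPFX is assumed to be accepted on Windows Server 2012 R2 and later.

```powershell
# Added example: not from the Mimecast article. Moves the LDAPS certificate from
# Local Computer\Personal ("My") to the AD DS service store ("NTDS\My") with certutil.
# Assumed placeholders: $Thumbprint; the PFX password is a throwaway for the temp file.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed: LDAPS certificate thumbprint
$PfxPath    = Join-Path $env:TEMP 'ldaps-move.pfx'
$PfxPass    = 'throwaway-' + [guid]::NewGuid().ToString('N')

# Where does the certificate live now? "My" is Local Computer\Personal;
# "-service ... NTDS\My" is the Personal store of the AD DS service.
certutil -store My $Thumbprint
certutil -service -store NTDS\My

# Step 1: export certificate and private key, then remove it from Local Computer\Personal.
# If the key was issued as non-exportable this export fails; in that case request the
# certificate directly into NTDS\My instead.
certutil -p $PfxPass -exportPFX My $Thumbprint $PfxPath
certutil -delstore My $Thumbprint

# Step 2: import into NTDS\Personal. Assumption: the store-name argument to -importPFX
# is accepted on Windows Server 2012 R2 and later; on older builds use the Certificates
# MMC snap-in for the "Active Directory Domain Services" service account instead.
certutil -service -p $PfxPass -importPFX NTDS\My $PfxPath
Remove-Item $PfxPath -Force -ErrorAction SilentlyContinue

# Confirm the move, then re-test the LDAPS connection from the connector's side.
certutil -service -store NTDS\My
certutil -store My $Thumbprint   # should now report that the certificate is not found
```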
