"[LDAP search] Search failed (check Base DN)" Error on RSA Authentication Manager

Issue

When creating an LDAP synchronisation job, all parameters appear to be correct, but when the job is run it reports "[LDAP search] Search failed (check Base DN)".

Example Configuration in RSA Authentication Manager Administration

- Select Users | LDAP Users | Add Synchronization
- Enter a Job Name
- Ensure LDAP Server Type is set to Active Directory
- Enter an LDAP Host e.g. domain.com
- Enter a Base DN e.g. DC=domain,DC=com
- Ensure Scope is set to All Sublevels
- Enter an LDAP Query Filter e.g. (objectClass=user)
- Enter a Bind DN e.g. CN=Administrator,CN=Users,DC=domain,DC=com
- Enter the password
- Click Test to ensure credentials are correct
- Click OK

- Select Users | LDAP Users | Run Synchronization
- Select the synchronisation job created above
- Click Run
- Click OK
- Select Users | LDAP Users | List Synchronizations
- Select the synchronisation job
- Click Details

This error would appear to be due to an excessive number of results being returned by the LDAP query. The same failure can be seen with the command line utility "sdaceldap":

sdaceldap -h domain.com -p 389 -b "DC=domain,DC=com" -s sub -d import -o AD_Users.csv -m active.map -D "administrator@domain.com" -w password "objectclass=user"
Returns the following error:

Starting Import:
ldap_search_s Sizelimit exceeded

Resolution

Create an LDAP Query Filter designed to return fewer results, e.g. by limiting it to a group:

In RSA Authentication Manager Administration

- Select Users | LDAP Users | Add Synchronization
- Enter a Job Name
- Ensure LDAP Server Type is set to Active Directory
- Enter an LDAP Host e.g. domain.com
- Enter a Base DN e.g. DC=domain,DC=com
- Ensure Scope is set to All Sublevels
- Enter an LDAP Query Filter e.g. (&(objectClass=user)(memberOf=CN=RSA,CN=Users,DC=domain,DC=com))
- Enter a Bind DN e.g. CN=Administrator,CN=Users,DC=domain,DC=com
- Enter the password
- Click Test to ensure credentials are correct
- Click OK

NOTE: A faster and more efficient query is to replace "objectclass=user" with "objectcategory=person". objectCategory is an indexed attribute and takes less processor time to query.

- Select Users | LDAP Users | Run Synchronization
- Select the synchronisation job created above
- Click Run
- Click OK
- Select Users | LDAP Users | List Synchronizations
- Select the synchronisation job
- Click Details
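To see how much each filter from this resolution (and the not-disabled filter listed under References) narrows the result set relative to the 1000-record MaxPageSize, here is an added example that is not part of the original article: a small evaluator for the filter shapes used on this page, run against constructed sample entries. The directory contents, the NORMAL_ACCOUNT/ACCOUNTDISABLE bit values and the group DN are assumptions for illustration; real AD stores objectCategory as a schema DN but accepts the short class name in filters, so the short form is used here.

```python
AD_MAX_PAGE_SIZE = 1000                         # default MaxPageSize on a domain controller
BITAND = ":1.2.840.113556.1.4.803:"             # AD bitwise-AND matching rule (extensible match)
RSA_GROUP = "CN=RSA,CN=Users,DC=domain,DC=com"  # group DN from the example filter above

def _parse_item(filt, i):                       # 'attr=value' or 'attr:OID:=mask', up to ')'
    end = filt.index(")", i)
    lhs, val = filt[i:end].split("=", 1)
    if lhs.endswith(BITAND):
        return ("bitand", lhs[:-len(BITAND)], int(val)), end
    return ("eq", lhs, val), end

def _parse(filt, i):                            # one '(...)' component; returns (tree, next index)
    i += 1                                      # skip '('
    if filt[i] not in "&|!":
        tree, i = _parse_item(filt, i)
    else:
        op, i, kids = filt[i], i + 1, []
        while filt[i] == "(" or not kids:       # AD tolerates the lax form (!attr=value)
            kid, i = (_parse if filt[i] == "(" else _parse_item)(filt, i)
            kids.append(kid)
        tree = (op, kids)
    assert filt[i] == ")", "unbalanced filter"
    return tree, i + 1

def matches(tree, entry):                       # entry: lower-cased attribute -> list of strings
    kind = tree[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    values = entry.get(tree[1].lower(), [])
    if kind == "bitand":                        # true when every bit of the mask is set
        return any((int(v) & tree[2]) == tree[2] for v in values)
    return any(v.lower() == tree[2].lower() for v in values)

def search(filter_string, entries, limit=AD_MAX_PAGE_SIZE):
    tree, end = _parse(filter_string, 0)
    assert end == len(filter_string), "trailing text after filter"
    count = sum(matches(tree, e) for e in entries)
    return count, count <= limit                # a non-paged search over the limit fails

def build_sample_directory(users=1200, computers=300):
    # Constructed data; objectCategory is kept in the short form AD accepts in filters.
    # Computer objects also carry objectClass=user, so (objectClass=user) over-matches.
    people = [{"objectclass": ["user"], "objectcategory": ["person"],
               "useraccountcontrol": [str(0x200 | (0x2 if i % 4 == 0 else 0))],  # 0x2 = ACCOUNTDISABLE
               "memberof": [RSA_GROUP] if i < 150 else []} for i in range(users)]
    machines = [{"objectclass": ["user", "computer"], "objectcategory": ["computer"],
                 "useraccountcontrol": ["4096"]} for _ in range(computers)]   # enabled trust accounts
    return people + machines
```

With this data, (objectClass=user) returns 1500 entries and would hit the size limit, the objectCategory form drops the 300 computer accounts, and the group-restricted filter returns 150.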

Alternatively, raise the LDAP query limits on the domain controller (the defaults are 1000 records and 120 seconds). Note that these are settings of the directory's LDAP query policy and affect every LDAP client of the domain controller, not just this synchronisation job:

- From a command prompt run NTDSUTIL
- Enter LDAP Policies
- Enter Connections
- Enter Connect to server <servername> where <servername> is the name of the target server
- Enter Quit
- Enter Show values to see the current values
- Enter Set maxpagesize to <value> where <value> is the maximum number of records
- Enter Set maxqueryduration to <value> where <value> is the maximum number of seconds to run the query
- Enter Show values to check the values
- Enter Commit changes
- Enter Quit
- Enter Quit

References

LDAP Query String for users that are not disabled:
(&(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))


How to query large LDAP databases
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx#a2749

Products

RSA SecurID Authentication Manager 6.1

Created: 30th January 2008
Updated: 10th March 2009

© 2005-2024 Jamie Morrison