KB-Sync1
Archer Employee

Article Number

000016727


Applies To


Product(s): Archer
Version(s): All Versions
Primary Deployment: On Premises/AWS Hosted/AWS SaaS

Description


  • LDAP Sync fails to create more than 1000 users in Archer when connecting to Microsoft Active Directory LDAP Server. The "Disable Page Searching" option is not checked in the LDAP configuration.
  • Testing the LDAP configuration attributes in a third-party tool such as 'Softerra LDAP Browser' produces LDAP referral authentication prompts if results exceed 1000 users.

Cause


Archer LDAP Sync cannot recognize LDAP referral authentication prompts. The LDAP paged search ends prematurely after the first page, and only 1000 users are returned.
 

Resolution


To fix this issue, use port 3268 by appending ":3268" to the LDAP Configuration's Name/IP Address. For LDAPS, use port 3269. Using these ports lets the LDAP search use a Global Catalog domain controller for a forest-wide search instead of a forest root domain search.

An alternative to port 3268 is to set Referral Chasing to None in the Archer LDAP Service configuration file:
  1. Stop the LDAP Service
  2. Open the LDAP Service configuration file, Archer.Services.DataFeedService.exe.config, located in \Program Files\Archer\Services\
  3. Search for <appSettings> and add the ForceNoReferralChasing key: 
    <appSettings> 
      <add key="PreComputeTaskOnFault" value="true" /> 
      <add key="ForceNoReferralChasing" value="true"/> 
    </appSettings>
  4. Save the file and restart the service
  5. Run the LDAP Sync manually or let it run at its scheduled time

Notes


If the LDAP Service configuration file is modified to use the ForceNoReferralChasing key, it will need to be added back after every Archer upgrade or every time the Archer installer is run. The Archer installer does not respect that setting and will not add it back.
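
Because the installer removes the key, a post-upgrade check can put it back. The PowerShell function below is an added example, not Archer's own tooling: it adds or corrects the ForceNoReferralChasing key only when needed and keeps a .bak copy of the file. It assumes the config root is <configuration> with no XML namespace; the function name and the sample file are constructed for illustration.

```powershell
# Added example (not Archer tooling): ensure ForceNoReferralChasing=true in <appSettings>.
function Set-ForceNoReferralChasing {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ConfigPath)

    $fullPath = (Resolve-Path -LiteralPath $ConfigPath).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($fullPath)

    # Assumption: root is <configuration> with no XML namespace.
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if ($null -eq $appSettings) { throw "No <appSettings> element in $fullPath" }

    $node = $appSettings.SelectSingleNode("add[@key='ForceNoReferralChasing']")
    if ($null -ne $node -and $node.GetAttribute('value') -ceq 'true') {
        return $false                        # already set; file left untouched
    }
    if ($null -eq $node) {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', 'ForceNoReferralChasing')
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', 'true')

    # Keep a backup of the installer-written file before saving the change.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $xml.Save($fullPath)
    return $true                             # file was changed
}

# Constructed sample config (not a real Archer file) to exercise the function offline.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sample.exe.config'
@'
<configuration>
  <appSettings>
    <add key="PreComputeTaskOnFault" value="true" />
  </appSettings>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-ForceNoReferralChasing -ConfigPath $sample   # first run adds the key
Set-ForceNoReferralChasing -ConfigPath $sample   # second run finds it and changes nothing
```

Run it against the real file with the LDAP Service stopped and restart the service afterwards, as in steps 1 and 4. The page does not give the service's Windows name, so the function does not manage the service itself.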

Finally, please vote up the Archer Idea to add an option to the LDAP Configuration to enable/disable the ForceNoReferralChasing setting at runtime.
 

Version history
Last update:
‎2024-09-21 05:54 AM
Updated by: