Overview for the LDAP sync process:

Common Issues:

 Users / Groups / Assignments are not updated in Incorta :

1. Check the files within the compressed directory.zip (users.csv , groups.csv and user-groups.csv)
   • Each one of those files will contain the data extracted from LDAP for the respective query.
   • Check for your missing user/group/assignment.
2. Entry does not exist in file → Check the query that gets the data from LDAP. You can test the query using 3rd party tools to make sure if the missing entry is being fetched or not. Refer to the tools part at the end of the article.
3. Entries exist in the file but not reflected in Incorta → check the log file for the ldapsync script for errors related to this entry.
4. Entries exist in the query output but not in the file → 
• Check if the directory.zip is updated / created when you execute the script , In some cases if there is a permission issue the file can not be overwritten.
• Currently incorta doesn’t support paging in fetching from LDAP so there is a limitation on the number of users that will be fetched. The query getting the users has to be very specific in order to work within this limitation. Limit is 1000 records by default ( configured from ldap side) in case the limit is exceeded an error (LDAP_SIZELIMIT_EXCEEDED) will be thrown.
• In case the script is scheduled with a tool like cron , Make sure that the script is being triggered from the scheduler.

INC_02060401: Could not connect to LDAP server with URL , INC_02060401: Could not connect to LDAP server with URL: (simple bind failed:

• Check connectivity to ldap from the server you are executing the script on , This can be done by the below unix command, In case you can not connect ( a prompt will not show), you will need to check if the port is correct or if connectivity is open between Incorta server and LDAP server.
  

telnet  <ldap_server_name> <port>​

• Check the credentials you are using , this can be tested by 3rd party LDAP tools.
• Check if you are using the correct protocol to connect to LDAP and the port you are connecting is supporting this (ldap / ldaps)

Users are removed from ldap but not reflected in Incorta ( In case that this user had been already created before):

Currently there is no way to remove users automatically because of dashboard ownership issues.

Syncing nested groups:

Below is an example of the case

We have a group NonProd which in turn has Developers, Bi Analyst and Admin groups. When I do the sync based on NonProd group, I'd like to see group NONProd imported on Incorta and also nested groups of Developers/ BI Analyst and Admin groups and its members.

&(objectCategory=person)(mail=*)(memberOf:1.2.840.113556.1.4.1941:=CN=group1,OU=x,DC=y,DC=z))

(&(objectClass=group)(cn=*)(memberof:1.2.840.113556.1.4.1941:=groupDn))

Users are not created with the correct type 

Check the settings for the property user.type

Following 3rd party tools can be used to test connectivity, credentials and test queries for LDAP 

Test LDAP with Apache DS:

Apache DS is an Open Source software that can be downloaded and installed on multiple platforms , It provides a GUI to connect to LDAP server.

Testing LDAP with ldapsearch:

ldapsearch is a command line tool that can be used to connect to LDAP and execute search queries on. If the tool is not installed on your platform it will need root access to be installed.

Given the below parameters

Base DN : dc=wimpi,dc=net

Ldap server Host : 127.0.0.1

Port : 10389 (non secure)

User name : uid=admin,ou=system

ldapsearch -x -b "dc=wimpi,dc=net" -H ldap://127.0.0.1:10389  -D "uid=admin,ou=system" -W

The above command will output all entries in ldap, In PROD env this will be a lot of output so probably you will need to limit the output with search filter 

ldapsearch -x -b "dc=wimpi,dc=net" -H ldap://127.0.0.1:10389  -D "uid=admin,ou=system" -W "objectClass=person"

Above command will only output the entries with person object class.