FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 375637
Description

This article describes how to troubleshoot Remote Sync Rules functionality. Tests are conducted in a lab environment, and log analysis is performed on data generated by the Remote-Sync-Rule. A rule named 'Test', which filters only two users on the Remote-LDAP Server, is pre-configured with a basic setup.

Scope

FortiAuthenticator.
Solution

Remote Sync Rule Logs are visible in the RAW logs of FortiAuthenticator under Logging → Log Access → Logs.

Additional debugging information can be accessed at https://FortiAuthenticator-IP/debug → User Sync → LDAP/SAML.

These debug logs do not contain details about synced users or reasons why a user may be missing.

However, they do show which rules are being synced, including the ldapuser_sync_rule table, the minimum update interval, the table name, and the number of sync rules.

Received notification for table ldap_ldapusersync from Postgres -
Table name = ldap_ldapusersync
Number of Sync rules = 2
Minimum update_interval amongst configured rules = 3600 seconds.
Waiting for data on socket
Time (local) = Mon Feb 10 10:23:07 2025 CET
IDs of rules to be synchronised for table ldap_ldapusersync = 8 6

As explained above, the most useful information can be found in the RAW logs.

The following example shows the logs generated after a successful sync of the rule named 'TestRule', where two users, 'test1' and 'test2', are imported into FortiAuthenticator by the rule.

Performing remote LDAP user sync (rule: TestRule) with adserver.com (dclab.adserver.com).

After that, the number of users retrieved should also be visible in the RAW logs.

Note: This number represents the total number of users that can be synced via the Remote-Sync-Rule, based on the applied filter, not the number of new users added.

Retrieved 2 user(s) from the remote LDAP server "adserver.com (dclab.adserver.com)". (sync rule: TestRule)

The details of users added through the Sync Rule are also logged. Keep in mind that these logs show only newly imported users, not users who were previously imported into FortiAuthenticator.

After the Remote-User Sync Rule is performed:

Successfully synced (rule: TestRule) with adserver.com on Mon Feb 10 10:23:32 2025.

The following logs display errors related to specific issues:

In this scenario, the OTP-method assignment priority is enabled on the Remote-Sync Rule, meaning that each user imported from the server is assigned an available token.

Cannot add user from LDAP server adserver.com because of this error: Failed to import user "test2" (rule: TestRule), Email is required if TFA method is FTM

This error occurs when the user has no email attribute configured on the Active Directory (AD) server. Without it, the activation code cannot be sent, so the token cannot be assigned and the user is not imported.

Even though the Remote-Sync Rule logs indicate a successful sync, the user will not be imported.

For this reason, the remote server needs to be configured to map users via an email address attribute.

Cannot add user from LDAP server adserver.com because of this error: Unable to import valid token for test2 (rule: TestRule)

This error indicates that no free tokens remain on FortiAuthenticator. If a token were available, the logs would appear as follows:

Successfully assigned token to test1 (rule: TestRule) @ adserver.com (dclab.adserver.com) with FortiToken Mobile ("FTKMOB16A*****") token-based authentication.


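To make triage of these RAW log messages repeatable, the following is an added example script (not Fortinet's code and not part of this article). It parses lines in the message formats quoted above, groups them per sync rule, and reports which users were retrieved but not imported, with the reason and the corresponding fix described in this article. The sample log, the server name adserver.com and the user names test1, test2 and test3 are constructed for the example; the string "Unable to import valid token" is used as the reason key for the no-free-token case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log: the message formats quoted in this article, arranged
# as one sync run with one token assignment and both failure cases.
SAMPLE_LOG = """\
Performing remote LDAP user sync (rule: TestRule) with adserver.com (dclab.adserver.com).
Retrieved 3 user(s) from the remote LDAP server "adserver.com (dclab.adserver.com)". (sync rule: TestRule)
Successfully assigned token to test1 (rule: TestRule) @ adserver.com (dclab.adserver.com) with FortiToken Mobile ("FTKMOB16A*****") token-based authentication.
Cannot add user from LDAP server adserver.com because of this error: Failed to import user "test2" (rule: TestRule), Email is required if TFA method is FTM
Cannot add user from LDAP server adserver.com because of this error: Unable to import valid token for test3 (rule: TestRule)
Successfully synced (rule: TestRule) with adserver.com on Mon Feb 10 10:23:32 2025.
"""

# Patterns derived from the message formats shown in the article.
START = re.compile(r"^Performing remote LDAP user sync \(rule: (?P<rule>[^)]+)\) with (?P<server>\S+)")
RETRIEVED = re.compile(r"^Retrieved (?P<n>\d+) user\(s\) from the remote LDAP server .*\(sync rule: (?P<rule>[^)]+)\)")
TOKEN_OK = re.compile(r"^Successfully assigned token to (?P<user>\S+) \(rule: (?P<rule>[^)]+)\)")
FAIL_IMPORT = re.compile(r'Failed to import user "(?P<user>[^"]+)" \(rule: (?P<rule>[^)]+)\), (?P<reason>.+)$')
FAIL_TOKEN = re.compile(r"Unable to import valid token for (?P<user>\S+) \(rule: (?P<rule>[^)]+)\)")
DONE = re.compile(r"^Successfully synced \(rule: (?P<rule>[^)]+)\) with (?P<server>\S+) on (?P<when>.+)\.$")

# Remediation text paraphrasing the article's explanation of each error.
REMEDIATION = {
    "Email is required if TFA method is FTM":
        "user has no email attribute on the LDAP/AD server, so the activation code "
        "cannot be sent; populate the mail attribute and check the remote server's "
        "email attribute mapping",
    "Unable to import valid token":
        "no free FortiToken is available on FortiAuthenticator; add tokens or "
        "change the rule's OTP-method assignment priority",
}


@dataclass
class RuleSummary:
    rule: str
    server: str = ""
    retrieved: Optional[int] = None          # users matched by the filter, not new users
    tokens_assigned: List[str] = field(default_factory=list)
    failures: Dict[str, str] = field(default_factory=dict)  # user -> reason
    completed_at: Optional[str] = None

    @property
    def reported_success(self) -> bool:
        """True when the 'Successfully synced' line was seen for this rule."""
        return self.completed_at is not None


def remediation(reason: str) -> str:
    return REMEDIATION.get(reason, "unrecognised reason; check the RAW log detail")


def triage(log_text: str) -> Dict[str, RuleSummary]:
    """Group sync-rule RAW log lines by rule and collect per-user outcomes."""
    summaries: Dict[str, RuleSummary] = {}

    def get(rule: str) -> RuleSummary:
        return summaries.setdefault(rule, RuleSummary(rule=rule))

    for line in log_text.splitlines():
        line = line.strip()
        if m := START.match(line):
            get(m["rule"]).server = m["server"]
        elif m := RETRIEVED.match(line):
            get(m["rule"]).retrieved = int(m["n"])
        elif m := TOKEN_OK.match(line):
            get(m["rule"]).tokens_assigned.append(m["user"])
        elif m := FAIL_IMPORT.search(line):
            get(m["rule"]).failures[m["user"]] = m["reason"]
        elif m := FAIL_TOKEN.search(line):
            get(m["rule"]).failures[m["user"]] = "Unable to import valid token"
        elif m := DONE.match(line):
            get(m["rule"]).completed_at = m["when"]
    return summaries


def report(summaries: Dict[str, RuleSummary]) -> List[str]:
    """Human-readable lines; flags a 'successful' sync that still dropped users."""
    out = []
    for s in summaries.values():
        out.append(f"rule {s.rule} @ {s.server}: retrieved={s.retrieved} "
                   f"tokens_assigned={len(s.tokens_assigned)} failed={len(s.failures)} "
                   f"reported_success={s.reported_success}")
        for user, reason in s.failures.items():
            out.append(f"  {user}: {reason} -> {remediation(reason)}")
        if s.reported_success and s.failures:
            out.append("  NOTE: sync reported success but some users were not imported")
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Paste the relevant lines from Logging → Log Access → Logs in place of SAMPLE_LOG; the final NOTE line is the check for the case described above, where the rule logs a successful sync while one or more users were never imported.
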
What happens if:

Changing OTP-Method assignment priority from 'None' to one of 'FortiToken/Email/SMS':

  • Users who were imported before and did not have a token assigned will still not have a token after the rule is manually re-synced with the 'FortiToken' method. To assign a token to these users, they must first be deleted manually from FortiAuthenticator and re-imported via the rule.
  • New users imported after the change will have a token assigned based on criteria such as having a predefined mail account on the LDAP server, and tokens being available on FortiAuthenticator.

 

Changing OTP-Method assignment priority from 'FortiToken/Email/SMS' to 'None':

  • Users who were imported earlier and had a token assigned will retain their token even after the rule is updated to use 'None' as the OTP method, until these users are deleted from FortiAuthenticator and re-imported via the sync rule.
  • New users imported after the change will not have any token assigned.