Description
This article explains how to validate and troubleshoot a remote user sync rule and lists the common errors seen in the logs.
Scope
FortiAuthenticator.
Solution
When a remote user sync rule is created for this use case:
The user can be synced as an LDAP user, a Remote RADIUS user, or a local user; in this use case the user is synced as a Remote LDAP user.
The rule runs at the configured sync period, and the associated user groups are linked, which produces the results shown below.
Verify the sync events by navigating to Logging -> Log Access -> Logs.
The user is added under Authentication -> Remote Users -> LDAP, and the log shows that user1414 (the user in this use case) was synced successfully and added to the associated user group.
For more on the LDAP filter syntax used in group filters, refer to LDAP filter syntax for groups and remote user sync rules.
date=2024-12-17 time=08:19:27+0000 oid=23478798 logid=30303 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="Successfully synced (rule: Test ldap sync rule) with LDAP_WITH_RADIUS on Thu Sep 5 10:19:27 2024." user="" --> indicates that the rule synced successfully.
The common errors seen are:
"Failed to sync remote LDAP users (rule: Test ldap sync rule) with XXXX : Cannot add any more users because limit of 700 has been reached" user="" --> The user licenses on the box need to be verified and corrected.
"Failed to sync remote LDAP user XXXX (rule: Test ldap sync rule) @ AD_SIIV (10.40.132.102), deleting." user="user1414" --> The user is deleted.
Note: users imported by the sync rule are only deleted when a group filter is set or when they are removed from Active Directory. Manually imported users are not deleted by the sync rule and must be deleted manually; this is by design.
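When many sync rules run on a schedule, reading the Log Access page by hand does not scale. The following Python script is an added example, not Fortinet code: it parses FortiAuthenticator key=value event log lines (the success line above is reused verbatim; the failure and unrelated lines are constructed from the message texts in this article, and their oid, logid and level values are assumed) and classifies each line as a successful sync, a licence-limit failure, a user deletion or something else, so an operator can spot the errors described above in an exported log.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# key=value pairs; the value is either a double-quoted string (may contain
# spaces and parentheses) or a bare token such as a date or an oid.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Rule name as it appears inside the msg field: (rule: <name>)
_RULE_RE = re.compile(r'\(rule: ([^)]*)\)')


def parse_fac_log(line: str) -> Dict[str, str]:
    """Parse one FortiAuthenticator event log line into a field dictionary."""
    record: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # strip the surrounding quotes
        record[key] = value
    return record


def classify_sync_event(record: Dict[str, str]) -> str:
    """Map a parsed record to one of the sync outcomes described in the article."""
    msg = record.get("msg", "")
    if msg.startswith("Successfully synced"):
        return "sync_ok"
    if "Cannot add any more users" in msg:
        return "license_limit"      # user licence count on the appliance exhausted
    if msg.startswith("Failed to sync remote LDAP user ") and msg.rstrip().endswith("deleting."):
        return "user_deleted"       # user no longer matched by the rule and was removed
    if msg.startswith("Failed to sync"):
        return "sync_failed"        # any other sync failure
    return "other"


def summarize(lines: List[str]) -> Tuple[Dict[str, int], List[str], List[str]]:
    """Return (outcome counts, users deleted by a rule, rule names seen)."""
    counts: Counter = Counter()
    deleted_users: List[str] = []
    rules = set()
    for line in lines:
        rec = parse_fac_log(line)
        kind = classify_sync_event(rec)
        counts[kind] += 1
        m = _RULE_RE.search(rec.get("msg", ""))
        if m:
            rules.add(m.group(1))
        if kind == "user_deleted" and rec.get("user"):
            deleted_users.append(rec["user"])
    return dict(counts), deleted_users, sorted(rules)


# Constructed sample log: line 1 is the success event from the article;
# lines 2-4 are constructed here and their oid/logid/level values are assumed.
SAMPLE_LINES = [
    'date=2024-12-17 time=08:19:27+0000 oid=23478798 logid=30303 cat="Event" subcat="System" '
    'level="information" nas="" action="" status="" '
    'msg="Successfully synced (rule: Test ldap sync rule) with LDAP_WITH_RADIUS on Thu Sep 5 10:19:27 2024." user=""',
    'date=2024-12-17 time=08:20:01+0000 oid=23478801 logid=30303 cat="Event" subcat="System" '
    'level="error" nas="" action="" status="" '
    'msg="Failed to sync remote LDAP users (rule: Test ldap sync rule) with LDAP_WITH_RADIUS : '
    'Cannot add any more users because limit of 700 has been reached" user=""',
    'date=2024-12-17 time=08:21:15+0000 oid=23478805 logid=30303 cat="Event" subcat="System" '
    'level="warning" nas="" action="" status="" '
    'msg="Failed to sync remote LDAP user user1414 (rule: Test ldap sync rule) @ AD_SIIV (10.40.132.102), deleting." user="user1414"',
    'date=2024-12-17 time=08:22:00+0000 oid=23478810 logid=20000 cat="Event" subcat="Admin" '
    'level="information" nas="" action="" status="" msg="Admin login successful" user="admin"',
]

if __name__ == "__main__":
    counts, deleted, rules = summarize(SAMPLE_LINES)
    print("outcomes:", counts)
    print("users deleted by sync rules:", deleted)
    print("rules seen:", rules)
```

A non-zero `license_limit` count points straight at the licence check above, while the `user_deleted` list shows which accounts a rule removed and is the first thing to compare against the group filter and Active Directory membership.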